richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
878 Commits
3 Branches
120 Tags
80 MiB
Tree: 8b65a0873f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8b65a0873f'
${ noResults }
wiki/server/models/users.js

427 lines
13 KiB
Raw Normal View History

refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: remove config namespaces
6 years ago
feat: user edit UI + admin UI improvements + fixes
6 years ago
feat: account verification + mail config in admin area
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: save page
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: client login
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: page Rules access check
5 years ago
feat: user menu + jwt certs + UI fixes
6 years ago
feat: guest + user permissions
5 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: register validation + create + admin improvements
6 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: admin general + verify account
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: account verification + mail config in admin area
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: admin general + verify account
5 years ago
feat: beta preparation + utf16 editor fix
5 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: register server-side validation + forgot password UI
5 years ago
feat: register validation + create + admin improvements
6 years ago
feat: guest + user permissions
5 years ago
feat: page Rules access check
5 years ago
feat: guest + user permissions
5 years ago
refactor: migrate to objection.js + knex
6 years ago
  1. /* global WIKI */
  3. const bcrypt = require('bcryptjs-then')
  4. const _ = require('lodash')
  5. const tfa = require('node-2fa')
  6. const securityHelper = require('../helpers/security')
  7. const jwt = require('jsonwebtoken')
  8. const Model = require('objection').Model
  9. const validate = require('validate.js')
  11. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  13. /**
  14. * Users model
  15. */
  16. module.exports = class User extends Model {
  17. static get tableName() { return 'users' }
  19. static get jsonSchema () {
  20. return {
  21. type: 'object',
  22. required: ['email', 'name', 'provider'],
  24. properties: {
  25. id: {type: 'integer'},
  26. email: {type: 'string', format: 'email'},
  27. name: {type: 'string', minLength: 1, maxLength: 255},
  28. providerId: {type: 'number'},
  29. password: {type: 'string'},
  30. role: {type: 'string', enum: ['admin', 'guest', 'user']},
  31. tfaIsActive: {type: 'boolean', default: false},
  32. tfaSecret: {type: 'string'},
  33. jobTitle: {type: 'string'},
  34. location: {type: 'string'},
  35. pictureUrl: {type: 'string'},
  36. isSystem: {type: 'boolean'},
  37. isActive: {type: 'boolean'},
  38. isVerified: {type: 'boolean'},
  39. createdAt: {type: 'string'},
  40. updatedAt: {type: 'string'}
  41. }
  42. }
  43. }
  45. static get relationMappings() {
  46. return {
  47. groups: {
  48. relation: Model.ManyToManyRelation,
  49. modelClass: require('./groups'),
  50. join: {
  51. from: 'users.id',
  52. through: {
  53. from: 'userGroups.userId',
  54. to: 'userGroups.groupId'
  55. },
  56. to: 'groups.id'
  57. }
  58. },
  59. provider: {
  60. relation: Model.BelongsToOneRelation,
  61. modelClass: require('./authentication'),
  62. join: {
  63. from: 'users.providerKey',
  64. to: 'authentication.key'
  65. }
  66. },
  67. defaultEditor: {
  68. relation: Model.BelongsToOneRelation,
  69. modelClass: require('./editors'),
  70. join: {
  71. from: 'users.editorKey',
  72. to: 'editors.key'
  73. }
  74. },
  75. locale: {
  76. relation: Model.BelongsToOneRelation,
  77. modelClass: require('./locales'),
  78. join: {
  79. from: 'users.localeCode',
  80. to: 'locales.code'
  81. }
  82. }
  83. }
  84. }
  86. async $beforeUpdate(opt, context) {
  87. await super.$beforeUpdate(opt, context)
  89. this.updatedAt = new Date().toISOString()
  91. if (!(opt.patch && this.password === undefined)) {
  92. await this.generateHash()
  93. }
  94. }
  95. async $beforeInsert(context) {
  96. await super.$beforeInsert(context)
  98. this.createdAt = new Date().toISOString()
  99. this.updatedAt = new Date().toISOString()
  101. await this.generateHash()
  102. }
  104. // ------------------------------------------------
  105. // Instance Methods
  106. // ------------------------------------------------
  108. async generateHash() {
  109. if (this.password) {
  110. if (bcryptRegexp.test(this.password)) { return }
  111. this.password = await bcrypt.hash(this.password, 12)
  112. }
  113. }
  115. async verifyPassword(pwd) {
  116. if (await bcrypt.compare(pwd, this.password) === true) {
  117. return true
  118. } else {
  119. throw new WIKI.Error.AuthLoginFailed()
  120. }
  121. }
  123. async enableTFA() {
  124. let tfaInfo = tfa.generateSecret({
  125. name: WIKI.config.site.title
  126. })
  127. return this.$query.patch({
  128. tfaIsActive: true,
  129. tfaSecret: tfaInfo.secret
  130. })
  131. }
  133. async disableTFA() {
  134. return this.$query.patch({
  135. tfaIsActive: false,
  136. tfaSecret: ''
  137. })
  138. }
  140. async verifyTFA(code) {
  141. let result = tfa.verifyToken(this.tfaSecret, code)
  142. return (result && _.has(result, 'delta') && result.delta === 0)
  143. }
  145. getGlobalPermissions() {
  146. return _.uniq(_.flatten(_.map(this.groups, 'permissions')))
  147. }
  149. getGroups() {
  150. return _.uniq(_.map(this.groups, 'id'))
  151. }
  153. // ------------------------------------------------
  154. // Model Methods
  155. // ------------------------------------------------
  157. static async processProfile(profile) {
  158. let primaryEmail = ''
  159. if (_.isArray(profile.emails)) {
  160. let e = _.find(profile.emails, ['primary', true])
  161. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  162. } else if (_.isString(profile.email) && profile.email.length > 5) {
  163. primaryEmail = profile.email
  164. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  165. primaryEmail = profile.mail
  166. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  167. primaryEmail = profile.user.email
  168. } else {
  169. return Promise.reject(new Error(WIKI.lang.t('auth:errors.invaliduseremail')))
  170. }
  172. profile.provider = _.lowerCase(profile.provider)
  173. primaryEmail = _.toLower(primaryEmail)
  175. let user = await WIKI.models.users.query().findOne({
  176. email: primaryEmail,
  177. provider: profile.provider
  178. })
  179. if (user) {
  180. user.$query().patchAdnFetch({
  181. email: primaryEmail,
  182. provider: profile.provider,
  183. providerId: profile.id,
  184. name: profile.displayName || _.split(primaryEmail, '@')[0]
  185. })
  186. } else {
  187. user = await WIKI.models.users.query().insertAndFetch({
  188. email: primaryEmail,
  189. provider: profile.provider,
  190. providerId: profile.id,
  191. name: profile.displayName || _.split(primaryEmail, '@')[0]
  192. })
  193. }
  195. // Handle unregistered accounts
  196. // if (!user && profile.provider !== 'local' && (WIKI.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
  197. // let nUsr = {
  198. // email: primaryEmail,
  199. // provider: profile.provider,
  200. // providerId: profile.id,
  201. // password: '',
  202. // name: profile.displayName || profile.name || profile.cn,
  203. // rights: [{
  204. // role: 'read',
  205. // path: '/',
  206. // exact: false,
  207. // deny: false
  208. // }]
  209. // }
  210. // return WIKI.models.users.query().insert(nUsr)
  211. // }
  213. return user
  214. }
  216. static async login (opts, context) {
  217. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  218. _.set(context.req, 'body.email', opts.username)
  219. _.set(context.req, 'body.password', opts.password)
  221. // Authenticate
  222. return new Promise((resolve, reject) => {
  223. WIKI.auth.passport.authenticate(opts.strategy, { session: false }, async (err, user, info) => {
  224. if (err) { return reject(err) }
  225. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  227. // Is 2FA required?
  228. if (user.tfaIsActive) {
  229. try {
  230. let loginToken = await securityHelper.generateToken(32)
  231. await WIKI.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
  232. return resolve({
  233. tfaRequired: true,
  234. tfaLoginToken: loginToken
  235. })
  236. } catch (err) {
  237. WIKI.logger.warn(err)
  238. return reject(new WIKI.Error.AuthGenericError())
  239. }
  240. } else {
  241. // No 2FA, log in user
  242. return context.req.logIn(user, { session: false }, async err => {
  243. if (err) { return reject(err) }
  244. const jwtToken = await WIKI.models.users.refreshToken(user)
  245. resolve({
  246. jwt: jwtToken.token,
  247. tfaRequired: false
  248. })
  249. })
  250. }
  251. })(context.req, context.res, () => {})
  252. })
  253. } else {
  254. throw new WIKI.Error.AuthProviderInvalid()
  255. }
  256. }
  258. static async refreshToken(user) {
  259. if (_.isSafeInteger(user)) {
  260. user = await WIKI.models.users.query().findById(user).eager('groups').modifyEager('groups', builder => {
  261. builder.select('groups.id', 'permissions')
  262. })
  263. if (!user) {
  264. WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
  265. throw new WIKI.Error.AuthGenericError()
  266. }
  267. } else if(_.isNil(user.groups)) {
  268. await user.$relatedQuery('groups').select('groups.id', 'permissions')
  269. }
  271. return {
  272. token: jwt.sign({
  273. id: user.id,
  274. email: user.email,
  275. name: user.name,
  276. pictureUrl: user.pictureUrl,
  277. timezone: user.timezone,
  278. localeCode: user.localeCode,
  279. defaultEditor: user.defaultEditor,
  280. permissions: user.getGlobalPermissions(),
  281. groups: user.getGroups()
  282. }, {
  283. key: WIKI.config.certs.private,
  284. passphrase: WIKI.config.sessionSecret
  285. }, {
  286. algorithm: 'RS256',
  287. expiresIn: WIKI.config.auth.tokenExpiration,
  288. audience: WIKI.config.auth.audience,
  289. issuer: 'urn:wiki.js'
  290. }),
  291. user
  292. }
  293. }
  295. static async loginTFA(opts, context) {
  296. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  297. let result = await WIKI.redis.get(`tfa:${opts.loginToken}`)
  298. if (result) {
  299. let userId = _.toSafeInteger(result)
  300. if (userId && userId > 0) {
  301. let user = await WIKI.models.users.query().findById(userId)
  302. if (user && user.verifyTFA(opts.securityCode)) {
  303. return Promise.fromCallback(clb => {
  304. context.req.logIn(user, clb)
  305. }).return({
  306. succeeded: true,
  307. message: 'Login Successful'
  308. }).catch(err => {
  309. WIKI.logger.warn(err)
  310. throw new WIKI.Error.AuthGenericError()
  311. })
  312. } else {
  313. throw new WIKI.Error.AuthTFAFailed()
  314. }
  315. }
  316. }
  317. }
  318. throw new WIKI.Error.AuthTFAInvalid()
  319. }
  321. static async register ({ email, password, name, verify = false, bypassChecks = false }, context) {
  322. const localStrg = await WIKI.models.authentication.getStrategy('local')
  323. // Check if self-registration is enabled
  324. if (localStrg.selfRegistration || bypassChecks) {
  325. // Input sanitization
  326. email = _.toLower(email)
  328. // Input validation
  329. const validation = validate({
  330. email,
  331. password,
  332. name
  333. }, {
  334. email: {
  335. email: true,
  336. length: {
  337. maximum: 255
  338. }
  339. },
  340. password: {
  341. presence: {
  342. allowEmpty: false
  343. },
  344. length: {
  345. minimum: 6
  346. }
  347. },
  348. name: {
  349. presence: {
  350. allowEmpty: false
  351. },
  352. length: {
  353. minimum: 2,
  354. maximum: 255
  355. }
  356. },
  357. }, { format: 'flat' })
  358. if (validation && validation.length > 0) {
  359. throw new WIKI.Error.InputInvalid(validation[0])
  360. }
  362. // Check if email domain is whitelisted
  363. if (_.get(localStrg, 'domainWhitelist.v', []).length > 0 && !bypassChecks) {
  364. const emailDomain = _.last(email.split('@'))
  365. if (!_.includes(localStrg.domainWhitelist.v, emailDomain)) {
  366. throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
  367. }
  368. }
  369. // Check if email already exists
  370. const usr = await WIKI.models.users.query().findOne({ email, providerKey: 'local' })
  371. if (!usr) {
  372. // Create the account
  373. const newUsr = await WIKI.models.users.query().insert({
  374. provider: 'local',
  375. email,
  376. name,
  377. password,
  378. locale: 'en',
  379. defaultEditor: 'markdown',
  380. tfaIsActive: false,
  381. isSystem: false,
  382. isActive: true,
  383. isVerified: false
  384. })
  386. if (verify) {
  387. // Create verification token
  388. const verificationToken = await WIKI.models.userKeys.generateToken({
  389. kind: 'verify',
  390. userId: newUsr.id
  391. })
  393. // Send verification email
  394. await WIKI.mail.send({
  395. template: 'accountVerify',
  396. to: email,
  397. subject: 'Verify your account',
  398. data: {
  399. preheadertext: 'Verify your account in order to gain access to the wiki.',
  400. title: 'Verify your account',
  401. content: 'Click the button below in order to verify your account and gain access to the wiki.',
  402. buttonLink: `${WIKI.config.host}/verify/${verificationToken}`,
  403. buttonText: 'Verify'
  404. },
  405. text: `You must open the following link in your browser to verify your account and gain access to the wiki: ${WIKI.config.host}/verify/${verificationToken}`
  406. })
  407. }
  408. return true
  409. } else {
  410. throw new WIKI.Error.AuthAccountAlreadyExists()
  411. }
  412. } else {
  413. throw new WIKI.Error.AuthRegistrationDisabled()
  414. }
  415. }
  417. static async getGuestUser () {
  418. const user = await WIKI.models.users.query().findById(2).eager('groups').modifyEager('groups', builder => {
  419. builder.select('groups.id', 'permissions')
  420. })
  421. if (!user) {
  422. WIKI.logger.error('CRITICAL ERROR: Guest user is missing!')
  423. process.exit(1)
  424. }
  425. return user
  426. }
  427. }