richard
/
wiki
mirror of https://github.com/Requarks/wiki.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
807 Commits
3 Branches
121 Tags
48 MiB
Tree: b870a4724d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b870a4724d'
${ noResults }
wiki/server/models/users.js

290 lines
8.4 KiB
Raw Normal View History

refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: remove config namespaces
6 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: save page
6 years ago
refactor: migrate to objection.js + knex
6 years ago
refactor: knex remaining models
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
fix: client login
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: token refresh
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
feat: token refresh
6 years ago
feat: auth jwt, permissions, login ui (wip)
6 years ago
refactor: migrate to objection.js + knex
6 years ago
feat: core improvements + local fs provider + UI fixes
6 years ago
refactor: migrate to objection.js + knex
6 years ago
  1. /* global WIKI */
  3. const bcrypt = require('bcryptjs-then')
  4. const _ = require('lodash')
  5. const tfa = require('node-2fa')
  6. const securityHelper = require('../helpers/security')
  7. const jwt = require('jsonwebtoken')
  8. const Model = require('objection').Model
  10. const bcryptRegexp = /^\$2[ayb]\$[0-9]{2}\$[A-Za-z0-9./]{53}$/
  12. /**
  13. * Users model
  14. */
  15. module.exports = class User extends Model {
  16. static get tableName() { return 'users' }
  18. static get jsonSchema () {
  19. return {
  20. type: 'object',
  21. required: ['email', 'name', 'provider'],
  23. properties: {
  24. id: {type: 'integer'},
  25. email: {type: 'string', format: 'email'},
  26. name: {type: 'string', minLength: 1, maxLength: 255},
  27. providerId: {type: 'number'},
  28. password: {type: 'string'},
  29. role: {type: 'string', enum: ['admin', 'guest', 'user']},
  30. tfaIsActive: {type: 'boolean', default: false},
  31. tfaSecret: {type: 'string'},
  32. jobTitle: {type: 'string'},
  33. location: {type: 'string'},
  34. pictureUrl: {type: 'string'},
  35. createdAt: {type: 'string'},
  36. updatedAt: {type: 'string'}
  37. }
  38. }
  39. }
  41. static get relationMappings() {
  42. return {
  43. groups: {
  44. relation: Model.ManyToManyRelation,
  45. modelClass: require('./groups'),
  46. join: {
  47. from: 'users.id',
  48. through: {
  49. from: 'userGroups.userId',
  50. to: 'userGroups.groupId'
  51. },
  52. to: 'groups.id'
  53. }
  54. },
  55. provider: {
  56. relation: Model.BelongsToOneRelation,
  57. modelClass: require('./authentication'),
  58. join: {
  59. from: 'users.providerKey',
  60. to: 'authentication.key'
  61. }
  62. },
  63. defaultEditor: {
  64. relation: Model.BelongsToOneRelation,
  65. modelClass: require('./editors'),
  66. join: {
  67. from: 'users.editorKey',
  68. to: 'editors.key'
  69. }
  70. },
  71. locale: {
  72. relation: Model.BelongsToOneRelation,
  73. modelClass: require('./locales'),
  74. join: {
  75. from: 'users.localeCode',
  76. to: 'locales.code'
  77. }
  78. }
  79. }
  80. }
  82. async $beforeUpdate(opt, context) {
  83. await super.$beforeUpdate(opt, context)
  85. this.updatedAt = new Date().toISOString()
  87. if (!(opt.patch && this.password === undefined)) {
  88. await this.generateHash()
  89. }
  90. }
  91. async $beforeInsert(context) {
  92. await super.$beforeInsert(context)
  94. this.createdAt = new Date().toISOString()
  95. this.updatedAt = new Date().toISOString()
  97. await this.generateHash()
  98. }
  100. async generateHash() {
  101. if (this.password) {
  102. if (bcryptRegexp.test(this.password)) { return }
  103. this.password = await bcrypt.hash(this.password, 12)
  104. }
  105. }
  107. async verifyPassword(pwd) {
  108. if (await bcrypt.compare(pwd, this.password) === true) {
  109. return true
  110. } else {
  111. throw new WIKI.Error.AuthLoginFailed()
  112. }
  113. }
  115. async enableTFA() {
  116. let tfaInfo = tfa.generateSecret({
  117. name: WIKI.config.site.title
  118. })
  119. return this.$query.patch({
  120. tfaIsActive: true,
  121. tfaSecret: tfaInfo.secret
  122. })
  123. }
  125. async disableTFA() {
  126. return this.$query.patch({
  127. tfaIsActive: false,
  128. tfaSecret: ''
  129. })
  130. }
  132. async verifyTFA(code) {
  133. let result = tfa.verifyToken(this.tfaSecret, code)
  134. return (result && _.has(result, 'delta') && result.delta === 0)
  135. }
  137. static async processProfile(profile) {
  138. let primaryEmail = ''
  139. if (_.isArray(profile.emails)) {
  140. let e = _.find(profile.emails, ['primary', true])
  141. primaryEmail = (e) ? e.value : _.first(profile.emails).value
  142. } else if (_.isString(profile.email) && profile.email.length > 5) {
  143. primaryEmail = profile.email
  144. } else if (_.isString(profile.mail) && profile.mail.length > 5) {
  145. primaryEmail = profile.mail
  146. } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
  147. primaryEmail = profile.user.email
  148. } else {
  149. return Promise.reject(new Error(WIKI.lang.t('auth:errors.invaliduseremail')))
  150. }
  152. profile.provider = _.lowerCase(profile.provider)
  153. primaryEmail = _.toLower(primaryEmail)
  155. let user = await WIKI.models.users.query().findOne({
  156. email: primaryEmail,
  157. provider: profile.provider
  158. })
  159. if (user) {
  160. user.$query().patchAdnFetch({
  161. email: primaryEmail,
  162. provider: profile.provider,
  163. providerId: profile.id,
  164. name: profile.displayName || _.split(primaryEmail, '@')[0]
  165. })
  166. } else {
  167. user = await WIKI.models.users.query().insertAndFetch({
  168. email: primaryEmail,
  169. provider: profile.provider,
  170. providerId: profile.id,
  171. name: profile.displayName || _.split(primaryEmail, '@')[0]
  172. })
  173. }
  175. // Handle unregistered accounts
  176. // if (!user && profile.provider !== 'local' && (WIKI.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
  177. // let nUsr = {
  178. // email: primaryEmail,
  179. // provider: profile.provider,
  180. // providerId: profile.id,
  181. // password: '',
  182. // name: profile.displayName || profile.name || profile.cn,
  183. // rights: [{
  184. // role: 'read',
  185. // path: '/',
  186. // exact: false,
  187. // deny: false
  188. // }]
  189. // }
  190. // return WIKI.models.users.query().insert(nUsr)
  191. // }
  193. return user
  194. }
  196. static async login (opts, context) {
  197. if (_.has(WIKI.auth.strategies, opts.strategy)) {
  198. _.set(context.req, 'body.email', opts.username)
  199. _.set(context.req, 'body.password', opts.password)
  201. // Authenticate
  202. return new Promise((resolve, reject) => {
  203. WIKI.auth.passport.authenticate(opts.strategy, { session: false }, async (err, user, info) => {
  204. if (err) { return reject(err) }
  205. if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
  207. // Is 2FA required?
  208. if (user.tfaIsActive) {
  209. try {
  210. let loginToken = await securityHelper.generateToken(32)
  211. await WIKI.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
  212. return resolve({
  213. tfaRequired: true,
  214. tfaLoginToken: loginToken
  215. })
  216. } catch (err) {
  217. WIKI.logger.warn(err)
  218. return reject(new WIKI.Error.AuthGenericError())
  219. }
  220. } else {
  221. // No 2FA, log in user
  222. return context.req.logIn(user, { session: false }, async err => {
  223. if (err) { return reject(err) }
  224. const jwtToken = await WIKI.models.users.refreshToken(user)
  225. resolve({
  226. jwt: jwtToken.token,
  227. tfaRequired: false
  228. })
  229. })
  230. }
  231. })(context.req, context.res, () => {})
  232. })
  233. } else {
  234. throw new WIKI.Error.AuthProviderInvalid()
  235. }
  236. }
  238. static async refreshToken(user) {
  239. if (_.isSafeInteger(user)) {
  240. user = await WIKI.models.users.query().findById(user)
  241. if (!user) {
  242. WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
  243. throw new WIKI.Error.AuthGenericError()
  244. }
  245. }
  246. return {
  247. token: jwt.sign({
  248. id: user.id,
  249. email: user.email,
  250. name: user.name,
  251. pictureUrl: user.pictureUrl,
  252. timezone: user.timezone,
  253. localeCode: user.localeCode,
  254. defaultEditor: user.defaultEditor,
  255. permissions: ['manage:system']
  256. }, WIKI.config.sessionSecret, {
  257. expiresIn: '30m',
  258. audience: 'urn:wiki.js', // TODO: use value from admin
  259. issuer: 'urn:wiki.js'
  260. }),
  261. user
  262. }
  263. }
  265. static async loginTFA(opts, context) {
  266. if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
  267. let result = await WIKI.redis.get(`tfa:${opts.loginToken}`)
  268. if (result) {
  269. let userId = _.toSafeInteger(result)
  270. if (userId && userId > 0) {
  271. let user = await WIKI.models.users.query().findById(userId)
  272. if (user && user.verifyTFA(opts.securityCode)) {
  273. return Promise.fromCallback(clb => {
  274. context.req.logIn(user, clb)
  275. }).return({
  276. succeeded: true,
  277. message: 'Login Successful'
  278. }).catch(err => {
  279. WIKI.logger.warn(err)
  280. throw new WIKI.Error.AuthGenericError()
  281. })
  282. } else {
  283. throw new WIKI.Error.AuthTFAFailed()
  284. }
  285. }
  286. }
  287. }
  288. throw new WIKI.Error.AuthTFAInvalid()
  289. }
  290. }