wiki/server/graph/resolvers/user.mjs

import { generateError, generateSuccess } from '../../helpers/graph.mjs'
import _, { isNil } from 'lodash-es'
import path from 'node:path'
import fs from 'fs-extra'
import { DateTime } from 'luxon'
import bcrypt from 'bcryptjs'

export default {
  Query: {
    /**
     * FETCH ALL USERS
     */
    async users (obj, args, context, info) {
      if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
        throw new Error('ERR_FORBIDDEN')
      }

      // -> Sanitize limit
      let limit = args.pageSize ?? 20
      if (limit < 1 || limit > 1000) {
        limit = 1000
      }

      // -> Sanitize offset
      let offset = args.page ?? 1
      if (offset < 1) {
        offset = 1
      }

      // -> Fetch Users
      return WIKI.db.users.query()
        .select('id', 'email', 'name', 'isSystem', 'isActive', 'createdAt', 'lastLoginAt')
        .where(builder => {
          if (args.filter) {
            builder.where('email', 'like', `%${args.filter}%`)
              .orWhere('name', 'like', `%${args.filter}%`)
          }
        })
        .orderBy(args.orderBy ?? 'name', args.orderByDirection ?? 'asc')
        .offset((offset - 1) * limit)
        .limit(limit)
    },
    /**
     * FETCH A SINGLE USER
     */
    async userById (obj, args, context, info) {
      if (!context.req.isAuthenticated || context.req.user.id !== args.id) {
        if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }
      }

      const usr = await WIKI.db.users.query().findById(args.id)

      if (!usr) {
        throw new Error('ERR_INVALID_USER')
      }

      // const str = _.get(WIKI.auth.strategies, usr.providerKey)
      // str.strategy = _.find(WIKI.data.authentication, ['key', str.strategyKey])
      // usr.providerName = str.displayName
      // usr.providerIs2FACapable = _.get(str, 'strategy.useForm', false)

      usr.auth = _.mapValues(usr.auth, (auth, providerKey) => {
        if (auth.password) {
          auth.password = 'redacted'
        }
        if (auth.tfaSecret) {
          auth.tfaSecret = 'redacted'
        }
        return auth
      })

      usr.passkeys = usr.passkeys.authenticators?.map(a => ({
        id: a.id,
        createdAt: DateTime.fromISO(a.createdAt).toJSDate(),
        name: a.name,
        siteHostname: a.rpID
      })) ?? []

      return usr
    },

    async userDefaults (obj, args, context) {
      if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
        throw new Error('ERR_FORBIDDEN')
      }

      return WIKI.config.userDefaults
    },

    async lastLogins (obj, args, context, info) {
      if (!WIKI.auth.checkAccess(context.req.user, ['read:dashboard', 'read:users', 'write:users', 'manage:users'])) {
        throw new Error('ERR_FORBIDDEN')
      }

      return WIKI.db.users.query()
        .select('id', 'name', 'lastLoginAt')
        .whereNotNull('lastLoginAt')
        .orderBy('lastLoginAt', 'desc')
        .limit(10)
    },

    async userPermissions (obj, args, context) {
      if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
        throw new WIKI.Error.AuthRequired()
      }

      const currentUser = await WIKI.db.users.getById(context.req.user.id)
      return currentUser.getPermissions()
    },
    async userPermissionsAtPath (obj, args, context) {
      return []
    }
  },
  Mutation: {
    async createUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['write:users', 'manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.createNewUser({ ...args, isVerified: true })

        return {
          operation: generateSuccess('User created successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async deleteUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        if (args.id <= 2) {
          throw new WIKI.Error.UserDeleteProtected()
        }
        await WIKI.db.users.deleteUser(args.id, args.replaceId)

        WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
        WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })

        return {
          operation: generateSuccess('User deleted successfully')
        }
      } catch (err) {
        if (err.message.indexOf('foreign') >= 0) {
          return generateError(new WIKI.Error.UserDeleteForeignConstraint())
        } else {
          return generateError(err)
        }
      }
    },
    async updateUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.updateUser(args.id, args.patch)

        return {
          operation: generateSuccess('User updated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async verifyUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.query().patch({ isVerified: true }).findById(args.id)

        return {
          operation: generateSuccess('User verified successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async activateUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.query().patch({ isActive: true }).findById(args.id)

        return {
          operation: generateSuccess('User activated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async deactivateUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        if (args.id <= 2) {
          throw new Error('Cannot deactivate system accounts.')
        }
        await WIKI.db.users.query().patch({ isActive: false }).findById(args.id)

        WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
        WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })

        return {
          operation: generateSuccess('User deactivated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async enableUserTFA (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.query().patch({ tfaIsActive: true, tfaSecret: null }).findById(args.id)

        return {
          operation: generateSuccess('User 2FA enabled successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async disableUserTFA (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.users.query().patch({ tfaIsActive: false, tfaSecret: null }).findById(args.id)

        return {
          operation: generateSuccess('User 2FA disabled successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async changeUserPassword (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        if (args.newPassword?.length < 8) {
          throw new Error('ERR_PASSWORD_TOO_SHORT')
        }

        const usr = await WIKI.db.users.query().findById(args.id)
        if (!usr) {
          throw new Error('ERR_INVALID_USER')
        }
        const localAuth = await WIKI.db.authentication.getStrategy('local')

        usr.auth[localAuth.id].password = await bcrypt.hash(args.newPassword, 12)
        if (!isNil(args.mustChangePassword)) {
          usr.auth[localAuth.id].mustChangePwd = args.mustChangePassword
        }

        await WIKI.db.users.query().patch({
          auth: usr.auth
        }).findById(args.id)

        return {
          operation: generateSuccess('User password updated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    async updateProfile (obj, args, context) {
      try {
        if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
          throw new Error('ERR_NOT_AUTHENTICATED')
        }
        const usr = await WIKI.db.users.query().findById(context.req.user.id)
        if (!usr.isActive) {
          throw new Error('ERR_INACTIVE_USER')
        }
        if (!usr.isVerified) {
          throw new Error('ERR_USER_NOT_VERIFIED')
        }

        if (args.dateFormat && !['', 'DD/MM/YYYY', 'DD.MM.YYYY', 'MM/DD/YYYY', 'YYYY-MM-DD', 'YYYY/MM/DD'].includes(args.dateFormat)) {
          throw new Error('ERR_INVALID_INPUT')
        }

        if (args.appearance && !['site', 'light', 'dark'].includes(args.appearance)) {
          throw new Error('ERR_INVALID_INPUT')
        }

        await WIKI.db.users.query().findById(usr.id).patch({
          name: args.name?.trim() ?? usr.name,
          meta: {
            ...usr.meta,
            location: args.location?.trim() ?? usr.meta.location,
            jobTitle: args.jobTitle?.trim() ?? usr.meta.jobTitle,
            pronouns: args.pronouns?.trim() ?? usr.meta.pronouns
          },
          prefs: {
            ...usr.prefs,
            timezone: args.timezone || usr.prefs.timezone,
            dateFormat: args.dateFormat ?? usr.prefs.dateFormat,
            timeFormat: args.timeFormat ?? usr.prefs.timeFormat,
            appearance: args.appearance || usr.prefs.appearance,
            cvd: args.cvd || usr.prefs.cvd
          }
        })

        return {
          operation: generateSuccess('User profile updated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * UPLOAD USER AVATAR
     */
    async uploadUserAvatar (obj, args, context) {
      try {
        if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
          throw new Error('ERR_NOT_AUTHENTICATED')
        }
        const usr = await WIKI.db.users.query().findById(context.req.user.id)
        if (!usr) {
          throw new Error('ERR_INVALID_USER')
        }

        const { filename, mimetype, createReadStream } = await args.image
        const lowercaseFilename = filename.toLowerCase()
        WIKI.logger.debug(`Processing user ${args.id} avatar ${lowercaseFilename} of type ${mimetype}...`)
        if (!WIKI.extensions.ext.sharp.isInstalled) {
          throw new Error('This feature requires the Sharp extension but it is not installed. Contact your wiki administrator.')
        }
        if (!['.png', '.jpg', '.webp', '.gif'].some(s => lowercaseFilename.endsWith(s))) {
          throw new Error('Invalid File Extension. Must be png, jpg, webp or gif.')
        }
        const destFolder = path.resolve(
          process.cwd(),
          WIKI.config.dataPath,
          `assets`
        )
        const destPath = path.join(destFolder, `userav-${args.id}.jpg`)
        await fs.ensureDir(destFolder)
        // -> Resize
        await WIKI.extensions.ext.sharp.resize({
          format: 'jpg',
          inputStream: createReadStream(),
          outputPath: destPath,
          width: 180,
          height: 180
        })
        // -> Set avatar flag for this user in the DB
        usr.$query().patch({ hasAvatar: true })
        // -> Save image data to DB
        const imgBuffer = await fs.readFile(destPath)
        await WIKI.db.knex('userAvatars').insert({
          id: args.id,
          data: imgBuffer
        }).onConflict('id').merge()
        WIKI.logger.debug(`Processed user ${args.id} avatar successfully.`)
        return {
          operation: generateSuccess('User avatar uploaded successfully')
        }
      } catch (err) {
        WIKI.logger.warn(err)
        return generateError(err)
      }
    },
    /**
     * CLEAR USER AVATAR
     */
    async clearUserAvatar (obj, args, context) {
      try {
        if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
          throw new Error('ERR_NOT_AUTHENTICATED')
        }
        const usr = await WIKI.db.users.query().findById(context.req.user.id)
        if (!usr) {
          throw new Error('ERR_INVALID_USER')
        }

        WIKI.logger.debug(`Clearing user ${args.id} avatar...`)
        usr.$query.patch({ hasAvatar: false })
        await WIKI.db.knex('userAvatars').where({ id: args.id }).del()
        WIKI.logger.debug(`Cleared user ${args.id} avatar successfully.`)
        return {
          operation: generateSuccess('User avatar cleared successfully')
        }
      } catch (err) {
        WIKI.logger.warn(err)
        return generateError(err)
      }
    },
    /**
     * UPDATE USER DEFAULTS
     */
    async updateUserDefaults (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        WIKI.config.userDefaults = {
          timezone: args.timezone,
          dateFormat: args.dateFormat,
          timeFormat: args.timeFormat
        }
        await WIKI.configSvc.saveToDb(['userDefaults'])
        return {
          operation: generateSuccess('User defaults saved successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    }
  },
  User: {
    async auth (usr, args, context) {
      const authStrategies = await WIKI.db.authentication.getStrategies({ enabledOnly: true })
      return _.transform(usr.auth, (result, value, key) => {
        const authStrategy = _.find(authStrategies, ['id', key])
        const authModule = _.find(WIKI.data.authentication, ['key', authStrategy.module])
        if (!authStrategy || !authModule) { return }
        result.push({
          authId: key,
          authName: authStrategy.displayName,
          strategyKey: authStrategy.module,
          strategyIcon: authModule.icon,
          config: authStrategy.module === 'local' ? {
            isPasswordSet: value.password?.length > 0,
            isTfaSetup: value.tfaIsActive && value.tfaSecret?.length > 0,
            isTfaRequired: (value.tfaRequired || authStrategy.config.enforceTfa) ?? false,
            mustChangePwd: value.mustChangePwd ?? false,
            restrictLogin: value.restrictLogin ?? false
          } : value
        })
      }, [])
    },
    groups (usr) {
      return usr.$relatedQuery('groups')
    }
  }
}