mirror of https://github.com/requarks/wiki
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
904 lines
27 KiB
904 lines
27 KiB
/* global WIKI */
|
|
|
|
import { difference, find, first, flatten, flattenDeep, get, has, isArray, isEmpty, isNil, isString, last, set, toString, truncate, uniq } from 'lodash-es'
|
|
import tfa from 'node-2fa'
|
|
import jwt from 'jsonwebtoken'
|
|
import { Model } from 'objection'
|
|
import validate from 'validate.js'
|
|
import qr from 'qr-image'
|
|
import bcrypt from 'bcryptjs'
|
|
|
|
import { Group } from './groups.mjs'
|
|
|
|
/**
|
|
* Users model
|
|
*/
|
|
export class User extends Model {
|
|
static get tableName() { return 'users' }
|
|
|
|
static get jsonSchema () {
|
|
return {
|
|
type: 'object',
|
|
required: ['email'],
|
|
|
|
properties: {
|
|
id: {type: 'string'},
|
|
email: {type: 'string'},
|
|
name: {type: 'string', minLength: 1, maxLength: 255},
|
|
pictureUrl: {type: 'string'},
|
|
isSystem: {type: 'boolean'},
|
|
isActive: {type: 'boolean'},
|
|
isVerified: {type: 'boolean'},
|
|
createdAt: {type: 'string'},
|
|
updatedAt: {type: 'string'}
|
|
}
|
|
}
|
|
}
|
|
|
|
static get jsonAttributes() {
|
|
return ['auth', 'meta', 'prefs']
|
|
}
|
|
|
|
static get relationMappings() {
|
|
return {
|
|
groups: {
|
|
relation: Model.ManyToManyRelation,
|
|
modelClass: Group,
|
|
join: {
|
|
from: 'users.id',
|
|
through: {
|
|
from: 'userGroups.userId',
|
|
to: 'userGroups.groupId'
|
|
},
|
|
to: 'groups.id'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
async $beforeUpdate(opt, context) {
|
|
await super.$beforeUpdate(opt, context)
|
|
|
|
this.updatedAt = new Date().toISOString()
|
|
}
|
|
async $beforeInsert(context) {
|
|
await super.$beforeInsert(context)
|
|
|
|
this.createdAt = new Date().toISOString()
|
|
this.updatedAt = new Date().toISOString()
|
|
}
|
|
|
|
// ------------------------------------------------
|
|
// Instance Methods
|
|
// ------------------------------------------------
|
|
|
|
async generateTFA(strategyId, siteId) {
|
|
WIKI.logger.debug(`Generating new TFA secret for user ${this.id}...`)
|
|
const site = WIKI.sites[siteId] ?? WIKI.sites[0] ?? { config: { title: 'Wiki' } }
|
|
const tfaInfo = tfa.generateSecret({
|
|
name: site.config.title,
|
|
account: this.email
|
|
})
|
|
this.auth[strategyId].tfaSecret = tfaInfo.secret
|
|
this.auth[strategyId].tfaIsActive = false
|
|
await this.$query().patch({
|
|
auth: this.auth
|
|
})
|
|
const safeTitle = site.config.title.replace(/[\s-.,=!@#$%?&*()+[\]{}/\\;<>]/g, '')
|
|
return qr.imageSync(`otpauth://totp/${safeTitle}:${this.email}?secret=${tfaInfo.secret}`, { type: 'svg' })
|
|
}
|
|
|
|
async enableTFA(strategyId) {
|
|
this.auth[strategyId].tfaIsActive = true
|
|
return this.$query().patch({
|
|
auth: this.auth
|
|
})
|
|
}
|
|
|
|
async disableTFA(strategyId) {
|
|
this.auth[strategyId].tfaIsActive = false
|
|
return this.$query().patch({
|
|
tfaIsActive: false,
|
|
tfaSecret: ''
|
|
})
|
|
}
|
|
|
|
verifyTFA(strategyId, code) {
|
|
return tfa.verifyToken(this.auth[strategyId].tfaSecret, code)?.delta === 0
|
|
}
|
|
|
|
getPermissions () {
|
|
return uniq(flatten(this.groups.map(g => g.permissions)))
|
|
}
|
|
|
|
getGroups() {
|
|
return uniq(this.groups.map(g => g.id))
|
|
}
|
|
|
|
// ------------------------------------------------
|
|
// Model Methods
|
|
// ------------------------------------------------
|
|
|
|
static async getById(id) {
|
|
return WIKI.db.users.query().findById(id).withGraphFetched('groups').modifyGraph('groups', builder => {
|
|
builder.select('groups.id', 'permissions')
|
|
})
|
|
}
|
|
|
|
static async processProfile({ profile, providerKey }) {
|
|
const provider = get(WIKI.auth.strategies, providerKey, {})
|
|
provider.info = find(WIKI.data.authentication, ['key', provider.stategyKey])
|
|
|
|
// Find existing user
|
|
let user = await WIKI.db.users.query().findOne({
|
|
providerId: toString(profile.id),
|
|
providerKey
|
|
})
|
|
|
|
// Parse email
|
|
let primaryEmail = ''
|
|
if (isArray(profile.emails)) {
|
|
const e = find(profile.emails, ['primary', true])
|
|
primaryEmail = (e) ? e.value : first(profile.emails).value
|
|
} else if (isArray(profile.email)) {
|
|
primaryEmail = first(flattenDeep([profile.email]))
|
|
} else if (isString(profile.email) && profile.email.length > 5) {
|
|
primaryEmail = profile.email
|
|
} else if (isString(profile.mail) && profile.mail.length > 5) {
|
|
primaryEmail = profile.mail
|
|
} else if (profile.user && profile.user.email && profile.user.email.length > 5) {
|
|
primaryEmail = profile.user.email
|
|
} else {
|
|
throw new Error('Missing or invalid email address from profile.')
|
|
}
|
|
primaryEmail = primaryEmail.toLowerCase()
|
|
|
|
// Find pending social user
|
|
if (!user) {
|
|
user = await WIKI.db.users.query().findOne({
|
|
email: primaryEmail,
|
|
providerId: null,
|
|
providerKey
|
|
})
|
|
if (user) {
|
|
user = await user.$query().patchAndFetch({
|
|
providerId: toString(profile.id)
|
|
})
|
|
}
|
|
}
|
|
|
|
// Parse display name
|
|
let displayName = ''
|
|
if (isString(profile.displayName) && profile.displayName.length > 0) {
|
|
displayName = profile.displayName
|
|
} else if (isString(profile.name) && profile.name.length > 0) {
|
|
displayName = profile.name
|
|
} else {
|
|
displayName = primaryEmail.split('@')[0]
|
|
}
|
|
|
|
// Parse picture URL / Data
|
|
let pictureUrl = ''
|
|
if (profile.picture && Buffer.isBuffer(profile.picture)) {
|
|
pictureUrl = 'internal'
|
|
} else {
|
|
pictureUrl = truncate(get(profile, 'picture', get(user, 'pictureUrl', null)), {
|
|
length: 255,
|
|
omission: ''
|
|
})
|
|
}
|
|
|
|
// Update existing user
|
|
if (user) {
|
|
if (!user.isActive) {
|
|
throw new WIKI.Error.AuthAccountBanned()
|
|
}
|
|
if (user.isSystem) {
|
|
throw new Error('This is a system reserved account and cannot be used.')
|
|
}
|
|
|
|
user = await user.$query().patchAndFetch({
|
|
email: primaryEmail,
|
|
name: displayName,
|
|
pictureUrl: pictureUrl
|
|
})
|
|
|
|
if (pictureUrl === 'internal') {
|
|
await WIKI.db.users.updateUserAvatarData(user.id, profile.picture)
|
|
}
|
|
|
|
return user
|
|
}
|
|
|
|
// Self-registration
|
|
if (provider.selfRegistration) {
|
|
// Check if email domain is whitelisted
|
|
if (get(provider, 'domainWhitelist', []).length > 0) {
|
|
const emailDomain = last(primaryEmail.split('@'))
|
|
if (!provider.domainWhitelist.includes(emailDomain)) {
|
|
throw new WIKI.Error.AuthRegistrationDomainUnauthorized()
|
|
}
|
|
}
|
|
|
|
// Create account
|
|
user = await WIKI.db.users.query().insertAndFetch({
|
|
providerKey: providerKey,
|
|
providerId: toString(profile.id),
|
|
email: primaryEmail,
|
|
name: displayName,
|
|
pictureUrl: pictureUrl,
|
|
locale: WIKI.config.lang.code,
|
|
defaultEditor: 'markdown',
|
|
tfaIsActive: false,
|
|
isSystem: false,
|
|
isActive: true,
|
|
isVerified: true
|
|
})
|
|
|
|
// Assign to group(s)
|
|
if (provider.autoEnrollGroups.length > 0) {
|
|
await user.$relatedQuery('groups').relate(provider.autoEnrollGroups)
|
|
}
|
|
|
|
if (pictureUrl === 'internal') {
|
|
await WIKI.db.users.updateUserAvatarData(user.id, profile.picture)
|
|
}
|
|
|
|
return user
|
|
}
|
|
|
|
throw new Error('You are not authorized to login.')
|
|
}
|
|
|
|
/**
|
|
* Login a user
|
|
*/
|
|
static async login ({ strategyId, siteId, username, password }, context) {
|
|
if (has(WIKI.auth.strategies, strategyId)) {
|
|
const selStrategy = WIKI.auth.strategies[strategyId]
|
|
if (!selStrategy.isEnabled) {
|
|
throw new WIKI.Error.AuthProviderInvalid()
|
|
}
|
|
|
|
const strInfo = find(WIKI.data.authentication, ['key', selStrategy.module])
|
|
|
|
// Inject form user/pass
|
|
if (strInfo.useForm) {
|
|
set(context.req, 'body.email', username)
|
|
set(context.req, 'body.password', password)
|
|
set(context.req.params, 'strategy', strategyId)
|
|
}
|
|
|
|
// Authenticate
|
|
return new Promise((resolve, reject) => {
|
|
WIKI.auth.passport.authenticate(selStrategy.id, {
|
|
session: !strInfo.useForm,
|
|
scope: strInfo.scopes ? strInfo.scopes : null
|
|
}, async (err, user, info) => {
|
|
if (err) { return reject(err) }
|
|
if (!user) { return reject(new WIKI.Error.AuthLoginFailed()) }
|
|
|
|
try {
|
|
const resp = await WIKI.db.users.afterLoginChecks(user, selStrategy.id, context, {
|
|
siteId,
|
|
skipTFA: !strInfo.useForm,
|
|
skipChangePwd: !strInfo.useForm
|
|
})
|
|
resolve(resp)
|
|
} catch (err) {
|
|
reject(err)
|
|
}
|
|
})(context.req, context.res, () => {})
|
|
})
|
|
} else {
|
|
throw new WIKI.Error.AuthProviderInvalid()
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Perform post-login checks
|
|
*/
|
|
static async afterLoginChecks (user, strategyId, context, { siteId, skipTFA, skipChangePwd } = { skipTFA: false, skipChangePwd: false, siteId: null }) {
|
|
const str = WIKI.auth.strategies[strategyId]
|
|
if (!str) {
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
}
|
|
|
|
// Get redirect target
|
|
user.groups = await user.$relatedQuery('groups').select('groups.id', 'permissions', 'redirectOnLogin')
|
|
let redirect = '/'
|
|
if (user.groups && user.groups.length > 0) {
|
|
for (const grp of user.groups) {
|
|
if (!isEmpty(grp.redirectOnLogin) && grp.redirectOnLogin !== '/') {
|
|
redirect = grp.redirectOnLogin
|
|
break
|
|
}
|
|
}
|
|
}
|
|
|
|
// Get auth strategy flags
|
|
const authStr = user.auth[strategyId] || {}
|
|
|
|
// Is 2FA required?
|
|
if (!skipTFA) {
|
|
if (authStr.tfaIsActive && authStr.tfaSecret) {
|
|
try {
|
|
const tfaToken = await WIKI.db.userKeys.generateToken({
|
|
kind: 'tfa',
|
|
userId: user.id,
|
|
meta: {
|
|
strategyId
|
|
}
|
|
})
|
|
return {
|
|
nextAction: 'provideTfa',
|
|
continuationToken: tfaToken,
|
|
redirect
|
|
}
|
|
} catch (errc) {
|
|
WIKI.logger.warn(errc)
|
|
throw new WIKI.Error.AuthGenericError()
|
|
}
|
|
} else if (str.config?.enforceTfa || authStr.tfaRequired) {
|
|
try {
|
|
const tfaQRImage = await user.generateTFA(strategyId, siteId)
|
|
const tfaToken = await WIKI.db.userKeys.generateToken({
|
|
kind: 'tfaSetup',
|
|
userId: user.id,
|
|
meta: {
|
|
strategyId
|
|
}
|
|
})
|
|
return {
|
|
nextAction: 'setupTfa',
|
|
continuationToken: tfaToken,
|
|
tfaQRImage,
|
|
redirect
|
|
}
|
|
} catch (errc) {
|
|
WIKI.logger.warn(errc)
|
|
throw new WIKI.Error.AuthGenericError()
|
|
}
|
|
}
|
|
}
|
|
|
|
// Must Change Password?
|
|
if (!skipChangePwd && authStr.mustChangePwd) {
|
|
try {
|
|
const pwdChangeToken = await WIKI.db.userKeys.generateToken({
|
|
kind: 'changePwd',
|
|
userId: user.id,
|
|
meta: {
|
|
strategyId
|
|
}
|
|
})
|
|
|
|
return {
|
|
nextAction: 'changePassword',
|
|
continuationToken: pwdChangeToken,
|
|
redirect
|
|
}
|
|
} catch (errc) {
|
|
WIKI.logger.warn(errc)
|
|
throw new WIKI.Error.AuthGenericError()
|
|
}
|
|
}
|
|
|
|
return new Promise((resolve, reject) => {
|
|
context.req.login(user, { session: false }, async errc => {
|
|
if (errc) { return reject(errc) }
|
|
const jwtToken = await WIKI.db.users.refreshToken(user, strategyId)
|
|
resolve({
|
|
nextAction: 'redirect',
|
|
jwt: jwtToken.token,
|
|
redirect
|
|
})
|
|
})
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Generate a new token for a user
|
|
*/
|
|
static async refreshToken (user) {
|
|
if (isString(user)) {
|
|
user = await WIKI.db.users.query().findById(user).withGraphFetched('groups').modifyGraph('groups', builder => {
|
|
builder.select('groups.id', 'permissions')
|
|
})
|
|
if (!user) {
|
|
WIKI.logger.warn(`Failed to refresh token for user ${user}: Not found.`)
|
|
throw new WIKI.Error.AuthGenericError()
|
|
}
|
|
if (!user.isActive) {
|
|
WIKI.logger.warn(`Failed to refresh token for user ${user}: Inactive.`)
|
|
throw new WIKI.Error.AuthAccountBanned()
|
|
}
|
|
} else if (isNil(user.groups)) {
|
|
user.groups = await user.$relatedQuery('groups').select('groups.id', 'permissions')
|
|
}
|
|
|
|
// Update Last Login Date
|
|
// -> Bypass Objection.js to avoid updating the updatedAt field
|
|
await WIKI.db.knex('users').where('id', user.id).update({ lastLoginAt: new Date().toISOString() })
|
|
|
|
return {
|
|
token: jwt.sign({
|
|
id: user.id,
|
|
email: user.email,
|
|
groups: user.getGroups()
|
|
}, {
|
|
key: WIKI.config.auth.certs.private,
|
|
passphrase: WIKI.config.auth.secret
|
|
}, {
|
|
algorithm: 'RS256',
|
|
expiresIn: WIKI.config.auth.tokenExpiration,
|
|
audience: WIKI.config.auth.audience,
|
|
issuer: 'urn:wiki.js'
|
|
}),
|
|
user
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Verify a TFA login
|
|
*/
|
|
static async loginTFA ({ strategyId, siteId, securityCode, continuationToken, setup }, context) {
|
|
if (securityCode.length === 6 && continuationToken.length > 1) {
|
|
const { user, strategyId: expectedStrategyId } = await WIKI.db.userKeys.validateToken({
|
|
kind: setup ? 'tfaSetup' : 'tfa',
|
|
token: continuationToken,
|
|
skipDelete: setup
|
|
})
|
|
|
|
if (strategyId !== expectedStrategyId) {
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
}
|
|
|
|
if (user) {
|
|
if (user.verifyTFA(strategyId, securityCode)) {
|
|
if (setup) {
|
|
await user.enableTFA(strategyId)
|
|
}
|
|
return WIKI.db.users.afterLoginChecks(user, strategyId, context, { siteId, skipTFA: true })
|
|
} else {
|
|
throw new Error('ERR_TFA_INCORRECT_TOKEN')
|
|
}
|
|
}
|
|
}
|
|
throw new Error('ERR_TFA_INVALID_REQUEST')
|
|
}
|
|
|
|
/**
|
|
* Change Password from a Mandatory Password Change after Login
|
|
*/
|
|
static async loginChangePassword ({ strategyId, siteId, continuationToken, newPassword }, context) {
|
|
if (!newPassword || newPassword.length < 8) {
|
|
throw new Error('ERR_PASSWORD_TOO_SHORT')
|
|
}
|
|
const { user, strategyId: expectedStrategyId } = await WIKI.db.userKeys.validateToken({
|
|
kind: 'changePwd',
|
|
token: continuationToken
|
|
})
|
|
|
|
if (strategyId !== expectedStrategyId) {
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
}
|
|
|
|
if (user) {
|
|
user.auth[strategyId].password = await bcrypt.hash(newPassword, 12)
|
|
user.auth[strategyId].mustChangePwd = false
|
|
await user.$query().patch({
|
|
auth: user.auth
|
|
})
|
|
|
|
return WIKI.db.users.afterLoginChecks(user, strategyId, context, { siteId, skipChangePwd: true, skipTFA: true })
|
|
} else {
|
|
throw new Error('ERR_INVALID_USER')
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Change Password from Profile
|
|
*/
|
|
static async changePassword ({ strategyId, siteId, currentPassword, newPassword }, context) {
|
|
const userId = context.req.user?.id
|
|
if (!userId) {
|
|
throw new Error('ERR_NOT_AUTHENTICATED')
|
|
}
|
|
|
|
const user = await WIKI.db.users.query().findById(userId)
|
|
if (!user) {
|
|
throw new Error('ERR_INVALID_USER')
|
|
}
|
|
|
|
if (!newPassword || newPassword.length < 8) {
|
|
throw new Error('ERR_PASSWORD_TOO_SHORT')
|
|
}
|
|
|
|
if (!user.auth[strategyId]?.password) {
|
|
throw new Error('ERR_INVALID_STRATEGY')
|
|
}
|
|
|
|
if (await bcrypt.compare(currentPassword, user.auth[strategyId].password) !== true) {
|
|
throw new Error('ERR_INCORRECT_CURRENT_PASSWORD')
|
|
}
|
|
|
|
user.auth[strategyId].password = await bcrypt.hash(newPassword, 12)
|
|
user.auth[strategyId].mustChangePwd = false
|
|
|
|
await user.$query().patch({
|
|
auth: user.auth
|
|
})
|
|
|
|
return true
|
|
}
|
|
|
|
/**
|
|
* Send a password reset request
|
|
*/
|
|
static async loginForgotPassword ({ email }, context) {
|
|
const usr = await WIKI.db.users.query().where({
|
|
email,
|
|
providerKey: 'local'
|
|
}).first()
|
|
if (!usr) {
|
|
WIKI.logger.debug(`Password reset attempt on nonexistant local account ${email}: [DISCARDED]`)
|
|
return
|
|
}
|
|
const resetToken = await WIKI.db.userKeys.generateToken({
|
|
userId: usr.id,
|
|
kind: 'resetPwd'
|
|
})
|
|
|
|
await WIKI.mail.send({
|
|
template: 'accountResetPwd',
|
|
to: email,
|
|
subject: `Password Reset Request`,
|
|
data: {
|
|
preheadertext: `A password reset was requested for ${WIKI.config.title}`,
|
|
title: `A password reset was requested for ${WIKI.config.title}`,
|
|
content: `Click the button below to reset your password. If you didn't request this password reset, simply discard this email.`,
|
|
buttonLink: `${WIKI.config.host}/login-reset/${resetToken}`,
|
|
buttonText: 'Reset Password'
|
|
},
|
|
text: `A password reset was requested for wiki ${WIKI.config.title}. Open the following link to proceed: ${WIKI.config.host}/login-reset/${resetToken}`
|
|
})
|
|
}
|
|
|
|
/**
|
|
* Create a new user
|
|
*
|
|
* @param {Object} param0 User Fields
|
|
*/
|
|
static async createNewUser ({ email, password, name, groups, userInitiated = false, mustChangePassword = false, sendWelcomeEmail = false, sendWelcomeEmailFromSiteId }) {
|
|
const localAuth = await WIKI.db.authentication.getStrategy('local')
|
|
|
|
// Check if self-registration is enabled
|
|
if (userInitiated && !localAuth.registration) {
|
|
throw new Error('ERR_REGISTRATION_DISABLED')
|
|
}
|
|
|
|
// Input sanitization
|
|
email = email.toLowerCase().trim()
|
|
|
|
// Input validation
|
|
const validation = validate({
|
|
email,
|
|
password,
|
|
name
|
|
}, {
|
|
email: {
|
|
email: true,
|
|
length: {
|
|
maximum: 255
|
|
}
|
|
},
|
|
password: {
|
|
presence: {
|
|
allowEmpty: false
|
|
},
|
|
length: {
|
|
minimum: 6
|
|
}
|
|
},
|
|
name: {
|
|
presence: {
|
|
allowEmpty: false
|
|
},
|
|
length: {
|
|
minimum: 2,
|
|
maximum: 255
|
|
}
|
|
}
|
|
}, { format: 'flat' })
|
|
|
|
if (validation && validation.length > 0) {
|
|
throw new Error(`ERR_INVALID_INPUT: ${validation[0]}`)
|
|
}
|
|
|
|
// Check if email address is allowed
|
|
if (userInitiated && localAuth.allowedEmailRegex) {
|
|
const emailCheckRgx = new RegExp(localAuth.allowedEmailRegex, 'i')
|
|
if (!emailCheckRgx.test(email)) {
|
|
throw new Error('ERR_EMAIL_ADDRESS_NOT_ALLOWED')
|
|
}
|
|
}
|
|
|
|
// Check if email already exists
|
|
const usr = await WIKI.db.users.query().findOne({ email })
|
|
if (usr) {
|
|
throw new Error('ERR_DUPLICATE_ACCOUNT_EMAIL')
|
|
}
|
|
|
|
// Check if site ID is provided when send welcome email is enabled
|
|
if (sendWelcomeEmail && !sendWelcomeEmailFromSiteId) {
|
|
throw new Error('ERR_INVALID_SITE')
|
|
}
|
|
|
|
WIKI.logger.debug(`Creating new user account for ${email}...`)
|
|
|
|
// Create the account
|
|
const newUsr = await WIKI.db.users.query().insert({
|
|
email,
|
|
name,
|
|
auth: {
|
|
[localAuth.id]: {
|
|
password: await bcrypt.hash(password, 12),
|
|
mustChangePwd: mustChangePassword,
|
|
restrictLogin: false,
|
|
tfaRequired: false,
|
|
tfaSecret: ''
|
|
}
|
|
},
|
|
hasAvatar: false,
|
|
isSystem: false,
|
|
isActive: true,
|
|
isVerified: true,
|
|
meta: {
|
|
jobTitle: '',
|
|
location: '',
|
|
pronouns: ''
|
|
},
|
|
prefs: {
|
|
cvd: 'none',
|
|
timezone: WIKI.config.userDefaults.timezone || 'America/New_York',
|
|
appearance: 'site',
|
|
dateFormat: WIKI.config.userDefaults.dateFormat || 'YYYY-MM-DD',
|
|
timeFormat: WIKI.config.userDefaults.timeFormat || '12h'
|
|
}
|
|
}).returning('*')
|
|
|
|
// Assign to group(s)
|
|
const groupsToEnroll = [WIKI.data.systemIds.usersGroupId]
|
|
if (groups?.length > 0) {
|
|
groupsToEnroll.push(...groups)
|
|
}
|
|
if (userInitiated && localAuth.autoEnrollGroups?.length > 0) {
|
|
groupsToEnroll.push(...localAuth.autoEnrollGroups)
|
|
}
|
|
await newUsr.$relatedQuery('groups').relate(uniq(groupsToEnroll))
|
|
|
|
// Verification Email
|
|
if (userInitiated && localAuth.config?.emailValidation) {
|
|
// Create verification token
|
|
const verificationToken = await WIKI.db.userKeys.generateToken({
|
|
kind: 'verify',
|
|
userId: newUsr.id
|
|
})
|
|
|
|
// TODO: Handle multilingual text
|
|
// Send verification email
|
|
await WIKI.mail.send({
|
|
template: 'UserVerify',
|
|
to: email,
|
|
subject: 'Verify your account',
|
|
data: {
|
|
preheadertext: 'Verify your account in order to gain access to the wiki.',
|
|
title: 'Verify your account',
|
|
content: 'Click the button below in order to verify your account and gain access to the wiki.',
|
|
buttonLink: `${WIKI.config.mail.defaultBaseURL}/verify/${verificationToken}`,
|
|
buttonText: 'Verify'
|
|
},
|
|
text: `You must open the following link in your browser to verify your account and gain access to the wiki: ${WIKI.config.mail.defaultBaseURL}/verify/${verificationToken}`
|
|
})
|
|
} else if (sendWelcomeEmail) {
|
|
// TODO: Handle multilingual text
|
|
const site = WIKI.sites[sendWelcomeEmailFromSiteId]
|
|
if (site) {
|
|
const siteUrl = site.hostname === '*' ? WIKI.config.mail.defaultBaseURL : `https://${site.hostname}`
|
|
// Send welcome email
|
|
await WIKI.mail.send({
|
|
template: 'UserWelcome',
|
|
to: email,
|
|
subject: `Welcome to the wiki ${site.config.title}`,
|
|
data: {
|
|
siteTitle: site.config.title,
|
|
preview: `You've been invited to the wiki ${site.config.title}`,
|
|
title: `You've been invited to the wiki ${site.config.title}`,
|
|
content: `Click the button below to access the wiki.`,
|
|
email,
|
|
password,
|
|
buttonLink: `${siteUrl}/login`,
|
|
buttonText: 'Login',
|
|
logo: `${siteUrl}/_site/logo`
|
|
},
|
|
text: `You've been invited to the wiki ${site.config.title}: ${siteUrl}/login`
|
|
})
|
|
} else {
|
|
WIKI.logger.warn('An invalid site ID was provided when creating user. No welcome email was sent.')
|
|
throw new Error('ERR_INVALID_SITE')
|
|
}
|
|
}
|
|
|
|
WIKI.logger.debug(`Created new user account for ${email} successfully.`)
|
|
|
|
return newUsr
|
|
}
|
|
|
|
/**
|
|
* Update an existing user
|
|
*
|
|
* @param {Object} param0 User ID and fields to update
|
|
*/
|
|
static async updateUser (id, { email, name, groups, auth, isVerified, isActive, meta, prefs }) {
|
|
const usr = await WIKI.db.users.query().findById(id)
|
|
if (usr) {
|
|
let usrData = {}
|
|
if (!isEmpty(email) && email !== usr.email) {
|
|
const dupUsr = await WIKI.db.users.query().select('id').where({ email }).first()
|
|
if (dupUsr) {
|
|
throw new Error('ERR_DUPLICATE_ACCOUNT_EMAIL')
|
|
}
|
|
usrData.email = email.toLowerCase()
|
|
}
|
|
if (!isEmpty(name) && name !== usr.name) {
|
|
usrData.name = name.trim()
|
|
}
|
|
if (isArray(groups)) {
|
|
const usrGroupsRaw = await usr.$relatedQuery('groups')
|
|
const usrGroups = usrGroupsRaw.map(g => g.id)
|
|
// Relate added groups
|
|
const addUsrGroups = difference(groups, usrGroups)
|
|
for (const grp of addUsrGroups) {
|
|
await usr.$relatedQuery('groups').relate(grp)
|
|
}
|
|
// Unrelate removed groups
|
|
const remUsrGroups = difference(usrGroups, groups)
|
|
for (const grp of remUsrGroups) {
|
|
await usr.$relatedQuery('groups').unrelate().where('groupId', grp)
|
|
}
|
|
}
|
|
if (!isNil(auth?.tfaRequired)) {
|
|
usr.auth[WIKI.data.systemIds.localAuthId].tfaRequired = auth.tfaRequired
|
|
usrData.auth = usr.auth
|
|
}
|
|
if (!isNil(auth?.mustChangePwd)) {
|
|
usr.auth[WIKI.data.systemIds.localAuthId].mustChangePwd = auth.mustChangePwd
|
|
usrData.auth = usr.auth
|
|
}
|
|
if (!isNil(auth?.restrictLogin)) {
|
|
usr.auth[WIKI.data.systemIds.localAuthId].restrictLogin = auth.restrictLogin
|
|
usrData.auth = usr.auth
|
|
}
|
|
if (!isNil(isVerified)) {
|
|
usrData.isVerified = isVerified
|
|
}
|
|
if (!isNil(isActive)) {
|
|
usrData.isVerified = isActive
|
|
}
|
|
if (!isEmpty(meta)) {
|
|
usrData.meta = meta
|
|
}
|
|
if (!isEmpty(prefs)) {
|
|
usrData.prefs = prefs
|
|
}
|
|
await WIKI.db.users.query().patch(usrData).findById(id)
|
|
} else {
|
|
throw new WIKI.Error.UserNotFound()
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Delete a User
|
|
*
|
|
* @param {*} id User ID
|
|
*/
|
|
static async deleteUser (id, replaceId) {
|
|
const usr = await WIKI.db.users.query().findById(id)
|
|
if (usr) {
|
|
await WIKI.db.assets.query().patch({ authorId: replaceId }).where('authorId', id)
|
|
await WIKI.db.comments.query().patch({ authorId: replaceId }).where('authorId', id)
|
|
await WIKI.db.pageHistory.query().patch({ authorId: replaceId }).where('authorId', id)
|
|
await WIKI.db.pages.query().patch({ authorId: replaceId }).where('authorId', id)
|
|
await WIKI.db.pages.query().patch({ creatorId: replaceId }).where('creatorId', id)
|
|
|
|
await WIKI.db.userKeys.query().delete().where('userId', id)
|
|
await WIKI.db.users.query().deleteById(id)
|
|
} else {
|
|
throw new WIKI.Error.UserNotFound()
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Logout the current user
|
|
*/
|
|
static async logout (context) {
|
|
if (!context.req.user || context.req.user.id === WIKI.config.auth.guestUserId) {
|
|
return '/'
|
|
}
|
|
if (context.req.user.strategyId && has(WIKI.auth.strategies, context.req.user.strategyId)) {
|
|
const selStrategy = WIKI.auth.strategies[context.req.user.strategyId]
|
|
if (!selStrategy.isEnabled) {
|
|
throw new WIKI.Error.AuthProviderInvalid()
|
|
}
|
|
const provider = find(WIKI.data.authentication, ['key', selStrategy.module])
|
|
if (provider.logout) {
|
|
return provider.logout(provider.config)
|
|
}
|
|
}
|
|
return '/'
|
|
}
|
|
|
|
static async getGuestUser () {
|
|
const user = await WIKI.db.users.query().findById(WIKI.config.auth.guestUserId).withGraphJoined('groups').modifyGraph('groups', builder => {
|
|
builder.select('groups.id', 'permissions')
|
|
})
|
|
if (!user) {
|
|
WIKI.logger.error('CRITICAL ERROR: Guest user is missing!')
|
|
process.exit(1)
|
|
}
|
|
user.permissions = user.getPermissions()
|
|
return user
|
|
}
|
|
|
|
static async getRootUser () {
|
|
let user = await WIKI.db.users.query().findById(WIKI.config.auth.rootAdminUserId)
|
|
if (!user) {
|
|
WIKI.logger.error('CRITICAL ERROR: Root Administrator user is missing!')
|
|
process.exit(1)
|
|
}
|
|
user.permissions = ['manage:system']
|
|
return user
|
|
}
|
|
|
|
/**
|
|
* Add / Update User Avatar Data
|
|
*/
|
|
static async updateUserAvatarData (userId, data) {
|
|
try {
|
|
WIKI.logger.debug(`Updating user ${userId} avatar data...`)
|
|
if (data.length > 1024 * 1024) {
|
|
throw new Error('Avatar image filesize is too large. 1MB max.')
|
|
}
|
|
const existing = await WIKI.db.knex('userAvatars').select('id').where('id', userId).first()
|
|
if (existing) {
|
|
await WIKI.db.knex('userAvatars').where({
|
|
id: userId
|
|
}).update({
|
|
data
|
|
})
|
|
} else {
|
|
await WIKI.db.knex('userAvatars').insert({
|
|
id: userId,
|
|
data
|
|
})
|
|
}
|
|
} catch (err) {
|
|
WIKI.logger.warn(`Failed to process binary thumbnail data for user ${userId}: ${err.message}`)
|
|
}
|
|
}
|
|
|
|
static async getUserAvatarData (userId) {
|
|
try {
|
|
const usrData = await WIKI.db.knex('userAvatars').where('id', userId).first()
|
|
if (usrData) {
|
|
return usrData.data
|
|
} else {
|
|
return null
|
|
}
|
|
} catch (err) {
|
|
WIKI.logger.warn(`Failed to process binary thumbnail data for user ${userId}`)
|
|
}
|
|
}
|
|
}
|