'use strict'; const async = require('async'); const config = require('config'); const request = require('request'); const bcrypt = require('bcrypt'); const db = require('../db'); const mail = require('../mail'); const cache = require('../cache'); const utils = require('../utils'); const hooks = require('./hooks'); const sha256 = require('sha256'); const logger = require('../logger'); cache.sub('user.updateUsername', user => { utils.socketsFromUser(user._id, sockets => { sockets.forEach(socket => { socket.emit('event:user.username.changed', user.username); }); }); }); cache.sub('user.linkPassword', userId => { console.log("LINK4", userId); utils.socketsFromUser(userId, sockets => { sockets.forEach(socket => { socket.emit('event:user.linkPassword'); }); }); }); cache.sub('user.linkGitHub', userId => { console.log("LINK1", userId); utils.socketsFromUser(userId, sockets => { sockets.forEach(socket => { socket.emit('event:user.linkGitHub'); }); }); }); cache.sub('user.unlinkPassword', userId => { console.log("LINK2", userId); utils.socketsFromUser(userId, sockets => { sockets.forEach(socket => { socket.emit('event:user.unlinkPassword'); }); }); }); cache.sub('user.unlinkGitHub', userId => { console.log("LINK3", userId); utils.socketsFromUser(userId, sockets => { sockets.forEach(socket => { socket.emit('event:user.unlinkGitHub'); }); }); }); module.exports = { /** * Lists all Users * * @param {Object} session - the session object automatically added by socket.io * @param {Function} cb - gets called with the result */ index: hooks.adminRequired((session, cb) => { async.waterfall([ (next) => { db.models.user.find({}).exec(next); } ], (err, users) => { if (err) { err = utils.getError(err); logger.error("USER_INDEX", `Indexing users failed. "${err}"`); return cb({status: 'failure', message: err}); } else { logger.success("USER_INDEX", `Indexing users successful.`); let filteredUsers = []; users.forEach(user => { filteredUsers.push({ _id: user._id, username: user.username, role: user.role, liked: user.liked, disliked: user.disliked, songsRequested: user.statistics.songsRequested, email: { address: user.email.address, verified: user.email.verified }, hasPassword: !!user.services.password, services: { github: user.services.github } }); }); return cb({ status: 'success', data: filteredUsers }); } }); }), /** * Logs user in * * @param {Object} session - the session object automatically added by socket.io * @param {String} identifier - the email of the user * @param {String} password - the plaintext of the user * @param {Function} cb - gets called with the result */ login: (session, identifier, password, cb) => { identifier = identifier.toLowerCase(); async.waterfall([ // check if a user with the requested identifier exists (next) => { db.models.user.findOne({ $or: [{ 'email.address': identifier }] }, next) }, // if the user doesn't exist, respond with a failure // otherwise compare the requested password and the actual users password (user, next) => { if (!user) return next('User not found'); if (!user.services.password || !user.services.password.password) return next('The account you are trying to access uses GitHub to log in.'); bcrypt.compare(sha256(password), user.services.password.password, (err, match) => { if (err) return next(err); if (!match) return next('Incorrect password'); next(null, user); }); }, (user, next) => { let sessionId = utils.guid(); cache.hset('sessions', sessionId, cache.schemas.session(sessionId, user._id), (err) => { if (err) return next(err); next(null, sessionId); }); } ], (err, sessionId) => { if (err && err !== true) { err = utils.getError(err); logger.error("USER_PASSWORD_LOGIN", `Login failed with password for user "${identifier}". "${err}"`); return cb({status: 'failure', message: err}); } logger.success("USER_PASSWORD_LOGIN", `Login successful with password for user "${identifier}"`); cb({ status: 'success', message: 'Login successful', user: {}, SID: sessionId }); }); }, /** * Registers a new user * * @param {Object} session - the session object automatically added by socket.io * @param {String} username - the username for the new user * @param {String} email - the email for the new user * @param {String} password - the plaintext password for the new user * @param {Object} recaptcha - the recaptcha data * @param {Function} cb - gets called with the result */ register: function(session, username, email, password, recaptcha, cb) { email = email.toLowerCase(); let verificationToken = utils.generateRandomString(64); async.waterfall([ // verify the request with google recaptcha (next) => { if (!db.passwordValid(password)) return next('Invalid password. Check if it meets all the requirements.'); return next(); }, (next) => { request({ url: 'https://www.google.com/recaptcha/api/siteverify', method: 'POST', form: { 'secret': config.get("apis").recaptcha.secret, 'response': recaptcha } }, next); }, // check if the response from Google recaptcha is successful // if it is, we check if a user with the requested username already exists (response, body, next) => { let json = JSON.parse(body); if (json.success !== true) return next('Response from recaptcha was not successful.'); db.models.user.findOne({ username: new RegExp(`^${username}$`, 'i') }, next); }, // if the user already exists, respond with that // otherwise check if a user with the requested email already exists (user, next) => { if (user) return next('A user with that username already exists.'); db.models.user.findOne({ 'email.address': email }, next); }, // if the user already exists, respond with that // otherwise, generate a salt to use with hashing the new users password (user, next) => { if (user) return next('A user with that email already exists.'); bcrypt.genSalt(10, next); }, // hash the password (salt, next) => { bcrypt.hash(sha256(password), salt, next) }, // save the new user to the database (hash, next) => { db.models.user.create({ _id: utils.generateRandomString(12),//TODO Check if exists username, email: { address: email, verificationToken }, services: { password: { password: hash } } }, next); }, // respond with the new user (newUser, next) => { //TODO Send verification email mail.schemas.verifyEmail(email, username, verificationToken, () => { next(); }); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("USER_PASSWORD_REGISTER", `Register failed with password for user "${username}"."${err}"`); cb({status: 'failure', message: err}); } else { module.exports.login(session, email, password, (result) => { let obj = {status: 'success', message: 'Successfully registered.'}; if (result.status === 'success') { obj.SID = result.SID; } logger.success("USER_PASSWORD_REGISTER", `Register successful with password for user "${username}".`); cb(obj); }); } }); }, /** * Logs out a user * * @param {Object} session - the session object automatically added by socket.io * @param {Function} cb - gets called with the result */ logout: (session, cb) => { async.waterfall([ (next) => { cache.hget('sessions', session.sessionId, next); }, (session, next) => { if (!session) return next('Session not found'); next(null, session); }, (session, next) => { cache.hdel('sessions', session.sessionId, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("USER_LOGOUT", `Logout failed. "${err}" `); cb({status: 'failure', message: err}); } else { logger.success("USER_LOGOUT", `Logout successful.`); cb({status: 'success', message: 'Successfully logged out.'}); } }); }, /** * Gets user object from username (only a few properties) * * @param {Object} session - the session object automatically added by socket.io * @param {String} username - the username of the user we are trying to find * @param {Function} cb - gets called with the result */ findByUsername: (session, username, cb) => { async.waterfall([ (next) => { db.models.user.findOne({ username: new RegExp(`^${username}$`, 'i') }, next); }, (account, next) => { if (!account) return next('User not found.'); next(null, account); } ], (err, account) => { if (err && err !== true) { err = utils.getError(err); logger.error("FIND_BY_USERNAME", `User not found for username "${username}". "${err}"`); cb({status: 'failure', message: err}); } else { logger.success("FIND_BY_USERNAME", `User found for username "${username}".`); return cb({ status: 'success', data: { _id: account._id, username: account.username, role: account.role, email: account.email.address, createdAt: account.createdAt, statistics: account.statistics, liked: account.liked, disliked: account.disliked } }); } }); }, //TODO Fix security issues /** * Gets user info from session * * @param {Object} session - the session object automatically added by socket.io * @param {Function} cb - gets called with the result */ findBySession: (session, cb) => { async.waterfall([ (next) => { cache.hget('sessions', session.sessionId, next); }, (session, next) => { if (!session) return next('Session not found.'); next(null, session); }, (session, next) => { db.models.user.findOne({ _id: session.userId }, next); }, (user, next) => { if (!user) return next('User not found.'); next(null, user); } ], (err, user) => { if (err && err !== true) { err = utils.getError(err); logger.error("FIND_BY_SESSION", `User not found. "${err}"`); cb({status: 'failure', message: err}); } else { let data = { email: { address: user.email.address }, username: user.username }; if (user.services.password && user.services.password.password) data.password = true; if (user.services.github && user.services.github.id) data.github = true; logger.success("FIND_BY_SESSION", `User found. "${user.username}".`); return cb({ status: 'success', data }); } }); }, /** * Updates a user's username * * @param {Object} session - the session object automatically added by socket.io * @param {String} updatingUserId - the updating user's id * @param {String} newUsername - the new username * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ updateUsername: hooks.loginRequired((session, updatingUserId, newUsername, cb, userId) => { async.waterfall([ (next) => { if (updatingUserId === userId) return next(null, true); db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (user !== true && (!user || user.role !== 'admin')) return next('Invalid permissions.'); db.models.user.findOne({ _id: updatingUserId }, next); }, (user, next) => { if (!user) return next('User not found.'); if (user.username === newUsername) return next('New username can\'t be the same as the old username.'); next(null); }, (next) => { db.models.user.findOne({ username: new RegExp(`^${newUsername}$`, 'i') }, next); }, (user, next) => { if (!user) return next(); if (user._id === updatingUserId) return next(); next('That username is already in use.'); }, (next) => { db.models.user.update({ _id: updatingUserId }, {$set: {username: newUsername}}, {runValidators: true}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("UPDATE_USERNAME", `Couldn't update username for user "${updatingUserId}" to username "${newUsername}". "${err}"`); cb({status: 'failure', message: err}); } else { cache.pub('user.updateUsername', { username: newUsername, _id: updatingUserId }); logger.success("UPDATE_USERNAME", `Updated username for user "${updatingUserId}" to username "${newUsername}".`); cb({ status: 'success', message: 'Username updated successfully' }); } }); }), /** * Updates a user's email * * @param {Object} session - the session object automatically added by socket.io * @param {String} updatingUserId - the updating user's id * @param {String} newEmail - the new email * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ updateEmail: hooks.loginRequired((session, updatingUserId, newEmail, cb, userId) => { newEmail = newEmail.toLowerCase(); let verificationToken = utils.generateRandomString(64); async.waterfall([ (next) => { if (updatingUserId === userId) return next(null, true); db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (user !== true && (!user || user.role !== 'admin')) return next('Invalid permissions.'); db.models.user.findOne({ _id: updatingUserId }, next); }, (user, next) => { if (!user) return next('User not found.'); if (user.email.address === newEmail) return next('New email can\'t be the same as your the old email.'); next(); }, (next) => { db.models.user.findOne({"email.address": newEmail}, next); }, (user, next) => { if (!user) return next(); if (user._id === updatingUserId) return next(); next('That email is already in use.'); }, (next) => { db.models.user.update({_id: updatingUserId}, {$set: {"email.address": newEmail, "email.verified": false, "email.verificationToken": verificationToken}}, {runValidators: true}, next); }, (res, next) => { db.models.user.findOne({ _id: updatingUserId }, next); }, (user, next) => { mail.schemas.verifyEmail(newEmail, user.username, verificationToken, () => { next(); }); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("UPDATE_EMAIL", `Couldn't update email for user "${updatingUserId}" to email "${newEmail}". '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("UPDATE_EMAIL", `Updated email for user "${updatingUserId}" to email "${newEmail}".`); cb({ status: 'success', message: 'Email updated successfully.' }); } }); }), /** * Updates a user's role * * @param {Object} session - the session object automatically added by socket.io * @param {String} updatingUserId - the updating user's id * @param {String} newRole - the new role * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ updateRole: hooks.adminRequired((session, updatingUserId, newRole, cb, userId) => { newRole = newRole.toLowerCase(); async.waterfall([ (next) => { db.models.user.findOne({ _id: updatingUserId }, next); }, (user, next) => { if (!user) return next('User not found.'); else if (user.role === newRole) return next('New role can\'t be the same as the old role.'); else return next(); }, (next) => { db.models.user.update({_id: updatingUserId}, {$set: {role: newRole}}, {runValidators: true}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("UPDATE_ROLE", `User "${userId}" couldn't update role for user "${updatingUserId}" to role "${newRole}". "${err}"`); cb({status: 'failure', message: err}); } else { logger.success("UPDATE_ROLE", `User "${userId}" updated the role of user "${updatingUserId}" to role "${newRole}".`); cb({ status: 'success', message: 'Role successfully updated.' }); } }); }), /** * Updates a user's password * * @param {Object} session - the session object automatically added by socket.io * @param {String} newPassword - the new password * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ updatePassword: hooks.loginRequired((session, newPassword, cb, userId) => { async.waterfall([ (next) => { db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (!user.services.password) return next('This account does not have a password set.'); next(); }, (next) => { if (!db.passwordValid(newPassword)) return next('Invalid password. Check if it meets all the requirements.'); return next(); }, (next) => { bcrypt.genSalt(10, next); }, // hash the password (salt, next) => { bcrypt.hash(sha256(newPassword), salt, next); }, (hashedPassword, next) => { db.models.user.update({_id: userId}, {$set: {"services.password.password": hashedPassword}}, next); } ], (err) => { if (err) { err = utils.getError(err); logger.error("UPDATE_PASSWORD", `Failed updating user password of user '${userId}'. '${err}'.`); return cb({ status: 'failure', message: err }); } logger.success("UPDATE_PASSWORD", `User '${userId}' updated their password.`); cb({ status: 'success', message: 'Password successfully updated.' }); }); }), /** * Requests a password for a session * * @param {Object} session - the session object automatically added by socket.io * @param {String} email - the email of the user that requests a password reset * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ requestPassword: hooks.loginRequired((session, cb, userId) => { let code = utils.generateRandomString(8); async.waterfall([ (next) => { db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (!user) return next('User not found.'); if (user.services.password && user.services.password.password) return next('You already have a password set.'); next(null, user); }, (user, next) => { let expires = new Date(); expires.setDate(expires.getDate() + 1); db.models.user.findOneAndUpdate({"email.address": user.email.address}, {$set: {"services.password": {set: {code: code, expires}}}}, {runValidators: true}, next); }, (user, next) => { mail.schemas.passwordRequest(user.email.address, user.username, code, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("REQUEST_PASSWORD", `UserId '${userId}' failed to request password. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("REQUEST_PASSWORD", `UserId '${userId}' successfully requested a password.`); cb({ status: 'success', message: 'Successfully requested password.' }); } }); }), /** * Verifies a password code * * @param {Object} session - the session object automatically added by socket.io * @param {String} code - the password code * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ verifyPasswordCode: hooks.loginRequired((session, code, cb, userId) => { async.waterfall([ (next) => { if (!code || typeof code !== 'string') return next('Invalid code1.'); db.models.user.findOne({"services.password.set.code": code, _id: userId}, next); }, (user, next) => { if (!user) return next('Invalid code2.'); if (user.services.password.set.expires < new Date()) return next('That code has expired.'); next(null); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("VERIFY_PASSWORD_CODE", `Code '${code}' failed to verify. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("VERIFY_PASSWORD_CODE", `Code '${code}' successfully verified.`); cb({ status: 'success', message: 'Successfully verified password code.' }); } }); }), /** * Adds a password to a user with a code * * @param {Object} session - the session object automatically added by socket.io * @param {String} code - the password code * @param {String} newPassword - the new password code * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ changePasswordWithCode: hooks.loginRequired((session, code, newPassword, cb, userId) => { async.waterfall([ (next) => { if (!code || typeof code !== 'string') return next('Invalid code1.'); db.models.user.findOne({"services.password.set.code": code}, next); }, (user, next) => { if (!user) return next('Invalid code2.'); if (!user.services.password.set.expires > new Date()) return next('That code has expired.'); next(); }, (next) => { if (!db.passwordValid(newPassword)) return next('Invalid password. Check if it meets all the requirements.'); return next(); }, (next) => { bcrypt.genSalt(10, next); }, // hash the password (salt, next) => { bcrypt.hash(sha256(newPassword), salt, next); }, (hashedPassword, next) => { db.models.user.update({"services.password.set.code": code}, {$set: {"services.password.password": hashedPassword}, $unset: {"services.password.set": ''}}, {runValidators: true}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("ADD_PASSWORD_WITH_CODE", `Code '${code}' failed to add password. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("ADD_PASSWORD_WITH_CODE", `Code '${code}' successfully added password.`); cache.pub('user.linkPassword', userId); cb({ status: 'success', message: 'Successfully added password.' }); } }); }), /** * Unlinks password from user * * @param {Object} session - the session object automatically added by socket.io * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ unlinkPassword: hooks.loginRequired((session, cb, userId) => { async.waterfall([ (next) => { db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (!user) return next('Not logged in.'); if (!user.services.github || !user.services.github.id) return next('You can\'t remove password login without having GitHub login.'); db.models.user.update({_id: userId}, {$unset: {"services.password": ''}}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("UNLINK_PASSWORD", `Unlinking password failed for userId '${userId}'. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("UNLINK_PASSWORD", `Unlinking password successful for userId '${userId}'.`); cache.pub('user.unlinkPassword', userId); cb({ status: 'success', message: 'Successfully unlinked password.' }); } }); }), /** * Unlinks GitHub from user * * @param {Object} session - the session object automatically added by socket.io * @param {Function} cb - gets called with the result * @param {String} userId - the userId automatically added by hooks */ unlinkGitHub: hooks.loginRequired((session, cb, userId) => { async.waterfall([ (next) => { db.models.user.findOne({_id: userId}, next); }, (user, next) => { if (!user) return next('Not logged in.'); if (!user.services.password || !user.services.password.password) return next('You can\'t remove GitHub login without having password login.'); db.models.user.update({_id: userId}, {$unset: {"services.github": ''}}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("UNLINK_GITHUB", `Unlinking GitHub failed for userId '${userId}'. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("UNLINK_GITHUB", `Unlinking GitHub successful for userId '${userId}'.`); cache.pub('user.unlinkGitHub', userId); cb({ status: 'success', message: 'Successfully unlinked GitHub.' }); } }); }), /** * Requests a password reset for an email * * @param {Object} session - the session object automatically added by socket.io * @param {String} email - the email of the user that requests a password reset * @param {Function} cb - gets called with the result */ requestPasswordReset: (session, email, cb) => { let code = utils.generateRandomString(8); async.waterfall([ (next) => { if (!email || typeof email !== 'string') return next('Invalid email.'); email = email.toLowerCase(); db.models.user.findOne({"email.address": email}, next); }, (user, next) => { if (!user) return next('User not found.'); if (!user.services.password || !user.services.password.password) return next('User does not have a password set, and probably uses GitHub to log in.'); next(null, user); }, (user, next) => { let expires = new Date(); expires.setDate(expires.getDate() + 1); db.models.user.findOneAndUpdate({"email.address": email}, {$set: {"services.password.reset": {code: code, expires}}}, {runValidators: true}, next); }, (user, next) => { mail.schemas.resetPasswordRequest(user.email.address, user.username, code, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("REQUEST_PASSWORD_RESET", `Email '${email}' failed to request password reset. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("REQUEST_PASSWORD_RESET", `Email '${email}' successfully requested a password reset.`); cb({ status: 'success', message: 'Successfully requested password reset.' }); } }); }, /** * Verifies a reset code * * @param {Object} session - the session object automatically added by socket.io * @param {String} code - the password reset code * @param {Function} cb - gets called with the result */ verifyPasswordResetCode: (session, code, cb) => { async.waterfall([ (next) => { if (!code || typeof code !== 'string') return next('Invalid code.'); db.models.user.findOne({"services.password.reset.code": code}, next); }, (user, next) => { if (!user) return next('Invalid code.'); if (!user.services.password.reset.expires > new Date()) return next('That code has expired.'); next(null); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("VERIFY_PASSWORD_RESET_CODE", `Code '${code}' failed to verify. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("VERIFY_PASSWORD_RESET_CODE", `Code '${code}' successfully verified.`); cb({ status: 'success', message: 'Successfully verified password reset code.' }); } }); }, /** * Changes a user's password with a reset code * * @param {Object} session - the session object automatically added by socket.io * @param {String} code - the password reset code * @param {String} newPassword - the new password reset code * @param {Function} cb - gets called with the result */ changePasswordWithResetCode: (session, code, newPassword, cb) => { async.waterfall([ (next) => { if (!code || typeof code !== 'string') return next('Invalid code.'); db.models.user.findOne({"services.password.reset.code": code}, next); }, (user, next) => { if (!user) return next('Invalid code.'); if (!user.services.password.reset.expires > new Date()) return next('That code has expired.'); next(); }, (next) => { if (!db.passwordValid(newPassword)) return next('Invalid password. Check if it meets all the requirements.'); return next(); }, (next) => { bcrypt.genSalt(10, next); }, // hash the password (salt, next) => { bcrypt.hash(sha256(newPassword), salt, next); }, (hashedPassword, next) => { db.models.user.update({"services.password.reset.code": code}, {$set: {"services.password.password": hashedPassword}, $unset: {"services.password.reset": ''}}, {runValidators: true}, next); } ], (err) => { if (err && err !== true) { err = utils.getError(err); logger.error("CHANGE_PASSWORD_WITH_RESET_CODE", `Code '${code}' failed to change password. '${err}'`); cb({status: 'failure', message: err}); } else { logger.success("CHANGE_PASSWORD_WITH_RESET_CODE", `Code '${code}' successfully changed password.`); cb({ status: 'success', message: 'Successfully changed password.' }); } }); } };