users.js 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541
  1. 'use strict';
  2. const async = require('async');
  3. const config = require('config');
  4. const request = require('request');
  5. const bcrypt = require('bcrypt');
  6. const db = require('../db');
  7. const mail = require('../mail');
  8. const cache = require('../cache');
  9. const utils = require('../utils');
  10. const hooks = require('./hooks');
  11. const sha256 = require('sha256');
  12. const logger = require('../logger');
  13. cache.sub('user.updateUsername', user => {
  14. utils.socketsFromUser(user._id, sockets => {
  15. sockets.forEach(socket => {
  16. socket.emit('event:user.username.changed', user.username);
  17. });
  18. });
  19. });
  20. module.exports = {
  21. /**
  22. * Lists all Users
  23. *
  24. * @param {Object} session - the session object automatically added by socket.io
  25. * @param {Function} cb - gets called with the result
  26. */
  27. index: hooks.adminRequired((session, cb) => {
  28. async.waterfall([
  29. (next) => {
  30. db.models.user.find({}).exec(next);
  31. }
  32. ], (err, users) => {
  33. if (err) {
  34. logger.error("USER_INDEX", `Indexing users failed. "${err.message}"`);
  35. return cb({status: 'failure', message: 'Something went wrong.'});
  36. } else {
  37. logger.success("USER_INDEX", `Indexing users successful.`);
  38. let filteredUsers = [];
  39. users.forEach(user => {
  40. filteredUsers.push({
  41. _id: user._id,
  42. username: user.username,
  43. role: user.role,
  44. liked: user.liked,
  45. disliked: user.disliked,
  46. songsRequested: user.statistics.songsRequested,
  47. email: {
  48. address: user.email.address,
  49. verified: user.email.verified
  50. },
  51. hasPassword: () => {
  52. if (user.services.password) return true;
  53. else return false;
  54. },
  55. services: { github: user.services.github }
  56. });
  57. });
  58. return cb({ status: 'success', data: filteredUsers });
  59. }
  60. });
  61. }),
  62. /**
  63. * Logs user in
  64. *
  65. * @param {Object} session - the session object automatically added by socket.io
  66. * @param {String} identifier - the email of the user
  67. * @param {String} password - the plaintext of the user
  68. * @param {Function} cb - gets called with the result
  69. */
  70. login: (session, identifier, password, cb) => {
  71. identifier = identifier.toLowerCase();
  72. async.waterfall([
  73. // check if a user with the requested identifier exists
  74. (next) => {
  75. db.models.user.findOne({
  76. $or: [{ 'email.address': identifier }]
  77. }, next)
  78. },
  79. // if the user doesn't exist, respond with a failure
  80. // otherwise compare the requested password and the actual users password
  81. (user, next) => {
  82. if (!user) return next('User not found');
  83. if (!user.services.password || !user.services.password.password) return next('The account you are trying to access uses GitHub to log in.');
  84. bcrypt.compare(sha256(password), user.services.password.password, (err, match) => {
  85. if (err) return next(err);
  86. if (!match) return next('Incorrect password');
  87. next(null, user);
  88. });
  89. },
  90. (user, next) => {
  91. let sessionId = utils.guid();
  92. cache.hset('sessions', sessionId, cache.schemas.session(sessionId, user._id), (err) => {
  93. if (err) return next(err);
  94. next(null, sessionId);
  95. });
  96. }
  97. ], (err, sessionId) => {
  98. if (err && err !== true) {
  99. let error = 'An error occurred.';
  100. if (typeof err === "string") error = err;
  101. else if (err.message) error = err.message;
  102. logger.error("USER_PASSWORD_LOGIN", "Login failed with password for user " + identifier + '. "' + error + '"');
  103. return cb({ status: 'failure', message: error });
  104. }
  105. logger.success("USER_PASSWORD_LOGIN", "Login successful with password for user " + identifier);
  106. cb({ status: 'success', message: 'Login successful', user: {}, SID: sessionId });
  107. });
  108. },
  109. /**
  110. * Registers a new user
  111. *
  112. * @param {Object} session - the session object automatically added by socket.io
  113. * @param {String} username - the username for the new user
  114. * @param {String} email - the email for the new user
  115. * @param {String} password - the plaintext password for the new user
  116. * @param {Object} recaptcha - the recaptcha data
  117. * @param {Function} cb - gets called with the result
  118. */
  119. register: function(session, username, email, password, recaptcha, cb) {
  120. email = email.toLowerCase();
  121. let verificationToken = utils.generateRandomString(64);
  122. async.waterfall([
  123. // verify the request with google recaptcha
  124. (next) => {
  125. request({
  126. url: 'https://www.google.com/recaptcha/api/siteverify',
  127. method: 'POST',
  128. form: {
  129. 'secret': config.get("apis").recaptcha.secret,
  130. 'response': recaptcha
  131. }
  132. }, next);
  133. },
  134. // check if the response from Google recaptcha is successful
  135. // if it is, we check if a user with the requested username already exists
  136. (response, body, next) => {
  137. let json = JSON.parse(body);
  138. if (json.success !== true) return next('Response from recaptcha was not successful.');
  139. db.models.user.findOne({ username: new RegExp(`^${username}$`, 'i') }, next);
  140. },
  141. // if the user already exists, respond with that
  142. // otherwise check if a user with the requested email already exists
  143. (user, next) => {
  144. if (user) return next('A user with that username already exists.');
  145. db.models.user.findOne({ 'email.address': email }, next);
  146. },
  147. // if the user already exists, respond with that
  148. // otherwise, generate a salt to use with hashing the new users password
  149. (user, next) => {
  150. if (user) return next('A user with that email already exists.');
  151. bcrypt.genSalt(10, next);
  152. },
  153. // hash the password
  154. (salt, next) => {
  155. bcrypt.hash(sha256(password), salt, next)
  156. },
  157. // save the new user to the database
  158. (hash, next) => {
  159. db.models.user.create({
  160. _id: utils.generateRandomString(12),//TODO Check if exists
  161. username,
  162. email: {
  163. address: email,
  164. verificationToken: verificationToken
  165. },
  166. services: {
  167. password: {
  168. password: hash
  169. }
  170. }
  171. }, next);
  172. },
  173. // respond with the new user
  174. (newUser, next) => {
  175. //TODO Send verification email
  176. mail.schemas.verifyEmail(email, username, verificationToken, () => {
  177. next();
  178. });
  179. }
  180. ], (err) => {
  181. if (err && err !== true) {
  182. let error = 'An error occurred.';
  183. if (typeof err === "string") error = err;
  184. else if (err.message) error = err.message;
  185. logger.error("USER_PASSWORD_REGISTER", "Register failed with password for user. " + '"' + error + '"');
  186. cb({status: 'failure', message: error});
  187. } else {
  188. module.exports.login(session, email, password, (result) => {
  189. let obj = {status: 'success', message: 'Successfully registered.'};
  190. if (result.status === 'success') {
  191. obj.SID = result.SID;
  192. }
  193. logger.success("USER_PASSWORD_REGISTER", "Register successful with password for user '" + username + "'.");
  194. cb({status: 'success', message: 'Successfully registered.'});
  195. });
  196. }
  197. });
  198. },
  199. /**
  200. * Logs out a user
  201. *
  202. * @param {Object} session - the session object automatically added by socket.io
  203. * @param {Function} cb - gets called with the result
  204. */
  205. logout: (session, cb) => {
  206. async.waterfall([
  207. (next) => {
  208. cache.hget('sessions', session.sessionId, next);
  209. },
  210. (session, next) => {
  211. if (!session) return next('Session not found');
  212. next(null, session);
  213. },
  214. (session, next) => {
  215. cache.hdel('sessions', session.sessionId, next);
  216. }
  217. ], (err) => {
  218. if (err && err !== true) {
  219. let error = 'An error occurred.';
  220. if (typeof err === "string") error = err;
  221. else if (err.message) error = err.message;
  222. logger.error("USER_LOGOUT", `Logout failed. ${error}`);
  223. cb({status: 'failure', message: error});
  224. } else {
  225. logger.success("USER_LOGOUT", `Logout successful.`);
  226. cb({status: 'success', message: 'Successfully logged out.'});
  227. }
  228. });
  229. },
  230. /**
  231. * Gets user object from username (only a few properties)
  232. *
  233. * @param {Object} session - the session object automatically added by socket.io
  234. * @param {String} username - the username of the user we are trying to find
  235. * @param {Function} cb - gets called with the result
  236. */
  237. findByUsername: (session, username, cb) => {
  238. async.waterfall([
  239. (next) => {
  240. db.models.user.findOne({ username: new RegExp(`^${username}$`, 'i') }, next);
  241. },
  242. (account, next) => {
  243. if (!account) return next('User not found.');
  244. next(null, account);
  245. }
  246. ], (err, account) => {
  247. if (err && err !== true) {
  248. let error = 'An error occurred.';
  249. if (typeof err === "string") error = err;
  250. else if (err.message) error = err.message;
  251. logger.error("FIND_BY_USERNAME", `User not found for username '${username}'. ${error}`);
  252. cb({status: 'failure', message: error});
  253. } else {
  254. logger.success("FIND_BY_USERNAME", `User found for username '${username}'.`);
  255. return cb({
  256. status: 'success',
  257. data: {
  258. _id: account._id,
  259. username: account.username,
  260. role: account.role,
  261. email: account.email.address,
  262. createdAt: account.createdAt,
  263. statistics: account.statistics,
  264. liked: account.liked,
  265. disliked: account.disliked
  266. }
  267. });
  268. }
  269. });
  270. },
  271. //TODO Fix security issues
  272. /**
  273. * Gets user info from session
  274. *
  275. * @param {Object} session - the session object automatically added by socket.io
  276. * @param {Function} cb - gets called with the result
  277. */
  278. findBySession: (session, cb) => {
  279. async.waterfall([
  280. (next) => {
  281. cache.hget('sessions', session.sessionId, next);
  282. },
  283. (session, next) => {
  284. if (!session) return next('Session not found.');
  285. next(null, session);
  286. },
  287. (session, next) => {
  288. db.models.user.findOne({ _id: session.userId }, next);
  289. },
  290. (user, next) => {
  291. if (!user) return next('User not found.');
  292. next(null, user);
  293. }
  294. ], (err, user) => {
  295. if (err && err !== true) {
  296. let error = 'An error occurred.';
  297. if (typeof err === "string") error = err;
  298. else if (err.message) error = err.message;
  299. logger.error("FIND_BY_SESSION", `User not found. ${error}`);
  300. cb({status: 'failure', message: error});
  301. } else {
  302. let data = {
  303. email: {
  304. address: user.email.address
  305. },
  306. username: user.username
  307. };
  308. if (user.services.password && user.services.password.password) data.password = true;
  309. logger.success("FIND_BY_SESSION", `User found. '${user.username}'.`);
  310. return cb({
  311. status: 'success',
  312. data
  313. });
  314. }
  315. });
  316. },
  317. /**
  318. * Updates a user's username
  319. *
  320. * @param {Object} session - the session object automatically added by socket.io
  321. * @param {String} updatingUserId - the updating user's id
  322. * @param {String} newUsername - the new username
  323. * @param {Function} cb - gets called with the result
  324. * @param {String} userId - the userId automatically added by hooks
  325. */
  326. updateUsername: hooks.loginRequired((session, updatingUserId, newUsername, cb, userId) => {
  327. async.waterfall([
  328. (next) => {
  329. db.models.user.findOne({ _id: updatingUserId }, next);
  330. },
  331. (user, next) => {
  332. if (!user) return next('User not found.');
  333. if (user.username === newUsername) return next('New username can\'t be the same as the old username.');
  334. next(null);
  335. },
  336. (next) => {
  337. db.models.user.findOne({ username: new RegExp(`^${newUsername}$`, 'i') }, next);
  338. },
  339. (user, next) => {
  340. if (!user) return next();
  341. if (user._id === updatingUserId) return next();
  342. next('That username is already in use.');
  343. },
  344. (next) => {
  345. db.models.user.update({ _id: updatingUserId }, {$set: {username: newUsername}}, next);
  346. }
  347. ], (err) => {
  348. if (err && err !== true) {
  349. let error = 'An error occurred.';
  350. if (typeof err === "string") error = err;
  351. else if (err.message) error = err.message;
  352. logger.error("UPDATE_USERNAME", `Couldn't update username for user '${updatingUserId}' to username '${newUsername}'. '${error}'`);
  353. cb({status: 'failure', message: error});
  354. } else {
  355. cache.pub('user.updateUsername', {
  356. username: newUsername,
  357. _id: updatingUserId
  358. });
  359. logger.success("UPDATE_USERNAME", `Updated username for user '${updatingUserId}' to username '${newUsername}'.`);
  360. cb({ status: 'success', message: 'Username updated successfully' });
  361. }
  362. });
  363. }),
  364. /**
  365. * Updates a user's email
  366. *
  367. * @param {Object} session - the session object automatically added by socket.io
  368. * @param {String} updatingUserId - the updating user's id
  369. * @param {String} newEmail - the new email
  370. * @param {Function} cb - gets called with the result
  371. * @param {String} userId - the userId automatically added by hooks
  372. */
  373. updateEmail: hooks.loginRequired((session, updatingUserId, newEmail, cb, userId) => {
  374. newEmail = newEmail.toLowerCase();
  375. let verificationToken = utils.generateRandomString(64);
  376. async.waterfall([
  377. (next) => {
  378. db.models.user.findOne({ _id: updatingUserId }, next);
  379. },
  380. (user, next) => {
  381. if (!user) return next('User not found.');
  382. if (user.email.address === newEmail) return next('New email can\'t be the same as your the old email.');
  383. next();
  384. },
  385. (next) => {
  386. db.models.user.findOne({"email.address": newEmail}, next);
  387. },
  388. (user, next) => {
  389. if (!user) return next();
  390. if (user._id === updatingUserId) return next();
  391. next('That email is already in use.');
  392. },
  393. (next) => {
  394. db.models.user.update({_id: updatingUserId}, {$set: {"email.address": newEmail, "email.verified": false, "email.verificationToken": verificationToken}}, next);
  395. },
  396. (res, next) => {
  397. db.models.user.findOne({ _id: updatingUserId }, next);
  398. },
  399. (user, next) => {
  400. mail.schemas.verifyEmail(newEmail, user.username, verificationToken, next);
  401. }
  402. ], (err) => {
  403. if (err && err !== true) {
  404. let error = 'An error occurred.';
  405. if (typeof err === "string") error = err;
  406. else if (err.message) error = err.message;
  407. logger.error("UPDATE_EMAIL", `Couldn't update email for user '${updatingUserId}' to email '${newEmail}'. '${error}'`);
  408. cb({status: 'failure', message: error});
  409. } else {
  410. logger.success("UPDATE_EMAIL", `Updated email for user '${updatingUserId}' to email '${newEmail}'.`);
  411. cb({ status: 'success', message: 'Email updated successfully.' });
  412. }
  413. });
  414. }),
  415. /**
  416. * Updates a user's role
  417. *
  418. * @param {Object} session - the session object automatically added by socket.io
  419. * @param {String} updatingUserId - the updating user's id
  420. * @param {String} newRole - the new role
  421. * @param {Function} cb - gets called with the result
  422. * @param {String} userId - the userId automatically added by hooks
  423. */
  424. updateRole: hooks.adminRequired((session, updatingUserId, newRole, cb, userId) => {
  425. newRole = newRole.toLowerCase();
  426. async.waterfall([
  427. (next) => {
  428. db.models.user.update({_id: updatingUserId}, {$set: {role: newRole}}, next);
  429. }
  430. ], (err) => {
  431. if (err && err !== true) {
  432. let error = 'An error occurred.';
  433. if (typeof err === "string") error = err;
  434. else if (err.message) error = err.message;
  435. logger.error("UPDATE_ROLE", `User '${userId}' couldn't update role for user '${updatingUserId}' to role '${newRole}'. '${error}'`);
  436. cb({status: 'failure', message: error});
  437. } else {
  438. logger.success("UPDATE_ROLE", `User '${userId}' updated the role of user '${updatingUserId}' to role '${newRole}'.`);
  439. cb({
  440. status: 'success',
  441. message: 'Role successfully updated.'
  442. });
  443. }
  444. });
  445. }),
  446. /**
  447. * Updates a user's password
  448. *
  449. * @param {Object} session - the session object automatically added by socket.io
  450. * @param {String} newPassword - the new password
  451. * @param {Function} cb - gets called with the result
  452. * @param {String} userId - the userId automatically added by hooks
  453. */
  454. updatePassword: hooks.loginRequired((session, newPassword, cb, userId) => {
  455. async.waterfall([
  456. (next) => {
  457. db.models.user.findOne({_id: userId}, next);
  458. },
  459. (user, next) => {
  460. if (!user.services.password) return next('This account does not have a password set.');
  461. next();
  462. },
  463. (next) => {
  464. bcrypt.genSalt(10, next);
  465. },
  466. // hash the password
  467. (salt, next) => {
  468. bcrypt.hash(sha256(newPassword), salt, next);
  469. },
  470. (hashedPassword, next) => {
  471. db.models.user.update({_id: userId}, {$set: {"services.password.password": hashedPassword}}, next);
  472. }
  473. ], (err) => {
  474. if (err) {
  475. let error = 'An error occurred.';
  476. if (typeof err === "string") error = err;
  477. else if (err.message) error = err.message;
  478. logger.error("UPDATE_PASSWORD", `Failed updating user password of user '${userId}'. '${error}'.`);
  479. return cb({ status: 'failure', message: error });
  480. }
  481. logger.error("UPDATE_PASSWORD", `User '${userId}' updated their password.`);
  482. cb({
  483. status: 'success',
  484. message: 'Password successfully updated.'
  485. });
  486. });
  487. })
  488. };