cloudron-box/src/routes/users.js

'use strict';

exports = module.exports = {
    get,
    update,
    list,
    add,
    del,
    setPassword,
    verifyPassword,
    createInvite,
    sendInvite,
    setGroups,
    makeOwner,

    disableTwoFactorAuthentication,

    load
};

const assert = require('assert'),
    auditSource = require('../auditsource.js'),
    BoxError = require('../boxerror.js'),
    groups = require('../groups.js'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    safe = require('safetydance'),
    users = require('../users.js');

async function load(req, res, next) {
    assert.strictEqual(typeof req.params.userId, 'string');

    const [error, result] = await safe(users.get(req.params.userId));
    if (error) return next(BoxError.toHttpError(error));
    if (!result) return next(new HttpError(404, 'User not found'));
    req.resource = result;

    next();
}

async function add(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
    if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));
    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
    if ('password' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
    if ('role' in req.body) {
        if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be string'));
        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
    }

    const password = req.body.password || null;
    const email = req.body.email;
    const username = 'username' in req.body ? req.body.username : null;
    const displayName = req.body.displayName || '';

    const [error, id] = await safe(users.add(email, { username, password, displayName, invitor: req.user, role: req.body.role || users.ROLE_USER }, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(201, { id }));
}

async function update(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
    if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
    if ('username' in req.body && typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be a string'));

    if ('role' in req.body) {
        if (typeof req.body.role !== 'string') return next(new HttpError(400, 'role must be a string'));
        if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set role flag on self'));

        if (users.compareRoles(req.user.role, req.body.role) < 0) return next(new HttpError(403, `role '${req.body.role}' is required but you are only '${req.user.role}'`));
    }

    if ('active' in req.body) {
        if (typeof req.body.active !== 'boolean') return next(new HttpError(400, 'active must be a boolean'));
        if (req.user.id === req.resource.id) return next(new HttpError(409, 'Cannot set active flag on self'));
    }

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but you are only '${req.user.role}'`));

    const [error] = await safe(users.update(req.resource, req.body, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function list(req, res, next) {
    const page = typeof req.query.page !== 'undefined' ? parseInt(req.query.page) : 1;
    if (!page || page < 0) return next(new HttpError(400, 'page query param has to be a postive number'));

    const perPage = typeof req.query.per_page !== 'undefined'? parseInt(req.query.per_page) : 25;
    if (!perPage || perPage < 0) return next(new HttpError(400, 'per_page query param has to be a postive number'));

    if (req.query.search && typeof req.query.search !== 'string') return next(new HttpError(400, 'search must be a string'));

    let [error, results] = await safe(users.listPaged(req.query.search || null, page, perPage));
    if (error) return next(BoxError.toHttpError(error));

    results = results.map(users.removeRestrictedFields);

    next(new HttpSuccess(200, { users: results }));
}

function get(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');
    assert.strictEqual(typeof req.user, 'object');

    next(new HttpSuccess(200, users.removePrivateFields(req.resource)));
}

async function del(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (req.user.id === req.resource.id) return next(new HttpError(409, 'Not allowed to remove yourself.'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(users.del(req.resource, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function verifyPassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');

    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));

    const [error] = await safe(users.verifyWithUsername(req.user.username, req.body.password, users.AP_WEBADMIN));
    if (error) return next(BoxError.toHttpError(error));

    req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password

    next();
}

async function createInvite(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error, result] = await safe(users.createInvite(req.resource, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(200, result));
}

function disableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    users.disableTwoFactorAuthentication(req.resource.id, function (error, result) {
        if (error) return next(BoxError.toHttpError(error));

        next(new HttpSuccess(200, result));
    });
}

async function sendInvite(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(users.sendInvite(req.resource, { invitor: req.user }));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(200, { }));
}

async function setGroups(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.resource, 'object');

    if (!Array.isArray(req.body.groupIds)) return next(new HttpError(400, 'API call requires a groups array.'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(groups.setMembership(req.resource.id, req.body.groupIds));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setPassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.resource, 'object');

    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be a string'));
    if (users.compareRoles(req.user.role, req.resource.role) < 0) return next(new HttpError(403, `role '${req.resource.role}' is required but user has only '${req.user.role}'`));

    const [error] = await safe(users.setPassword(req.resource, req.body.password, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

// This route transfers ownership from token user to user specified in path param
async function makeOwner(req, res, next) {
    assert.strictEqual(typeof req.resource, 'object');

    // first make new one owner, then demote current one
    let [error] = await safe(users.update(req.resource, { role: users.ROLE_OWNER }, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    [error] = await safe(users.update(req.user, { role: users.ROLE_USER }, auditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}