src/routes/profile.js

'use strict';

exports = module.exports = {
    canEditProfile,
    get,
    setDisplayName,
    setEmail,
    setFallbackEmail,
    getAvatar,
    setAvatar,
    setLanguage,
    getBackgroundImage,
    setBackgroundImage,
    setPassword,
    setTwoFactorAuthenticationSecret,
    enableTwoFactorAuthentication,
    disableTwoFactorAuthentication,
    setNotificationConfig
};

const assert = require('assert'),
    AuditSource = require('../auditsource.js'),
    BoxError = require('../boxerror.js'),
    constants = require('../constants.js'),
    crypto = require('crypto'),
    dashboard = require('../dashboard.js'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    https = require('https'),
    path = require('path'),
    paths = require('../paths.js'),
    safe = require('safetydance'),
    userDirectory = require('../user-directory.js'),
    users = require('../users.js');

async function canEditProfile(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    const [error, profileConfig] = await safe(userDirectory.getProfileConfig());
    if (error) return next(BoxError.toHttpError(error));

    if (profileConfig.lockUserProfiles) return next(new HttpError(403, 'admin has disallowed users from editing profiles'));

    next();
}

async function get(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    const [error, backgroundImage] = await safe(users.getBackgroundImage(req.user.id));
    if (error) return next(BoxError.toHttpError(error));

    const [avatarError, avatar] = await safe(users.getAvatar(req.user.id));
    if (avatarError) return next(BoxError.toHttpError(error));

    let avatarType;
    if (avatar.equals(constants.AVATAR_GRAVATAR)) avatarType = constants.AVATAR_GRAVATAR;
    else if (avatar.equals(constants.AVATAR_NONE)) avatarType = constants.AVATAR_NONE;
    else avatarType = constants.AVATAR_CUSTOM;

    const { fqdn:dashboardFqdn } = await dashboard.getLocation();

    next(new HttpSuccess(200, {
        id: req.user.id,
        username: req.user.username,
        email: req.user.email,
        fallbackEmail: req.user.fallbackEmail,
        displayName: req.user.displayName,
        twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled,
        role: req.user.role,
        source: req.user.source,
        hasBackgroundImage: !!backgroundImage,
        language: req.user.language,
        notificationConfig: req.user.notificationConfig,
        avatarUrl: `https://${dashboardFqdn}/api/v1/profile/avatar/${req.user.id}`,
        avatarType: avatarType.toString() // this is a Buffer
    }));
}

async function setEmail(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));

    const [error] = await safe(users.update(req.user, { email: req.body.email }, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setFallbackEmail(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));

    const [error] = await safe(users.update(req.user, { fallbackEmail: req.body.fallbackEmail }, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setDisplayName(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));

    const [error] = await safe(users.update(req.user, { displayName: req.body.displayName }, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setLanguage(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('language' in req.body && typeof req.body.language !== 'string') return next(new HttpError(400, 'language must be string'));

    const [error] = await safe(users.update(req.user, { language: req.body.language }, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setAvatar(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    let avatar = typeof req.body.avatar === 'string' ? Buffer.from(req.body.avatar, 'utf8') : null;

    if (req.files && req.files.avatar) {
        avatar = safe.fs.readFileSync(req.files.avatar.path);
        safe.fs.unlinkSync(req.files.avatar.path);
        if (!avatar) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));
    } else if (!avatar || (!avatar.equals(constants.AVATAR_GRAVATAR) && !avatar.equals(constants.AVATAR_NONE))) {
        return next(new HttpError(400, `avatar must be a file, ${constants.AVATAR_GRAVATAR} or ${constants.AVATAR_NONE}`));
    }

    const [error] = await safe(users.setAvatar(req.user.id, avatar));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(202, {}));
}

async function getAvatar(req, res, next) {
    assert.strictEqual(typeof req.params.identifier, 'string');

    const [,userId, ext] = req.params.identifier.match(/^(.*?)(?:\.(\w+))?$/);
    const [userError, user] = await safe(users.get(userId));
    if (userError) return next(BoxError.toHttpError(userError));

    const [avatarError, avatar] = await safe(users.getAvatar(userId));
    if (avatarError) return next(BoxError.toHttpError(avatarError));

    if (avatar.equals(constants.AVATAR_GRAVATAR)) {
        const gravatarHash = crypto.createHash('md5').update(user.email).digest('hex');
        https.get(`https://www.gravatar.com/avatar/${gravatarHash}.jpg`, function (upstreamRes) {
            if (upstreamRes.status !== 200) {
                console.error('Gravatar error:', upstreamRes.status);
                return res.status(404).end();
            }

            res.set('content-type', 'image/jpeg');
            upstreamRes.pipe(res);
        }).on('error', (e) => {
            console.error('Gravatar error:', e.message);
            return res.status(404).end();
        });
    } else if (avatar.equals(constants.AVATAR_NONE)) {
        if (ext) {
            res.sendFile(path.join(paths.DASHBOARD_DIR, '/img/avatar-default-symbolic.png'));
        } else {
            res.sendFile(path.join(paths.DASHBOARD_DIR, '/img/avatar-default-symbolic.svg'));
        }
    } else {
        res.set('Content-Type', 'image/png');
        res.send(avatar);
    }
}

async function setBackgroundImage(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    let backgroundImage = null;

    if (req.files && req.files.backgroundImage) {
        backgroundImage = safe.fs.readFileSync(req.files.backgroundImage.path);
        safe.fs.unlinkSync(req.files.backgroundImage.path);
        if (!backgroundImage) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));
    }

    const [error] = await safe(users.setBackgroundImage(req.user.id, backgroundImage));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(202, {}));
}

async function getBackgroundImage(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    const [error, backgroundImage] = await safe(users.getBackgroundImage(req.user.id));
    if (error) return next(BoxError.toHttpError(error));

    res.send(backgroundImage);
}

async function setPassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.user, 'object');

    if (typeof req.body.newPassword !== 'string') return next(new HttpError(400, 'newPassword must be a string'));

    const [error] = await safe(users.setPassword(req.user, req.body.newPassword, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204));
}

async function setTwoFactorAuthenticationSecret(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    const [error, result] = await safe(users.setTwoFactorAuthenticationSecret(req.user, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(200, { secret: result.secret, qrcode: result.qrcode }));
}

async function enableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.user, 'object');

    if (!req.body.totpToken || typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a nonempty string'));

    const [error] = await safe(users.enableTwoFactorAuthentication(req.user, req.body.totpToken, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204, {}));
}

async function disableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    const [error] = await safe(users.disableTwoFactorAuthentication(req.user, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204, {}));
}

async function setNotificationConfig(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.user, 'object');

    if (!Array.isArray(req.body.notificationConfig)) return next(new HttpError(400, 'notificationConfig must be an array of strings'));
    if (req.body.notificationConfig.some(k => typeof k !== 'string')) return next(new HttpError(400, 'notificationConfig must be an array of strings'));

    const [error] = await safe(users.setNotificationConfig(req.user, req.body.notificationConfig, AuditSource.fromRequest(req)));
    if (error) return next(BoxError.toHttpError(error));

    next(new HttpSuccess(204, {}));
}
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`'use strict';`

			`exports = module.exports = {`
profile: unify password verification check 2024-01-22 13:53:40 +01:00			`canEditProfile,`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00			`get,`
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`setDisplayName,`
			`setEmail,`
			`setFallbackEmail,`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00			`getAvatar,`
			`setAvatar,`
profile: store preferred language in the database 2024-02-26 12:32:14 +01:00			`setLanguage,`
Add profile backgroundImage api 2022-05-14 19:41:32 +02:00			`getBackgroundImage,`
			`setBackgroundImage,`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`setPassword,`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00			`setTwoFactorAuthenticationSecret,`
			`enableTwoFactorAuthentication,`
			`disableTwoFactorAuthentication,`
notifications: per user email prefs 2024-12-11 18:24:20 +01:00			`setNotificationConfig`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`};`

async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`const assert = require('assert'),`
make auditsource a class this allows us to use AuditSource for the class and auditSource for the instances! 2021-09-30 09:50:30 -07:00			`AuditSource = require('../auditsource.js'),`
Move UsersError to BoxError 2019-10-24 14:40:26 -07:00			`BoxError = require('../boxerror.js'),`
Make gravatar support explicit only 2021-07-07 14:31:39 +02:00			`constants = require('../constants.js'),`
Move requires to the top 2024-10-18 21:50:23 +02:00			`crypto = require('crypto'),`
Always send an image as avatar 2024-01-29 11:47:19 +01:00			`dashboard = require('../dashboard.js'),`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`HttpError = require('connect-lastmile').HttpError,`
			`HttpSuccess = require('connect-lastmile').HttpSuccess,`
Move requires to the top 2024-10-18 21:50:23 +02:00			`https = require('https'),`
Always send an image as avatar 2024-01-29 11:47:19 +01:00			`path = require('path'),`
			`paths = require('../paths.js'),`
move profile icons into the database 2021-04-29 12:49:48 -07:00			`safe = require('safetydance'),`
split routes and model code into user-directory.js 2024-06-12 10:27:59 +02:00			`userDirectory = require('../user-directory.js'),`
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`users = require('../users.js');`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
profile: unify password verification check 2024-01-22 13:53:40 +01:00			`async function canEditProfile(req, res, next) {`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00			`assert.strictEqual(typeof req.user, 'object');`

split routes and model code into user-directory.js 2024-06-12 10:27:59 +02:00			`const [error, profileConfig] = await safe(userDirectory.getProfileConfig());`
settings: async'ify * directory config * unstable app config 2021-08-18 15:40:28 -07:00			`if (error) return next(BoxError.toHttpError(error));`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00
more profileConfig rename 2022-01-13 15:20:16 -08:00			`if (profileConfig.lockUserProfiles) return next(new HttpError(403, 'admin has disallowed users from editing profiles'));`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00
settings: async'ify * directory config * unstable app config 2021-08-18 15:40:28 -07:00			`next();`
add directory config setting part of #704 2020-07-09 14:35:34 -07:00			`}`

async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`async function get(req, res, next) {`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`assert.strictEqual(typeof req.user, 'object');`

Always send an image as avatar 2024-01-29 11:47:19 +01:00			`const [error, backgroundImage] = await safe(users.getBackgroundImage(req.user.id));`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`if (error) return next(BoxError.toHttpError(error));`

Send avatarType explicitly in profile 2024-01-29 13:35:54 +01:00			`const [avatarError, avatar] = await safe(users.getAvatar(req.user.id));`
			`if (avatarError) return next(BoxError.toHttpError(error));`

			`let avatarType;`
			`if (avatar.equals(constants.AVATAR_GRAVATAR)) avatarType = constants.AVATAR_GRAVATAR;`
			`else if (avatar.equals(constants.AVATAR_NONE)) avatarType = constants.AVATAR_NONE;`
			`else avatarType = constants.AVATAR_CUSTOM;`

Always send an image as avatar 2024-01-29 11:47:19 +01:00			`const { fqdn:dashboardFqdn } = await dashboard.getLocation();`
Give the dashboard a way to check backgroundImage availability 2022-05-17 15:25:44 +02:00
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`next(new HttpSuccess(200, {`
			`id: req.user.id,`
			`username: req.user.username,`
			`email: req.user.email,`
			`fallbackEmail: req.user.fallbackEmail,`
			`displayName: req.user.displayName,`
			`twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled,`
			`role: req.user.role,`
			`source: req.user.source,`
Give the dashboard a way to check backgroundImage availability 2022-05-17 15:25:44 +02:00			`hasBackgroundImage: !!backgroundImage,`
profile: store preferred language in the database 2024-02-26 12:32:14 +01:00			`language: req.user.language,`
notifications: per user email prefs 2024-12-11 18:24:20 +01:00			`notificationConfig: req.user.notificationConfig,`
Send avatarType explicitly in profile 2024-01-29 13:35:54 +01:00			avatarUrl: `https://${dashboardFqdn}/api/v1/profile/avatar/${req.user.id}`,
			`avatarType: avatarType.toString() // this is a Buffer`
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`}));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`}`

profile: email change now requires password 2024-01-18 17:34:45 +01:00			`async function setEmail(req, res, next) {`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`

			`if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));`
profile: email change now requires password 2024-01-18 17:34:45 +01:00
			`const [error] = await safe(users.update(req.user, { email: req.body.email }, AuditSource.fromRequest(req)));`
			`if (error) return next(BoxError.toHttpError(error));`

			`next(new HttpSuccess(204));`
			`}`

			`async function setFallbackEmail(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`

Allow changing fallbackEmail via the profile api 2018-01-22 15:55:55 +01:00			`if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));`
profile: email change now requires password 2024-01-18 17:34:45 +01:00
			`const [error] = await safe(users.update(req.user, { fallbackEmail: req.body.fallbackEmail }, AuditSource.fromRequest(req)));`
			`if (error) return next(BoxError.toHttpError(error));`
user.update does not need the user object 2016-06-02 23:53:06 -07:00
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`next(new HttpSuccess(204));`
			`}`
Require password for fallback email change 2021-09-09 23:01:28 +02:00
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`async function setDisplayName(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`
redact password immediately after verify 2021-09-14 10:36:14 -07:00
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));`
Require password for fallback email change 2021-09-09 23:01:28 +02:00
profile: email change now requires password 2024-01-18 17:34:45 +01:00			`const [error] = await safe(users.update(req.user, { displayName: req.body.displayName }, AuditSource.fromRequest(req)));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`next(new HttpSuccess(204));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`}`

profile: store preferred language in the database 2024-02-26 12:32:14 +01:00			`async function setLanguage(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`

			`if ('language' in req.body && typeof req.body.language !== 'string') return next(new HttpError(400, 'language must be string'));`

			`const [error] = await safe(users.update(req.user, { language: req.body.language }, AuditSource.fromRequest(req)));`
			`if (error) return next(BoxError.toHttpError(error));`

			`next(new HttpSuccess(204));`
			`}`

async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`async function setAvatar(req, res, next) {`
Add support to upload custom profile avatar 2019-11-25 16:12:22 +01:00			`assert.strictEqual(typeof req.user, 'object');`

Make avatar apis buffer based 2021-07-08 10:40:10 +02:00			`let avatar = typeof req.body.avatar === 'string' ? Buffer.from(req.body.avatar, 'utf8') : null;`
Add support to upload custom profile avatar 2019-11-25 16:12:22 +01:00
Make gravatar support explicit only 2021-07-07 14:31:39 +02:00			`if (req.files && req.files.avatar) {`
			`avatar = safe.fs.readFileSync(req.files.avatar.path);`
multipart: cleanup files after reading their contents one idea is just use express.raw() . however, we have to implement some file size limit there. one case this does not handle is aborted uploads from a box.service restart. for this rare case, a server reboot will clean up /tmp anyway. 2024-07-19 23:11:26 +02:00			`safe.fs.unlinkSync(req.files.avatar.path);`
Make gravatar support explicit only 2021-07-07 14:31:39 +02:00			`if (!avatar) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));`
Make avatar apis buffer based 2021-07-08 10:40:10 +02:00			`} else if (!avatar \|\| (!avatar.equals(constants.AVATAR_GRAVATAR) && !avatar.equals(constants.AVATAR_NONE))) {`
Make gravatar support explicit only 2021-07-07 14:31:39 +02:00			return next(new HttpError(400, `avatar must be a file, ${constants.AVATAR_GRAVATAR} or ${constants.AVATAR_NONE}`));
			`}`
move profile icons into the database 2021-04-29 12:49:48 -07:00
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`const [error] = await safe(users.setAvatar(req.user.id, avatar));`
			`if (error) return next(BoxError.toHttpError(error));`
Add support to upload custom profile avatar 2019-11-25 16:12:22 +01:00
async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`next(new HttpSuccess(202, {}));`
Add support to upload custom profile avatar 2019-11-25 16:12:22 +01:00			`}`

async'ify avatar and apppassword code 2021-06-25 22:11:17 -07:00			`async function getAvatar(req, res, next) {`
user: move avatar handling into model code 2020-07-09 22:33:36 -07:00			`assert.strictEqual(typeof req.params.identifier, 'string');`

avatar: deliver .png images this is required for mastodon atleast. if the oidc avatar url, returns an svg, it crashes! the profile pic png was created using inkspace: inkscape -w 96 -h 96 avatar-default-symbolic.svg -o avatar-default-symbolic.png 2024-10-18 22:05:52 +02:00			`const [,userId, ext] = req.params.identifier.match(/^(.*?)(?:\.(\w+))?$/);`
			`const [userError, user] = await safe(users.get(userId));`
Always send an image as avatar 2024-01-29 11:47:19 +01:00			`if (userError) return next(BoxError.toHttpError(userError));`

avatar: deliver .png images this is required for mastodon atleast. if the oidc avatar url, returns an svg, it crashes! the profile pic png was created using inkspace: inkscape -w 96 -h 96 avatar-default-symbolic.svg -o avatar-default-symbolic.png 2024-10-18 22:05:52 +02:00			`const [avatarError, avatar] = await safe(users.getAvatar(userId));`
Always send an image as avatar 2024-01-29 11:47:19 +01:00			`if (avatarError) return next(BoxError.toHttpError(avatarError));`

			`if (avatar.equals(constants.AVATAR_GRAVATAR)) {`
Move requires to the top 2024-10-18 21:50:23 +02:00			`const gravatarHash = crypto.createHash('md5').update(user.email).digest('hex');`
			https.get(`https://www.gravatar.com/avatar/${gravatarHash}.jpg`, function (upstreamRes) {
replace with custom superagent based on fetch API 2025-02-14 17:26:54 +01:00			`if (upstreamRes.status !== 200) {`
			`console.error('Gravatar error:', upstreamRes.status);`
Always send an image as avatar 2024-01-29 11:47:19 +01:00			`return res.status(404).end();`
			`}`

			`res.set('content-type', 'image/jpeg');`
			`upstreamRes.pipe(res);`
			`}).on('error', (e) => {`
			`console.error('Gravatar error:', e.message);`
			`return res.status(404).end();`
			`});`
			`} else if (avatar.equals(constants.AVATAR_NONE)) {`
avatar: deliver .png images this is required for mastodon atleast. if the oidc avatar url, returns an svg, it crashes! the profile pic png was created using inkspace: inkscape -w 96 -h 96 avatar-default-symbolic.svg -o avatar-default-symbolic.png 2024-10-18 22:05:52 +02:00			`if (ext) {`
			`res.sendFile(path.join(paths.DASHBOARD_DIR, '/img/avatar-default-symbolic.png'));`
			`} else {`
			`res.sendFile(path.join(paths.DASHBOARD_DIR, '/img/avatar-default-symbolic.svg'));`
			`}`
Always send images for profile 2024-01-27 22:55:10 +01:00			`} else {`
			`res.set('Content-Type', 'image/png');`
			`res.send(avatar);`
			`}`
Add support to upload custom profile avatar 2019-11-25 16:12:22 +01:00			`}`

Add profile backgroundImage api 2022-05-14 19:41:32 +02:00			`async function setBackgroundImage(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`

Allow to unset background image 2022-05-15 12:14:17 +02:00			`let backgroundImage = null;`
Add profile backgroundImage api 2022-05-14 19:41:32 +02:00
Allow to unset background image 2022-05-15 12:14:17 +02:00			`if (req.files && req.files.backgroundImage) {`
			`backgroundImage = safe.fs.readFileSync(req.files.backgroundImage.path);`
multipart: cleanup files after reading their contents one idea is just use express.raw() . however, we have to implement some file size limit there. one case this does not handle is aborted uploads from a box.service restart. for this rare case, a server reboot will clean up /tmp anyway. 2024-07-19 23:11:26 +02:00			`safe.fs.unlinkSync(req.files.backgroundImage.path);`
Allow to unset background image 2022-05-15 12:14:17 +02:00			`if (!backgroundImage) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));`
			`}`
Add profile backgroundImage api 2022-05-14 19:41:32 +02:00
			`const [error] = await safe(users.setBackgroundImage(req.user.id, backgroundImage));`
			`if (error) return next(BoxError.toHttpError(error));`

			`next(new HttpSuccess(202, {}));`
			`}`

			`async function getBackgroundImage(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`

			`const [error, backgroundImage] = await safe(users.getBackgroundImage(req.user.id));`
			`if (error) return next(BoxError.toHttpError(error));`

			`res.send(backgroundImage);`
			`}`

merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function setPassword(req, res, next) {`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`assert.strictEqual(typeof req.body, 'object');`
			`assert.strictEqual(typeof req.user, 'object');`

profile updates must be POST 2016-06-02 00:31:41 -07:00			`if (typeof req.body.newPassword !== 'string') return next(new HttpError(400, 'newPassword must be a string'));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
make auditsource a class this allows us to use AuditSource for the class and auditSource for the instances! 2021-09-30 09:50:30 -07:00			`const [error] = await safe(users.setPassword(req.user, req.body.newPassword, AuditSource.fromRequest(req)));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`next(new HttpSuccess(204));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`}`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function setTwoFactorAuthenticationSecret(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
externalldap: when using cloudron source, disable local 2fa setup 2024-01-20 11:35:27 +01:00			`const [error, result] = await safe(users.setTwoFactorAuthenticationSecret(req.user, AuditSource.fromRequest(req)));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
Fix status codes of 2fa routes 2023-09-13 21:07:07 +05:30			`next(new HttpSuccess(200, { secret: result.secret, qrcode: result.qrcode }));`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`}`

merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function enableTwoFactorAuthentication(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.body, 'object');`
			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
			`if (!req.body.totpToken \|\| typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a nonempty string'));`

externalldap: when using cloudron source, disable local 2fa setup 2024-01-20 11:35:27 +01:00			`const [error] = await safe(users.enableTwoFactorAuthentication(req.user, req.body.totpToken, AuditSource.fromRequest(req)));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Send 2fa auth status with profile info 2018-04-26 16:29:40 +02:00
Fix status codes of 2fa routes 2023-09-13 21:07:07 +05:30			`next(new HttpSuccess(204, {}));`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`}`

merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`async function disableTwoFactorAuthentication(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
externalldap: when using cloudron source, disable local 2fa setup 2024-01-20 11:35:27 +01:00			`const [error] = await safe(users.disableTwoFactorAuthentication(req.user, AuditSource.fromRequest(req)));`
merge userdb.js into users.js 2021-07-15 09:50:11 -07:00			`if (error) return next(BoxError.toHttpError(error));`
Send 2fa auth status with profile info 2018-04-26 16:29:40 +02:00
Fix status codes of 2fa routes 2023-09-13 21:07:07 +05:30			`next(new HttpSuccess(204, {}));`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`}`
notifications: per user email prefs 2024-12-11 18:24:20 +01:00
			`async function setNotificationConfig(req, res, next) {`
			`assert.strictEqual(typeof req.body, 'object');`
			`assert.strictEqual(typeof req.user, 'object');`

			`if (!Array.isArray(req.body.notificationConfig)) return next(new HttpError(400, 'notificationConfig must be an array of strings'));`
			`if (req.body.notificationConfig.some(k => typeof k !== 'string')) return next(new HttpError(400, 'notificationConfig must be an array of strings'));`

			`const [error] = await safe(users.setNotificationConfig(req.user, req.body.notificationConfig, AuditSource.fromRequest(req)));`
			`if (error) return next(BoxError.toHttpError(error));`

			`next(new HttpSuccess(204, {}));`
			`}`