src/routes/profile.js

'use strict';

exports = module.exports = {
    get: get,
    update: update,
    changePassword: changePassword,
    setTwoFactorAuthenticationSecret: setTwoFactorAuthenticationSecret,
    enableTwoFactorAuthentication: enableTwoFactorAuthentication,
    disableTwoFactorAuthentication: disableTwoFactorAuthentication
};

var assert = require('assert'),
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    user = require('../user.js'),
    UserError = user.UserError,
    _ = require('underscore');

function auditSource(req) {
    var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null;
    return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };
}

function get(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    next(new HttpSuccess(200, {
        id: req.user.id,
        username: req.user.username,
        email: req.user.email,
        fallbackEmail: req.user.fallbackEmail,
        admin: req.user.admin,
        displayName: req.user.displayName
    }));
}

function update(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');
    assert.strictEqual(typeof req.body, 'object');

    if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
    if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
    if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));

    var data = _.pick(req.body, 'email', 'fallbackEmail', 'displayName');

    user.update(req.user.id, data, auditSource(req), function (error) {
        if (error && error.reason === UserError.BAD_FIELD) return next(new HttpError(400, error.message));
        if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(204));
    });
}

function changePassword(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.user, 'object');

    if (typeof req.body.newPassword !== 'string') return next(new HttpError(400, 'newPassword must be a string'));

    user.setPassword(req.user.id, req.body.newPassword, function (error) {
        if (error && error.reason === UserError.BAD_FIELD) return next(new HttpError(400, error.message));
        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(403, 'Wrong password'));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(204));
    });
}

function setTwoFactorAuthenticationSecret(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    user.setTwoFactorAuthenticationSecret(req.user.id, function (error, result) {
        if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is enabled, disable first'));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(201, { enabled: false, secret: result.secret, qrcode: result.qrcode }));
    });
}

function enableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
    assert.strictEqual(typeof req.user, 'object');

    if (!req.body.totpToken || typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a nonempty string'));

    user.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
        if (error && error.reason === UserError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
        if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
        if (error) return next(new HttpError(500, error));
        next(new HttpSuccess(202, {}));
    });
}

function disableTwoFactorAuthentication(req, res, next) {
    assert.strictEqual(typeof req.user, 'object');

    user.disableTwoFactorAuthentication(req.user.id, function (error) {
        if (error) return next(new HttpError(500, error));
        next(new HttpSuccess(202, {}));
    });
}
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`'use strict';`

			`exports = module.exports = {`
			`get: get,`
			`update: update,`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`changePassword: changePassword,`
			`setTwoFactorAuthenticationSecret: setTwoFactorAuthenticationSecret,`
			`enableTwoFactorAuthentication: enableTwoFactorAuthentication,`
			`disableTwoFactorAuthentication: disableTwoFactorAuthentication`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`};`

			`var assert = require('assert'),`
			`HttpError = require('connect-lastmile').HttpError,`
			`HttpSuccess = require('connect-lastmile').HttpSuccess,`
			`user = require('../user.js'),`
user.update does not need the user object 2016-06-02 23:53:06 -07:00			`UserError = user.UserError,`
			`_ = require('underscore');`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
make user.remove and user.update add eventlog 2016-05-01 20:09:31 -07:00			`function auditSource(req) {`
			`var ip = req.headers['x-forwarded-for'] \|\| req.connection.remoteAddress \|\| null;`
			`return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };`
			`}`

Add specific user profile routes 2016-04-17 16:22:39 +02:00			`function get(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`

No need to again check the groups for admin 2016-06-23 13:03:39 +02:00			`next(new HttpSuccess(200, {`
			`id: req.user.id,`
			`username: req.user.username,`
			`email: req.user.email,`
Replace alternateEmail with fallbackEmail 2018-01-21 14:50:24 +01:00			`fallbackEmail: req.user.fallbackEmail,`
No need to again check the groups for admin 2016-06-23 13:03:39 +02:00			`admin: req.user.admin,`
Remove showTutorial 2017-01-17 09:07:24 -08:00			`displayName: req.user.displayName`
No need to again check the groups for admin 2016-06-23 13:03:39 +02:00			`}));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`}`

			`function update(req, res, next) {`
			`assert.strictEqual(typeof req.user, 'object');`
			`assert.strictEqual(typeof req.body, 'object');`

			`if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));`
Allow changing fallbackEmail via the profile api 2018-01-22 15:55:55 +01:00			`if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));`

Allow changing fallbackEmail via the profile api 2018-01-22 15:55:55 +01:00			`var data = _.pick(req.body, 'email', 'fallbackEmail', 'displayName');`
user.update does not need the user object 2016-06-02 23:53:06 -07:00
			`user.update(req.user.id, data, auditSource(req), function (error) {`
merge bad fields and pass error.message correctly in REST responses 2016-06-02 00:06:54 -07:00			`if (error && error.reason === UserError.BAD_FIELD) return next(new HttpError(400, error.message));`
Report user conflict message all the way through the rest routes 2016-06-02 15:41:07 +02:00			`if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, error.message));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'User not found'));`
			`if (error) return next(new HttpError(500, error));`

			`next(new HttpSuccess(204));`
			`});`
			`}`

			`function changePassword(req, res, next) {`
			`assert.strictEqual(typeof req.body, 'object');`
			`assert.strictEqual(typeof req.user, 'object');`

profile updates must be POST 2016-06-02 00:31:41 -07:00			`if (typeof req.body.newPassword !== 'string') return next(new HttpError(400, 'newPassword must be a string'));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00
Simplify the password change logic 2016-04-17 19:17:01 +02:00			`user.setPassword(req.user.id, req.body.newPassword, function (error) {`
merge bad fields and pass error.message correctly in REST responses 2016-06-02 00:06:54 -07:00			`if (error && error.reason === UserError.BAD_FIELD) return next(new HttpError(400, error.message));`
Add specific user profile routes 2016-04-17 16:22:39 +02:00			`if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(403, 'Wrong password'));`
			`if (error) return next(new HttpError(500, error));`

			`next(new HttpSuccess(204));`
			`});`
			`}`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
			`function setTwoFactorAuthenticationSecret(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`user.setTwoFactorAuthenticationSecret(req.user.id, function (error, result) {`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is enabled, disable first'));`
			`if (error) return next(new HttpError(500, error));`

			`next(new HttpSuccess(201, { enabled: false, secret: result.secret, qrcode: result.qrcode }));`
			`});`
			`}`

			`function enableTwoFactorAuthentication(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.body, 'object');`
			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
			`if (!req.body.totpToken \|\| typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a nonempty string'));`

2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`user.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {`
Handle more 2fa route errors 2018-04-26 16:14:37 +02:00			`if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(404, 'User not found'));`
			`if (error && error.reason === UserError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));`
			`if (error && error.reason === UserError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`if (error) return next(new HttpError(500, error));`
			`next(new HttpSuccess(202, {}));`
			`});`
			`}`

			`function disableTwoFactorAuthentication(req, res, next) {`
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`assert.strictEqual(typeof req.user, 'object');`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00
2fa routest work with the req.user object 2018-04-26 15:12:14 +02:00			`user.disableTwoFactorAuthentication(req.user.id, function (error) {`
Add 2fa routest and business logic 2018-04-25 19:08:15 +02:00			`if (error) return next(new HttpError(500, error));`
			`next(new HttpSuccess(202, {}));`
			`});`
			`}`