Girish Ramakrishnan
309 lines
11 KiB
JavaScript
309 lines
11 KiB
JavaScript
import assert from 'node:assert';
|
|
import AuditSource from '../auditsource.js';
|
|
import BoxError from '../boxerror.js';
|
|
import { HttpError } from '@cloudron/connect-lastmile';
|
|
import { HttpSuccess } from '@cloudron/connect-lastmile';
|
|
import oidcServer from '../oidcserver.js';
|
|
import passkeys from '../passkeys.js';
|
|
import safe from 'safetydance';
|
|
import tokens from '../tokens.js';
|
|
import userDirectory from '../user-directory.js';
|
|
import users from '../users.js';
|
|
import settings from '../settings.js';
|
|
|
|
|
|
async function canEditProfile(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error, profileConfig] = await safe(userDirectory.getProfileConfig());
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
if (profileConfig.lockUserProfiles) return next(new HttpError(403, 'admin has disallowed users from editing profiles'));
|
|
|
|
next();
|
|
}
|
|
|
|
async function get(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
next(new HttpSuccess(200, {
|
|
id: req.user.id,
|
|
username: req.user.username,
|
|
email: req.user.email,
|
|
fallbackEmail: req.user.fallbackEmail,
|
|
displayName: req.user.displayName,
|
|
twoFactorAuthenticationEnabled: req.user.twoFactorAuthenticationEnabled,
|
|
role: req.user.role,
|
|
source: req.user.source,
|
|
hasBackgroundImage: req.user.hasBackgroundImage,
|
|
hasAvatar: req.user.hasAvatar,
|
|
language: req.user.language || await settings.get(settings.LANGUAGE_KEY),
|
|
notificationConfig: req.user.notificationConfig,
|
|
}));
|
|
}
|
|
|
|
async function setEmail(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
if ('email' in req.body && typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
|
|
|
|
const [error] = await safe(users.update(req.user, { email: req.body.email }, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function setFallbackEmail(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
if ('fallbackEmail' in req.body && typeof req.body.fallbackEmail !== 'string') return next(new HttpError(400, 'fallbackEmail must be string'));
|
|
|
|
const [error] = await safe(users.update(req.user, { fallbackEmail: req.body.fallbackEmail }, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function setDisplayName(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
if ('displayName' in req.body && typeof req.body.displayName !== 'string') return next(new HttpError(400, 'displayName must be string'));
|
|
|
|
const [error] = await safe(users.update(req.user, { displayName: req.body.displayName }, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function setLanguage(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
if (typeof req.body.language !== 'string') return next(new HttpError(400, 'language must be string'));
|
|
|
|
const [error] = await safe(users.update(req.user, { language: req.body.language }, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function setAvatar(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.files, 'object');
|
|
|
|
const avatar = safe.fs.readFileSync(req.files.avatar.path);
|
|
safe.fs.unlinkSync(req.files.avatar.path);
|
|
if (!avatar) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));
|
|
|
|
const [error] = await safe(users.setAvatar(req.user, avatar));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204, {}));
|
|
}
|
|
|
|
async function unsetAvatar(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error] = await safe(users.setAvatar(req.user, null));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204, {}));
|
|
}
|
|
|
|
async function getAvatarById(req, res, next) {
|
|
assert.strictEqual(typeof req.params, 'object');
|
|
|
|
const [userError, user] = await safe(users.get(req.params.identifier));
|
|
if (userError) return next(BoxError.toHttpError(userError));
|
|
if (!user) return next(new HttpError(404, 'no avatar'));
|
|
|
|
const [avatarError, avatar] = await safe(users.getAvatar(user));
|
|
if (avatarError) return next(BoxError.toHttpError(avatarError));
|
|
if (!avatar) return next(new HttpError(404, 'no avatar'));
|
|
|
|
res.set('Content-Type', 'image/png');
|
|
res.status(200).send(avatar);
|
|
}
|
|
|
|
async function setBackgroundImage(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.files, 'object');
|
|
|
|
if (!req.files.backgroundImage) return next(new HttpError(400, 'backgroundImage must be provided'));
|
|
const backgroundImage = safe.fs.readFileSync(req.files.backgroundImage.path);
|
|
safe.fs.unlinkSync(req.files.backgroundImage.path);
|
|
if (!backgroundImage) return next(BoxError.toHttpError(new BoxError(BoxError.FS_ERROR, safe.error.message)));
|
|
|
|
const [error] = await safe(users.setBackgroundImage(req.user, backgroundImage));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(200, {}));
|
|
}
|
|
|
|
async function unsetBackgroundImage(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error] = await safe(users.setBackgroundImage(req.user, null));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(200, {}));
|
|
}
|
|
|
|
async function getBackgroundImage(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error, backgroundImage] = await safe(users.getBackgroundImage(req.user));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
if (!backgroundImage) return next(new HttpError(404, 'no background set'));
|
|
|
|
res.set('Cache-Control', 'no-cache');
|
|
res.set('Content-Type', 'image/webp');
|
|
|
|
res.status(200).send(backgroundImage);
|
|
}
|
|
|
|
async function setPassword(req, res, next) {
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
if (typeof req.body.newPassword !== 'string') return next(new HttpError(400, 'newPassword must be a string'));
|
|
|
|
const [error] = await safe(users.setPassword(req.user, req.body.newPassword, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function setTwoFactorAuthenticationSecret(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error, result] = await safe(users.setTwoFactorAuthenticationSecret(req.user, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(200, { secret: result.secret, qrcode: result.qrcode }));
|
|
}
|
|
|
|
async function enableTwoFactorAuthentication(req, res, next) {
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
if (!req.body.totpToken || typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a nonempty string'));
|
|
|
|
const [error] = await safe(users.enableTwoFactorAuthentication(req.user, req.body.totpToken, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204, {}));
|
|
}
|
|
|
|
async function disableTwoFactorAuthentication(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error] = await safe(users.disableTwoFactorAuthentication(req.user, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204, {}));
|
|
}
|
|
|
|
async function setNotificationConfig(req, res, next) {
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
if (!Array.isArray(req.body.notificationConfig)) return next(new HttpError(400, 'notificationConfig must be an array of strings'));
|
|
if (req.body.notificationConfig.some(k => typeof k !== 'string')) return next(new HttpError(400, 'notificationConfig must be an array of strings'));
|
|
|
|
const [error] = await safe(users.setNotificationConfig(req.user, req.body.notificationConfig, AuditSource.fromRequest(req)));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204, {}));
|
|
}
|
|
|
|
async function destroyUserSession(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error] = await safe(oidcServer.revokeByUsername(req.user.username));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
await safe(tokens.del(req.token.id));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
async function getPasskey(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error, result] = await safe(passkeys.listByUserId(req.user.id));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
// Only one passkey per user - return first one or null
|
|
const passkey = result.length > 0 ? passkeys.removePrivateFields(result[0]) : null;
|
|
next(new HttpSuccess(200, { passkey }));
|
|
}
|
|
|
|
async function getPasskeyRegistrationOptions(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
const [error, options] = await safe(passkeys.getRegistrationOptions(req.user));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(200, options));
|
|
}
|
|
|
|
async function registerPasskey(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
assert.strictEqual(typeof req.body, 'object');
|
|
|
|
if (!req.body.credential || typeof req.body.credential !== 'object') return next(new HttpError(400, 'credential must be an object'));
|
|
if (req.body.name && typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be a string'));
|
|
|
|
const name = req.body.name || 'Passkey';
|
|
|
|
const [error, result] = await safe(passkeys.verifyRegistration(req.user, req.body.credential, name));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(201, { id: result.id }));
|
|
}
|
|
|
|
async function deletePasskey(req, res, next) {
|
|
assert.strictEqual(typeof req.user, 'object');
|
|
|
|
// Get the user's passkey (only one allowed)
|
|
const [listError, result] = await safe(passkeys.listByUserId(req.user.id));
|
|
if (listError) return next(BoxError.toHttpError(listError));
|
|
|
|
if (result.length === 0) return next(new HttpError(404, 'No passkey registered'));
|
|
|
|
const [error] = await safe(passkeys.del(result[0].id));
|
|
if (error) return next(BoxError.toHttpError(error));
|
|
|
|
next(new HttpSuccess(204));
|
|
}
|
|
|
|
export default {
|
|
canEditProfile,
|
|
get,
|
|
setDisplayName,
|
|
setEmail,
|
|
setFallbackEmail,
|
|
getAvatarById,
|
|
setAvatar,
|
|
unsetAvatar,
|
|
setLanguage,
|
|
getBackgroundImage,
|
|
setBackgroundImage,
|
|
unsetBackgroundImage,
|
|
setPassword,
|
|
setTwoFactorAuthenticationSecret,
|
|
enableTwoFactorAuthentication,
|
|
disableTwoFactorAuthentication,
|
|
setNotificationConfig,
|
|
destroyUserSession,
|
|
getPasskey,
|
|
getPasskeyRegistrationOptions,
|
|
registerPasskey,
|
|
deletePasskey
|
|
};
|