[github/Chocobozzz/PeerTube.git] / server / middlewares / validators / users.ts

import * as Bluebird from 'bluebird'
import * as express from 'express'
import 'express-validator'
import { body, param } from 'express-validator/check'
import { omit } from 'lodash'
import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
import {
  isUserAdminFlagsValid,
  isUserAutoPlayVideoValid,
  isUserBlockedReasonValid,
  isUserDescriptionValid,
  isUserDisplayNameValid,
  isUserNSFWPolicyValid,
  isUserPasswordValid,
  isUserRoleValid,
  isUserUsernameValid,
  isUserVideoLanguages,
  isUserVideoQuotaDailyValid,
  isUserVideoQuotaValid,
  isUserVideosHistoryEnabledValid
} from '../../helpers/custom-validators/users'
import { logger } from '../../helpers/logger'
import { isSignupAllowed, isSignupAllowedForCurrentIP } from '../../helpers/signup'
import { Redis } from '../../lib/redis'
import { UserModel } from '../../models/account/user'
import { areValidationErrors } from './utils'
import { ActorModel } from '../../models/activitypub/actor'
import { isActorPreferredUsernameValid } from '../../helpers/custom-validators/activitypub/actor'
import { isVideoChannelNameValid } from '../../helpers/custom-validators/video-channels'
import { UserRegister } from '../../../shared/models/users/user-register.model'
import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
import { isThemeRegistered } from '../../lib/plugins/theme-utils'
import { doesVideoExist } from '../../helpers/middlewares'

const usersAddValidator = [
  body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
  body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email').isEmail().withMessage('Should have a valid email'),
  body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
  body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
  body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
  body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersAdd parameters', { parameters: omit(req.body, 'password') })

    if (areValidationErrors(req, res)) return
    if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return

    return next()
  }
]

const usersRegisterValidator = [
  body('username').custom(isUserUsernameValid).withMessage('Should have a valid username'),
  body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email').isEmail().withMessage('Should have a valid email'),
  body('displayName')
    .optional()
    .custom(isUserDisplayNameValid).withMessage('Should have a valid display name'),

  body('channel.name')
    .optional()
    .custom(isActorPreferredUsernameValid).withMessage('Should have a valid channel name'),
  body('channel.displayName')
    .optional()
    .custom(isVideoChannelNameValid).withMessage('Should have a valid display name'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersRegister parameters', { parameters: omit(req.body, 'password') })

    if (areValidationErrors(req, res)) return
    if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return

    const body: UserRegister = req.body
    if (body.channel) {
      if (!body.channel.name || !body.channel.displayName) {
        return res.status(400)
          .send({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
          .end()
      }

      if (body.channel.name === body.username) {
        return res.status(400)
                  .send({ error: 'Channel name cannot be the same than user username.' })
                  .end()
      }

      const existing = await ActorModel.loadLocalByName(body.channel.name)
      if (existing) {
        return res.status(409)
                  .send({ error: `Channel with name ${body.channel.name} already exists.` })
                  .end()
      }
    }

    return next()
  }
]

const usersRemoveValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersRemove parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    const user = res.locals.user
    if (user.username === 'root') {
      return res.status(400)
                .send({ error: 'Cannot remove the root user' })
                .end()
    }

    return next()
  }
]

const usersBlockingValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
  body('reason').optional().custom(isUserBlockedReasonValid).withMessage('Should have a valid blocking reason'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersBlocking parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    const user = res.locals.user
    if (user.username === 'root') {
      return res.status(400)
                .send({ error: 'Cannot block the root user' })
                .end()
    }

    return next()
  }
]

const deleteMeValidator = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const user = res.locals.oauth.token.User
    if (user.username === 'root') {
      return res.status(400)
                .send({ error: 'You cannot delete your root account.' })
                .end()
    }

    return next()
  }
]

const usersUpdateValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
  body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
  body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
  body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
  body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
  body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
  body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersUpdate parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    const user = res.locals.user
    if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
      return res.status(400)
        .send({ error: 'Cannot change root role.' })
        .end()
    }

    return next()
  }
]

const usersUpdateMeValidator = [
  body('displayName')
    .optional()
    .custom(isUserDisplayNameValid).withMessage('Should have a valid display name'),
  body('description')
    .optional()
    .custom(isUserDescriptionValid).withMessage('Should have a valid description'),
  body('currentPassword')
    .optional()
    .custom(isUserPasswordValid).withMessage('Should have a valid current password'),
  body('password')
    .optional()
    .custom(isUserPasswordValid).withMessage('Should have a valid password'),
  body('email')
    .optional()
    .isEmail().withMessage('Should have a valid email attribute'),
  body('nsfwPolicy')
    .optional()
    .custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'),
  body('autoPlayVideo')
    .optional()
    .custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'),
  body('videoLanguages')
    .optional()
    .custom(isUserVideoLanguages).withMessage('Should have a valid video languages attribute'),
  body('videosHistoryEnabled')
    .optional()
    .custom(isUserVideosHistoryEnabledValid).withMessage('Should have a valid videos history enabled attribute'),
  body('theme')
    .optional()
    .custom(v => isThemeNameValid(v) && isThemeRegistered(v)).withMessage('Should have a valid theme'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') })

    if (req.body.password || req.body.email) {
      if (!req.body.currentPassword) {
        return res.status(400)
                  .send({ error: 'currentPassword parameter is missing.' })
                  .end()
      }

      const user = res.locals.oauth.token.User
      if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
        return res.status(401)
                  .send({ error: 'currentPassword is invalid.' })
                  .end()
      }
    }

    if (areValidationErrors(req, res)) return

    return next()
  }
]

const usersGetValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersGet parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    return next()
  }
]

const usersVideoRatingValidator = [
  param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid video id'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersVideoRating parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await doesVideoExist(req.params.videoId, res, 'id')) return

    return next()
  }
]

const ensureUserRegistrationAllowed = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const allowed = await isSignupAllowed()
    if (allowed === false) {
      return res.status(403)
                .send({ error: 'User registration is not enabled or user limit is reached.' })
                .end()
    }

    return next()
  }
]

const ensureUserRegistrationAllowedForIP = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const allowed = isSignupAllowedForCurrentIP(req.ip)

    if (allowed === false) {
      return res.status(403)
                .send({ error: 'You are not on a network authorized for registration.' })
                .end()
    }

    return next()
  }
]

const usersAskResetPasswordValidator = [
  body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersAskResetPassword parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return

    const exists = await checkUserEmailExist(req.body.email, res, false)
    if (!exists) {
      logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
      // Do not leak our emails
      return res.status(204).end()
    }

    return next()
  }
]

const usersResetPasswordValidator = [
  param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
  body('verificationString').not().isEmpty().withMessage('Should have a valid verification string'),
  body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersResetPassword parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    const user = res.locals.user
    const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)

    if (redisVerificationString !== req.body.verificationString) {
      return res
        .status(403)
        .send({ error: 'Invalid verification string.' })
        .end()
    }

    return next()
  }
]

const usersAskSendVerifyEmailValidator = [
  body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking askUsersSendVerifyEmail parameters', { parameters: req.body })

    if (areValidationErrors(req, res)) return
    const exists = await checkUserEmailExist(req.body.email, res, false)
    if (!exists) {
      logger.debug('User with email %s does not exist (asking verify email).', req.body.email)
      // Do not leak our emails
      return res.status(204).end()
    }

    return next()
  }
]

const usersVerifyEmailValidator = [
  param('id')
    .isInt().not().isEmpty().withMessage('Should have a valid id'),

  body('verificationString')
    .not().isEmpty().withMessage('Should have a valid verification string'),
  body('isPendingEmail')
    .optional()
    .toBoolean(),

  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    logger.debug('Checking usersVerifyEmail parameters', { parameters: req.params })

    if (areValidationErrors(req, res)) return
    if (!await checkUserIdExist(req.params.id, res)) return

    const user = res.locals.user
    const redisVerificationString = await Redis.Instance.getVerifyEmailLink(user.id)

    if (redisVerificationString !== req.body.verificationString) {
      return res
        .status(403)
        .send({ error: 'Invalid verification string.' })
        .end()
    }

    return next()
  }
]

const userAutocompleteValidator = [
  param('search').isString().not().isEmpty().withMessage('Should have a search parameter')
]

const ensureAuthUserOwnsAccountValidator = [
  async (req: express.Request, res: express.Response, next: express.NextFunction) => {
    const user = res.locals.oauth.token.User

    if (res.locals.account.id !== user.Account.id) {
      return res.status(403)
                .send({ error: 'Only owner can access ratings list.' })
                .end()
    }

    return next()
  }
]

// ---------------------------------------------------------------------------

export {
  usersAddValidator,
  deleteMeValidator,
  usersRegisterValidator,
  usersBlockingValidator,
  usersRemoveValidator,
  usersUpdateValidator,
  usersUpdateMeValidator,
  usersVideoRatingValidator,
  ensureUserRegistrationAllowed,
  ensureUserRegistrationAllowedForIP,
  usersGetValidator,
  usersAskResetPasswordValidator,
  usersResetPasswordValidator,
  usersAskSendVerifyEmailValidator,
  usersVerifyEmailValidator,
  userAutocompleteValidator,
  ensureAuthUserOwnsAccountValidator
}

// ---------------------------------------------------------------------------

function checkUserIdExist (id: number, res: express.Response) {
  return checkUserExist(() => UserModel.loadById(id), res)
}

function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
  return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
}

async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
  const user = await UserModel.loadByUsernameOrEmail(username, email)

  if (user) {
    res.status(409)
              .send({ error: 'User with this username or email already exists.' })
              .end()
    return false
  }

  const actor = await ActorModel.loadLocalByName(username)
  if (actor) {
    res.status(409)
       .send({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
       .end()
    return false
  }

  return true
}

async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.Response, abortResponse = true) {
  const user = await finder()

  if (!user) {
    if (abortResponse === true) {
      res.status(404)
        .send({ error: 'User not found' })
        .end()
    }

    return false
  }

  res.locals.user = user

  return true
}
Commit	Line	Data
ecb4e35f	1	import * as Bluebird from 'bluebird'
69818c93	2	import * as express from 'express'
a2431b7d C	3	import 'express-validator'
a2431b7d C	4	import { body, param } from 'express-validator/check'
ecb4e35f	5	import { omit } from 'lodash'
3fd3ab2d	6	import { isIdOrUUIDValid } from '../../helpers/custom-validators/misc'
b60e5f38	7	import {
1eddc9a7	8	isUserAdminFlagsValid,
1a12adcd C	9	isUserAutoPlayVideoValid,
1a12adcd C	10	isUserBlockedReasonValid,
4bbfc6c6 C	11	isUserDescriptionValid,
4bbfc6c6 C	12	isUserDisplayNameValid,
0883b324	13	isUserNSFWPolicyValid,
ecb4e35f C	14	isUserPasswordValid,
ecb4e35f C	15	isUserRoleValid,
3e753302 C	16	isUserUsernameValid,
3e753302 C	17	isUserVideoLanguages,
1a12adcd	18	isUserVideoQuotaDailyValid,
dae86118 C	19	isUserVideoQuotaValid,
dae86118 C	20	isUserVideosHistoryEnabledValid
3fd3ab2d	21	} from '../../helpers/custom-validators/users'
da854ddd	22	import { logger } from '../../helpers/logger'
06215f15	23	import { isSignupAllowed, isSignupAllowedForCurrentIP } from '../../helpers/signup'
ecb4e35f	24	import { Redis } from '../../lib/redis'
3fd3ab2d	25	import { UserModel } from '../../models/account/user'
a2431b7d	26	import { areValidationErrors } from './utils'
2ef6a063	27	import { ActorModel } from '../../models/activitypub/actor'
e590b4a5 C	28	import { isActorPreferredUsernameValid } from '../../helpers/custom-validators/activitypub/actor'
e590b4a5 C	29	import { isVideoChannelNameValid } from '../../helpers/custom-validators/video-channels'
e590b4a5	30	import { UserRegister } from '../../../shared/models/users/user-register.model'
503c6f44 C	31	import { isThemeNameValid } from '../../helpers/custom-validators/plugins'
503c6f44 C	32	import { isThemeRegistered } from '../../lib/plugins/theme-utils'
3e753302	33	import { doesVideoExist } from '../../helpers/middlewares'
9bd26629	34
b60e5f38	35	const usersAddValidator = [
563d032e	36	body('username').custom(isUserUsernameValid).withMessage('Should have a valid username (lowercase alphanumeric characters)'),
b60e5f38 C	37	body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
	38	body('email').isEmail().withMessage('Should have a valid email'),
	39	body('videoQuota').custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
bee0abff	40	body('videoQuotaDaily').custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
954605a8	41	body('role').custom(isUserRoleValid).withMessage('Should have a valid role'),
1eddc9a7	42	body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
9bd26629	43
a2431b7d	44	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
ce97fe36	45	logger.debug('Checking usersAdd parameters', { parameters: omit(req.body, 'password') })
9bd26629	46
a2431b7d C	47	if (areValidationErrors(req, res)) return
	48	if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return
	49
	50	return next()
b60e5f38 C	51	}
b60e5f38 C	52	]
6fcd19ba	53
b60e5f38 C	54	const usersRegisterValidator = [
	55	body('username').custom(isUserUsernameValid).withMessage('Should have a valid username'),
	56	body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
	57	body('email').isEmail().withMessage('Should have a valid email'),
1f20622f C	58	body('displayName')
	59	.optional()
	60	.custom(isUserDisplayNameValid).withMessage('Should have a valid display name'),
	61
	62	body('channel.name')
	63	.optional()
	64	.custom(isActorPreferredUsernameValid).withMessage('Should have a valid channel name'),
	65	body('channel.displayName')
	66	.optional()
	67	.custom(isVideoChannelNameValid).withMessage('Should have a valid display name'),
77a5501f	68
a2431b7d	69	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
ce97fe36	70	logger.debug('Checking usersRegister parameters', { parameters: omit(req.body, 'password') })
77a5501f	71
a2431b7d C	72	if (areValidationErrors(req, res)) return
	73	if (!await checkUserNameOrEmailDoesNotAlreadyExist(req.body.username, req.body.email, res)) return
	74
e590b4a5 C	75	const body: UserRegister = req.body
	76	if (body.channel) {
	77	if (!body.channel.name \|\| !body.channel.displayName) {
	78	return res.status(400)
	79	.send({ error: 'Channel is optional but if you specify it, channel.name and channel.displayName are required.' })
	80	.end()
	81	}
	82
1d5342ab C	83	if (body.channel.name === body.username) {
	84	return res.status(400)
	85	.send({ error: 'Channel name cannot be the same than user username.' })
	86	.end()
	87	}
	88
e590b4a5 C	89	const existing = await ActorModel.loadLocalByName(body.channel.name)
	90	if (existing) {
	91	return res.status(409)
	92	.send({ error: `Channel with name ${body.channel.name} already exists.` })
	93	.end()
	94	}
	95	}
	96
a2431b7d	97	return next()
b60e5f38 C	98	}
b60e5f38 C	99	]
9bd26629	100
b60e5f38 C	101	const usersRemoveValidator = [
b60e5f38 C	102	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
9bd26629	103
a2431b7d	104	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38	105	logger.debug('Checking usersRemove parameters', { parameters: req.params })
9bd26629	106
a2431b7d C	107	if (areValidationErrors(req, res)) return
	108	if (!await checkUserIdExist(req.params.id, res)) return
	109
	110	const user = res.locals.user
	111	if (user.username === 'root') {
	112	return res.status(400)
	113	.send({ error: 'Cannot remove the root user' })
	114	.end()
	115	}
	116
	117	return next()
b60e5f38 C	118	}
b60e5f38 C	119	]
8094a898	120
e6921918 C	121	const usersBlockingValidator = [
e6921918 C	122	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
eacb25c4	123	body('reason').optional().custom(isUserBlockedReasonValid).withMessage('Should have a valid blocking reason'),
e6921918 C	124
e6921918 C	125	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
eacb25c4	126	logger.debug('Checking usersBlocking parameters', { parameters: req.params })
e6921918 C	127
	128	if (areValidationErrors(req, res)) return
	129	if (!await checkUserIdExist(req.params.id, res)) return
	130
	131	const user = res.locals.user
	132	if (user.username === 'root') {
	133	return res.status(400)
	134	.send({ error: 'Cannot block the root user' })
	135	.end()
	136	}
	137
	138	return next()
	139	}
	140	]
	141
92b9d60c C	142	const deleteMeValidator = [
92b9d60c C	143	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
dae86118	144	const user = res.locals.oauth.token.User
92b9d60c C	145	if (user.username === 'root') {
	146	return res.status(400)
	147	.send({ error: 'You cannot delete your root account.' })
	148	.end()
	149	}
	150
	151	return next()
	152	}
	153	]
	154
b60e5f38 C	155	const usersUpdateValidator = [
b60e5f38 C	156	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
b426edd4	157	body('password').optional().custom(isUserPasswordValid).withMessage('Should have a valid password'),
b60e5f38	158	body('email').optional().isEmail().withMessage('Should have a valid email attribute'),
fc2ec87a	159	body('emailVerified').optional().isBoolean().withMessage('Should have a valid email verified attribute'),
b60e5f38	160	body('videoQuota').optional().custom(isUserVideoQuotaValid).withMessage('Should have a valid user quota'),
bee0abff	161	body('videoQuotaDaily').optional().custom(isUserVideoQuotaDailyValid).withMessage('Should have a valid daily user quota'),
954605a8	162	body('role').optional().custom(isUserRoleValid).withMessage('Should have a valid role'),
1eddc9a7	163	body('adminFlags').optional().custom(isUserAdminFlagsValid).withMessage('Should have a valid admin flags'),
8094a898	164
a2431b7d	165	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38	166	logger.debug('Checking usersUpdate parameters', { parameters: req.body })
9bd26629	167
a2431b7d C	168	if (areValidationErrors(req, res)) return
	169	if (!await checkUserIdExist(req.params.id, res)) return
	170
f8b8c36b C	171	const user = res.locals.user
	172	if (user.username === 'root' && req.body.role !== undefined && user.role !== req.body.role) {
	173	return res.status(400)
	174	.send({ error: 'Cannot change root role.' })
	175	.end()
	176	}
	177
a2431b7d	178	return next()
b60e5f38 C	179	}
b60e5f38 C	180	]
9bd26629	181
b60e5f38	182	const usersUpdateMeValidator = [
d1ab89de C	183	body('displayName')
	184	.optional()
	185	.custom(isUserDisplayNameValid).withMessage('Should have a valid display name'),
	186	body('description')
	187	.optional()
	188	.custom(isUserDescriptionValid).withMessage('Should have a valid description'),
	189	body('currentPassword')
	190	.optional()
	191	.custom(isUserPasswordValid).withMessage('Should have a valid current password'),
	192	body('password')
	193	.optional()
	194	.custom(isUserPasswordValid).withMessage('Should have a valid password'),
	195	body('email')
	196	.optional()
	197	.isEmail().withMessage('Should have a valid email attribute'),
	198	body('nsfwPolicy')
	199	.optional()
	200	.custom(isUserNSFWPolicyValid).withMessage('Should have a valid display Not Safe For Work policy'),
	201	body('autoPlayVideo')
	202	.optional()
	203	.custom(isUserAutoPlayVideoValid).withMessage('Should have a valid automatically plays video attribute'),
3caf77d3 C	204	body('videoLanguages')
	205	.optional()
	206	.custom(isUserVideoLanguages).withMessage('Should have a valid video languages attribute'),
1a12adcd C	207	body('videosHistoryEnabled')
	208	.optional()
	209	.custom(isUserVideosHistoryEnabledValid).withMessage('Should have a valid videos history enabled attribute'),
7cd4d2ba C	210	body('theme')
7cd4d2ba C	211	.optional()
503c6f44	212	.custom(v => isThemeNameValid(v) && isThemeRegistered(v)).withMessage('Should have a valid theme'),
9bd26629	213
a890d1e0	214	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
ce97fe36	215	logger.debug('Checking usersUpdateMe parameters', { parameters: omit(req.body, 'password') })
8094a898	216
0ba5f5ba	217	if (req.body.password \|\| req.body.email) {
a890d1e0 C	218	if (!req.body.currentPassword) {
	219	return res.status(400)
	220	.send({ error: 'currentPassword parameter is missing.' })
	221	.end()
	222	}
	223
2ba92871	224	const user = res.locals.oauth.token.User
a890d1e0 C	225	if (await user.isPasswordMatch(req.body.currentPassword) !== true) {
	226	return res.status(401)
	227	.send({ error: 'currentPassword is invalid.' })
	228	.end()
	229	}
	230	}
	231
a2431b7d C	232	if (areValidationErrors(req, res)) return
	233
	234	return next()
b60e5f38 C	235	}
b60e5f38 C	236	]
8094a898	237
b60e5f38 C	238	const usersGetValidator = [
b60e5f38 C	239	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
d38b8281	240
a2431b7d	241	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
ce97fe36	242	logger.debug('Checking usersGet parameters', { parameters: req.params })
a2431b7d C	243
	244	if (areValidationErrors(req, res)) return
	245	if (!await checkUserIdExist(req.params.id, res)) return
	246
	247	return next()
b60e5f38 C	248	}
b60e5f38 C	249	]
d38b8281	250
b60e5f38	251	const usersVideoRatingValidator = [
72c7248b	252	param('videoId').custom(isIdOrUUIDValid).not().isEmpty().withMessage('Should have a valid video id'),
0a6658fd	253
a2431b7d	254	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
b60e5f38	255	logger.debug('Checking usersVideoRating parameters', { parameters: req.params })
0a6658fd	256
a2431b7d	257	if (areValidationErrors(req, res)) return
0f6acda1	258	if (!await doesVideoExist(req.params.videoId, res, 'id')) return
a2431b7d C	259
a2431b7d C	260	return next()
b60e5f38 C	261	}
	262	]
	263
	264	const ensureUserRegistrationAllowed = [
a2431b7d C	265	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	266	const allowed = await isSignupAllowed()
	267	if (allowed === false) {
	268	return res.status(403)
	269	.send({ error: 'User registration is not enabled or user limit is reached.' })
	270	.end()
	271	}
	272
	273	return next()
b60e5f38 C	274	}
b60e5f38 C	275	]
291e8d3e	276
ff2c1fe8 RK	277	const ensureUserRegistrationAllowedForIP = [
	278	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	279	const allowed = isSignupAllowedForCurrentIP(req.ip)
	280
	281	if (allowed === false) {
	282	return res.status(403)
	283	.send({ error: 'You are not on a network authorized for registration.' })
	284	.end()
	285	}
	286
	287	return next()
	288	}
	289	]
	290
ecb4e35f C	291	const usersAskResetPasswordValidator = [
	292	body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
	293
	294	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	295	logger.debug('Checking usersAskResetPassword parameters', { parameters: req.body })
	296
	297	if (areValidationErrors(req, res)) return
b426edd4	298
ecb4e35f C	299	const exists = await checkUserEmailExist(req.body.email, res, false)
	300	if (!exists) {
	301	logger.debug('User with email %s does not exist (asking reset password).', req.body.email)
	302	// Do not leak our emails
	303	return res.status(204).end()
	304	}
	305
	306	return next()
	307	}
	308	]
	309
	310	const usersResetPasswordValidator = [
	311	param('id').isInt().not().isEmpty().withMessage('Should have a valid id'),
	312	body('verificationString').not().isEmpty().withMessage('Should have a valid verification string'),
	313	body('password').custom(isUserPasswordValid).withMessage('Should have a valid password'),
	314
	315	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	316	logger.debug('Checking usersResetPassword parameters', { parameters: req.params })
	317
	318	if (areValidationErrors(req, res)) return
	319	if (!await checkUserIdExist(req.params.id, res)) return
	320
dae86118	321	const user = res.locals.user
ecb4e35f C	322	const redisVerificationString = await Redis.Instance.getResetPasswordLink(user.id)
	323
	324	if (redisVerificationString !== req.body.verificationString) {
	325	return res
	326	.status(403)
	327	.send({ error: 'Invalid verification string.' })
f076daa7	328	.end()
ecb4e35f C	329	}
	330
	331	return next()
	332	}
	333	]
	334
d9eaee39 JM	335	const usersAskSendVerifyEmailValidator = [
	336	body('email').isEmail().not().isEmpty().withMessage('Should have a valid email'),
	337
	338	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	339	logger.debug('Checking askUsersSendVerifyEmail parameters', { parameters: req.body })
	340
	341	if (areValidationErrors(req, res)) return
	342	const exists = await checkUserEmailExist(req.body.email, res, false)
	343	if (!exists) {
	344	logger.debug('User with email %s does not exist (asking verify email).', req.body.email)
	345	// Do not leak our emails
	346	return res.status(204).end()
	347	}
	348
	349	return next()
	350	}
	351	]
	352
	353	const usersVerifyEmailValidator = [
d1ab89de C	354	param('id')
	355	.isInt().not().isEmpty().withMessage('Should have a valid id'),
	356
	357	body('verificationString')
	358	.not().isEmpty().withMessage('Should have a valid verification string'),
	359	body('isPendingEmail')
	360	.optional()
	361	.toBoolean(),
d9eaee39 JM	362
	363	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	364	logger.debug('Checking usersVerifyEmail parameters', { parameters: req.params })
	365
	366	if (areValidationErrors(req, res)) return
	367	if (!await checkUserIdExist(req.params.id, res)) return
	368
dae86118	369	const user = res.locals.user
d9eaee39 JM	370	const redisVerificationString = await Redis.Instance.getVerifyEmailLink(user.id)
	371
	372	if (redisVerificationString !== req.body.verificationString) {
	373	return res
	374	.status(403)
	375	.send({ error: 'Invalid verification string.' })
	376	.end()
	377	}
	378
	379	return next()
	380	}
	381	]
	382
74d63469 GR	383	const userAutocompleteValidator = [
	384	param('search').isString().not().isEmpty().withMessage('Should have a search parameter')
	385	]
	386
c100a614 YB	387	const ensureAuthUserOwnsAccountValidator = [
	388	async (req: express.Request, res: express.Response, next: express.NextFunction) => {
	389	const user = res.locals.oauth.token.User
	390
	391	if (res.locals.account.id !== user.Account.id) {
	392	return res.status(403)
	393	.send({ error: 'Only owner can access ratings list.' })
	394	.end()
	395	}
	396
	397	return next()
	398	}
	399	]
	400
9bd26629 C	401	// ---------------------------------------------------------------------------
9bd26629 C	402
65fcc311 C	403	export {
65fcc311 C	404	usersAddValidator,
92b9d60c	405	deleteMeValidator,
77a5501f	406	usersRegisterValidator,
e6921918	407	usersBlockingValidator,
65fcc311 C	408	usersRemoveValidator,
65fcc311 C	409	usersUpdateValidator,
8094a898	410	usersUpdateMeValidator,
291e8d3e	411	usersVideoRatingValidator,
8094a898	412	ensureUserRegistrationAllowed,
ff2c1fe8	413	ensureUserRegistrationAllowedForIP,
c5911fd3	414	usersGetValidator,
ecb4e35f	415	usersAskResetPasswordValidator,
d9eaee39 JM	416	usersResetPasswordValidator,
d9eaee39 JM	417	usersAskSendVerifyEmailValidator,
74d63469	418	usersVerifyEmailValidator,
c100a614 YB	419	userAutocompleteValidator,
c100a614 YB	420	ensureAuthUserOwnsAccountValidator
8094a898 C	421	}
	422
	423	// ---------------------------------------------------------------------------
	424
ecb4e35f C	425	function checkUserIdExist (id: number, res: express.Response) {
	426	return checkUserExist(() => UserModel.loadById(id), res)
	427	}
a2431b7d	428
ecb4e35f C	429	function checkUserEmailExist (email: string, res: express.Response, abortResponse = true) {
ecb4e35f C	430	return checkUserExist(() => UserModel.loadByEmail(email), res, abortResponse)
65fcc311	431	}
77a5501f	432
a2431b7d	433	async function checkUserNameOrEmailDoesNotAlreadyExist (username: string, email: string, res: express.Response) {
3fd3ab2d	434	const user = await UserModel.loadByUsernameOrEmail(username, email)
a2431b7d C	435
	436	if (user) {
	437	res.status(409)
edf7f40a	438	.send({ error: 'User with this username or email already exists.' })
a2431b7d C	439	.end()
	440	return false
	441	}
	442
2ef6a063 C	443	const actor = await ActorModel.loadLocalByName(username)
	444	if (actor) {
	445	res.status(409)
c907c2fa	446	.send({ error: 'Another actor (account/channel) with this name on this instance already exists or has already existed.' })
2ef6a063 C	447	.end()
	448	return false
	449	}
	450
a2431b7d	451	return true
77a5501f	452	}
ecb4e35f C	453
	454	async function checkUserExist (finder: () => Bluebird<UserModel>, res: express.Response, abortResponse = true) {
	455	const user = await finder()
	456
	457	if (!user) {
	458	if (abortResponse === true) {
	459	res.status(404)
	460	.send({ error: 'User not found' })
	461	.end()
	462	}
	463
	464	return false
	465	}
	466
	467	res.locals.user = user
	468
	469	return true
	470	}