server/controllers/api/users/index.ts

   1 import * as express from 'express'
   2 import * as RateLimit from 'express-rate-limit'
   3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
   4 import { logger } from '../../../helpers/logger'
   5 import { getFormattedObjects } from '../../../helpers/utils'
   6 import { WEBSERVER } from '../../../initializers/constants'
   7 import { Emailer } from '../../../lib/emailer'
   8 import { Redis } from '../../../lib/redis'
   9 import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
  10 import {
  11   asyncMiddleware,
  12   asyncRetryTransactionMiddleware,
  13   authenticate,
  14   ensureUserHasRight,
  15   ensureUserRegistrationAllowed,
  16   ensureUserRegistrationAllowedForIP,
  17   paginationValidator,
  18   setDefaultPagination,
  19   setDefaultSort,
  20   token,
  21   userAutocompleteValidator,
  22   usersAddValidator,
  23   usersGetValidator,
  24   usersRegisterValidator,
  25   usersRemoveValidator,
  26   usersSortValidator,
  27   usersUpdateValidator
  28 } from '../../../middlewares'
  29 import {
  30   usersAskResetPasswordValidator,
  31   usersAskSendVerifyEmailValidator,
  32   usersBlockingValidator,
  33   usersResetPasswordValidator,
  34   usersVerifyEmailValidator
  35 } from '../../../middlewares/validators'
  36 import { UserModel } from '../../../models/account/user'
  37 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
  38 import { meRouter } from './me'
  39 import { deleteUserToken } from '../../../lib/oauth-model'
  40 import { myBlocklistRouter } from './my-blocklist'
  41 import { myVideoPlaylistsRouter } from './my-video-playlists'
  42 import { myVideosHistoryRouter } from './my-history'
  43 import { myNotificationsRouter } from './my-notifications'
  44 import { Notifier } from '../../../lib/notifier'
  45 import { mySubscriptionsRouter } from './my-subscriptions'
  46 import { CONFIG } from '../../../initializers/config'
  47 import { sequelizeTypescript } from '../../../initializers/database'
  48 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
  49 import { UserRegister } from '../../../../shared/models/users/user-register.model'
  50
  51 const auditLogger = auditLoggerFactory('users')
  52
  53 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
  54 // @ts-ignore
  55 const loginRateLimiter = RateLimit({
  56   windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  57   max: CONFIG.RATES_LIMIT.LOGIN.MAX
  58 })
  59
  60 // @ts-ignore
  61 const signupRateLimiter = RateLimit({
  62   windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
  63   max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
  64   skipFailedRequests: true
  65 })
  66
  67 // @ts-ignore
  68 const askSendEmailLimiter = new RateLimit({
  69   windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
  70   max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
  71 })
  72
  73 const usersRouter = express.Router()
  74 usersRouter.use('/', myNotificationsRouter)
  75 usersRouter.use('/', mySubscriptionsRouter)
  76 usersRouter.use('/', myBlocklistRouter)
  77 usersRouter.use('/', myVideosHistoryRouter)
  78 usersRouter.use('/', myVideoPlaylistsRouter)
  79 usersRouter.use('/', meRouter)
  80
  81 usersRouter.get('/autocomplete',
  82   userAutocompleteValidator,
  83   asyncMiddleware(autocompleteUsers)
  84 )
  85
  86 usersRouter.get('/',
  87   authenticate,
  88   ensureUserHasRight(UserRight.MANAGE_USERS),
  89   paginationValidator,
  90   usersSortValidator,
  91   setDefaultSort,
  92   setDefaultPagination,
  93   asyncMiddleware(listUsers)
  94 )
  95
  96 usersRouter.post('/:id/block',
  97   authenticate,
  98   ensureUserHasRight(UserRight.MANAGE_USERS),
  99   asyncMiddleware(usersBlockingValidator),
 100   asyncMiddleware(blockUser)
 101 )
 102 usersRouter.post('/:id/unblock',
 103   authenticate,
 104   ensureUserHasRight(UserRight.MANAGE_USERS),
 105   asyncMiddleware(usersBlockingValidator),
 106   asyncMiddleware(unblockUser)
 107 )
 108
 109 usersRouter.get('/:id',
 110   authenticate,
 111   ensureUserHasRight(UserRight.MANAGE_USERS),
 112   asyncMiddleware(usersGetValidator),
 113   getUser
 114 )
 115
 116 usersRouter.post('/',
 117   authenticate,
 118   ensureUserHasRight(UserRight.MANAGE_USERS),
 119   asyncMiddleware(usersAddValidator),
 120   asyncRetryTransactionMiddleware(createUser)
 121 )
 122
 123 usersRouter.post('/register',
 124   signupRateLimiter,
 125   asyncMiddleware(ensureUserRegistrationAllowed),
 126   ensureUserRegistrationAllowedForIP,
 127   asyncMiddleware(usersRegisterValidator),
 128   asyncRetryTransactionMiddleware(registerUser)
 129 )
 130
 131 usersRouter.put('/:id',
 132   authenticate,
 133   ensureUserHasRight(UserRight.MANAGE_USERS),
 134   asyncMiddleware(usersUpdateValidator),
 135   asyncMiddleware(updateUser)
 136 )
 137
 138 usersRouter.delete('/:id',
 139   authenticate,
 140   ensureUserHasRight(UserRight.MANAGE_USERS),
 141   asyncMiddleware(usersRemoveValidator),
 142   asyncMiddleware(removeUser)
 143 )
 144
 145 usersRouter.post('/ask-reset-password',
 146   asyncMiddleware(usersAskResetPasswordValidator),
 147   asyncMiddleware(askResetUserPassword)
 148 )
 149
 150 usersRouter.post('/:id/reset-password',
 151   asyncMiddleware(usersResetPasswordValidator),
 152   asyncMiddleware(resetUserPassword)
 153 )
 154
 155 usersRouter.post('/ask-send-verify-email',
 156   askSendEmailLimiter,
 157   asyncMiddleware(usersAskSendVerifyEmailValidator),
 158   asyncMiddleware(reSendVerifyUserEmail)
 159 )
 160
 161 usersRouter.post('/:id/verify-email',
 162   asyncMiddleware(usersVerifyEmailValidator),
 163   asyncMiddleware(verifyUserEmail)
 164 )
 165
 166 usersRouter.post('/token',
 167   loginRateLimiter,
 168   token,
 169   success
 170 )
 171 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 172
 173 // ---------------------------------------------------------------------------
 174
 175 export {
 176   usersRouter
 177 }
 178
 179 // ---------------------------------------------------------------------------
 180
 181 async function createUser (req: express.Request, res: express.Response) {
 182   const body: UserCreate = req.body
 183   const userToCreate = new UserModel({
 184     username: body.username,
 185     password: body.password,
 186     email: body.email,
 187     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 188     autoPlayVideo: true,
 189     role: body.role,
 190     videoQuota: body.videoQuota,
 191     videoQuotaDaily: body.videoQuotaDaily,
 192     adminFlags: body.adminFlags || UserAdminFlag.NONE
 193   })
 194
 195   const { user, account } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 196
 197   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 198   logger.info('User %s with its channel and account created.', body.username)
 199
 200   return res.json({
 201     user: {
 202       id: user.id,
 203       account: {
 204         id: account.id
 205       }
 206     }
 207   }).end()
 208 }
 209
 210 async function registerUser (req: express.Request, res: express.Response) {
 211   const body: UserRegister = req.body
 212
 213   const userToCreate = new UserModel({
 214     username: body.username,
 215     password: body.password,
 216     email: body.email,
 217     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 218     autoPlayVideo: true,
 219     role: UserRole.USER,
 220     videoQuota: CONFIG.USER.VIDEO_QUOTA,
 221     videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
 222     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
 223   })
 224
 225   const { user } = await createUserAccountAndChannelAndPlaylist({
 226     userToCreate: userToCreate,
 227     userDisplayName: body.displayName || undefined,
 228     channelNames: body.channel
 229   })
 230
 231   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
 232   logger.info('User %s with its channel and account registered.', body.username)
 233
 234   if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
 235     await sendVerifyUserEmail(user)
 236   }
 237
 238   Notifier.Instance.notifyOnNewUserRegistration(user)
 239
 240   return res.type('json').status(204).end()
 241 }
 242
 243 async function unblockUser (req: express.Request, res: express.Response) {
 244   const user = res.locals.user
 245
 246   await changeUserBlock(res, user, false)
 247
 248   return res.status(204).end()
 249 }
 250
 251 async function blockUser (req: express.Request, res: express.Response) {
 252   const user = res.locals.user
 253   const reason = req.body.reason
 254
 255   await changeUserBlock(res, user, true, reason)
 256
 257   return res.status(204).end()
 258 }
 259
 260 function getUser (req: express.Request, res: express.Response) {
 261   return res.json(res.locals.user.toFormattedJSON({ withAdminFlags: true }))
 262 }
 263
 264 async function autocompleteUsers (req: express.Request, res: express.Response) {
 265   const resultList = await UserModel.autoComplete(req.query.search as string)
 266
 267   return res.json(resultList)
 268 }
 269
 270 async function listUsers (req: express.Request, res: express.Response) {
 271   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
 272
 273   return res.json(getFormattedObjects(resultList.data, resultList.total, { withAdminFlags: true }))
 274 }
 275
 276 async function removeUser (req: express.Request, res: express.Response) {
 277   const user = res.locals.user
 278
 279   await user.destroy()
 280
 281   auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 282
 283   return res.sendStatus(204)
 284 }
 285
 286 async function updateUser (req: express.Request, res: express.Response) {
 287   const body: UserUpdate = req.body
 288   const userToUpdate = res.locals.user
 289   const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
 290   const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
 291
 292   if (body.password !== undefined) userToUpdate.password = body.password
 293   if (body.email !== undefined) userToUpdate.email = body.email
 294   if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
 295   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
 296   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
 297   if (body.role !== undefined) userToUpdate.role = body.role
 298   if (body.adminFlags !== undefined) userToUpdate.adminFlags = body.adminFlags
 299
 300   const user = await userToUpdate.save()
 301
 302   // Destroy user token to refresh rights
 303   if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
 304
 305   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 306
 307   // Don't need to send this update to followers, these attributes are not federated
 308
 309   return res.sendStatus(204)
 310 }
 311
 312 async function askResetUserPassword (req: express.Request, res: express.Response) {
 313   const user = res.locals.user
 314
 315   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
 316   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
 317   await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
 318
 319   return res.status(204).end()
 320 }
 321
 322 async function resetUserPassword (req: express.Request, res: express.Response) {
 323   const user = res.locals.user
 324   user.password = req.body.password
 325
 326   await user.save()
 327
 328   return res.status(204).end()
 329 }
 330
 331 async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
 332   const user = res.locals.user
 333
 334   await sendVerifyUserEmail(user)
 335
 336   return res.status(204).end()
 337 }
 338
 339 async function verifyUserEmail (req: express.Request, res: express.Response) {
 340   const user = res.locals.user
 341   user.emailVerified = true
 342
 343   if (req.body.isPendingEmail === true) {
 344     user.email = user.pendingEmail
 345     user.pendingEmail = null
 346   }
 347
 348   await user.save()
 349
 350   return res.status(204).end()
 351 }
 352
 353 function success (req: express.Request, res: express.Response) {
 354   res.end()
 355 }
 356
 357 async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
 358   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 359
 360   user.blocked = block
 361   user.blockedReason = reason || null
 362
 363   await sequelizeTypescript.transaction(async t => {
 364     await deleteUserToken(user.id, t)
 365
 366     await user.save({ transaction: t })
 367   })
 368
 369   await Emailer.Instance.addUserBlockJob(user, block, reason)
 370
 371   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 372 }