server/controllers/api/users/index.ts

   1 import * as express from 'express'
   2 import * as RateLimit from 'express-rate-limit'
   3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
   4 import { logger } from '../../../helpers/logger'
   5 import { getFormattedObjects } from '../../../helpers/utils'
   6 import { RATES_LIMIT, sequelizeTypescript, WEBSERVER } from '../../../initializers'
   7 import { Emailer } from '../../../lib/emailer'
   8 import { Redis } from '../../../lib/redis'
   9 import { createUserAccountAndChannelAndPlaylist } from '../../../lib/user'
  10 import {
  11   asyncMiddleware,
  12   asyncRetryTransactionMiddleware,
  13   authenticate,
  14   ensureUserHasRight,
  15   ensureUserRegistrationAllowed,
  16   ensureUserRegistrationAllowedForIP,
  17   paginationValidator,
  18   setDefaultPagination,
  19   setDefaultSort,
  20   token,
  21   userAutocompleteValidator,
  22   usersAddValidator,
  23   usersGetValidator,
  24   usersRegisterValidator,
  25   usersRemoveValidator,
  26   usersSortValidator,
  27   usersUpdateValidator
  28 } from '../../../middlewares'
  29 import {
  30   usersAskResetPasswordValidator,
  31   usersAskSendVerifyEmailValidator,
  32   usersBlockingValidator,
  33   usersResetPasswordValidator,
  34   usersVerifyEmailValidator
  35 } from '../../../middlewares/validators'
  36 import { UserModel } from '../../../models/account/user'
  37 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
  38 import { meRouter } from './me'
  39 import { deleteUserToken } from '../../../lib/oauth-model'
  40 import { myBlocklistRouter } from './my-blocklist'
  41 import { myVideoPlaylistsRouter } from './my-video-playlists'
  42 import { myVideosHistoryRouter } from './my-history'
  43 import { myNotificationsRouter } from './my-notifications'
  44 import { Notifier } from '../../../lib/notifier'
  45 import { mySubscriptionsRouter } from './my-subscriptions'
  46 import { CONFIG } from '../../../initializers/config'
  47
  48 const auditLogger = auditLoggerFactory('users')
  49
  50 const loginRateLimiter = new RateLimit({
  51   windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
  52   max: RATES_LIMIT.LOGIN.MAX
  53 })
  54
  55 const askSendEmailLimiter = new RateLimit({
  56   windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
  57   max: RATES_LIMIT.ASK_SEND_EMAIL.MAX
  58 })
  59
  60 const usersRouter = express.Router()
  61 usersRouter.use('/', myNotificationsRouter)
  62 usersRouter.use('/', mySubscriptionsRouter)
  63 usersRouter.use('/', myBlocklistRouter)
  64 usersRouter.use('/', myVideosHistoryRouter)
  65 usersRouter.use('/', myVideoPlaylistsRouter)
  66 usersRouter.use('/', meRouter)
  67
  68 usersRouter.get('/autocomplete',
  69   userAutocompleteValidator,
  70   asyncMiddleware(autocompleteUsers)
  71 )
  72
  73 usersRouter.get('/',
  74   authenticate,
  75   ensureUserHasRight(UserRight.MANAGE_USERS),
  76   paginationValidator,
  77   usersSortValidator,
  78   setDefaultSort,
  79   setDefaultPagination,
  80   asyncMiddleware(listUsers)
  81 )
  82
  83 usersRouter.post('/:id/block',
  84   authenticate,
  85   ensureUserHasRight(UserRight.MANAGE_USERS),
  86   asyncMiddleware(usersBlockingValidator),
  87   asyncMiddleware(blockUser)
  88 )
  89 usersRouter.post('/:id/unblock',
  90   authenticate,
  91   ensureUserHasRight(UserRight.MANAGE_USERS),
  92   asyncMiddleware(usersBlockingValidator),
  93   asyncMiddleware(unblockUser)
  94 )
  95
  96 usersRouter.get('/:id',
  97   authenticate,
  98   ensureUserHasRight(UserRight.MANAGE_USERS),
  99   asyncMiddleware(usersGetValidator),
 100   getUser
 101 )
 102
 103 usersRouter.post('/',
 104   authenticate,
 105   ensureUserHasRight(UserRight.MANAGE_USERS),
 106   asyncMiddleware(usersAddValidator),
 107   asyncRetryTransactionMiddleware(createUser)
 108 )
 109
 110 usersRouter.post('/register',
 111   asyncMiddleware(ensureUserRegistrationAllowed),
 112   ensureUserRegistrationAllowedForIP,
 113   asyncMiddleware(usersRegisterValidator),
 114   asyncRetryTransactionMiddleware(registerUser)
 115 )
 116
 117 usersRouter.put('/:id',
 118   authenticate,
 119   ensureUserHasRight(UserRight.MANAGE_USERS),
 120   asyncMiddleware(usersUpdateValidator),
 121   asyncMiddleware(updateUser)
 122 )
 123
 124 usersRouter.delete('/:id',
 125   authenticate,
 126   ensureUserHasRight(UserRight.MANAGE_USERS),
 127   asyncMiddleware(usersRemoveValidator),
 128   asyncMiddleware(removeUser)
 129 )
 130
 131 usersRouter.post('/ask-reset-password',
 132   asyncMiddleware(usersAskResetPasswordValidator),
 133   asyncMiddleware(askResetUserPassword)
 134 )
 135
 136 usersRouter.post('/:id/reset-password',
 137   asyncMiddleware(usersResetPasswordValidator),
 138   asyncMiddleware(resetUserPassword)
 139 )
 140
 141 usersRouter.post('/ask-send-verify-email',
 142   askSendEmailLimiter,
 143   asyncMiddleware(usersAskSendVerifyEmailValidator),
 144   asyncMiddleware(askSendVerifyUserEmail)
 145 )
 146
 147 usersRouter.post('/:id/verify-email',
 148   asyncMiddleware(usersVerifyEmailValidator),
 149   asyncMiddleware(verifyUserEmail)
 150 )
 151
 152 usersRouter.post('/token',
 153   loginRateLimiter,
 154   token,
 155   success
 156 )
 157 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 158
 159 // ---------------------------------------------------------------------------
 160
 161 export {
 162   usersRouter
 163 }
 164
 165 // ---------------------------------------------------------------------------
 166
 167 async function createUser (req: express.Request, res: express.Response) {
 168   const body: UserCreate = req.body
 169   const userToCreate = new UserModel({
 170     username: body.username,
 171     password: body.password,
 172     email: body.email,
 173     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 174     autoPlayVideo: true,
 175     role: body.role,
 176     videoQuota: body.videoQuota,
 177     videoQuotaDaily: body.videoQuotaDaily
 178   })
 179
 180   const { user, account } = await createUserAccountAndChannelAndPlaylist(userToCreate)
 181
 182   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 183   logger.info('User %s with its channel and account created.', body.username)
 184
 185   return res.json({
 186     user: {
 187       id: user.id,
 188       account: {
 189         id: account.id,
 190         uuid: account.Actor.uuid
 191       }
 192     }
 193   }).end()
 194 }
 195
 196 async function registerUser (req: express.Request, res: express.Response) {
 197   const body: UserCreate = req.body
 198
 199   const userToCreate = new UserModel({
 200     username: body.username,
 201     password: body.password,
 202     email: body.email,
 203     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 204     autoPlayVideo: true,
 205     role: UserRole.USER,
 206     videoQuota: CONFIG.USER.VIDEO_QUOTA,
 207     videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
 208     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
 209   })
 210
 211   const { user } = await createUserAccountAndChannelAndPlaylist(userToCreate)
 212
 213   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
 214   logger.info('User %s with its channel and account registered.', body.username)
 215
 216   if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
 217     await sendVerifyUserEmail(user)
 218   }
 219
 220   Notifier.Instance.notifyOnNewUserRegistration(user)
 221
 222   return res.type('json').status(204).end()
 223 }
 224
 225 async function unblockUser (req: express.Request, res: express.Response) {
 226   const user = res.locals.user
 227
 228   await changeUserBlock(res, user, false)
 229
 230   return res.status(204).end()
 231 }
 232
 233 async function blockUser (req: express.Request, res: express.Response) {
 234   const user = res.locals.user
 235   const reason = req.body.reason
 236
 237   await changeUserBlock(res, user, true, reason)
 238
 239   return res.status(204).end()
 240 }
 241
 242 function getUser (req: express.Request, res: express.Response) {
 243   return res.json(res.locals.user.toFormattedJSON())
 244 }
 245
 246 async function autocompleteUsers (req: express.Request, res: express.Response) {
 247   const resultList = await UserModel.autoComplete(req.query.search as string)
 248
 249   return res.json(resultList)
 250 }
 251
 252 async function listUsers (req: express.Request, res: express.Response) {
 253   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
 254
 255   return res.json(getFormattedObjects(resultList.data, resultList.total))
 256 }
 257
 258 async function removeUser (req: express.Request, res: express.Response) {
 259   const user = res.locals.user
 260
 261   await user.destroy()
 262
 263   auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 264
 265   return res.sendStatus(204)
 266 }
 267
 268 async function updateUser (req: express.Request, res: express.Response) {
 269   const body: UserUpdate = req.body
 270   const userToUpdate = res.locals.user
 271   const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
 272   const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
 273
 274   if (body.password !== undefined) userToUpdate.password = body.password
 275   if (body.email !== undefined) userToUpdate.email = body.email
 276   if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
 277   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
 278   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
 279   if (body.role !== undefined) userToUpdate.role = body.role
 280
 281   const user = await userToUpdate.save()
 282
 283   // Destroy user token to refresh rights
 284   if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
 285
 286   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 287
 288   // Don't need to send this update to followers, these attributes are not federated
 289
 290   return res.sendStatus(204)
 291 }
 292
 293 async function askResetUserPassword (req: express.Request, res: express.Response) {
 294   const user = res.locals.user
 295
 296   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
 297   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
 298   await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
 299
 300   return res.status(204).end()
 301 }
 302
 303 async function resetUserPassword (req: express.Request, res: express.Response) {
 304   const user = res.locals.user
 305   user.password = req.body.password
 306
 307   await user.save()
 308
 309   return res.status(204).end()
 310 }
 311
 312 async function sendVerifyUserEmail (user: UserModel) {
 313   const verificationString = await Redis.Instance.setVerifyEmailVerificationString(user.id)
 314   const url = WEBSERVER.URL + '/verify-account/email?userId=' + user.id + '&verificationString=' + verificationString
 315   await Emailer.Instance.addVerifyEmailJob(user.email, url)
 316   return
 317 }
 318
 319 async function askSendVerifyUserEmail (req: express.Request, res: express.Response) {
 320   const user = res.locals.user
 321
 322   await sendVerifyUserEmail(user)
 323
 324   return res.status(204).end()
 325 }
 326
 327 async function verifyUserEmail (req: express.Request, res: express.Response) {
 328   const user = res.locals.user
 329   user.emailVerified = true
 330
 331   await user.save()
 332
 333   return res.status(204).end()
 334 }
 335
 336 function success (req: express.Request, res: express.Response) {
 337   res.end()
 338 }
 339
 340 async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
 341   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 342
 343   user.blocked = block
 344   user.blockedReason = reason || null
 345
 346   await sequelizeTypescript.transaction(async t => {
 347     await deleteUserToken(user.id, t)
 348
 349     await user.save({ transaction: t })
 350   })
 351
 352   await Emailer.Instance.addUserBlockJob(user, block, reason)
 353
 354   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 355 }