1 import * as express from 'express'
2 import * as RateLimit from 'express-rate-limit'
3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
4 import { logger } from '../../../helpers/logger'
5 import { getFormattedObjects } from '../../../helpers/utils'
6 import { CONFIG, RATES_LIMIT, sequelizeTypescript } from '../../../initializers'
7 import { Emailer } from '../../../lib/emailer'
8 import { Redis } from '../../../lib/redis'
9 import { createUserAccountAndChannel } from '../../../lib/user'
12 asyncRetryTransactionMiddleware,
15 ensureUserRegistrationAllowed,
16 ensureUserRegistrationAllowedForIP,
21 userAutocompleteValidator,
24 usersRegisterValidator,
28 } from '../../../middlewares'
30 usersAskResetPasswordValidator,
31 usersAskSendVerifyEmailValidator,
32 usersBlockingValidator,
33 usersResetPasswordValidator,
34 usersVerifyEmailValidator
35 } from '../../../middlewares/validators'
36 import { UserModel } from '../../../models/account/user'
37 import { OAuthTokenModel } from '../../../models/oauth/oauth-token'
38 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
39 import { meRouter } from './me'
40 import { deleteUserToken } from '../../../lib/oauth-model'
42 const auditLogger = auditLoggerFactory('users')
44 const loginRateLimiter = new RateLimit({
45 windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
46 max: RATES_LIMIT.LOGIN.MAX,
50 const askSendEmailLimiter = new RateLimit({
51 windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
52 max: RATES_LIMIT.ASK_SEND_EMAIL.MAX,
56 const usersRouter = express.Router()
57 usersRouter.use('/', meRouter)
59 usersRouter.get('/autocomplete',
60 userAutocompleteValidator,
61 asyncMiddleware(autocompleteUsers)
66 ensureUserHasRight(UserRight.MANAGE_USERS),
71 asyncMiddleware(listUsers)
74 usersRouter.post('/:id/block',
76 ensureUserHasRight(UserRight.MANAGE_USERS),
77 asyncMiddleware(usersBlockingValidator),
78 asyncMiddleware(blockUser)
80 usersRouter.post('/:id/unblock',
82 ensureUserHasRight(UserRight.MANAGE_USERS),
83 asyncMiddleware(usersBlockingValidator),
84 asyncMiddleware(unblockUser)
87 usersRouter.get('/:id',
89 ensureUserHasRight(UserRight.MANAGE_USERS),
90 asyncMiddleware(usersGetValidator),
96 ensureUserHasRight(UserRight.MANAGE_USERS),
97 asyncMiddleware(usersAddValidator),
98 asyncRetryTransactionMiddleware(createUser)
101 usersRouter.post('/register',
102 asyncMiddleware(ensureUserRegistrationAllowed),
103 ensureUserRegistrationAllowedForIP,
104 asyncMiddleware(usersRegisterValidator),
105 asyncRetryTransactionMiddleware(registerUser)
108 usersRouter.put('/:id',
110 ensureUserHasRight(UserRight.MANAGE_USERS),
111 asyncMiddleware(usersUpdateValidator),
112 asyncMiddleware(updateUser)
115 usersRouter.delete('/:id',
117 ensureUserHasRight(UserRight.MANAGE_USERS),
118 asyncMiddleware(usersRemoveValidator),
119 asyncMiddleware(removeUser)
122 usersRouter.post('/ask-reset-password',
123 asyncMiddleware(usersAskResetPasswordValidator),
124 asyncMiddleware(askResetUserPassword)
127 usersRouter.post('/:id/reset-password',
128 asyncMiddleware(usersResetPasswordValidator),
129 asyncMiddleware(resetUserPassword)
132 usersRouter.post('/ask-send-verify-email',
134 asyncMiddleware(usersAskSendVerifyEmailValidator),
135 asyncMiddleware(askSendVerifyUserEmail)
138 usersRouter.post('/:id/verify-email',
139 asyncMiddleware(usersVerifyEmailValidator),
140 asyncMiddleware(verifyUserEmail)
143 usersRouter.post('/token',
148 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
150 // ---------------------------------------------------------------------------
156 // ---------------------------------------------------------------------------
158 async function createUser (req: express.Request, res: express.Response) {
159 const body: UserCreate = req.body
160 const userToCreate = new UserModel({
161 username: body.username,
162 password: body.password,
164 nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
167 videoQuota: body.videoQuota,
168 videoQuotaDaily: body.videoQuotaDaily
171 const { user, account } = await createUserAccountAndChannel(userToCreate)
173 auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
174 logger.info('User %s with its channel and account created.', body.username)
181 uuid: account.Actor.uuid
187 async function registerUser (req: express.Request, res: express.Response) {
188 const body: UserCreate = req.body
190 const userToCreate = new UserModel({
191 username: body.username,
192 password: body.password,
194 nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
197 videoQuota: CONFIG.USER.VIDEO_QUOTA,
198 videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
199 emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
202 const { user } = await createUserAccountAndChannel(userToCreate)
204 auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
205 logger.info('User %s with its channel and account registered.', body.username)
207 if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
208 await sendVerifyUserEmail(user)
211 return res.type('json').status(204).end()
214 async function unblockUser (req: express.Request, res: express.Response, next: express.NextFunction) {
215 const user: UserModel = res.locals.user
217 await changeUserBlock(res, user, false)
219 return res.status(204).end()
222 async function blockUser (req: express.Request, res: express.Response, next: express.NextFunction) {
223 const user: UserModel = res.locals.user
224 const reason = req.body.reason
226 await changeUserBlock(res, user, true, reason)
228 return res.status(204).end()
231 function getUser (req: express.Request, res: express.Response, next: express.NextFunction) {
232 return res.json((res.locals.user as UserModel).toFormattedJSON())
235 async function autocompleteUsers (req: express.Request, res: express.Response, next: express.NextFunction) {
236 const resultList = await UserModel.autoComplete(req.query.search as string)
238 return res.json(resultList)
241 async function listUsers (req: express.Request, res: express.Response, next: express.NextFunction) {
242 const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort)
244 return res.json(getFormattedObjects(resultList.data, resultList.total))
247 async function removeUser (req: express.Request, res: express.Response, next: express.NextFunction) {
248 const user: UserModel = res.locals.user
252 auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
254 return res.sendStatus(204)
257 async function updateUser (req: express.Request, res: express.Response, next: express.NextFunction) {
258 const body: UserUpdate = req.body
259 const userToUpdate = res.locals.user as UserModel
260 const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
261 const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
263 if (body.email !== undefined) userToUpdate.email = body.email
264 if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
265 if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
266 if (body.role !== undefined) userToUpdate.role = body.role
268 const user = await userToUpdate.save()
270 // Destroy user token to refresh rights
271 if (roleChanged) await deleteUserToken(userToUpdate.id)
273 auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
275 // Don't need to send this update to followers, these attributes are not propagated
277 return res.sendStatus(204)
280 async function askResetUserPassword (req: express.Request, res: express.Response, next: express.NextFunction) {
281 const user = res.locals.user as UserModel
283 const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
284 const url = CONFIG.WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
285 await Emailer.Instance.addForgetPasswordEmailJob(user.email, url)
287 return res.status(204).end()
290 async function resetUserPassword (req: express.Request, res: express.Response, next: express.NextFunction) {
291 const user = res.locals.user as UserModel
292 user.password = req.body.password
296 return res.status(204).end()
299 async function sendVerifyUserEmail (user: UserModel) {
300 const verificationString = await Redis.Instance.setVerifyEmailVerificationString(user.id)
301 const url = CONFIG.WEBSERVER.URL + '/verify-account/email?userId=' + user.id + '&verificationString=' + verificationString
302 await Emailer.Instance.addVerifyEmailJob(user.email, url)
306 async function askSendVerifyUserEmail (req: express.Request, res: express.Response, next: express.NextFunction) {
307 const user = res.locals.user as UserModel
309 await sendVerifyUserEmail(user)
311 return res.status(204).end()
314 async function verifyUserEmail (req: express.Request, res: express.Response, next: express.NextFunction) {
315 const user = res.locals.user as UserModel
316 user.emailVerified = true
320 return res.status(204).end()
323 function success (req: express.Request, res: express.Response, next: express.NextFunction) {
327 async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
328 const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
331 user.blockedReason = reason || null
333 await sequelizeTypescript.transaction(async t => {
334 await deleteUserToken(user.id, t)
336 await user.save({ transaction: t })
339 await Emailer.Instance.addUserBlockJob(user, block, reason)
341 auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)