server/controllers/api/users/index.ts

   1 import * as express from 'express'
   2 import * as RateLimit from 'express-rate-limit'
   3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
   4 import { logger } from '../../../helpers/logger'
   5 import { getFormattedObjects } from '../../../helpers/utils'
   6 import { WEBSERVER } from '../../../initializers/constants'
   7 import { Emailer } from '../../../lib/emailer'
   8 import { Redis } from '../../../lib/redis'
   9 import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
  10 import {
  11   asyncMiddleware,
  12   asyncRetryTransactionMiddleware,
  13   authenticate,
  14   ensureUserHasRight,
  15   ensureUserRegistrationAllowed,
  16   ensureUserRegistrationAllowedForIP,
  17   paginationValidator,
  18   setDefaultPagination,
  19   setDefaultSort,
  20   token,
  21   userAutocompleteValidator,
  22   usersAddValidator,
  23   usersGetValidator,
  24   usersRegisterValidator,
  25   usersRemoveValidator,
  26   usersSortValidator,
  27   usersUpdateValidator
  28 } from '../../../middlewares'
  29 import {
  30   usersAskResetPasswordValidator,
  31   usersAskSendVerifyEmailValidator,
  32   usersBlockingValidator,
  33   usersResetPasswordValidator,
  34   usersVerifyEmailValidator,
  35   ensureCanManageUser
  36 } from '../../../middlewares/validators'
  37 import { UserModel } from '../../../models/account/user'
  38 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
  39 import { meRouter } from './me'
  40 import { deleteUserToken } from '../../../lib/oauth-model'
  41 import { myBlocklistRouter } from './my-blocklist'
  42 import { myVideoPlaylistsRouter } from './my-video-playlists'
  43 import { myVideosHistoryRouter } from './my-history'
  44 import { myNotificationsRouter } from './my-notifications'
  45 import { Notifier } from '../../../lib/notifier'
  46 import { mySubscriptionsRouter } from './my-subscriptions'
  47 import { CONFIG } from '../../../initializers/config'
  48 import { sequelizeTypescript } from '../../../initializers/database'
  49 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
  50 import { UserRegister } from '../../../../shared/models/users/user-register.model'
  51 import { MUser, MUserAccountDefault } from '@server/typings/models'
  52 import { Hooks } from '@server/lib/plugins/hooks'
  53
  54 const auditLogger = auditLoggerFactory('users')
  55
  56 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
  57 // @ts-ignore
  58 const loginRateLimiter = RateLimit({
  59   windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  60   max: CONFIG.RATES_LIMIT.LOGIN.MAX
  61 })
  62
  63 // @ts-ignore
  64 const signupRateLimiter = RateLimit({
  65   windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
  66   max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
  67   skipFailedRequests: true
  68 })
  69
  70 // @ts-ignore
  71 const askSendEmailLimiter = new RateLimit({
  72   windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
  73   max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
  74 })
  75
  76 const usersRouter = express.Router()
  77 usersRouter.use('/', myNotificationsRouter)
  78 usersRouter.use('/', mySubscriptionsRouter)
  79 usersRouter.use('/', myBlocklistRouter)
  80 usersRouter.use('/', myVideosHistoryRouter)
  81 usersRouter.use('/', myVideoPlaylistsRouter)
  82 usersRouter.use('/', meRouter)
  83
  84 usersRouter.get('/autocomplete',
  85   userAutocompleteValidator,
  86   asyncMiddleware(autocompleteUsers)
  87 )
  88
  89 usersRouter.get('/',
  90   authenticate,
  91   ensureUserHasRight(UserRight.MANAGE_USERS),
  92   paginationValidator,
  93   usersSortValidator,
  94   setDefaultSort,
  95   setDefaultPagination,
  96   asyncMiddleware(listUsers)
  97 )
  98
  99 usersRouter.post('/:id/block',
 100   authenticate,
 101   ensureUserHasRight(UserRight.MANAGE_USERS),
 102   asyncMiddleware(usersBlockingValidator),
 103   ensureCanManageUser,
 104   asyncMiddleware(blockUser)
 105 )
 106 usersRouter.post('/:id/unblock',
 107   authenticate,
 108   ensureUserHasRight(UserRight.MANAGE_USERS),
 109   asyncMiddleware(usersBlockingValidator),
 110   ensureCanManageUser,
 111   asyncMiddleware(unblockUser)
 112 )
 113
 114 usersRouter.get('/:id',
 115   authenticate,
 116   ensureUserHasRight(UserRight.MANAGE_USERS),
 117   asyncMiddleware(usersGetValidator),
 118   getUser
 119 )
 120
 121 usersRouter.post('/',
 122   authenticate,
 123   ensureUserHasRight(UserRight.MANAGE_USERS),
 124   asyncMiddleware(usersAddValidator),
 125   asyncRetryTransactionMiddleware(createUser)
 126 )
 127
 128 usersRouter.post('/register',
 129   signupRateLimiter,
 130   asyncMiddleware(ensureUserRegistrationAllowed),
 131   ensureUserRegistrationAllowedForIP,
 132   asyncMiddleware(usersRegisterValidator),
 133   asyncRetryTransactionMiddleware(registerUser)
 134 )
 135
 136 usersRouter.put('/:id',
 137   authenticate,
 138   ensureUserHasRight(UserRight.MANAGE_USERS),
 139   asyncMiddleware(usersUpdateValidator),
 140   ensureCanManageUser,
 141   asyncMiddleware(updateUser)
 142 )
 143
 144 usersRouter.delete('/:id',
 145   authenticate,
 146   ensureUserHasRight(UserRight.MANAGE_USERS),
 147   asyncMiddleware(usersRemoveValidator),
 148   ensureCanManageUser,
 149   asyncMiddleware(removeUser)
 150 )
 151
 152 usersRouter.post('/ask-reset-password',
 153   asyncMiddleware(usersAskResetPasswordValidator),
 154   asyncMiddleware(askResetUserPassword)
 155 )
 156
 157 usersRouter.post('/:id/reset-password',
 158   asyncMiddleware(usersResetPasswordValidator),
 159   asyncMiddleware(resetUserPassword)
 160 )
 161
 162 usersRouter.post('/ask-send-verify-email',
 163   askSendEmailLimiter,
 164   asyncMiddleware(usersAskSendVerifyEmailValidator),
 165   asyncMiddleware(reSendVerifyUserEmail)
 166 )
 167
 168 usersRouter.post('/:id/verify-email',
 169   asyncMiddleware(usersVerifyEmailValidator),
 170   asyncMiddleware(verifyUserEmail)
 171 )
 172
 173 usersRouter.post('/token',
 174   loginRateLimiter,
 175   token,
 176   tokenSuccess
 177 )
 178 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 179
 180 // ---------------------------------------------------------------------------
 181
 182 export {
 183   usersRouter
 184 }
 185
 186 // ---------------------------------------------------------------------------
 187
 188 async function createUser (req: express.Request, res: express.Response) {
 189   const body: UserCreate = req.body
 190   const userToCreate = new UserModel({
 191     username: body.username,
 192     password: body.password,
 193     email: body.email,
 194     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 195     autoPlayVideo: true,
 196     role: body.role,
 197     videoQuota: body.videoQuota,
 198     videoQuotaDaily: body.videoQuotaDaily,
 199     adminFlags: body.adminFlags || UserAdminFlag.NONE
 200   }) as MUser
 201
 202   const { user, account, videoChannel } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 203
 204   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 205   logger.info('User %s with its channel and account created.', body.username)
 206
 207   Hooks.runAction('action:api.user.created', { body, user, account, videoChannel })
 208
 209   return res.json({
 210     user: {
 211       id: user.id,
 212       account: {
 213         id: account.id
 214       }
 215     }
 216   }).end()
 217 }
 218
 219 async function registerUser (req: express.Request, res: express.Response) {
 220   const body: UserRegister = req.body
 221
 222   const userToCreate = new UserModel({
 223     username: body.username,
 224     password: body.password,
 225     email: body.email,
 226     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 227     autoPlayVideo: true,
 228     role: UserRole.USER,
 229     videoQuota: CONFIG.USER.VIDEO_QUOTA,
 230     videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
 231     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
 232   })
 233
 234   const { user, account, videoChannel } = await createUserAccountAndChannelAndPlaylist({
 235     userToCreate: userToCreate,
 236     userDisplayName: body.displayName || undefined,
 237     channelNames: body.channel
 238   })
 239
 240   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
 241   logger.info('User %s with its channel and account registered.', body.username)
 242
 243   if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
 244     await sendVerifyUserEmail(user)
 245   }
 246
 247   Notifier.Instance.notifyOnNewUserRegistration(user)
 248
 249   Hooks.runAction('action:api.user.registered', { body, user, account, videoChannel })
 250
 251   return res.type('json').status(204).end()
 252 }
 253
 254 async function unblockUser (req: express.Request, res: express.Response) {
 255   const user = res.locals.user
 256
 257   await changeUserBlock(res, user, false)
 258
 259   Hooks.runAction('action:api.user.unblocked', { user })
 260
 261   return res.status(204).end()
 262 }
 263
 264 async function blockUser (req: express.Request, res: express.Response) {
 265   const user = res.locals.user
 266   const reason = req.body.reason
 267
 268   await changeUserBlock(res, user, true, reason)
 269
 270   Hooks.runAction('action:api.user.blocked', { user })
 271
 272   return res.status(204).end()
 273 }
 274
 275 function getUser (req: express.Request, res: express.Response) {
 276   return res.json(res.locals.user.toFormattedJSON({ withAdminFlags: true }))
 277 }
 278
 279 async function autocompleteUsers (req: express.Request, res: express.Response) {
 280   const resultList = await UserModel.autoComplete(req.query.search as string)
 281
 282   return res.json(resultList)
 283 }
 284
 285 async function listUsers (req: express.Request, res: express.Response) {
 286   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
 287
 288   return res.json(getFormattedObjects(resultList.data, resultList.total, { withAdminFlags: true }))
 289 }
 290
 291 async function removeUser (req: express.Request, res: express.Response) {
 292   const user = res.locals.user
 293
 294   await user.destroy()
 295
 296   auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 297
 298   Hooks.runAction('action:api.user.deleted', { user })
 299
 300   return res.sendStatus(204)
 301 }
 302
 303 async function updateUser (req: express.Request, res: express.Response) {
 304   const body: UserUpdate = req.body
 305   const userToUpdate = res.locals.user
 306   const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
 307   const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
 308
 309   if (body.password !== undefined) userToUpdate.password = body.password
 310   if (body.email !== undefined) userToUpdate.email = body.email
 311   if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
 312   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
 313   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
 314   if (body.role !== undefined) userToUpdate.role = body.role
 315   if (body.adminFlags !== undefined) userToUpdate.adminFlags = body.adminFlags
 316
 317   const user = await userToUpdate.save()
 318
 319   // Destroy user token to refresh rights
 320   if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
 321
 322   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 323
 324   Hooks.runAction('action:api.user.updated', { user })
 325
 326   // Don't need to send this update to followers, these attributes are not federated
 327
 328   return res.sendStatus(204)
 329 }
 330
 331 async function askResetUserPassword (req: express.Request, res: express.Response) {
 332   const user = res.locals.user
 333
 334   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
 335   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
 336   await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
 337
 338   return res.status(204).end()
 339 }
 340
 341 async function resetUserPassword (req: express.Request, res: express.Response) {
 342   const user = res.locals.user
 343   user.password = req.body.password
 344
 345   await user.save()
 346
 347   return res.status(204).end()
 348 }
 349
 350 async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
 351   const user = res.locals.user
 352
 353   await sendVerifyUserEmail(user)
 354
 355   return res.status(204).end()
 356 }
 357
 358 async function verifyUserEmail (req: express.Request, res: express.Response) {
 359   const user = res.locals.user
 360   user.emailVerified = true
 361
 362   if (req.body.isPendingEmail === true) {
 363     user.email = user.pendingEmail
 364     user.pendingEmail = null
 365   }
 366
 367   await user.save()
 368
 369   return res.status(204).end()
 370 }
 371
 372 function tokenSuccess (req: express.Request) {
 373   const username = req.body.username
 374
 375   Hooks.runAction('action:api.user.oauth2-got-token', { username, ip: req.ip })
 376 }
 377
 378 async function changeUserBlock (res: express.Response, user: MUserAccountDefault, block: boolean, reason?: string) {
 379   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 380
 381   user.blocked = block
 382   user.blockedReason = reason || null
 383
 384   await sequelizeTypescript.transaction(async t => {
 385     await deleteUserToken(user.id, t)
 386
 387     await user.save({ transaction: t })
 388   })
 389
 390   await Emailer.Instance.addUserBlockJob(user, block, reason)
 391
 392   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 393 }