server/controllers/api/users/index.ts

   1 import * as express from 'express'
   2 import * as RateLimit from 'express-rate-limit'
   3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
   4 import { logger } from '../../../helpers/logger'
   5 import { getFormattedObjects } from '../../../helpers/utils'
   6 import { WEBSERVER } from '../../../initializers/constants'
   7 import { Emailer } from '../../../lib/emailer'
   8 import { Redis } from '../../../lib/redis'
   9 import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
  10 import {
  11   asyncMiddleware,
  12   asyncRetryTransactionMiddleware,
  13   authenticate,
  14   ensureUserHasRight,
  15   ensureUserRegistrationAllowed,
  16   ensureUserRegistrationAllowedForIP,
  17   paginationValidator,
  18   setDefaultPagination,
  19   setDefaultSort,
  20   token,
  21   userAutocompleteValidator,
  22   usersAddValidator,
  23   usersGetValidator,
  24   usersRegisterValidator,
  25   usersRemoveValidator,
  26   usersSortValidator,
  27   usersUpdateValidator
  28 } from '../../../middlewares'
  29 import {
  30   usersAskResetPasswordValidator,
  31   usersAskSendVerifyEmailValidator,
  32   usersBlockingValidator,
  33   usersResetPasswordValidator,
  34   usersVerifyEmailValidator,
  35   ensureCanManageUser
  36 } from '../../../middlewares/validators'
  37 import { UserModel } from '../../../models/account/user'
  38 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
  39 import { meRouter } from './me'
  40 import { deleteUserToken } from '../../../lib/oauth-model'
  41 import { myBlocklistRouter } from './my-blocklist'
  42 import { myVideoPlaylistsRouter } from './my-video-playlists'
  43 import { myVideosHistoryRouter } from './my-history'
  44 import { myNotificationsRouter } from './my-notifications'
  45 import { Notifier } from '../../../lib/notifier'
  46 import { mySubscriptionsRouter } from './my-subscriptions'
  47 import { CONFIG } from '../../../initializers/config'
  48 import { sequelizeTypescript } from '../../../initializers/database'
  49 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
  50 import { UserRegister } from '../../../../shared/models/users/user-register.model'
  51
  52 const auditLogger = auditLoggerFactory('users')
  53
  54 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
  55 // @ts-ignore
  56 const loginRateLimiter = RateLimit({
  57   windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
  58   max: CONFIG.RATES_LIMIT.LOGIN.MAX
  59 })
  60
  61 // @ts-ignore
  62 const signupRateLimiter = RateLimit({
  63   windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
  64   max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
  65   skipFailedRequests: true
  66 })
  67
  68 // @ts-ignore
  69 const askSendEmailLimiter = new RateLimit({
  70   windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
  71   max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
  72 })
  73
  74 const usersRouter = express.Router()
  75 usersRouter.use('/', myNotificationsRouter)
  76 usersRouter.use('/', mySubscriptionsRouter)
  77 usersRouter.use('/', myBlocklistRouter)
  78 usersRouter.use('/', myVideosHistoryRouter)
  79 usersRouter.use('/', myVideoPlaylistsRouter)
  80 usersRouter.use('/', meRouter)
  81
  82 usersRouter.get('/autocomplete',
  83   userAutocompleteValidator,
  84   asyncMiddleware(autocompleteUsers)
  85 )
  86
  87 usersRouter.get('/',
  88   authenticate,
  89   ensureUserHasRight(UserRight.MANAGE_USERS),
  90   paginationValidator,
  91   usersSortValidator,
  92   setDefaultSort,
  93   setDefaultPagination,
  94   asyncMiddleware(listUsers)
  95 )
  96
  97 usersRouter.post('/:id/block',
  98   authenticate,
  99   ensureUserHasRight(UserRight.MANAGE_USERS),
 100   asyncMiddleware(usersBlockingValidator),
 101   ensureCanManageUser,
 102   asyncMiddleware(blockUser)
 103 )
 104 usersRouter.post('/:id/unblock',
 105   authenticate,
 106   ensureUserHasRight(UserRight.MANAGE_USERS),
 107   asyncMiddleware(usersBlockingValidator),
 108   ensureCanManageUser,
 109   asyncMiddleware(unblockUser)
 110 )
 111
 112 usersRouter.get('/:id',
 113   authenticate,
 114   ensureUserHasRight(UserRight.MANAGE_USERS),
 115   asyncMiddleware(usersGetValidator),
 116   getUser
 117 )
 118
 119 usersRouter.post('/',
 120   authenticate,
 121   ensureUserHasRight(UserRight.MANAGE_USERS),
 122   asyncMiddleware(usersAddValidator),
 123   asyncRetryTransactionMiddleware(createUser)
 124 )
 125
 126 usersRouter.post('/register',
 127   signupRateLimiter,
 128   asyncMiddleware(ensureUserRegistrationAllowed),
 129   ensureUserRegistrationAllowedForIP,
 130   asyncMiddleware(usersRegisterValidator),
 131   asyncRetryTransactionMiddleware(registerUser)
 132 )
 133
 134 usersRouter.put('/:id',
 135   authenticate,
 136   ensureUserHasRight(UserRight.MANAGE_USERS),
 137   asyncMiddleware(usersUpdateValidator),
 138   ensureCanManageUser,
 139   asyncMiddleware(updateUser)
 140 )
 141
 142 usersRouter.delete('/:id',
 143   authenticate,
 144   ensureUserHasRight(UserRight.MANAGE_USERS),
 145   asyncMiddleware(usersRemoveValidator),
 146   ensureCanManageUser,
 147   asyncMiddleware(removeUser)
 148 )
 149
 150 usersRouter.post('/ask-reset-password',
 151   asyncMiddleware(usersAskResetPasswordValidator),
 152   asyncMiddleware(askResetUserPassword)
 153 )
 154
 155 usersRouter.post('/:id/reset-password',
 156   asyncMiddleware(usersResetPasswordValidator),
 157   asyncMiddleware(resetUserPassword)
 158 )
 159
 160 usersRouter.post('/ask-send-verify-email',
 161   askSendEmailLimiter,
 162   asyncMiddleware(usersAskSendVerifyEmailValidator),
 163   asyncMiddleware(reSendVerifyUserEmail)
 164 )
 165
 166 usersRouter.post('/:id/verify-email',
 167   asyncMiddleware(usersVerifyEmailValidator),
 168   asyncMiddleware(verifyUserEmail)
 169 )
 170
 171 usersRouter.post('/token',
 172   loginRateLimiter,
 173   token,
 174   success
 175 )
 176 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
 177
 178 // ---------------------------------------------------------------------------
 179
 180 export {
 181   usersRouter
 182 }
 183
 184 // ---------------------------------------------------------------------------
 185
 186 async function createUser (req: express.Request, res: express.Response) {
 187   const body: UserCreate = req.body
 188   const userToCreate = new UserModel({
 189     username: body.username,
 190     password: body.password,
 191     email: body.email,
 192     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 193     autoPlayVideo: true,
 194     role: body.role,
 195     videoQuota: body.videoQuota,
 196     videoQuotaDaily: body.videoQuotaDaily,
 197     adminFlags: body.adminFlags || UserAdminFlag.NONE
 198   })
 199
 200   const { user, account } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 201
 202   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 203   logger.info('User %s with its channel and account created.', body.username)
 204
 205   return res.json({
 206     user: {
 207       id: user.id,
 208       account: {
 209         id: account.id
 210       }
 211     }
 212   }).end()
 213 }
 214
 215 async function registerUser (req: express.Request, res: express.Response) {
 216   const body: UserRegister = req.body
 217
 218   const userToCreate = new UserModel({
 219     username: body.username,
 220     password: body.password,
 221     email: body.email,
 222     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
 223     autoPlayVideo: true,
 224     role: UserRole.USER,
 225     videoQuota: CONFIG.USER.VIDEO_QUOTA,
 226     videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
 227     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
 228   })
 229
 230   const { user } = await createUserAccountAndChannelAndPlaylist({
 231     userToCreate: userToCreate,
 232     userDisplayName: body.displayName || undefined,
 233     channelNames: body.channel
 234   })
 235
 236   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
 237   logger.info('User %s with its channel and account registered.', body.username)
 238
 239   if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
 240     await sendVerifyUserEmail(user)
 241   }
 242
 243   Notifier.Instance.notifyOnNewUserRegistration(user)
 244
 245   return res.type('json').status(204).end()
 246 }
 247
 248 async function unblockUser (req: express.Request, res: express.Response) {
 249   const user = res.locals.user
 250
 251   await changeUserBlock(res, user, false)
 252
 253   return res.status(204).end()
 254 }
 255
 256 async function blockUser (req: express.Request, res: express.Response) {
 257   const user = res.locals.user
 258   const reason = req.body.reason
 259
 260   await changeUserBlock(res, user, true, reason)
 261
 262   return res.status(204).end()
 263 }
 264
 265 function getUser (req: express.Request, res: express.Response) {
 266   return res.json(res.locals.user.toFormattedJSON({ withAdminFlags: true }))
 267 }
 268
 269 async function autocompleteUsers (req: express.Request, res: express.Response) {
 270   const resultList = await UserModel.autoComplete(req.query.search as string)
 271
 272   return res.json(resultList)
 273 }
 274
 275 async function listUsers (req: express.Request, res: express.Response) {
 276   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
 277
 278   return res.json(getFormattedObjects(resultList.data, resultList.total, { withAdminFlags: true }))
 279 }
 280
 281 async function removeUser (req: express.Request, res: express.Response) {
 282   const user = res.locals.user
 283
 284   await user.destroy()
 285
 286   auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
 287
 288   return res.sendStatus(204)
 289 }
 290
 291 async function updateUser (req: express.Request, res: express.Response) {
 292   const body: UserUpdate = req.body
 293   const userToUpdate = res.locals.user
 294   const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
 295   const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
 296
 297   if (body.password !== undefined) userToUpdate.password = body.password
 298   if (body.email !== undefined) userToUpdate.email = body.email
 299   if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
 300   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
 301   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
 302   if (body.role !== undefined) userToUpdate.role = body.role
 303   if (body.adminFlags !== undefined) userToUpdate.adminFlags = body.adminFlags
 304
 305   const user = await userToUpdate.save()
 306
 307   // Destroy user token to refresh rights
 308   if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
 309
 310   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 311
 312   // Don't need to send this update to followers, these attributes are not federated
 313
 314   return res.sendStatus(204)
 315 }
 316
 317 async function askResetUserPassword (req: express.Request, res: express.Response) {
 318   const user = res.locals.user
 319
 320   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
 321   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
 322   await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
 323
 324   return res.status(204).end()
 325 }
 326
 327 async function resetUserPassword (req: express.Request, res: express.Response) {
 328   const user = res.locals.user
 329   user.password = req.body.password
 330
 331   await user.save()
 332
 333   return res.status(204).end()
 334 }
 335
 336 async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
 337   const user = res.locals.user
 338
 339   await sendVerifyUserEmail(user)
 340
 341   return res.status(204).end()
 342 }
 343
 344 async function verifyUserEmail (req: express.Request, res: express.Response) {
 345   const user = res.locals.user
 346   user.emailVerified = true
 347
 348   if (req.body.isPendingEmail === true) {
 349     user.email = user.pendingEmail
 350     user.pendingEmail = null
 351   }
 352
 353   await user.save()
 354
 355   return res.status(204).end()
 356 }
 357
 358 function success (req: express.Request, res: express.Response) {
 359   res.end()
 360 }
 361
 362 async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
 363   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 364
 365   user.blocked = block
 366   user.blockedReason = reason || null
 367
 368   await sequelizeTypescript.transaction(async t => {
 369     await deleteUserToken(user.id, t)
 370
 371     await user.save({ transaction: t })
 372   })
 373
 374   await Emailer.Instance.addUserBlockJob(user, block, reason)
 375
 376   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
 377 }