Merge branch 'release/1.4.0' into develop

[github/Chocobozzz/PeerTube.git] / server / controllers / api / users / index.ts

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 99f51a64831200228d601ebe082098ffda1418e8..27351c1a954b8d68ed648fac005e5462bacc0962 100644 (file)
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -3,10 +3,10 @@ import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
 import { logger } from '../../../helpers/logger'
 import { getFormattedObjects } from '../../../helpers/utils'
-import { RATES_LIMIT, WEBSERVER } from '../../../initializers/constants'
+import { WEBSERVER } from '../../../initializers/constants'
 import { Emailer } from '../../../lib/emailer'
 import { Redis } from '../../../lib/redis'
-import { createUserAccountAndChannelAndPlaylist } from '../../../lib/user'
+import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
 import {
   asyncMiddleware,
   asyncRetryTransactionMiddleware,
@@ -31,7 +31,8 @@ import {
   usersAskSendVerifyEmailValidator,
   usersBlockingValidator,
   usersResetPasswordValidator,
-  usersVerifyEmailValidator
+  usersVerifyEmailValidator,
+  ensureCanManageUser
 } from '../../../middlewares/validators'
 import { UserModel } from '../../../models/account/user'
 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
@@ -47,20 +48,28 @@ import { CONFIG } from '../../../initializers/config'
 import { sequelizeTypescript } from '../../../initializers/database'
 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
 import { UserRegister } from '../../../../shared/models/users/user-register.model'
+import { MUser, MUserAccountDefault } from '@server/typings/models'
 
 const auditLogger = auditLoggerFactory('users')
 
 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
 // @ts-ignore
 const loginRateLimiter = RateLimit({
-  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
-  max: RATES_LIMIT.LOGIN.MAX
+  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.LOGIN.MAX
+})
+
+// @ts-ignore
+const signupRateLimiter = RateLimit({
+  windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
+  skipFailedRequests: true
 })
 
 // @ts-ignore
 const askSendEmailLimiter = new RateLimit({
-  windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
-  max: RATES_LIMIT.ASK_SEND_EMAIL.MAX
+  windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
 })
 
 const usersRouter = express.Router()
@@ -90,12 +99,14 @@ usersRouter.post('/:id/block',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(blockUser)
 )
 usersRouter.post('/:id/unblock',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(unblockUser)
 )
 
@@ -114,6 +125,7 @@ usersRouter.post('/',
 )
 
 usersRouter.post('/register',
+  signupRateLimiter,
   asyncMiddleware(ensureUserRegistrationAllowed),
   ensureUserRegistrationAllowedForIP,
   asyncMiddleware(usersRegisterValidator),
@@ -124,6 +136,7 @@ usersRouter.put('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersUpdateValidator),
+  ensureCanManageUser,
   asyncMiddleware(updateUser)
 )
 
@@ -131,6 +144,7 @@ usersRouter.delete('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersRemoveValidator),
+  ensureCanManageUser,
   asyncMiddleware(removeUser)
 )
 
@@ -147,7 +161,7 @@ usersRouter.post('/:id/reset-password',
 usersRouter.post('/ask-send-verify-email',
   askSendEmailLimiter,
   asyncMiddleware(usersAskSendVerifyEmailValidator),
-  asyncMiddleware(askSendVerifyUserEmail)
+  asyncMiddleware(reSendVerifyUserEmail)
 )
 
 usersRouter.post('/:id/verify-email',
@@ -182,7 +196,7 @@ async function createUser (req: express.Request, res: express.Response) {
     videoQuota: body.videoQuota,
     videoQuotaDaily: body.videoQuotaDaily,
     adminFlags: body.adminFlags || UserAdminFlag.NONE
-  })
+  }) as MUser
 
   const { user, account } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 
@@ -320,14 +334,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
   return res.status(204).end()
 }
 
-async function sendVerifyUserEmail (user: UserModel) {
-  const verificationString = await Redis.Instance.setVerifyEmailVerificationString(user.id)
-  const url = WEBSERVER.URL + '/verify-account/email?userId=' + user.id + '&verificationString=' + verificationString
-  await Emailer.Instance.addVerifyEmailJob(user.email, url)
-  return
-}
-
-async function askSendVerifyUserEmail (req: express.Request, res: express.Response) {
+async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
   const user = res.locals.user
 
   await sendVerifyUserEmail(user)
@@ -339,6 +346,11 @@ async function verifyUserEmail (req: express.Request, res: express.Response) {
   const user = res.locals.user
   user.emailVerified = true
 
+  if (req.body.isPendingEmail === true) {
+    user.email = user.pendingEmail
+    user.pendingEmail = null
+  }
+
   await user.save()
 
   return res.status(204).end()
@@ -348,7 +360,7 @@ function success (req: express.Request, res: express.Response) {
   res.end()
 }
 
-async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
+async function changeUserBlock (res: express.Response, user: MUserAccountDefault, block: boolean, reason?: string) {
   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 
   user.blocked = block