wikijs-fork/server/models/user.js

/* global wiki */

const Promise = require('bluebird')
const bcrypt = require('bcryptjs-then')
const _ = require('lodash')
const tfa = require('node-2fa')
const securityHelper = require('../helpers/security')

/**
 * Users schema
 */
module.exports = (sequelize, DataTypes) => {
  let userSchema = sequelize.define('user', {
    email: {
      type: DataTypes.STRING,
      allowNull: false,
      validate: {
        isEmail: true
      }
    },
    provider: {
      type: DataTypes.STRING,
      allowNull: false
    },
    providerId: {
      type: DataTypes.STRING,
      allowNull: true
    },
    password: {
      type: DataTypes.STRING,
      allowNull: true
    },
    name: {
      type: DataTypes.STRING,
      allowNull: true
    },
    role: {
      type: DataTypes.ENUM('admin', 'user', 'guest'),
      allowNull: false
    },
    tfaIsActive: {
      type: DataTypes.BOOLEAN,
      allowNull: false,
      defaultValue: false
    },
    tfaSecret: {
      type: DataTypes.STRING,
      allowNull: true
    }
  }, {
    timestamps: true,
    version: true,
    indexes: [
      {
        unique: true,
        fields: ['provider', 'email']
      }
    ]
  })

  userSchema.prototype.validatePassword = async function (rawPwd) {
    if (await bcrypt.compare(rawPwd, this.password) === true) {
      return true
    } else {
      throw new wiki.Error.AuthLoginFailed()
    }
  }

  userSchema.prototype.enableTFA = async function () {
    let tfaInfo = tfa.generateSecret({
      name: wiki.config.site.title
    })
    this.tfaIsActive = true
    this.tfaSecret = tfaInfo.secret
    return this.save()
  }

  userSchema.prototype.disableTFA = async function () {
    this.tfaIsActive = false
    this.tfaSecret = ''
    return this.save()
  }

  userSchema.prototype.verifyTFA = function (code) {
    let result = tfa.verifyToken(this.tfaSecret, code)
    return (result && _.has(result, 'delta') && result.delta === 0)
  }

  userSchema.login = async (opts, context) => {
    if (_.has(wiki.config.auth.strategies, opts.provider)) {
      _.set(context.req, 'body.email', opts.username)
      _.set(context.req, 'body.password', opts.password)

      // Authenticate
      return new Promise((resolve, reject) => {
        wiki.auth.passport.authenticate(opts.provider, async (err, user, info) => {
          if (err) { return reject(err) }
          if (!user) { return reject(new wiki.Error.AuthLoginFailed()) }

          // Is 2FA required?
          if (user.tfaIsActive) {
            try {
              let loginToken = await securityHelper.generateToken(32)
              await wiki.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
              return resolve({
                succeeded: true,
                message: 'Login Successful. Awaiting 2FA security code.',
                tfaRequired: true,
                tfaLoginToken: loginToken
              })
            } catch (err) {
              wiki.logger.warn(err)
              return reject(new wiki.Error.AuthGenericError())
            }
          } else {
            // No 2FA, log in user
            return context.req.logIn(user, err => {
              if (err) { return reject(err) }
              resolve({
                succeeded: true,
                message: 'Login Successful',
                tfaRequired: false
              })
            })
          }
        })(context.req, context.res, () => {})
      })
    } else {
      throw new wiki.Error.AuthProviderInvalid()
    }
  }

  userSchema.loginTFA = async (opts, context) => {
    if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {
      let result = await wiki.redis.get(`tfa:${opts.loginToken}`)
      if (result) {
        let userId = _.toSafeInteger(result)
        if (userId && userId > 0) {
          let user = await wiki.db.User.findById(userId)
          if (user && user.verifyTFA(opts.securityCode)) {
            return Promise.fromCallback(clb => {
              context.req.logIn(user, clb)
            }).return({
              succeeded: true,
              message: 'Login Successful'
            }).catch(err => {
              wiki.logger.warn(err)
              throw new wiki.Error.AuthGenericError()
            })
          } else {
            throw new wiki.Error.AuthTFAFailed()
          }
        }
      }
    }
    throw new wiki.Error.AuthTFAInvalid()
  }

  userSchema.processProfile = (profile) => {
    let primaryEmail = ''
    if (_.isArray(profile.emails)) {
      let e = _.find(profile.emails, ['primary', true])
      primaryEmail = (e) ? e.value : _.first(profile.emails).value
    } else if (_.isString(profile.email) && profile.email.length > 5) {
      primaryEmail = profile.email
    } else if (_.isString(profile.mail) && profile.mail.length > 5) {
      primaryEmail = profile.mail
    } else if (profile.user && profile.user.email && profile.user.email.length > 5) {
      primaryEmail = profile.user.email
    } else {
      return Promise.reject(new Error(wiki.lang.t('auth:errors.invaliduseremail')))
    }

    profile.provider = _.lowerCase(profile.provider)
    primaryEmail = _.toLower(primaryEmail)

    return wiki.db.User.findOneAndUpdate({
      email: primaryEmail,
      provider: profile.provider
    }, {
      email: primaryEmail,
      provider: profile.provider,
      providerId: profile.id,
      name: profile.displayName || _.split(primaryEmail, '@')[0]
    }, {
      new: true
    }).then((user) => {
      // Handle unregistered accounts
      if (!user && profile.provider !== 'local' && (wiki.config.auth.defaultReadAccess || profile.provider === 'ldap' || profile.provider === 'azure')) {
        let nUsr = {
          email: primaryEmail,
          provider: profile.provider,
          providerId: profile.id,
          password: '',
          name: profile.displayName || profile.name || profile.cn,
          rights: [{
            role: 'read',
            path: '/',
            exact: false,
            deny: false
          }]
        }
        return wiki.db.User.create(nUsr)
      }
      return user || Promise.reject(new Error(wiki.lang.t('auth:errors:notyetauthorized')))
    })
  }

  userSchema.hashPassword = (rawPwd) => {
    return bcrypt.hash(rawPwd)
  }

  return userSchema
}
feat: login + TFA authentication 2018-01-10 01:41:53 +00:00			`/* global wiki */`
chore: removed global eslint references 2017-05-13 19:29:00 +00:00
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`const Promise = require('bluebird')`
			`const bcrypt = require('bcryptjs-then')`
			`const _ = require('lodash')`
feat: login + TFA authentication 2018-01-10 01:41:53 +00:00			`const tfa = require('node-2fa')`
			`const securityHelper = require('../helpers/security')`
Removed Search-Index and LokiJS, replaced with Mongo + Updated VueJs 2016-10-15 03:31:15 +00:00
			`/**`
feat: admin page icons + Color Theme footer field 2017-06-26 15:03:16 +00:00			`* Users schema`
Removed Search-Index and LokiJS, replaced with Mongo + Updated VueJs 2016-10-15 03:31:15 +00:00			`*/`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`module.exports = (sequelize, DataTypes) => {`
			`let userSchema = sequelize.define('user', {`
			`email: {`
			`type: DataTypes.STRING,`
			`allowNull: false,`
			`validate: {`
			`isEmail: true`
			`}`
			`},`
			`provider: {`
feat: Kernel module 2017-10-08 02:44:35 +00:00			`type: DataTypes.STRING,`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`allowNull: false`
			`},`
			`providerId: {`
			`type: DataTypes.STRING,`
			`allowNull: true`
			`},`
			`password: {`
			`type: DataTypes.STRING,`
			`allowNull: true`
			`},`
			`name: {`
			`type: DataTypes.STRING,`
			`allowNull: true`
			`},`
			`role: {`
			`type: DataTypes.ENUM('admin', 'user', 'guest'),`
			`allowNull: false`
feat: Kernel module 2017-10-08 02:44:35 +00:00			`},`
			`tfaIsActive: {`
			`type: DataTypes.BOOLEAN,`
			`allowNull: false,`
			`defaultValue: false`
			`},`
			`tfaSecret: {`
			`type: DataTypes.STRING,`
			`allowNull: true`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`}`
			`}, {`
			`timestamps: true,`
			`version: true,`
			`indexes: [`
			`{`
			`unique: true,`
			`fields: ['provider', 'email']`
			`}`
			`]`
			`})`
Removed Search-Index and LokiJS, replaced with Mongo + Updated VueJs 2016-10-15 03:31:15 +00:00
feat: login + TFA authentication 2018-01-10 01:41:53 +00:00			`userSchema.prototype.validatePassword = async function (rawPwd) {`
			`if (await bcrypt.compare(rawPwd, this.password) === true) {`
			`return true`
			`} else {`
			`throw new wiki.Error.AuthLoginFailed()`
			`}`
			`}`

			`userSchema.prototype.enableTFA = async function () {`
			`let tfaInfo = tfa.generateSecret({`
			`name: wiki.config.site.title`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`})`
feat: login + TFA authentication 2018-01-10 01:41:53 +00:00			`this.tfaIsActive = true`
			`this.tfaSecret = tfaInfo.secret`
			`return this.save()`
			`}`

			`userSchema.prototype.disableTFA = async function () {`
			`this.tfaIsActive = false`
			`this.tfaSecret = ''`
			`return this.save()`
			`}`

			`userSchema.prototype.verifyTFA = function (code) {`
			`let result = tfa.verifyToken(this.tfaSecret, code)`
			`return (result && _.has(result, 'delta') && result.delta === 0)`
			`}`

			`userSchema.login = async (opts, context) => {`
			`if (_.has(wiki.config.auth.strategies, opts.provider)) {`
			`_.set(context.req, 'body.email', opts.username)`
			`_.set(context.req, 'body.password', opts.password)`

			`// Authenticate`
			`return new Promise((resolve, reject) => {`
			`wiki.auth.passport.authenticate(opts.provider, async (err, user, info) => {`
			`if (err) { return reject(err) }`
			`if (!user) { return reject(new wiki.Error.AuthLoginFailed()) }`

			`// Is 2FA required?`
			`if (user.tfaIsActive) {`
			`try {`
			`let loginToken = await securityHelper.generateToken(32)`
			await wiki.redis.set(`tfa:${loginToken}`, user.id, 'EX', 600)
			`return resolve({`
			`succeeded: true,`
			`message: 'Login Successful. Awaiting 2FA security code.',`
			`tfaRequired: true,`
			`tfaLoginToken: loginToken`
			`})`
			`} catch (err) {`
			`wiki.logger.warn(err)`
			`return reject(new wiki.Error.AuthGenericError())`
			`}`
			`} else {`
			`// No 2FA, log in user`
			`return context.req.logIn(user, err => {`
			`if (err) { return reject(err) }`
			`resolve({`
			`succeeded: true,`
			`message: 'Login Successful',`
			`tfaRequired: false`
			`})`
			`})`
			`}`
			`})(context.req, context.res, () => {})`
			`})`
			`} else {`
			`throw new wiki.Error.AuthProviderInvalid()`
			`}`
			`}`

			`userSchema.loginTFA = async (opts, context) => {`
			`if (opts.securityCode.length === 6 && opts.loginToken.length === 64) {`
			let result = await wiki.redis.get(`tfa:${opts.loginToken}`)
			`if (result) {`
			`let userId = _.toSafeInteger(result)`
			`if (userId && userId > 0) {`
			`let user = await wiki.db.User.findById(userId)`
			`if (user && user.verifyTFA(opts.securityCode)) {`
			`return Promise.fromCallback(clb => {`
			`context.req.logIn(user, clb)`
			`}).return({`
			`succeeded: true,`
			`message: 'Login Successful'`
			`}).catch(err => {`
			`wiki.logger.warn(err)`
			`throw new wiki.Error.AuthGenericError()`
			`})`
			`} else {`
			`throw new wiki.Error.AuthTFAFailed()`
			`}`
			`}`
			`}`
			`}`
			`throw new wiki.Error.AuthTFAInvalid()`
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`}`
Added Social Authentication + fixed Agent Cron 2016-10-30 22:41:10 +00:00
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`userSchema.processProfile = (profile) => {`
			`let primaryEmail = ''`
			`if (_.isArray(profile.emails)) {`
			`let e = _.find(profile.emails, ['primary', true])`
			`primaryEmail = (e) ? e.value : _.first(profile.emails).value`
			`} else if (_.isString(profile.email) && profile.email.length > 5) {`
			`primaryEmail = profile.email`
			`} else if (_.isString(profile.mail) && profile.mail.length > 5) {`
			`primaryEmail = profile.mail`
			`} else if (profile.user && profile.user.email && profile.user.email.length > 5) {`
			`primaryEmail = profile.user.email`
			`} else {`
			`return Promise.reject(new Error(wiki.lang.t('auth:errors.invaliduseremail')))`
			`}`
Added GitHub and Slack authentication integrations 2017-02-24 21:50:04 +00:00
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`profile.provider = _.lowerCase(profile.provider)`
			`primaryEmail = _.toLower(primaryEmail)`

			`return wiki.db.User.findOneAndUpdate({`
			`email: primaryEmail,`
			`provider: profile.provider`
			`}, {`
			`email: primaryEmail,`
			`provider: profile.provider,`
			`providerId: profile.id,`
			`name: profile.displayName \|\| _.split(primaryEmail, '@')[0]`
			`}, {`
			`new: true`
			`}).then((user) => {`
			`// Handle unregistered accounts`
feat: login + TFA authentication 2018-01-10 01:41:53 +00:00			`if (!user && profile.provider !== 'local' && (wiki.config.auth.defaultReadAccess \|\| profile.provider === 'ldap' \|\| profile.provider === 'azure')) {`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`let nUsr = {`
			`email: primaryEmail,`
			`provider: profile.provider,`
			`providerId: profile.id,`
			`password: '',`
			`name: profile.displayName \|\| profile.name \|\| profile.cn,`
			`rights: [{`
			`role: 'read',`
			`path: '/',`
			`exact: false,`
			`deny: false`
			`}]`
			`}`
feat: GraphQL base implementation 2017-07-25 02:37:13 +00:00			`return wiki.db.User.create(nUsr)`
LDAP authentication 2017-03-12 04:38:47 +00:00			`}`
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`return user \|\| Promise.reject(new Error(wiki.lang.t('auth:errors:notyetauthorized')))`
			`})`
			`}`
Added Social Authentication + fixed Agent Cron 2016-10-30 22:41:10 +00:00
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`userSchema.hashPassword = (rawPwd) => {`
			`return bcrypt.hash(rawPwd)`
			`}`
Added Social Authentication + fixed Agent Cron 2016-10-30 22:41:10 +00:00
refactor: migrate to PostgreSQL + Sequelize 2017-07-23 03:56:46 +00:00			`return userSchema`
Standard JS code conversion + fixes 2017-02-09 01:52:37 +00:00			`}`