projects / oweals / peertube.git / blob
? search:


b960e80c18da3a309847c2f23fe9e568ac6e4f32
[oweals/peertube.git] / server / controllers / api / users / index.ts
1 import * as express from 'express'
2 import * as RateLimit from 'express-rate-limit'
3 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
4 import { logger } from '../../../helpers/logger'
5 import { getFormattedObjects } from '../../../helpers/utils'
6 import { WEBSERVER } from '../../../initializers/constants'
7 import { Emailer } from '../../../lib/emailer'
8 import { Redis } from '../../../lib/redis'
9 import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
10 import {
11   asyncMiddleware,
12   asyncRetryTransactionMiddleware,
13   authenticate,
14   ensureUserHasRight,
15   ensureUserRegistrationAllowed,
16   ensureUserRegistrationAllowedForIP,
17   paginationValidator,
18   setDefaultPagination,
19   setDefaultSort,
20   token,
21   userAutocompleteValidator,
22   usersAddValidator,
23   usersGetValidator,
24   usersRegisterValidator,
25   usersRemoveValidator,
26   usersSortValidator,
27   usersUpdateValidator
28 } from '../../../middlewares'
29 import {
30   usersAskResetPasswordValidator,
31   usersAskSendVerifyEmailValidator,
32   usersBlockingValidator,
33   usersResetPasswordValidator,
34   usersVerifyEmailValidator,
35   ensureCanManageUser
36 } from '../../../middlewares/validators'
37 import { UserModel } from '../../../models/account/user'
38 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
39 import { meRouter } from './me'
40 import { deleteUserToken } from '../../../lib/oauth-model'
41 import { myBlocklistRouter } from './my-blocklist'
42 import { myVideoPlaylistsRouter } from './my-video-playlists'
43 import { myVideosHistoryRouter } from './my-history'
44 import { myNotificationsRouter } from './my-notifications'
45 import { Notifier } from '../../../lib/notifier'
46 import { mySubscriptionsRouter } from './my-subscriptions'
47 import { CONFIG } from '../../../initializers/config'
48 import { sequelizeTypescript } from '../../../initializers/database'
49 import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
50 import { UserRegister } from '../../../../shared/models/users/user-register.model'
51 import { MUser, MUserAccountDefault } from '@server/typings/models'
52 import { Hooks } from '@server/lib/plugins/hooks'
53
54 const auditLogger = auditLoggerFactory('users')
55
56 // FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
57 // @ts-ignore
58 const loginRateLimiter = RateLimit({
59   windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
60   max: CONFIG.RATES_LIMIT.LOGIN.MAX
61 })
62
63 // @ts-ignore
64 const signupRateLimiter = RateLimit({
65   windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
66   max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
67   skipFailedRequests: true
68 })
69
70 // @ts-ignore
71 const askSendEmailLimiter = new RateLimit({
72   windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
73   max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
74 })
75
76 const usersRouter = express.Router()
77 usersRouter.use('/', myNotificationsRouter)
78 usersRouter.use('/', mySubscriptionsRouter)
79 usersRouter.use('/', myBlocklistRouter)
80 usersRouter.use('/', myVideosHistoryRouter)
81 usersRouter.use('/', myVideoPlaylistsRouter)
82 usersRouter.use('/', meRouter)
83
84 usersRouter.get('/autocomplete',
85   userAutocompleteValidator,
86   asyncMiddleware(autocompleteUsers)
87 )
88
89 usersRouter.get('/',
90   authenticate,
91   ensureUserHasRight(UserRight.MANAGE_USERS),
92   paginationValidator,
93   usersSortValidator,
94   setDefaultSort,
95   setDefaultPagination,
96   asyncMiddleware(listUsers)
97 )
98
99 usersRouter.post('/:id/block',
100   authenticate,
101   ensureUserHasRight(UserRight.MANAGE_USERS),
102   asyncMiddleware(usersBlockingValidator),
103   ensureCanManageUser,
104   asyncMiddleware(blockUser)
105 )
106 usersRouter.post('/:id/unblock',
107   authenticate,
108   ensureUserHasRight(UserRight.MANAGE_USERS),
109   asyncMiddleware(usersBlockingValidator),
110   ensureCanManageUser,
111   asyncMiddleware(unblockUser)
112 )
113
114 usersRouter.get('/:id',
115   authenticate,
116   ensureUserHasRight(UserRight.MANAGE_USERS),
117   asyncMiddleware(usersGetValidator),
118   getUser
119 )
120
121 usersRouter.post('/',
122   authenticate,
123   ensureUserHasRight(UserRight.MANAGE_USERS),
124   asyncMiddleware(usersAddValidator),
125   asyncRetryTransactionMiddleware(createUser)
126 )
127
128 usersRouter.post('/register',
129   signupRateLimiter,
130   asyncMiddleware(ensureUserRegistrationAllowed),
131   ensureUserRegistrationAllowedForIP,
132   asyncMiddleware(usersRegisterValidator),
133   asyncRetryTransactionMiddleware(registerUser)
134 )
135
136 usersRouter.put('/:id',
137   authenticate,
138   ensureUserHasRight(UserRight.MANAGE_USERS),
139   asyncMiddleware(usersUpdateValidator),
140   ensureCanManageUser,
141   asyncMiddleware(updateUser)
142 )
143
144 usersRouter.delete('/:id',
145   authenticate,
146   ensureUserHasRight(UserRight.MANAGE_USERS),
147   asyncMiddleware(usersRemoveValidator),
148   ensureCanManageUser,
149   asyncMiddleware(removeUser)
150 )
151
152 usersRouter.post('/ask-reset-password',
153   asyncMiddleware(usersAskResetPasswordValidator),
154   asyncMiddleware(askResetUserPassword)
155 )
156
157 usersRouter.post('/:id/reset-password',
158   asyncMiddleware(usersResetPasswordValidator),
159   asyncMiddleware(resetUserPassword)
160 )
161
162 usersRouter.post('/ask-send-verify-email',
163   askSendEmailLimiter,
164   asyncMiddleware(usersAskSendVerifyEmailValidator),
165   asyncMiddleware(reSendVerifyUserEmail)
166 )
167
168 usersRouter.post('/:id/verify-email',
169   asyncMiddleware(usersVerifyEmailValidator),
170   asyncMiddleware(verifyUserEmail)
171 )
172
173 usersRouter.post('/token',
174   loginRateLimiter,
175   token,
176   tokenSuccess
177 )
178 // TODO: Once https://github.com/oauthjs/node-oauth2-server/pull/289 is merged, implement revoke token route
179
180 // ---------------------------------------------------------------------------
181
182 export {
183   usersRouter
184 }
185
186 // ---------------------------------------------------------------------------
187
188 async function createUser (req: express.Request, res: express.Response) {
189   const body: UserCreate = req.body
190   const userToCreate = new UserModel({
191     username: body.username,
192     password: body.password,
193     email: body.email,
194     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
195     autoPlayVideo: true,
196     role: body.role,
197     videoQuota: body.videoQuota,
198     videoQuotaDaily: body.videoQuotaDaily,
199     adminFlags: body.adminFlags || UserAdminFlag.NONE
200   }) as MUser
201
202   const { user, account, videoChannel } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
203
204   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
205   logger.info('User %s with its channel and account created.', body.username)
206
207   Hooks.runAction('action:api.user.created', { body, user, account, videoChannel })
208
209   return res.json({
210     user: {
211       id: user.id,
212       account: {
213         id: account.id
214       }
215     }
216   }).end()
217 }
218
219 async function registerUser (req: express.Request, res: express.Response) {
220   const body: UserRegister = req.body
221
222   const userToCreate = new UserModel({
223     username: body.username,
224     password: body.password,
225     email: body.email,
226     nsfwPolicy: CONFIG.INSTANCE.DEFAULT_NSFW_POLICY,
227     autoPlayVideo: true,
228     role: UserRole.USER,
229     videoQuota: CONFIG.USER.VIDEO_QUOTA,
230     videoQuotaDaily: CONFIG.USER.VIDEO_QUOTA_DAILY,
231     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
232   })
233
234   const { user, account, videoChannel } = await createUserAccountAndChannelAndPlaylist({
235     userToCreate: userToCreate,
236     userDisplayName: body.displayName || undefined,
237     channelNames: body.channel
238   })
239
240   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
241   logger.info('User %s with its channel and account registered.', body.username)
242
243   if (CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
244     await sendVerifyUserEmail(user)
245   }
246
247   Notifier.Instance.notifyOnNewUserRegistration(user)
248
249   Hooks.runAction('action:api.user.registered', { body, user, account, videoChannel })
250
251   return res.type('json').status(204).end()
252 }
253
254 async function unblockUser (req: express.Request, res: express.Response) {
255   const user = res.locals.user
256
257   await changeUserBlock(res, user, false)
258
259   Hooks.runAction('action:api.user.unblocked', { user })
260
261   return res.status(204).end()
262 }
263
264 async function blockUser (req: express.Request, res: express.Response) {
265   const user = res.locals.user
266   const reason = req.body.reason
267
268   await changeUserBlock(res, user, true, reason)
269
270   Hooks.runAction('action:api.user.blocked', { user })
271
272   return res.status(204).end()
273 }
274
275 function getUser (req: express.Request, res: express.Response) {
276   return res.json(res.locals.user.toFormattedJSON({ withAdminFlags: true }))
277 }
278
279 async function autocompleteUsers (req: express.Request, res: express.Response) {
280   const resultList = await UserModel.autoComplete(req.query.search as string)
281
282   return res.json(resultList)
283 }
284
285 async function listUsers (req: express.Request, res: express.Response) {
286   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
287
288   return res.json(getFormattedObjects(resultList.data, resultList.total, { withAdminFlags: true }))
289 }
290
291 async function removeUser (req: express.Request, res: express.Response) {
292   const user = res.locals.user
293
294   await user.destroy()
295
296   auditLogger.delete(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
297
298   Hooks.runAction('action:api.user.deleted', { user })
299
300   return res.sendStatus(204)
301 }
302
303 async function updateUser (req: express.Request, res: express.Response) {
304   const body: UserUpdate = req.body
305   const userToUpdate = res.locals.user
306   const oldUserAuditView = new UserAuditView(userToUpdate.toFormattedJSON())
307   const roleChanged = body.role !== undefined && body.role !== userToUpdate.role
308
309   if (body.password !== undefined) userToUpdate.password = body.password
310   if (body.email !== undefined) userToUpdate.email = body.email
311   if (body.emailVerified !== undefined) userToUpdate.emailVerified = body.emailVerified
312   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
313   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
314   if (body.role !== undefined) userToUpdate.role = body.role
315   if (body.adminFlags !== undefined) userToUpdate.adminFlags = body.adminFlags
316
317   const user = await userToUpdate.save()
318
319   // Destroy user token to refresh rights
320   if (roleChanged || body.password !== undefined) await deleteUserToken(userToUpdate.id)
321
322   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
323
324   Hooks.runAction('action:api.user.updated', { user })
325
326   // Don't need to send this update to followers, these attributes are not federated
327
328   return res.sendStatus(204)
329 }
330
331 async function askResetUserPassword (req: express.Request, res: express.Response) {
332   const user = res.locals.user
333
334   const verificationString = await Redis.Instance.setResetPasswordVerificationString(user.id)
335   const url = WEBSERVER.URL + '/reset-password?userId=' + user.id + '&verificationString=' + verificationString
336   await Emailer.Instance.addPasswordResetEmailJob(user.email, url)
337
338   return res.status(204).end()
339 }
340
341 async function resetUserPassword (req: express.Request, res: express.Response) {
342   const user = res.locals.user
343   user.password = req.body.password
344
345   await user.save()
346
347   return res.status(204).end()
348 }
349
350 async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
351   const user = res.locals.user
352
353   await sendVerifyUserEmail(user)
354
355   return res.status(204).end()
356 }
357
358 async function verifyUserEmail (req: express.Request, res: express.Response) {
359   const user = res.locals.user
360   user.emailVerified = true
361
362   if (req.body.isPendingEmail === true) {
363     user.email = user.pendingEmail
364     user.pendingEmail = null
365   }
366
367   await user.save()
368
369   return res.status(204).end()
370 }
371
372 function tokenSuccess (req: express.Request) {
373   const username = req.body.username
374
375   Hooks.runAction('action:api.user.oauth2-got-token', { username, ip: req.ip })
376 }
377
378 async function changeUserBlock (res: express.Response, user: MUserAccountDefault, block: boolean, reason?: string) {
379   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
380
381   user.blocked = block
382   user.blockedReason = reason || null
383
384   await sequelizeTypescript.transaction(async t => {
385     await deleteUserToken(user.id, t)
386
387     await user.save({ transaction: t })
388   })
389
390   await Emailer.Instance.addUserBlockJob(user, block, reason)
391
392   auditLogger.update(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()), oldUserAuditView)
393 }
Unnamed repository; edit this file 'description' to name the repository.