241 lines
9.2 KiB
JavaScript
241 lines
9.2 KiB
JavaScript
const MongoDB = require("../mongoDB.js");
|
|
const { client_logger } = require('../utils/analyticsLogger');
|
|
const bcrypt = require('bcrypt');
|
|
const crypto = require('crypto');
|
|
const { getSessionId, getUserId, getProfileId } = require('../utils/sessionUtils.js');
|
|
const { getCookiesOptions } = require('../config/cookiesOptions');
|
|
const Notifications = require("../notifications");
|
|
|
|
// Object Definitions
|
|
const Post = require("../def/post.js")
|
|
const Profile = require("../def/profile.js");
|
|
const DUMMY_BCRYPT_HASH = '$2b$10$2zQfAaxK0cN13N7V2Q5hAOL3wxY5E9OQj1YxDCEV4VpWw2X2gYd6C';
|
|
const PASSWORD_TOKEN_TTL_MINUTES = parseInt(process.env.PASSWORD_TOKEN_TTL_MINUTES || '20', 10);
|
|
const PASSWORD_TOKEN_PATH = process.env.PASSWORD_TOKEN_PATH || '/token-login';
|
|
const FRONTEND_URL = (process.env.FRONTEND_URL || 'https://social.emmint.com').replace(/\/+$/, '');
|
|
|
|
const createPasswordTokenHash = (rawToken) =>
|
|
crypto.createHash('sha256').update(rawToken).digest('hex');
|
|
|
|
const createSessionFromUser = async ({ DB, user, req, res }) => {
|
|
const sessionObj = await DB.newSession(user._id);
|
|
const cookiesOptions = getCookiesOptions(req);
|
|
res.cookie('user_sid', user._id, cookiesOptions);
|
|
res.cookie('session_id', sessionObj.insertedId, cookiesOptions);
|
|
const latestUpdatedProfile = await DB.latestProfile(user._id);
|
|
if (latestUpdatedProfile && latestUpdatedProfile._id) {
|
|
res.cookie('profile_id', latestUpdatedProfile._id, cookiesOptions);
|
|
}
|
|
client_logger.identify({
|
|
distinctId: user._id,
|
|
properties: {
|
|
name: latestUpdatedProfile?.profile?.firstName || '',
|
|
}
|
|
});
|
|
client_logger.capture({
|
|
distinctId: user._id,
|
|
event: 'server@' + req.method + '@' + req.originalUrl,
|
|
});
|
|
return {
|
|
status: "ok",
|
|
user_sid: user._id,
|
|
session_id: sessionObj.insertedId,
|
|
profile_id: latestUpdatedProfile?._id
|
|
};
|
|
};
|
|
|
|
// Function to Singup new users. An user is a combination of a user obj and a profile.
|
|
// When new users are subscribed, they have a single profile, which is the personal one.
|
|
// Other profiles can be link to that user, like groups or courses.
|
|
const signup = async function (req, res) {
|
|
const username = (req.body.username || "").trim().toLowerCase();
|
|
const password = req.body.password;
|
|
const email = (req.body.email || "").trim().toLowerCase();
|
|
const profile = req.body.profile;
|
|
if (!username || !password || !email) return res.json({ status: "Incomplete information!" });
|
|
// Check if the new user has an invitation.
|
|
const DB = await MongoDB.getDB;
|
|
if (!await DB.getInvitation(email)) {
|
|
client_logger.capture({
|
|
distinctId: 'app_level',
|
|
event: 'server@' + req.method + '@' + req.originalUrl + '@NotInvited',
|
|
properties: {
|
|
username: username,
|
|
email: email,
|
|
}
|
|
});
|
|
return res.json({ status: "Not invitation found!" });
|
|
}
|
|
let isUserAlreadyRegistered = await DB.getUser(email);
|
|
if (isUserAlreadyRegistered && isUserAlreadyRegistered._id) return res.json({ status: "This user is already registered" });
|
|
const hashedPassword = await bcrypt.hash(password, 10);
|
|
const newUserObject = await DB.newUser({
|
|
username,
|
|
email,
|
|
password: hashedPassword
|
|
});
|
|
// If newUserObject it's an error message, we check by looking toLowerCase function
|
|
if (!newUserObject.toLowerCase) {
|
|
let user = {
|
|
userid: newUserObject.insertedId,
|
|
profile: profile,
|
|
}
|
|
// Filter the provided information by the template, and adding to the DB, and login.
|
|
const userObj = new Profile(user);
|
|
await DB.newProfile(userObj);
|
|
client_logger.capture({
|
|
distinctId: newUserObject.insertedId,
|
|
event: 'server@' + req.method + '@' + req.originalUrl,
|
|
});
|
|
// TODO: this might fail, add catch scenarios
|
|
return await login(req, res);
|
|
}
|
|
// Error return
|
|
client_logger.capture({
|
|
distinctId: 'app_level',
|
|
event: 'server@' + req.method + '@' + req.originalUrl + '@error',
|
|
properties: {
|
|
ustatus: newUserObject,
|
|
}
|
|
});
|
|
return res.json({ status: newUserObject })
|
|
}
|
|
|
|
// Function for user Login, it returns the coockies/json for user_id session_id and profile_id
|
|
const login = async function (req, res) {
|
|
// Check if user is already logged in and redirect to root if so.
|
|
const session_id = getSessionId(req);
|
|
const user_sid = getUserId(req);
|
|
const DB = await MongoDB.getDB;
|
|
if (session_id && user_sid) {
|
|
const userInfo = await DB.checkSessionOnDB(session_id, user_sid);
|
|
if (userInfo) return res.redirect('/');
|
|
}
|
|
const invalidCredentials = () => res.status(401).json({ status: "Invalid credentials" });
|
|
const username = (req.body.username || req.body.email || "").trim().toLowerCase();
|
|
const password = req.body.password || "";
|
|
if (!username || !password) return invalidCredentials();
|
|
const user = await DB.getUser(username);
|
|
|
|
if (!user) {
|
|
client_logger.capture({
|
|
distinctId: 'app_level',
|
|
event: 'server@' + req.method + '@' + req.originalUrl + '@invalidCredentials',
|
|
properties: { username },
|
|
});
|
|
}
|
|
const isSamePassword = await bcrypt.compare(password, user?.password || DUMMY_BCRYPT_HASH);
|
|
if (!user || !isSamePassword) return invalidCredentials();
|
|
try {
|
|
return res.json(await createSessionFromUser({ DB, user, req, res }));
|
|
} catch (error) {
|
|
console.error(error);
|
|
client_logger.capture({
|
|
distinctId: 'app_level',
|
|
event: 'server@' + req.method + '@' + req.originalUrl + '@error',
|
|
});
|
|
return res.json({ status: "Error on this User Profile, please contact admin." });
|
|
}
|
|
|
|
}
|
|
|
|
// route for user logout
|
|
const logout = async function (req, res) {
|
|
const session_id = getSessionId(req);
|
|
const user_sid = getUserId(req);
|
|
if (session_id && user_sid) {
|
|
const cookiesOptions = getCookiesOptions(req);
|
|
res.clearCookie('session_id', cookiesOptions);
|
|
res.clearCookie('user_sid', cookiesOptions);
|
|
//remove from DB
|
|
const DB = await MongoDB.getDB;
|
|
DB.removeSession(session_id);
|
|
client_logger.capture({
|
|
distinctId: user_sid,
|
|
event: 'server@' + req.method + '@' + req.originalUrl,
|
|
});
|
|
res.redirect('/');
|
|
} else {
|
|
res.redirect('/login');
|
|
}
|
|
}
|
|
|
|
const resetPassword = async function (req, res) {
|
|
const DB = await MongoDB.getDB;
|
|
|
|
const genericResetResponse = {
|
|
status: "ok",
|
|
details: "If the account exists, check your email for next steps"
|
|
};
|
|
// Logic for non-logged in users.
|
|
const username = (req.body.username || req.body.email || "").trim().toLowerCase();
|
|
if (!username) return res.json(genericResetResponse);
|
|
const user = await DB.getUser(username);
|
|
if (!user) {
|
|
client_logger.capture({
|
|
distinctId: 'app_level',
|
|
event: 'server@' + req.method + '@' + req.originalUrl + '@resetRequestedUnknownUser',
|
|
properties: { username }
|
|
});
|
|
return res.json(genericResetResponse);
|
|
}
|
|
const rawToken = crypto.randomBytes(32).toString('hex');
|
|
const tokenHash = createPasswordTokenHash(rawToken);
|
|
const expiresAt = new Date(Date.now() + PASSWORD_TOKEN_TTL_MINUTES * 60 * 1000);
|
|
const tokenStored = await DB.createPasswordLoginToken(user._id, tokenHash, expiresAt);
|
|
if (!tokenStored) {
|
|
return res.json(genericResetResponse);
|
|
}
|
|
const loginUrl = `${FRONTEND_URL}${PASSWORD_TOKEN_PATH}?token=${rawToken}`;
|
|
Notifications.sendEmail(username, "Your secure sign-in link",
|
|
`
|
|
<p>Hello,</p>
|
|
<p>Use this one-time sign-in link to access your account:</p>
|
|
<p><a href="${loginUrl}">${loginUrl}</a></p>
|
|
<p>This link expires in ${PASSWORD_TOKEN_TTL_MINUTES} minutes and can only be used once.</p>
|
|
<p>If you did not request this, you can ignore this email.</p>
|
|
<p>Blessings</p>
|
|
<p>Emmanuel International Ministries</p>
|
|
`);
|
|
client_logger.capture({
|
|
distinctId: user._id,
|
|
event: 'server@' + req.method + '@' + req.originalUrl,
|
|
properties: {
|
|
username: username,
|
|
}
|
|
});
|
|
return res.json(genericResetResponse);
|
|
}
|
|
|
|
const loginWithPasswordToken = async function (req, res) {
|
|
const DB = await MongoDB.getDB;
|
|
const token = (req.body.token || "").trim();
|
|
if (!token || token.length < 32) {
|
|
return res.status(401).json({ status: "Invalid or expired token" });
|
|
}
|
|
const tokenHash = createPasswordTokenHash(token);
|
|
const tokenDoc = await DB.consumePasswordLoginToken(tokenHash);
|
|
if (!tokenDoc || !tokenDoc.userId) {
|
|
return res.status(401).json({ status: "Invalid or expired token" });
|
|
}
|
|
const user = await DB.getUserById(tokenDoc.userId);
|
|
if (!user || !user._id) {
|
|
return res.status(401).json({ status: "Invalid or expired token" });
|
|
}
|
|
try {
|
|
return res.json(await createSessionFromUser({ DB, user, req, res }));
|
|
} catch (error) {
|
|
console.error("Token login error", error);
|
|
return res.status(500).json({ status: "Internal server error" });
|
|
}
|
|
}
|
|
|
|
|
|
module.exports = {
|
|
signup,
|
|
login,
|
|
logout,
|
|
resetPassword,
|
|
loginWithPasswordToken,
|
|
}
|