nodebb/src/middleware/user.js

'use strict';

var async = require('async');
var nconf = require('nconf');
var winston = require('winston');

var meta = require('../meta');
var user = require('../user');
var privileges = require('../privileges');
var plugins = require('../plugins');

var auth = require('../routes/authentication');

var controllers = {
	helpers: require('../controllers/helpers'),
};

module.exports = function (middleware) {
	function authenticate(req, res, next, callback) {
		if (req.loggedIn) {
			return next();
		}
		if (plugins.hasListeners('response:middleware.authenticate')) {
			return plugins.fireHook('response:middleware.authenticate', {
				req: req,
				res: res,
				next: function (err) {
					if (err) {
						return next(err);
					}

					auth.setAuthVars(req, res, function () {
						if (req.loggedIn && req.user && req.user.uid) {
							return next();
						}

						callback();
					});
				},
			});
		}

		callback();
	}

	middleware.authenticate = function middlewareAuthenticate(req, res, next) {
		authenticate(req, res, next, function () {
			controllers.helpers.notAllowed(req, res, next);
		});
	};

	middleware.authenticateOrGuest = function authenticateOrGuest(req, res, next) {
		authenticate(req, res, next, next);
	};

	middleware.ensureSelfOrGlobalPrivilege = function ensureSelfOrGlobalPrivilege(req, res, next) {
		ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);
	};

	middleware.ensureSelfOrPrivileged = function ensureSelfOrPrivileged(req, res, next) {
		ensureSelfOrMethod(user.isPrivileged, req, res, next);
	};

	function ensureSelfOrMethod(method, req, res, next) {
		/*
			The "self" part of this middleware hinges on you having used
			middleware.exposeUid prior to invoking this middleware.
		*/
		async.waterfall([
			function (next) {
				if (!req.loggedIn) {
					return setImmediate(next, null, false);
				}

				if (req.uid === parseInt(res.locals.uid, 10)) {
					return setImmediate(next, null, true);
				}

				method(req.uid, next);
			},
			function (allowed, next) {
				if (!allowed) {
					return controllers.helpers.notAllowed(req, res);
				}
				next();
			},
		], next);
	}

	middleware.checkGlobalPrivacySettings = function checkGlobalPrivacySettings(req, res, next) {
		winston.warn('[middleware], checkGlobalPrivacySettings deprecated, use canViewUsers or canViewGroups');
		middleware.canViewUsers(req, res, next);
	};

	middleware.canViewUsers = function canViewUsers(req, res, next) {
		if (parseInt(res.locals.uid, 10) === req.uid) {
			return next();
		}
		privileges.global.can('view:users', req.uid, function (err, canView) {
			if (err || canView) {
				return next(err);
			}
			controllers.helpers.notAllowed(req, res);
		});
	};

	middleware.canViewGroups = function canViewGroups(req, res, next) {
		privileges.global.can('view:groups', req.uid, function (err, canView) {
			if (err || canView) {
				return next(err);
			}
			controllers.helpers.notAllowed(req, res);
		});
	};

	middleware.checkAccountPermissions = function checkAccountPermissions(req, res, next) {
		// This middleware ensures that only the requested user and admins can pass
		async.waterfall([
			function (next) {
				middleware.authenticate(req, res, next);
			},
			function (next) {
				user.getUidByUserslug(req.params.userslug, next);
			},
			function (uid, next) {
				privileges.users.canEdit(req.uid, uid, next);
			},
			function (allowed, next) {
				if (allowed) {
					return next(null, allowed);
				}

				// For the account/info page only, allow plain moderators through
				if (/user\/.+\/info$/.test(req.path)) {
					privileges.global.can('view:users:info', req.uid, next);
				} else {
					next(null, false);
				}
			},
			function (allowed) {
				if (allowed) {
					return next();
				}
				controllers.helpers.notAllowed(req, res);
			},
		], next);
	};

	middleware.redirectToAccountIfLoggedIn = function redirectToAccountIfLoggedIn(req, res, next) {
		if (req.session.forceLogin || req.uid <= 0) {
			return next();
		}

		async.waterfall([
			function (next) {
				user.getUserField(req.uid, 'userslug', next);
			},
			function (userslug) {
				controllers.helpers.redirect(res, '/user/' + userslug);
			},
		], next);
	};

	middleware.redirectUidToUserslug = function redirectUidToUserslug(req, res, next) {
		var uid = parseInt(req.params.uid, 10);
		if (uid <= 0) {
			return next();
		}
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return next();
				}
				var path = req.path.replace(/^\/api/, '')
					.replace('uid', 'user')
					.replace(uid, function () { return userslug; });
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.redirectMeToUserslug = function redirectMeToUserslug(req, res, next) {
		var uid = req.uid;
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return controllers.helpers.notAllowed(req, res);
				}
				var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.isAdmin = async function isAdmin(req, res, next) {
		const isAdmin = await user.isAdministrator(req.uid);
		if (!isAdmin) {
			return controllers.helpers.notAllowed(req, res);
		}
		const hasPassword = await user.hasPassword(req.uid);
		if (!hasPassword) {
			return next();
		}

		const loginTime = req.session.meta ? req.session.meta.datetime : 0;
		const adminReloginDuration = meta.config.adminReloginDuration * 60000;
		const disabled = meta.config.adminReloginDuration === 0;
		if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
			const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
			if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {
				req.session.meta.datetime += Math.min(300000, adminReloginDuration);
			}

			return next();
		}

		let returnTo = req.path;
		if (nconf.get('relative_path')) {
			returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
		}
		returnTo = returnTo.replace(/^\/api/, '');

		req.session.returnTo = returnTo;
		req.session.forceLogin = 1;
		if (res.locals.isAPI) {
			res.status(401).json({});
		} else {
			res.redirect(nconf.get('relative_path') + '/login?local=1');
		}
	};

	middleware.requireUser = function (req, res, next) {
		if (req.loggedIn) {
			return next();
		}

		res.status(403).render('403', { title: '[[global:403.title]]' });
	};

	middleware.registrationComplete = function registrationComplete(req, res, next) {
		// If the user's session contains registration data, redirect the user to complete registration
		if (!req.session.hasOwnProperty('registration')) {
			return setImmediate(next);
		}
		if (!req.path.endsWith('/register/complete')) {
			// Append user data if present
			req.session.registration.uid = req.uid;

			controllers.helpers.redirect(res, '/register/complete');
		} else {
			setImmediate(next);
		}
	};
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`'use strict';`

			`var async = require('async');`
ESlint keyword-spacing, no-multi-spaces 8 years ago			`var nconf = require('nconf');`
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`var winston = require('winston');`
closes #5202 8 years ago
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var meta = require('../meta');`
			`var user = require('../user');`
closes #5202 8 years ago			`var privileges = require('../privileges');`
more tests 8 years ago			`var plugins = require('../plugins');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`var auth = require('../routes/authentication');`

organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var controllers = {`
ESlint comma-dangle 8 years ago			`helpers: require('../controllers/helpers'),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`module.exports = function (middleware) {`
feat: added new middleware authenticateOrGuest 6 years ago			`function authenticate(req, res, next, callback) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
more tests 8 years ago			`return next();`
			`}`
feat: new hook type: `response` Used in authentication middleware. Instead of firing an action hook, it now fires a response hook. Response hooks are invoked serially, and if headers are sent from one of the hook listeners, all subsequent hook methods are not called. Response hooks should only be used in situations where res.send (or other like methods) are invoked. Existing plugin hooks that pass in res purely for data retrieval purposes have not changed). fixes nodebb/nodebb-plugin-write-api#101 6 years ago			`if (plugins.hasListeners('response:middleware.authenticate')) {`
			`return plugins.fireHook('response:middleware.authenticate', {`
more tests 8 years ago			`req: req,`
			`res: res,`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`next: function (err) {`
if authenticate middleware is overridden by plugin, check for req.user and return notAllowed helper otherwise /cc @LudwikJaniuk 7 years ago			`if (err) {`
			`return next(err);`
			`}`

			`auth.setAuthVars(req, res, function () {`
			`if (req.loggedIn && req.user && req.user.uid) {`
			`return next();`
			`}`

feat: added new middleware authenticateOrGuest 6 years ago			`callback();`
if authenticate middleware is overridden by plugin, check for req.user and return notAllowed helper otherwise /cc @LudwikJaniuk 7 years ago			`});`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`},`
more tests 8 years ago			`});`
			`}`

feat: added new middleware authenticateOrGuest 6 years ago			`callback();`
			`}`

fix: loop 6 years ago			`middleware.authenticate = function middlewareAuthenticate(req, res, next) {`
feat: added new middleware authenticateOrGuest 6 years ago			`authenticate(req, res, next, function () {`
			`controllers.helpers.notAllowed(req, res, next);`
			`});`
			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.authenticateOrGuest = function authenticateOrGuest(req, res, next) {`
feat: added new middleware authenticateOrGuest 6 years ago			`authenticate(req, res, next, next);`
more tests 8 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.ensureSelfOrGlobalPrivilege = function ensureSelfOrGlobalPrivilege(req, res, next) {`
more tests 8 years ago			`ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);`
			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.ensureSelfOrPrivileged = function ensureSelfOrPrivileged(req, res, next) {`
more tests 8 years ago			`ensureSelfOrMethod(user.isPrivileged, req, res, next);`
			`};`

			`function ensureSelfOrMethod(method, req, res, next) {`
			`/*`
			`The "self" part of this middleware hinges on you having used`
			`middleware.exposeUid prior to invoking this middleware.`
			`*/`
			`async.waterfall([`
			`function (next) {`
closes #2304 7 years ago			`if (!req.loggedIn) {`
more tests 8 years ago			`return setImmediate(next, null, false);`
			`}`

			`if (req.uid === parseInt(res.locals.uid, 10)) {`
			`return setImmediate(next, null, true);`
			`}`

			`method(req.uid, next);`
			`},`
			`function (allowed, next) {`
			`if (!allowed) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`next();`
			`},`
			`], next);`
			`}`

feat: give the rest of the middlewares names 6 years ago			`middleware.checkGlobalPrivacySettings = function checkGlobalPrivacySettings(req, res, next) {`
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`winston.warn('[middleware], checkGlobalPrivacySettings deprecated, use canViewUsers or canViewGroups');`
			`middleware.canViewUsers(req, res, next);`
			`};`

			`middleware.canViewUsers = function canViewUsers(req, res, next) {`
fix: #7494 6 years ago			`if (parseInt(res.locals.uid, 10) === req.uid) {`
			`return next();`
			`}`
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`privileges.global.can('view:users', req.uid, function (err, canView) {`
			`if (err \|\| canView) {`
			`return next(err);`
			`}`
			`controllers.helpers.notAllowed(req, res);`
			`});`
			`};`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`middleware.canViewGroups = function canViewGroups(req, res, next) {`
			`privileges.global.can('view:groups', req.uid, function (err, canView) {`
			`if (err \|\| canView) {`
			`return next(err);`
			`}`
			`controllers.helpers.notAllowed(req, res);`
			`});`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.checkAccountPermissions = function checkAccountPermissions(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// This middleware ensures that only the requested user and admins can pass`
			`async.waterfall([`
			`function (next) {`
			`middleware.authenticate(req, res, next);`
			`},`
			`function (next) {`
			`user.getUidByUserslug(req.params.userslug, next);`
			`},`
			`function (uid, next) {`
closes #5202 8 years ago			`privileges.users.canEdit(req.uid, uid, next);`
allowing moderators access to the account info page 9 years ago			`},`
fix style 9 years ago			`function (allowed, next) {`
allowing moderators access to the account info page 9 years ago			`if (allowed) {`
			`return next(null, allowed);`
			`}`

			`// For the account/info page only, allow plain moderators through`
			`if (/user\/.+\/info$/.test(req.path)) {`
Add privilege for accessing user information (#7859) * Add view users info global privilege * Show user ip only to global mods and admins * fix missing comma * Hide link for users without correct privilege * move getting privilege information to getAllData * Hide the link from Global Moderators as well * Give Global Moderator view:users:info privilege * Restrict ip in post menu to view:users:info * add some trailing commas.... * Add privilege to categories test * Add group privilege to categories test * add upgrade script * fix style for TravisCI * more styling - change spaces to tabs * some more styling fixes (hopefully final one) * fix style for Travis CI * hide ip in chat messages * Don't show even hidden ips on user profile page 6 years ago			`privileges.global.can('view:users:info', req.uid, next);`
allowing moderators access to the account info page 9 years ago			`} else {`
			`next(null, false);`
			`}`
ESlint comma-dangle 8 years ago			`},`
more tests 8 years ago			`function (allowed) {`
			`if (allowed) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.redirectToAccountIfLoggedIn = function redirectToAccountIfLoggedIn(req, res, next) {`
feat: give names to middlewares 6 years ago			`if (req.session.forceLogin \|\| req.uid <= 0) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`

more tests 8 years ago			`async.waterfall([`
			`function (next) {`
			`user.getUserField(req.uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`controllers.helpers.redirect(res, '/user/' + userslug);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.redirectUidToUserslug = function redirectUidToUserslug(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var uid = parseInt(req.params.uid, 10);`
uid fixes 6 years ago			`if (uid <= 0) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`
more tests 8 years ago			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
			`return next();`
			`}`
			`var path = req.path.replace(/^\/api/, '')`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`.replace('uid', 'user')`
Fix space-before-function-paren linter rule 9 years ago			`.replace(uid, function () { return userslug; });`
more tests 8 years ago			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.redirectMeToUserslug = function redirectMeToUserslug(req, res, next) {`
Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 7 years ago			`var uid = req.uid;`
			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
use helper 7 years ago			`return controllers.helpers.notAllowed(req, res);`
Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 7 years ago			`}`
			`var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);`
			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
			`};`

feat: convert middleware.isAdmin to async/await 5 years ago			`middleware.isAdmin = async function isAdmin(req, res, next) {`
			`const isAdmin = await user.isAdministrator(req.uid);`
			`if (!isAdmin) {`
refactor: shorter returns 5 years ago			`return controllers.helpers.notAllowed(req, res);`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
			`const hasPassword = await user.hasPassword(req.uid);`
			`if (!hasPassword) {`
refactor: shorter returns 5 years ago			`return next();`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`const loginTime = req.session.meta ? req.session.meta.datetime : 0;`
			`const adminReloginDuration = meta.config.adminReloginDuration * 60000;`
			`const disabled = meta.config.adminReloginDuration === 0;`
			`if (disabled \|\| (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {`
			`const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);`
			`if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {`
			`req.session.meta.datetime += Math.min(300000, adminReloginDuration);`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
refactor: shorter returns 5 years ago			`return next();`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`let returnTo = req.path;`
			`if (nconf.get('relative_path')) {`
			`returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');`
			`}`
			`returnTo = returnTo.replace(/^\/api/, '');`
closes #5847 8 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`req.session.returnTo = returnTo;`
			`req.session.forceLogin = 1;`
			`if (res.locals.isAPI) {`
			`res.status(401).json({});`
			`} else {`
			`res.redirect(nconf.get('relative_path') + '/login?local=1');`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.requireUser = function (req, res, next) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`

ESlint object-curly-spacing 8 years ago			`res.status(403).render('403', { title: '[[global:403.title]]' });`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give names to middlewares 6 years ago			`middleware.registrationComplete = function registrationComplete(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// If the user's session contains registration data, redirect the user to complete registration`
			`if (!req.session.hasOwnProperty('registration')) {`
misc fixes handle spider uids properly 6 years ago			`return setImmediate(next);`
ESlint no-useless-escape, no-else-return 8 years ago			`}`
			`if (!req.path.endsWith('/register/complete')) {`
closes #6483 7 years ago			`// Append user data if present`
			`req.session.registration.uid = req.uid;`

ESlint no-useless-escape, no-else-return 8 years ago			`controllers.helpers.redirect(res, '/register/complete');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`} else {`
feat: give names to middlewares 6 years ago			`setImmediate(next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`
			`};`
			`};`