nodebb/src/middleware/user.js

'use strict';

const util = require('util');
const nconf = require('nconf');
const winston = require('winston');

const meta = require('../meta');
const user = require('../user');
const privileges = require('../privileges');
const plugins = require('../plugins');

const auth = require('../routes/authentication');

const controllers = {
	helpers: require('../controllers/helpers'),
};

module.exports = function (middleware) {
	function authenticate(req, res, next, callback) {
		if (req.loggedIn) {
			return next();
		}
		if (plugins.hasListeners('response:middleware.authenticate')) {
			return plugins.fireHook('response:middleware.authenticate', {
				req: req,
				res: res,
				next: function (err) {
					if (err) {
						return next(err);
					}

					auth.setAuthVars(req, res, function () {
						if (req.loggedIn && req.user && req.user.uid) {
							return next();
						}

						callback();
					});
				},
			});
		}

		callback();
	}

	middleware.authenticate = function middlewareAuthenticate(req, res, next) {
		authenticate(req, res, next, function () {
			controllers.helpers.notAllowed(req, res, next);
		});
	};

	const authenticateAsync = util.promisify(middleware.authenticate);

	middleware.authenticateOrGuest = function authenticateOrGuest(req, res, next) {
		authenticate(req, res, next, next);
	};

	middleware.ensureSelfOrGlobalPrivilege = function ensureSelfOrGlobalPrivilege(req, res, next) {
		ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);
	};

	middleware.ensureSelfOrPrivileged = function ensureSelfOrPrivileged(req, res, next) {
		ensureSelfOrMethod(user.isPrivileged, req, res, next);
	};

	async function ensureSelfOrMethod(method, req, res, next) {
		/*
			The "self" part of this middleware hinges on you having used
			middleware.exposeUid prior to invoking this middleware.
		*/
		if (!req.loggedIn) {
			return controllers.helpers.notAllowed(req, res);
		}
		if (req.uid === parseInt(res.locals.uid, 10)) {
			return setImmediate(next);
		}
		const allowed = await method(req.uid);
		if (!allowed) {
			return controllers.helpers.notAllowed(req, res);
		}
	}

	middleware.checkGlobalPrivacySettings = function checkGlobalPrivacySettings(req, res, next) {
		winston.warn('[middleware], checkGlobalPrivacySettings deprecated, use canViewUsers or canViewGroups');
		middleware.canViewUsers(req, res, next);
	};

	middleware.canViewUsers = async function canViewUsers(req, res, next) {
		if (parseInt(res.locals.uid, 10) === req.uid) {
			return next();
		}
		const canView = await privileges.global.can('view:users', req.uid);
		if (canView) {
			return next();
		}
		controllers.helpers.notAllowed(req, res);
	};

	middleware.canViewGroups = async function canViewGroups(req, res, next) {
		const canView = await privileges.global.can('view:groups', req.uid);
		if (canView) {
			return next();
		}
		controllers.helpers.notAllowed(req, res);
	};

	middleware.checkAccountPermissions = async function checkAccountPermissions(req, res, next) {
		// This middleware ensures that only the requested user and admins can pass
		await authenticateAsync(req, res);
		const uid = await user.getUidByUserslug(req.params.userslug);
		let allowed = await privileges.users.canEdit(req.uid, uid);
		if (allowed) {
			return next();
		}

		if (/user\/.+\/info$/.test(req.path)) {
			allowed = await privileges.global.can('view:users:info', req.uid);
		}
		if (allowed) {
			return next();
		}
		controllers.helpers.notAllowed(req, res);
	};

	middleware.redirectToAccountIfLoggedIn = async function redirectToAccountIfLoggedIn(req, res, next) {
		if (req.session.forceLogin || req.uid <= 0) {
			return next();
		}
		const userslug = await user.getUserField(req.uid, 'userslug');
		controllers.helpers.redirect(res, '/user/' + userslug);
	};

	middleware.redirectUidToUserslug = async function redirectUidToUserslug(req, res, next) {
		const uid = parseInt(req.params.uid, 10);
		if (uid <= 0) {
			return next();
		}
		const userslug = await user.getUserField(uid, 'userslug');
		if (!userslug) {
			return next();
		}
		const path = req.path.replace(/^\/api/, '')
			.replace('uid', 'user')
			.replace(uid, function () { return userslug; });
		controllers.helpers.redirect(res, path);
	};

	middleware.redirectMeToUserslug = async function redirectMeToUserslug(req, res) {
		const userslug = await user.getUserField(req.uid, 'userslug');
		if (!userslug) {
			return controllers.helpers.notAllowed(req, res);
		}
		const path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);
		controllers.helpers.redirect(res, path);
	};

	middleware.isAdmin = async function isAdmin(req, res, next) {
		const isAdmin = await user.isAdministrator(req.uid);
		if (!isAdmin) {
			return controllers.helpers.notAllowed(req, res);
		}
		const hasPassword = await user.hasPassword(req.uid);
		if (!hasPassword) {
			return next();
		}

		const loginTime = req.session.meta ? req.session.meta.datetime : 0;
		const adminReloginDuration = meta.config.adminReloginDuration * 60000;
		const disabled = meta.config.adminReloginDuration === 0;
		if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
			const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
			if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {
				req.session.meta.datetime += Math.min(300000, adminReloginDuration);
			}

			return next();
		}

		let returnTo = req.path;
		if (nconf.get('relative_path')) {
			returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
		}
		returnTo = returnTo.replace(/^\/api/, '');

		req.session.returnTo = returnTo;
		req.session.forceLogin = 1;
		if (res.locals.isAPI) {
			res.status(401).json({});
		} else {
			res.redirect(nconf.get('relative_path') + '/login?local=1');
		}
	};

	middleware.requireUser = function (req, res, next) {
		if (req.loggedIn) {
			return next();
		}

		res.status(403).render('403', { title: '[[global:403.title]]' });
	};

	middleware.registrationComplete = function registrationComplete(req, res, next) {
		// If the user's session contains registration data, redirect the user to complete registration
		if (!req.session.hasOwnProperty('registration')) {
			return setImmediate(next);
		}
		if (!req.path.endsWith('/register/complete')) {
			// Append user data if present
			req.session.registration.uid = req.uid;

			controllers.helpers.redirect(res, '/register/complete');
		} else {
			setImmediate(next);
		}
	};
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`'use strict';`

refactor: async/await middleware 5 years ago			`const util = require('util');`
			`const nconf = require('nconf');`
			`const winston = require('winston');`
closes #5202 8 years ago
refactor: async/await middleware 5 years ago			`const meta = require('../meta');`
			`const user = require('../user');`
			`const privileges = require('../privileges');`
			`const plugins = require('../plugins');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
refactor: async/await middleware 5 years ago			`const auth = require('../routes/authentication');`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago
refactor: async/await middleware 5 years ago			`const controllers = {`
ESlint comma-dangle 8 years ago			`helpers: require('../controllers/helpers'),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`module.exports = function (middleware) {`
feat: added new middleware authenticateOrGuest 6 years ago			`function authenticate(req, res, next, callback) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
more tests 8 years ago			`return next();`
			`}`
feat: new hook type: `response` Used in authentication middleware. Instead of firing an action hook, it now fires a response hook. Response hooks are invoked serially, and if headers are sent from one of the hook listeners, all subsequent hook methods are not called. Response hooks should only be used in situations where res.send (or other like methods) are invoked. Existing plugin hooks that pass in res purely for data retrieval purposes have not changed). fixes nodebb/nodebb-plugin-write-api#101 6 years ago			`if (plugins.hasListeners('response:middleware.authenticate')) {`
			`return plugins.fireHook('response:middleware.authenticate', {`
more tests 8 years ago			`req: req,`
			`res: res,`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`next: function (err) {`
if authenticate middleware is overridden by plugin, check for req.user and return notAllowed helper otherwise /cc @LudwikJaniuk 7 years ago			`if (err) {`
			`return next(err);`
			`}`

			`auth.setAuthVars(req, res, function () {`
			`if (req.loggedIn && req.user && req.user.uid) {`
			`return next();`
			`}`

feat: added new middleware authenticateOrGuest 6 years ago			`callback();`
if authenticate middleware is overridden by plugin, check for req.user and return notAllowed helper otherwise /cc @LudwikJaniuk 7 years ago			`});`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`},`
more tests 8 years ago			`});`
			`}`

feat: added new middleware authenticateOrGuest 6 years ago			`callback();`
			`}`

fix: loop 6 years ago			`middleware.authenticate = function middlewareAuthenticate(req, res, next) {`
feat: added new middleware authenticateOrGuest 6 years ago			`authenticate(req, res, next, function () {`
			`controllers.helpers.notAllowed(req, res, next);`
			`});`
			`};`

refactor: async/await middleware 5 years ago			`const authenticateAsync = util.promisify(middleware.authenticate);`

feat: give the rest of the middlewares names 6 years ago			`middleware.authenticateOrGuest = function authenticateOrGuest(req, res, next) {`
feat: added new middleware authenticateOrGuest 6 years ago			`authenticate(req, res, next, next);`
more tests 8 years ago			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.ensureSelfOrGlobalPrivilege = function ensureSelfOrGlobalPrivilege(req, res, next) {`
more tests 8 years ago			`ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);`
			`};`

feat: give the rest of the middlewares names 6 years ago			`middleware.ensureSelfOrPrivileged = function ensureSelfOrPrivileged(req, res, next) {`
more tests 8 years ago			`ensureSelfOrMethod(user.isPrivileged, req, res, next);`
			`};`

refactor: async/await middleware 5 years ago			`async function ensureSelfOrMethod(method, req, res, next) {`
more tests 8 years ago			`/*`
			`The "self" part of this middleware hinges on you having used`
			`middleware.exposeUid prior to invoking this middleware.`
			`*/`
refactor: async/await middleware 5 years ago			`if (!req.loggedIn) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`if (req.uid === parseInt(res.locals.uid, 10)) {`
			`return setImmediate(next);`
			`}`
			`const allowed = await method(req.uid);`
			`if (!allowed) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
more tests 8 years ago			`}`

feat: give the rest of the middlewares names 6 years ago			`middleware.checkGlobalPrivacySettings = function checkGlobalPrivacySettings(req, res, next) {`
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`winston.warn('[middleware], checkGlobalPrivacySettings deprecated, use canViewUsers or canViewGroups');`
			`middleware.canViewUsers(req, res, next);`
			`};`

refactor: async/await middleware 5 years ago			`middleware.canViewUsers = async function canViewUsers(req, res, next) {`
fix: #7494 6 years ago			`if (parseInt(res.locals.uid, 10) === req.uid) {`
			`return next();`
			`}`
refactor: async/await middleware 5 years ago			`const canView = await privileges.global.can('view:users', req.uid);`
			`if (canView) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
fix: #6806 3 new global privileges view:users view:tags view:groups 6 years ago			`};`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
refactor: async/await middleware 5 years ago			`middleware.canViewGroups = async function canViewGroups(req, res, next) {`
			`const canView = await privileges.global.can('view:groups', req.uid);`
			`if (canView) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

refactor: async/await middleware 5 years ago			`middleware.checkAccountPermissions = async function checkAccountPermissions(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// This middleware ensures that only the requested user and admins can pass`
refactor: async/await middleware 5 years ago			`await authenticateAsync(req, res);`
			`const uid = await user.getUidByUserslug(req.params.userslug);`
			`let allowed = await privileges.users.canEdit(req.uid, uid);`
			`if (allowed) {`
			`return next();`
			`}`

			`if (/user\/.+\/info$/.test(req.path)) {`
			`allowed = await privileges.global.can('view:users:info', req.uid);`
			`}`
			`if (allowed) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

refactor: async/await middleware 5 years ago			`middleware.redirectToAccountIfLoggedIn = async function redirectToAccountIfLoggedIn(req, res, next) {`
feat: give names to middlewares 6 years ago			`if (req.session.forceLogin \|\| req.uid <= 0) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`
refactor: async/await middleware 5 years ago			`const userslug = await user.getUserField(req.uid, 'userslug');`
			`controllers.helpers.redirect(res, '/user/' + userslug);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

refactor: async/await middleware 5 years ago			`middleware.redirectUidToUserslug = async function redirectUidToUserslug(req, res, next) {`
			`const uid = parseInt(req.params.uid, 10);`
uid fixes 6 years ago			`if (uid <= 0) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`
refactor: async/await middleware 5 years ago			`const userslug = await user.getUserField(uid, 'userslug');`
			`if (!userslug) {`
			`return next();`
			`}`
			`const path = req.path.replace(/^\/api/, '')`
			`.replace('uid', 'user')`
			`.replace(uid, function () { return userslug; });`
			`controllers.helpers.redirect(res, path);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

refactor: async/await middleware 5 years ago			`middleware.redirectMeToUserslug = async function redirectMeToUserslug(req, res) {`
			`const userslug = await user.getUserField(req.uid, 'userslug');`
			`if (!userslug) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`const path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);`
			`controllers.helpers.redirect(res, path);`
Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 7 years ago			`};`

feat: convert middleware.isAdmin to async/await 5 years ago			`middleware.isAdmin = async function isAdmin(req, res, next) {`
			`const isAdmin = await user.isAdministrator(req.uid);`
			`if (!isAdmin) {`
refactor: shorter returns 5 years ago			`return controllers.helpers.notAllowed(req, res);`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
			`const hasPassword = await user.hasPassword(req.uid);`
			`if (!hasPassword) {`
refactor: shorter returns 5 years ago			`return next();`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`const loginTime = req.session.meta ? req.session.meta.datetime : 0;`
			`const adminReloginDuration = meta.config.adminReloginDuration * 60000;`
			`const disabled = meta.config.adminReloginDuration === 0;`
			`if (disabled \|\| (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {`
			`const timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);`
			`if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {`
			`req.session.meta.datetime += Math.min(300000, adminReloginDuration);`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
refactor: shorter returns 5 years ago			`return next();`
feat: convert middleware.isAdmin to async/await 5 years ago			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`let returnTo = req.path;`
			`if (nconf.get('relative_path')) {`
			`returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');`
			`}`
			`returnTo = returnTo.replace(/^\/api/, '');`
closes #5847 8 years ago
feat: convert middleware.isAdmin to async/await 5 years ago			`req.session.returnTo = returnTo;`
			`req.session.forceLogin = 1;`
			`if (res.locals.isAPI) {`
			`res.status(401).json({});`
			`} else {`
			`res.redirect(nconf.get('relative_path') + '/login?local=1');`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.requireUser = function (req, res, next) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`

ESlint object-curly-spacing 8 years ago			`res.status(403).render('403', { title: '[[global:403.title]]' });`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

feat: give names to middlewares 6 years ago			`middleware.registrationComplete = function registrationComplete(req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// If the user's session contains registration data, redirect the user to complete registration`
			`if (!req.session.hasOwnProperty('registration')) {`
misc fixes handle spider uids properly 6 years ago			`return setImmediate(next);`
ESlint no-useless-escape, no-else-return 8 years ago			`}`
			`if (!req.path.endsWith('/register/complete')) {`
closes #6483 7 years ago			`// Append user data if present`
			`req.session.registration.uid = req.uid;`

ESlint no-useless-escape, no-else-return 8 years ago			`controllers.helpers.redirect(res, '/register/complete');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`} else {`
feat: give names to middlewares 6 years ago			`setImmediate(next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`
			`};`
			`};`