nodebb/src/middleware/user.js

'use strict';

var async = require('async');
var nconf = require('nconf');

var meta = require('../meta');
var user = require('../user');
var privileges = require('../privileges');
var plugins = require('../plugins');

var auth = require('../routes/authentication');

var controllers = {
	helpers: require('../controllers/helpers'),
};

module.exports = function (middleware) {
	middleware.authenticate = function (req, res, next) {
		if (req.loggedIn) {
			return next();
		}

		if (plugins.hasListeners('action:middleware.authenticate')) {
			return plugins.fireHook('action:middleware.authenticate', {
				req: req,
				res: res,
				next: function (err) {
					if (err) {
						return next(err);
					}

					auth.setAuthVars(req, res, function () {
						if (req.loggedIn && req.user && req.user.uid) {
							return next();
						}

						controllers.helpers.notAllowed(req, res);
					});
				},
			});
		}

		controllers.helpers.notAllowed(req, res);
	};

	middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
		ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);
	};

	middleware.ensureSelfOrPrivileged = function (req, res, next) {
		ensureSelfOrMethod(user.isPrivileged, req, res, next);
	};

	function ensureSelfOrMethod(method, req, res, next) {
		/*
			The "self" part of this middleware hinges on you having used
			middleware.exposeUid prior to invoking this middleware.
		*/
		async.waterfall([
			function (next) {
				if (!req.loggedIn) {
					return setImmediate(next, null, false);
				}

				if (req.uid === parseInt(res.locals.uid, 10)) {
					return setImmediate(next, null, true);
				}

				method(req.uid, next);
			},
			function (allowed, next) {
				if (!allowed) {
					return controllers.helpers.notAllowed(req, res);
				}
				next();
			},
		], next);
	}

	middleware.checkGlobalPrivacySettings = function (req, res, next) {
		if (!req.loggedIn && meta.config.privateUserInfo) {
			return middleware.authenticate(req, res, next);
		}

		next();
	};

	middleware.checkAccountPermissions = function (req, res, next) {
		// This middleware ensures that only the requested user and admins can pass
		async.waterfall([
			function (next) {
				middleware.authenticate(req, res, next);
			},
			function (next) {
				user.getUidByUserslug(req.params.userslug, next);
			},
			function (uid, next) {
				privileges.users.canEdit(req.uid, uid, next);
			},
			function (allowed, next) {
				if (allowed) {
					return next(null, allowed);
				}

				// For the account/info page only, allow plain moderators through
				if (/user\/.+\/info$/.test(req.path)) {
					user.isModeratorOfAnyCategory(req.uid, next);
				} else {
					next(null, false);
				}
			},
			function (allowed) {
				if (allowed) {
					return next();
				}
				controllers.helpers.notAllowed(req, res);
			},
		], next);
	};

	middleware.redirectToAccountIfLoggedIn = function (req, res, next) {
		if (req.session.forceLogin || !req.uid) {
			return next();
		}

		async.waterfall([
			function (next) {
				user.getUserField(req.uid, 'userslug', next);
			},
			function (userslug) {
				controllers.helpers.redirect(res, '/user/' + userslug);
			},
		], next);
	};

	middleware.redirectUidToUserslug = function (req, res, next) {
		var uid = parseInt(req.params.uid, 10);
		if (!uid) {
			return next();
		}
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return next();
				}
				var path = req.path.replace(/^\/api/, '')
					.replace('uid', 'user')
					.replace(uid, function () { return userslug; });
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.redirectMeToUserslug = function (req, res, next) {
		var uid = req.uid;
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return controllers.helpers.notAllowed(req, res);
				}
				var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.isAdmin = function (req, res, next) {
		async.waterfall([
			function (next) {
				user.isAdministrator(req.uid, next);
			},
			function (isAdmin, next) {
				if (!isAdmin) {
					return controllers.helpers.notAllowed(req, res);
				}
				user.hasPassword(req.uid, next);
			},
			function (hasPassword, next) {
				if (!hasPassword) {
					return next();
				}

				var loginTime = req.session.meta ? req.session.meta.datetime : 0;
				var adminReloginDuration = meta.config.adminReloginDuration * 60000;
				var disabled = meta.config.adminReloginDuration === 0;
				if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
					var timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
					if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {
						req.session.meta.datetime += Math.min(300000, adminReloginDuration);
					}

					return next();
				}

				var returnTo = req.path;
				if (nconf.get('relative_path')) {
					returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
				}
				returnTo = returnTo.replace(/^\/api/, '');

				req.session.returnTo = nconf.get('relative_path') + returnTo;
				req.session.forceLogin = 1;
				if (res.locals.isAPI) {
					res.status(401).json({});
				} else {
					res.redirect(nconf.get('relative_path') + '/login');
				}
			},
		], next);
	};

	middleware.requireUser = function (req, res, next) {
		if (req.loggedIn) {
			return next();
		}

		res.status(403).render('403', { title: '[[global:403.title]]' });
	};

	middleware.registrationComplete = function (req, res, next) {
		// If the user's session contains registration data, redirect the user to complete registration
		if (!req.session.hasOwnProperty('registration')) {
			return setImmediate(next);
		}
		if (!req.path.endsWith('/register/complete')) {
			// Append user data if present
			req.session.registration.uid = req.uid;

			controllers.helpers.redirect(res, '/register/complete');
		} else {
			return setImmediate(next);
		}
	};
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`'use strict';`

			`var async = require('async');`
ESlint keyword-spacing, no-multi-spaces 8 years ago			`var nconf = require('nconf');`
closes #5202 8 years ago
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var meta = require('../meta');`
			`var user = require('../user');`
closes #5202 8 years ago			`var privileges = require('../privileges');`
more tests 8 years ago			`var plugins = require('../plugins');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`var auth = require('../routes/authentication');`

organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var controllers = {`
ESlint comma-dangle 8 years ago			`helpers: require('../controllers/helpers'),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`module.exports = function (middleware) {`
more tests 8 years ago			`middleware.authenticate = function (req, res, next) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
more tests 8 years ago			`return next();`
			`}`

			`if (plugins.hasListeners('action:middleware.authenticate')) {`
			`return plugins.fireHook('action:middleware.authenticate', {`
			`req: req,`
			`res: res,`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`next: function (err) {`
if authenticate middleware is overridden by plugin, check for req.user and return notAllowed helper otherwise /cc @LudwikJaniuk 7 years ago			`if (err) {`
			`return next(err);`
			`}`

			`auth.setAuthVars(req, res, function () {`
			`if (req.loggedIn && req.user && req.user.uid) {`
			`return next();`
			`}`

			`controllers.helpers.notAllowed(req, res);`
			`});`
DRY req props that depend on auth (fix #6727) (#6731) * DRY req props that depend on auth (fix #6727) authentication leads to req.loggedIn and req.uid being set. However, a later authentication event might outdate them. Here, I create one function for setting those properties, and make sure it also is called on the `action:middleware.authenticate` hook, which would be such an authentication event. If there are other places, those should be added as well. * fix lint errors * fix lint error * change exports 7 years ago			`},`
more tests 8 years ago			`});`
			`}`

			`controllers.helpers.notAllowed(req, res);`
			`};`

			`middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {`
			`ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);`
			`};`

			`middleware.ensureSelfOrPrivileged = function (req, res, next) {`
			`ensureSelfOrMethod(user.isPrivileged, req, res, next);`
			`};`

			`function ensureSelfOrMethod(method, req, res, next) {`
			`/*`
			`The "self" part of this middleware hinges on you having used`
			`middleware.exposeUid prior to invoking this middleware.`
			`*/`
			`async.waterfall([`
			`function (next) {`
closes #2304 7 years ago			`if (!req.loggedIn) {`
more tests 8 years ago			`return setImmediate(next, null, false);`
			`}`

			`if (req.uid === parseInt(res.locals.uid, 10)) {`
			`return setImmediate(next, null, true);`
			`}`

			`method(req.uid, next);`
			`},`
			`function (allowed, next) {`
			`if (!allowed) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`next();`
			`},`
			`], next);`
			`}`

Fix space-before-function-paren linter rule 9 years ago			`middleware.checkGlobalPrivacySettings = function (req, res, next) {`
Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 6 years ago			`if (!req.loggedIn && meta.config.privateUserInfo) {`
updating checkGlobalPrivacySettings middleware to hook into write-api for auth 8 years ago			`return middleware.authenticate(req, res, next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`

			`next();`
			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.checkAccountPermissions = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// This middleware ensures that only the requested user and admins can pass`
			`async.waterfall([`
			`function (next) {`
			`middleware.authenticate(req, res, next);`
			`},`
			`function (next) {`
			`user.getUidByUserslug(req.params.userslug, next);`
			`},`
			`function (uid, next) {`
closes #5202 8 years ago			`privileges.users.canEdit(req.uid, uid, next);`
allowing moderators access to the account info page 9 years ago			`},`
fix style 9 years ago			`function (allowed, next) {`
allowing moderators access to the account info page 9 years ago			`if (allowed) {`
			`return next(null, allowed);`
			`}`

			`// For the account/info page only, allow plain moderators through`
			`if (/user\/.+\/info$/.test(req.path)) {`
			`user.isModeratorOfAnyCategory(req.uid, next);`
			`} else {`
			`next(null, false);`
			`}`
ESlint comma-dangle 8 years ago			`},`
more tests 8 years ago			`function (allowed) {`
			`if (allowed) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.redirectToAccountIfLoggedIn = function (req, res, next) {`
more tests 8 years ago			`if (req.session.forceLogin \|\| !req.uid) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`

more tests 8 years ago			`async.waterfall([`
			`function (next) {`
			`user.getUserField(req.uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`controllers.helpers.redirect(res, '/user/' + userslug);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.redirectUidToUserslug = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`var uid = parseInt(req.params.uid, 10);`
			`if (!uid) {`
			`return next();`
			`}`
more tests 8 years ago			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
			`return next();`
			`}`
			`var path = req.path.replace(/^\/api/, '')`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`.replace('uid', 'user')`
Fix space-before-function-paren linter rule 9 years ago			`.replace(uid, function () { return userslug; });`
more tests 8 years ago			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 7 years ago			`middleware.redirectMeToUserslug = function (req, res, next) {`
			`var uid = req.uid;`
			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
use helper 7 years ago			`return controllers.helpers.notAllowed(req, res);`
Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 7 years ago			`}`
			`var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);`
			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.isAdmin = function (req, res, next) {`
more tests 8 years ago			`async.waterfall([`
			`function (next) {`
			`user.isAdministrator(req.uid, next);`
			`},`
			`function (isAdmin, next) {`
			`if (!isAdmin) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`user.hasPassword(req.uid, next);`
			`},`
			`function (hasPassword, next) {`
			`if (!hasPassword) {`
			`return next();`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
more tests 8 years ago			`var loginTime = req.session.meta ? req.session.meta.datetime : 0;`
Parse int (#6853) * Store config fields as JSON in the db Fewer parseInts * Remove unnecessary parseInts * remove some dupe code add tests * remove console.log * remove more parseInts * WIP: read meta.configs defaults from defaults.json remove more parseInts * more work * add log for failing test * update admin pwd * fix tests, dont require posts/cache before configs are initialized * handle saves * Test boolean conditions * remove more parseInts * Fix boolean values * remove lots more parseInts * removed json parsing * renamed var to number * categories dont have timestamp 6 years ago			`var adminReloginDuration = meta.config.adminReloginDuration * 60000;`
			`var disabled = meta.config.adminReloginDuration === 0;`
closes #6037 7 years ago			`if (disabled \|\| (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {`
			`var timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);`
fix lint 7 years ago			`if (req.session.meta && timeLeft < Math.min(300000, adminReloginDuration)) {`
closes #6037 7 years ago			`req.session.meta.datetime += Math.min(300000, adminReloginDuration);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`

more tests 8 years ago			`return next();`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago
closes #5847 8 years ago			`var returnTo = req.path;`
			`if (nconf.get('relative_path')) {`
			`returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');`
			`}`
			`returnTo = returnTo.replace(/^\/api/, '');`

			`req.session.returnTo = nconf.get('relative_path') + returnTo;`
more tests 8 years ago			`req.session.forceLogin = 1;`
			`if (res.locals.isAPI) {`
			`res.status(401).json({});`
			`} else {`
			`res.redirect(nconf.get('relative_path') + '/login');`
			`}`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.requireUser = function (req, res, next) {`
closes #2304 7 years ago			`if (req.loggedIn) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`return next();`
			`}`

ESlint object-curly-spacing 8 years ago			`res.status(403).render('403', { title: '[[global:403.title]]' });`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`};`

Fix space-before-function-paren linter rule 9 years ago			`middleware.registrationComplete = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`// If the user's session contains registration data, redirect the user to complete registration`
			`if (!req.session.hasOwnProperty('registration')) {`
misc fixes handle spider uids properly 6 years ago			`return setImmediate(next);`
ESlint no-useless-escape, no-else-return 8 years ago			`}`
			`if (!req.path.endsWith('/register/complete')) {`
closes #6483 7 years ago			`// Append user data if present`
			`req.session.registration.uid = req.uid;`

ESlint no-useless-escape, no-else-return 8 years ago			`controllers.helpers.redirect(res, '/register/complete');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`} else {`
misc fixes handle spider uids properly 6 years ago			`return setImmediate(next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 9 years ago			`}`
			`};`
			`};`