nodebb/src/controllers/authentication.js

'use strict';

var async = require('async');
var winston = require('winston');
var passport = require('passport');
var nconf = require('nconf');
var validator = require('validator');
var _ = require('lodash');

var db = require('../database');
var meta = require('../meta');
var user = require('../user').async;
var plugins = require('../plugins');
var utils = require('../utils');
var translator = require('../translator');
var helpers = require('./helpers');
var middleware = require('../middleware');
var privileges = require('../privileges');
var sockets = require('../socket.io');

var authenticationController = module.exports;

authenticationController.register = function (req, res) {
	var registrationType = meta.config.registrationType || 'normal';

	if (registrationType === 'disabled') {
		return res.sendStatus(403);
	}

	var userData = req.body;

	async.waterfall([
		function (next) {
			if (registrationType === 'invite-only' || registrationType === 'admin-invite-only') {
				user.verifyInvitation(userData, next);
			} else {
				next();
			}
		},
		function (next) {
			if (!userData.email) {
				return next(new Error('[[error:invalid-email]]'));
			}

			if (!userData.username || userData.username.length < meta.config.minimumUsernameLength || utils.slugify(userData.username).length < meta.config.minimumUsernameLength) {
				return next(new Error('[[error:username-too-short]]'));
			}

			if (userData.username.length > meta.config.maximumUsernameLength) {
				return next(new Error('[[error:username-too-long]]'));
			}

			if (userData.password !== userData['password-confirm']) {
				return next(new Error('[[user:change_password_error_match]]'));
			}

			user.isPasswordValid(userData.password, next);
		},
		function (next) {
			res.locals.processLogin = true;	// set it to false in plugin if you wish to just register only
			plugins.fireHook('filter:register.check', { req: req, res: res, userData: userData }, next);
		},
		function (result, next) {
			registerAndLoginUser(req, res, userData, next);
		},
	], function (err, data) {
		if (err) {
			return helpers.noScriptErrors(req, res, err.message, 400);
		}

		if (data.uid && req.body.userLang) {
			user.setSetting(data.uid, 'userLang', req.body.userLang);
		}

		res.json(data);
	});
};

function registerAndLoginUser(req, res, userData, callback) {
	var uid;
	async.waterfall([
		function (next) {
			plugins.fireHook('filter:register.interstitial', {
				userData: userData,
				interstitials: [],
			}, next);
		},
		function (data, next) {
			// If interstitials are found, save registration attempt into session and abort
			var deferRegistration = data.interstitials.length;

			if (!deferRegistration) {
				return next();
			}
			userData.register = true;
			req.session.registration = userData;

			if (req.body.noscript === 'true') {
				return res.redirect(nconf.get('relative_path') + '/register/complete');
			}
			return res.json({ referrer: nconf.get('relative_path') + '/register/complete' });
		},
		function (next) {
			user.shouldQueueUser(req.ip, next);
		},
		function (queue, next) {
			plugins.fireHook('filter:register.shouldQueue', { req: req, res: res, userData: userData, queue: queue }, next);
		},
		function (data, next) {
			if (data.queue) {
				addToApprovalQueue(req, userData, callback);
			} else {
				user.create(userData, next);
			}
		},
		function (_uid, next) {
			uid = _uid;
			if (res.locals.processLogin) {
				authenticationController.doLogin(req, uid, next);
			} else {
				next();
			}
		},
		function (next) {
			user.deleteInvitationKey(userData.email);
			plugins.fireHook('filter:register.complete', { uid: uid, referrer: req.body.referrer || nconf.get('relative_path') + '/' }, next);
		},
	], callback);
}

function addToApprovalQueue(req, userData, callback) {
	async.waterfall([
		function (next) {
			userData.ip = req.ip;
			user.addToApprovalQueue(userData, next);
		},
		function (next) {
			next(null, { message: '[[register:registration-added-to-queue]]' });
		},
	], callback);
}

authenticationController.registerComplete = function (req, res, next) {
	// For the interstitials that respond, execute the callback with the form body
	plugins.fireHook('filter:register.interstitial', {
		userData: req.session.registration,
		interstitials: [],
	}, function (err, data) {
		if (err) {
			return next(err);
		}

		var callbacks = data.interstitials.reduce(function (memo, cur) {
			if (cur.hasOwnProperty('callback') && typeof cur.callback === 'function') {
				req.body.files = req.files;
				memo.push(function (next) {
					cur.callback(req.session.registration, req.body, function (err) {
						// Pass error as second argument so all callbacks are executed
						next(null, err);
					});
				});
			}

			return memo;
		}, []);

		var done = function (err, data) {
			delete req.session.registration;
			if (err) {
				return res.redirect(nconf.get('relative_path') + '/?register=' + encodeURIComponent(err.message));
			}

			if (!err && data && data.message) {
				return res.redirect(nconf.get('relative_path') + '/?register=' + encodeURIComponent(data.message));
			}
			if (req.session.returnTo) {
				res.redirect(nconf.get('relative_path') + req.session.returnTo);
			} else {
				res.redirect(nconf.get('relative_path') + '/');
			}
		};

		async.parallel(callbacks, async function (_blank, err) {
			if (err.length) {
				err = err.filter(Boolean).map(function (err) {
					return err.message;
				});
			}

			if (err.length) {
				req.flash('errors', err);
				return res.redirect(nconf.get('relative_path') + '/register/complete');
			}

			if (req.session.registration.register === true) {
				res.locals.processLogin = true;
				registerAndLoginUser(req, res, req.session.registration, done);
			} else {
				// Update user hash, clear registration data in session
				const payload = req.session.registration;
				const uid = payload.uid;
				delete payload.uid;
				delete payload.returnTo;

				Object.keys(payload).forEach((prop) => {
					if (typeof payload[prop] === 'boolean') {
						payload[prop] = payload[prop] ? 1 : 0;
					}
				});

				await user.setUserFields(uid, payload);
				done();
			}
		});
	});
};

authenticationController.registerAbort = function (req, res) {
	// End the session and redirect to home
	req.session.destroy(function () {
		res.redirect(nconf.get('relative_path') + '/');
	});
};

authenticationController.login = function (req, res, next) {
	if (plugins.hasListeners('action:auth.overrideLogin')) {
		return continueLogin(req, res, next);
	}

	var loginWith = meta.config.allowLoginWith || 'username-email';
	req.body.username = req.body.username.trim();

	if (req.body.username && utils.isEmailValid(req.body.username) && loginWith.includes('email')) {
		async.waterfall([
			function (next) {
				user.getUsernameByEmail(req.body.username, next);
			},
			function (username, next) {
				req.body.username = username || req.body.username;
				continueLogin(req, res, next);
			},
		], next);
	} else if (loginWith.includes('username') && !validator.isEmail(req.body.username)) {
		continueLogin(req, res, next);
	} else {
		var err = '[[error:wrong-login-type-' + loginWith + ']]';
		helpers.noScriptErrors(req, res, err, 500);
	}
};

function continueLogin(req, res, next) {
	passport.authenticate('local', function (err, userData, info) {
		if (err) {
			return helpers.noScriptErrors(req, res, err.message, 403);
		}

		if (!userData) {
			if (typeof info === 'object') {
				info = '[[error:invalid-username-or-password]]';
			}
			return helpers.noScriptErrors(req, res, info, 403);
		}

		var passwordExpiry = userData.passwordExpiry !== undefined ? parseInt(userData.passwordExpiry, 10) : null;

		// Alter user cookie depending on passed-in option
		if (req.body.remember === 'on') {
			var duration = 1000 * 60 * 60 * 24 * meta.config.loginDays;
			req.session.cookie.maxAge = duration;
			req.session.cookie.expires = new Date(Date.now() + duration);
		} else {
			req.session.cookie.maxAge = false;
			req.session.cookie.expires = false;
		}

		if (passwordExpiry && passwordExpiry < Date.now()) {
			winston.verbose('[auth] Triggering password reset for uid ' + userData.uid + ' due to password policy');
			req.session.passwordExpired = true;

			async.series({
				code: async.apply(user.reset.generate, userData.uid),
				buildHeader: async.apply(middleware.buildHeader, req, res),
				header: async.apply(middleware.generateHeader, req, res, {}),
			}, function (err, payload) {
				if (err) {
					return helpers.noScriptErrors(req, res, err.message, 403);
				}

				res.status(200).send({
					next: nconf.get('relative_path') + '/reset/' + payload.code,
					header: payload.header,
					config: res.locals.config,
				});
			});
		} else {
			delete req.query.lang;

			async.series({
				doLogin: async.apply(authenticationController.doLogin, req, userData.uid),
				buildHeader: async.apply(middleware.buildHeader, req, res),
				header: async.apply(middleware.generateHeader, req, res, {}),
			}, function (err, payload) {
				if (err) {
					return helpers.noScriptErrors(req, res, err.message, 403);
				}

				var destination;
				if (!req.session.returnTo) {
					destination = nconf.get('relative_path') + '/';
				} else {
					destination = req.session.returnTo;
					delete req.session.returnTo;
				}

				if (req.body.noscript === 'true') {
					res.redirect(destination + '?loggedin');
				} else {
					res.status(200).send({
						next: destination,
						header: payload.header,
						config: res.locals.config,
					});
				}
			});
		}
	})(req, res, next);
}

authenticationController.doLogin = function (req, uid, callback) {
	if (!uid) {
		return callback();
	}
	async.waterfall([
		function (next) {
			req.login({ uid: uid }, next);
		},
		function (next) {
			authenticationController.onSuccessfulLogin(req, uid, next);
		},
	], callback);
};

authenticationController.onSuccessfulLogin = function (req, uid, callback) {
	// If already called once, return prematurely
	if (req.res.locals.user) {
		if (typeof callback === 'function') {
			return setImmediate(callback);
		}

		return true;
	}

	var uuid = utils.generateUUID();

	req.uid = uid;
	req.loggedIn = true;

	async.waterfall([
		function (next) {
			meta.blacklist.test(req.ip, next);
		},
		function (next) {
			user.logIP(uid, req.ip, next);
		},
		function (next) {
			req.session.meta = {};

			delete req.session.forceLogin;
			// Associate IP used during login with user account
			req.session.meta.ip = req.ip;

			// Associate metadata retrieved via user-agent
			req.session.meta = _.extend(req.session.meta, {
				uuid: uuid,
				datetime: Date.now(),
				platform: req.useragent.platform,
				browser: req.useragent.browser,
				version: req.useragent.version,
			});

			async.parallel([
				function (next) {
					user.auth.addSession(uid, req.sessionID, next);
				},
				function (next) {
					if (uid > 0) {
						db.setObjectField('uid:' + uid + ':sessionUUID:sessionId', uuid, req.sessionID, next);
					} else {
						next();
					}
				},
				function (next) {
					user.updateLastOnlineTime(uid, next);
				},
				function (next) {
					user.updateOnlineUsers(uid, next);
				},
			], function (err) {
				next(err);
			});
		},
		function (next) {
			// Force session check for all connected socket.io clients with the same session id
			sockets.in('sess_' + req.sessionID).emit('checkSession', uid);

			plugins.fireHook('action:user.loggedIn', { uid: uid, req: req });
			next();
		},
	], function (err) {
		if (err) {
			req.session.destroy();
		}

		if (typeof callback === 'function') {
			callback(err);
		} else {
			return !!err;
		}
	});
};

authenticationController.localLogin = function (req, username, password, next) {
	if (!username) {
		return next(new Error('[[error:invalid-username]]'));
	}

	var userslug = utils.slugify(username);
	var uid;
	var userData = {};

	if (!password || !utils.isPasswordValid(password)) {
		return next(new Error('[[error:invalid-password]]'));
	}

	if (password.length > 4096) {
		return next(new Error('[[error:password-too-long]]'));
	}

	async.waterfall([
		function (next) {
			user.getUidByUserslug(userslug, next);
		},
		function (_uid, next) {
			uid = _uid;

			async.parallel({
				userData: async.apply(db.getObjectFields, 'user:' + uid, ['passwordExpiry']),
				isAdminOrGlobalMod: function (next) {
					user.isAdminOrGlobalMod(uid, next);
				},
				banned: function (next) {
					user.bans.isBanned(uid, next);
				},
				hasLoginPrivilege: function (next) {
					privileges.global.can('local:login', uid, next);
				},
			}, next);
		},
		function (result, next) {
			userData = Object.assign(result.userData, {
				uid: uid,
				isAdminOrGlobalMod: result.isAdminOrGlobalMod,
			});

			if (parseInt(uid, 10) && !result.hasLoginPrivilege) {
				return next(new Error('[[error:local-login-disabled]]'));
			}

			if (result.banned) {
				return getBanInfo(uid, next);
			}

			user.isPasswordCorrect(uid, password, req.ip, next);
		},
		function (passwordMatch, next) {
			if (!passwordMatch) {
				return next(new Error('[[error:invalid-login-credentials]]'));
			}

			next(null, userData, '[[success:authentication-successful]]');
		},
	], next);
};

authenticationController.logout = function (req, res, next) {
	if (!req.loggedIn || !req.sessionID) {
		return res.status(200).send('not-logged-in');
	}
	const uid = req.uid;
	const sessionID = req.sessionID;
	async.waterfall([
		function (next) {
			user.auth.revokeSession(sessionID, uid, next);
		},
		function (next) {
			req.logout();
			req.session.regenerate(function (err) {
				req.uid = 0;
				req.headers['x-csrf-token'] = req.csrfToken();
				next(err);
			});
		},
		function (next) {
			user.setUserField(uid, 'lastonline', Date.now() - (meta.config.onlineCutoff * 60000), next);
		},
		function (next) {
			db.sortedSetAdd('users:online', Date.now() - (meta.config.onlineCutoff * 60000), uid, next);
		},
		function (next) {
			plugins.fireHook('static:user.loggedOut', { req: req, res: res, uid: uid, sessionID: sessionID }, next);
		},
		async.apply(middleware.autoLocale, req, res),
		function () {
			// Force session check for all connected socket.io clients with the same session id
			sockets.in('sess_' + sessionID).emit('checkSession', 0);
			if (req.body.noscript === 'true') {
				res.redirect(nconf.get('relative_path') + '/');
			} else {
				async.series({
					buildHeader: async.apply(middleware.buildHeader, req, res),
					header: async.apply(middleware.generateHeader, req, res, {}),
				}, function (err, payload) {
					if (err) {
						return res.status(500);
					}

					payload = {
						header: payload.header,
						config: res.locals.config,
					};
					plugins.fireHook('filter:user.logout', payload);
					res.status(200).send(payload);
				});
			}
		},
	], next);
};

function getBanInfo(uid, callback) {
	var banInfo;
	async.waterfall([
		function (next) {
			user.getLatestBanInfo(uid, next);
		},
		function (_banInfo, next) {
			banInfo = _banInfo;
			if (banInfo.reason) {
				return next();
			}

			translator.translate('[[user:info.banned-no-reason]]', function (translated) {
				banInfo.reason = translated;
				next();
			});
		},
		function (next) {
			next(new Error(banInfo.banned_until ? '[[error:user-banned-reason-until, ' + banInfo.banned_until_readable + ', ' + banInfo.reason + ']]' : '[[error:user-banned-reason, ' + banInfo.reason + ']]'));
		},
	], function (err) {
		if (err) {
			if (err.message === 'no-ban-info') {
				err.message = '[[error:user-banned]]';
			}
		}
		callback(err);
	});
}