Working login flow
This commit is contained in:
Cohee
parent
af8627b999
commit
3f3e23420d
|
|
@ -0,0 +1,35 @@
|
|||
body.login #shadow_popup {
|
||||
opacity: 1;
|
||||
display: flex;
|
||||
}
|
||||
|
||||
body.login .logo {
|
||||
max-width: 30px;
|
||||
}
|
||||
|
||||
body.login #logoBlock {
|
||||
align-items: center;
|
||||
margin: 0 auto;
|
||||
gap: 10px;
|
||||
}
|
||||
|
||||
body.login .userSelect {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
color: var(--SmartThemeBodyColor);
|
||||
border: 1px solid var(--SmartThemeBorderColor);
|
||||
border-radius: 5px;
|
||||
padding: 3px 5px;
|
||||
width: min-content;
|
||||
cursor: pointer;
|
||||
margin: 5px 0;
|
||||
transition: background-color 0.15s ease-in-out;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
text-align: center;
|
||||
}
|
||||
|
||||
body.login .userSelect:hover {
|
||||
background-color: var(--black30a);
|
||||
}
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 23 KiB |
|
|
@ -0,0 +1,71 @@
|
|||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<base href="/">
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport"
|
||||
content="width=device-width, viewport-fit=cover, initial-scale=1, maximum-scale=1.0, user-scalable=no">
|
||||
<meta name="apple-mobile-web-app-capable" content="yes">
|
||||
<meta name="darkreader-lock">
|
||||
<meta name="robots" content="noindex, nofollow" />
|
||||
<link rel="apple-touch-icon" sizes="57x57" href="img/apple-icon-57x57.png" />
|
||||
<link rel="apple-touch-icon" sizes="72x72" href="img/apple-icon-72x72.png" />
|
||||
<link rel="apple-touch-icon" sizes="114x114" href="img/apple-icon-114x114.png" />
|
||||
<link rel="apple-touch-icon" sizes="144x144" href="img/apple-icon-144x144.png" />
|
||||
<link rel="stylesheet" type="text/css" href="style.css">
|
||||
<link rel="stylesheet" type="text/css" href="css/st-tailwind.css">
|
||||
<link rel="stylesheet" type="text/css" href="css/login.css">
|
||||
<link rel="manifest" crossorigin="use-credentials" href="manifest.json">
|
||||
<link href="webfonts/NotoSans/stylesheet.css" rel="stylesheet">
|
||||
<!-- fontawesome webfonts-->
|
||||
<link href="css/fontawesome.css" rel="stylesheet">
|
||||
<link href="css/solid.css" rel="stylesheet">
|
||||
<script src="lib/jquery-3.5.1.min.js"></script>
|
||||
<script src="scripts/login.js"></script>
|
||||
<title>SillyTavern</title>
|
||||
</head>
|
||||
|
||||
<body class="login" style="display: none;">
|
||||
<div id="shadow_popup">
|
||||
<div id="dialogue_popup">
|
||||
<div id="dialogue_popup_holder">
|
||||
<div id="dialogue_popup_text">
|
||||
<div id="userSelectBlock" class="flex-container flexFlowColumn alignItemsCenter">
|
||||
<h2 id="logoBlock" class="flex-container">
|
||||
<img src="img/logo.png" alt="SillyTavern" class="logo">
|
||||
<span>Welcome to SillyTavern</span>
|
||||
</h2>
|
||||
<h3>Select a User</h3>
|
||||
<div id="userListBlock" class="wide100p">
|
||||
<div id="userList" class="flex-container justifyCenter"></div>
|
||||
<div id="passwordEntryBlock" style="display:none;"
|
||||
class="flex-container flexFlowColumn alignItemsCenter">
|
||||
<input id="userPassword" class="text_pole" type="password" placeholder="Enter a password...">
|
||||
<div class="flex-container">
|
||||
<div id="loginButton" class="menu_button">Login</div>
|
||||
<div id="recoverPassword" class="menu_button">Recover</div>
|
||||
</div>
|
||||
</div>
|
||||
<div id="passwordRecoveryBlock" style="display:none;"
|
||||
class="flex-container flexFlowColumn alignItemsCenter">
|
||||
<div id="recoverMessage">
|
||||
Recovery code has been posted to the server console.
|
||||
</div>
|
||||
<input id="recoveryCode" class="text_pole" type="text" placeholder="Recovery code">
|
||||
<input id="newPassword" class="text_pole" type="password" placeholder="New password...">
|
||||
<div class="flex-container">
|
||||
<div id="sendRecovery" class="menu_button">Send</div>
|
||||
<div id="cancelRecovery" class="menu_button">Cancel</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
<div class="neutral_warning" id="errorMessage">
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
|
@ -1,7 +1,5 @@
|
|||
const ELEMENT_ID = 'loader';
|
||||
|
||||
import { populateUserList } from './userManagement.js'
|
||||
|
||||
export function showLoader() {
|
||||
const container = $('<div></div>').attr('id', ELEMENT_ID);
|
||||
const loader = $('<div></div>').attr('id', 'load-spinner').addClass('fa-solid fa-gear fa-spin fa-3x');
|
||||
|
|
@ -10,7 +8,6 @@ export function showLoader() {
|
|||
}
|
||||
|
||||
export async function hideLoader() {
|
||||
|
||||
//Sets up a 2-step animation. Spinner blurs/fades out, and then the loader shadow does the same.
|
||||
$('#load-spinner').on('transitionend webkitTransitionEnd oTransitionEnd MSTransitionEnd', function () {
|
||||
//uncomment this as part of user selection enabling
|
||||
|
|
@ -35,8 +32,4 @@ export async function hideLoader() {
|
|||
|
||||
//uncomment to make user selection live
|
||||
//await populateUserList()
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,142 @@
|
|||
async function getUserList() {
|
||||
const response = await fetch('/api/users/list');
|
||||
const userListObj = await response.json();
|
||||
console.log(userListObj);
|
||||
return userListObj;
|
||||
}
|
||||
|
||||
async function sendRecoveryPart1(handle) {
|
||||
const response = await fetch('/api/users/recover-step1', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
},
|
||||
body: JSON.stringify({ handle }),
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
const errorData = await response.json();
|
||||
return displayError(errorData.error || 'An error occurred');
|
||||
}
|
||||
|
||||
showRecoveryBlock();
|
||||
}
|
||||
|
||||
async function sendRecoveryPart2(handle, code, newPassword) {
|
||||
const recoveryData = {
|
||||
handle,
|
||||
code,
|
||||
newPassword,
|
||||
};
|
||||
|
||||
const response = await fetch('/api/users/recover-step2', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
},
|
||||
body: JSON.stringify(recoveryData),
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
const errorData = await response.json();
|
||||
return displayError(errorData.error || 'An error occurred');
|
||||
}
|
||||
|
||||
console.log(`Successfully recovered password for ${handle}!`);
|
||||
await performLogin(handle, newPassword);
|
||||
}
|
||||
|
||||
async function onUserSelected(user) {
|
||||
// No password, just log in
|
||||
if (!user.password) {
|
||||
return await performLogin(user.handle, '');
|
||||
}
|
||||
|
||||
$('#passwordRecoveryBlock').hide();
|
||||
$('#passwordEntryBlock').show();
|
||||
$('#loginButton').off('click').on('click', async () => {
|
||||
const password = String($('#userPassword').val());
|
||||
await performLogin(user.handle, password);
|
||||
});
|
||||
|
||||
$('#recoverPassword').off('click').on('click', async () => {
|
||||
await sendRecoveryPart1(user.handle);
|
||||
});
|
||||
|
||||
$('#sendRecovery').off('click').on('click', async () => {
|
||||
const code = String($('#recoveryCode').val());
|
||||
const newPassword = String($('#newPassword').val());
|
||||
await sendRecoveryPart2(user.handle, code, newPassword);
|
||||
});
|
||||
|
||||
displayError('');
|
||||
}
|
||||
|
||||
function displayError(message) {
|
||||
$('#errorMessage').text(message);
|
||||
}
|
||||
|
||||
async function performLogin(handle, password) {
|
||||
const userInfo = {
|
||||
handle: handle,
|
||||
password: password,
|
||||
};
|
||||
|
||||
try {
|
||||
const response = await fetch('/api/users/login', {
|
||||
method: 'POST',
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
},
|
||||
body: JSON.stringify(userInfo),
|
||||
});
|
||||
|
||||
if (!response.ok) {
|
||||
const errorData = await response.json();
|
||||
return displayError(errorData.error || 'An error occurred');
|
||||
}
|
||||
|
||||
const data = await response.json();
|
||||
|
||||
if (data.handle) {
|
||||
console.log(`Successfully logged in as ${handle}!`);
|
||||
redirectToHome();
|
||||
}
|
||||
} catch (error) {
|
||||
console.error('Error logging in:', error);
|
||||
displayError(String(error));
|
||||
}
|
||||
}
|
||||
|
||||
function redirectToHome() {
|
||||
window.location.href = '/';
|
||||
}
|
||||
|
||||
function showRecoveryBlock() {
|
||||
$('#passwordEntryBlock').hide();
|
||||
$('#passwordRecoveryBlock').show();
|
||||
displayError('');
|
||||
}
|
||||
|
||||
function onCancelRecoveryClick() {
|
||||
$('#passwordRecoveryBlock').hide();
|
||||
$('#passwordEntryBlock').show();
|
||||
displayError('');
|
||||
}
|
||||
|
||||
(async function () {
|
||||
const userList = await getUserList();
|
||||
console.log(userList);
|
||||
for (const user of userList) {
|
||||
const userBlock = $('<div></div>').addClass('userSelect');
|
||||
const avatarBlock = $('<div></div>').addClass('avatar');
|
||||
avatarBlock.append($('<img>').attr('src', user.avatar));
|
||||
userBlock.append(avatarBlock);
|
||||
userBlock.append($('<span></span>').text(user.name));
|
||||
userBlock.append($('<small></small>').text(user.handle));
|
||||
userBlock.on('click', () => onUserSelected(user));
|
||||
$('#userList').append(userBlock);
|
||||
}
|
||||
document.body.style.display = '';
|
||||
$('#cancelRecovery').on('click', onCancelRecoveryClick);
|
||||
})();
|
||||
|
|
@ -1,10 +1,3 @@
|
|||
async function getUserList() {
|
||||
const response = await fetch('/api/users/list');
|
||||
const userListObj = await response.json(); // Assuming the response is in JSON format
|
||||
console.log(userListObj)
|
||||
return userListObj;
|
||||
}
|
||||
|
||||
async function registerNewUser() {
|
||||
let handle = String($("#newUserHandle").val());
|
||||
let name = String($("#newUserName").val());
|
||||
|
|
@ -111,17 +104,6 @@ export async function populateUserList() {
|
|||
`
|
||||
|
||||
const userSelectHTML = `
|
||||
<div id="userSelectBlock" class="flex-container flexFlowColumn alignItemsCenter">
|
||||
<h3>Select User</h3>
|
||||
<small>This is merely a test. <br> Click a user, and then click Login to proceed.</small>
|
||||
<div id="userListBlock">
|
||||
<div id="userList" class="flex-container justifyCenter"></div>
|
||||
<div id="passwordEntryBlock" style="display:none;" class="flex-container flexFlowColumn alignItemsCenter">
|
||||
<h4 id="passwordHeaderText"></h4>
|
||||
<input id="userPassword" class="text_pole" type="password">
|
||||
<div id="loginButton" class='menu_button'>Login</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div id="registerNewUserBlock" style="display:none;">
|
||||
${newUserRegisterationHTML}
|
||||
|
|
|
|||
131
server.js
131
server.js
|
|
@ -18,6 +18,7 @@ const doubleCsrf = require('csrf-csrf').doubleCsrf;
|
|||
const express = require('express');
|
||||
const compression = require('compression');
|
||||
const cookieParser = require('cookie-parser');
|
||||
const cookieSession = require('cookie-session');
|
||||
const multer = require('multer');
|
||||
const responseTime = require('response-time');
|
||||
const helmet = require('helmet').default;
|
||||
|
|
@ -33,14 +34,7 @@ util.inspect.defaultOptions.maxStringLength = null;
|
|||
util.inspect.defaultOptions.depth = 4;
|
||||
|
||||
// local library imports
|
||||
const {
|
||||
initUserStorage,
|
||||
ensurePublicDirectoriesExist,
|
||||
userDataMiddleware,
|
||||
migrateUserData,
|
||||
getCsrfSecret,
|
||||
getCookieSecret,
|
||||
} = require('./src/users');
|
||||
const userModule = require('./src/users');
|
||||
const basicAuthMiddleware = require('./src/middleware/basicAuth');
|
||||
const whitelistMiddleware = require('./src/middleware/whitelist');
|
||||
const contentManager = require('./src/endpoints/content-manager');
|
||||
|
|
@ -122,6 +116,7 @@ const autorun = (cliArguments.autorun ?? getConfigValue('autorun', DEFAULT_AUTOR
|
|||
const listen = cliArguments.listen ?? getConfigValue('listen', DEFAULT_LISTEN);
|
||||
const enableCorsProxy = cliArguments.corsProxy ?? getConfigValue('enableCorsProxy', DEFAULT_CORS_PROXY);
|
||||
const basicAuthMode = getConfigValue('basicAuthMode', false);
|
||||
const enableAccounts = getConfigValue('enableUserAccounts', false);
|
||||
|
||||
const { UPLOADS_PATH } = require('./src/constants');
|
||||
|
||||
|
|
@ -136,40 +131,6 @@ app.use(CORS);
|
|||
if (listen && basicAuthMode) app.use(basicAuthMiddleware);
|
||||
|
||||
app.use(whitelistMiddleware(listen));
|
||||
app.use(userDataMiddleware(app));
|
||||
|
||||
// CSRF Protection //
|
||||
if (!cliArguments.disableCsrf) {
|
||||
const COOKIES_SECRET = getCookieSecret();
|
||||
|
||||
const { generateToken, doubleCsrfProtection } = doubleCsrf({
|
||||
getSecret: getCsrfSecret,
|
||||
cookieName: 'X-CSRF-Token',
|
||||
cookieOptions: {
|
||||
httpOnly: true,
|
||||
sameSite: 'strict',
|
||||
secure: false,
|
||||
},
|
||||
size: 64,
|
||||
getTokenFromRequest: (req) => req.headers['x-csrf-token'],
|
||||
});
|
||||
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
res.json({
|
||||
'token': generateToken(res, req),
|
||||
});
|
||||
});
|
||||
|
||||
app.use(cookieParser(COOKIES_SECRET));
|
||||
app.use(doubleCsrfProtection);
|
||||
} else {
|
||||
console.warn('\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n');
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
res.json({
|
||||
'token': 'disabled',
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
if (enableCorsProxy) {
|
||||
const bodyParser = require('body-parser');
|
||||
|
|
@ -221,17 +182,85 @@ if (enableCorsProxy) {
|
|||
});
|
||||
}
|
||||
|
||||
app.use(express.static(process.cwd() + '/public', {}));
|
||||
app.use('/', require('./src/users').router);
|
||||
app.use(cookieSession({
|
||||
name: userModule.getCookieSessionName(),
|
||||
sameSite: 'strict',
|
||||
httpOnly: true,
|
||||
maxAge: 24 * 60 * 60 * 1000, // 24 hours
|
||||
secret: userModule.getCookieSecret(),
|
||||
}));
|
||||
|
||||
app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar'));
|
||||
app.get('/', function (request, response) {
|
||||
response.sendFile(process.cwd() + '/public/index.html');
|
||||
app.use(userModule.setUserDataMiddleware);
|
||||
|
||||
// Static files
|
||||
// Host index page
|
||||
app.get('/', (request, response) => {
|
||||
if (userModule.shouldRedirectToLogin(request)) {
|
||||
return response.redirect('/login');
|
||||
}
|
||||
|
||||
return response.sendFile('index.html', { root: path.join(process.cwd(), 'public') });
|
||||
});
|
||||
// Host login page
|
||||
app.get('/login', (_request, response) => {
|
||||
app.get('/login', async (request, response) => {
|
||||
if (!enableAccounts) {
|
||||
console.log('User accounts are disabled. Redirecting to index page.');
|
||||
return response.redirect('/');
|
||||
}
|
||||
|
||||
const autoLogin = await userModule.tryAutoLogin(request);
|
||||
|
||||
if (autoLogin) {
|
||||
return response.redirect('/');
|
||||
}
|
||||
|
||||
return response.sendFile('login.html', { root: path.join(process.cwd(), 'public') });
|
||||
});
|
||||
app.use(express.static(process.cwd() + '/public', {}));
|
||||
|
||||
app.use('/api/users', userModule.publicEndpoints);
|
||||
|
||||
app.use(userModule.requireLoginMiddleware);
|
||||
|
||||
// CSRF Protection //
|
||||
if (!cliArguments.disableCsrf) {
|
||||
const COOKIES_SECRET = userModule.getCookieSecret();
|
||||
|
||||
const { generateToken, doubleCsrfProtection } = doubleCsrf({
|
||||
getSecret: userModule.getCsrfSecret,
|
||||
cookieName: 'X-CSRF-Token',
|
||||
cookieOptions: {
|
||||
httpOnly: true,
|
||||
sameSite: 'strict',
|
||||
secure: false,
|
||||
},
|
||||
size: 64,
|
||||
getTokenFromRequest: (req) => req.headers['x-csrf-token'],
|
||||
});
|
||||
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
res.json({
|
||||
'token': generateToken(res, req),
|
||||
});
|
||||
});
|
||||
|
||||
app.use(cookieParser(COOKIES_SECRET));
|
||||
app.use(doubleCsrfProtection);
|
||||
} else {
|
||||
console.warn('\nCSRF protection is disabled. This will make your server vulnerable to CSRF attacks.\n');
|
||||
app.get('/csrf-token', (req, res) => {
|
||||
res.json({
|
||||
'token': 'disabled',
|
||||
});
|
||||
});
|
||||
}
|
||||
|
||||
// User management
|
||||
app.use('/', userModule.router);
|
||||
app.use('/api/users', userModule.authenticatedEndpoints);
|
||||
app.use('/api/users', userModule.adminEndpoints);
|
||||
|
||||
app.use(multer({ dest: UPLOADS_PATH, limits: { fieldSize: 10 * 1024 * 1024 } }).single('avatar'));
|
||||
app.get('/version', async function (_, response) {
|
||||
const data = await getVersion();
|
||||
response.send(data);
|
||||
|
|
@ -481,10 +510,10 @@ const setupTasks = async function () {
|
|||
|
||||
// TODO: do endpoint init functions depend on certain directories existing or not existing? They should be callable
|
||||
// in any order for encapsulation reasons, but right now it's unknown if that would break anything.
|
||||
await initUserStorage();
|
||||
await userModule.initUserStorage();
|
||||
await settingsEndpoint.init();
|
||||
const directories = await ensurePublicDirectoriesExist();
|
||||
await migrateUserData();
|
||||
const directories = await userModule.ensurePublicDirectoriesExist();
|
||||
await userModule.migrateUserData();
|
||||
await contentManager.checkForNewContent(directories);
|
||||
await ensureThumbnailCache();
|
||||
cleanUploads();
|
||||
|
|
|
|||
383
src/users.js
383
src/users.js
|
|
@ -7,7 +7,6 @@ const os = require('os');
|
|||
// Express and other dependencies
|
||||
const storage = require('node-persist');
|
||||
const express = require('express');
|
||||
const cookieSession = require('cookie-session');
|
||||
const uuid = require('uuid');
|
||||
const mime = require('mime-types');
|
||||
const slugify = require('slugify').default;
|
||||
|
|
@ -400,7 +399,7 @@ function getCsrfSecret(request) {
|
|||
* @returns {Promise<string[]>} - The list of user handles
|
||||
*/
|
||||
async function getAllUserHandles() {
|
||||
const keys = await storage.keys(x=> x.key.startsWith(KEY_PREFIX));
|
||||
const keys = await storage.keys(x => x.key.startsWith(KEY_PREFIX));
|
||||
const handles = keys.map(x => x.replace(KEY_PREFIX, ''));
|
||||
return handles;
|
||||
}
|
||||
|
|
@ -455,87 +454,100 @@ function getUserAvatar(handle) {
|
|||
}
|
||||
|
||||
/**
|
||||
* Middleware to add user data to the request object.
|
||||
* @param {import('express').Express} app Express app
|
||||
* @returns {import('express').RequestHandler}
|
||||
* Checks if the user should be redirected to the login page.
|
||||
* @param {import('express').Request} request Request object
|
||||
* @returns {boolean} Whether the user should be redirected to the login page
|
||||
*/
|
||||
function userDataMiddleware(app) {
|
||||
app.use(cookieSession({
|
||||
name: getCookieSessionName(),
|
||||
sameSite: 'strict',
|
||||
httpOnly: true,
|
||||
maxAge: 24 * 60 * 60 * 1000, // 24 hours
|
||||
secret: getCookieSecret(),
|
||||
}));
|
||||
function shouldRedirectToLogin(request) {
|
||||
return ENABLE_ACCOUNTS && !request.user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Middleware to add user data to the request object.
|
||||
* @param {import('express').Request} req Request object
|
||||
* @param {import('express').Response} res Response object
|
||||
* @param {import('express').NextFunction} next Next function
|
||||
*/
|
||||
return async (req, res, next) => {
|
||||
// Skip for login page
|
||||
if (req.path === '/login') {
|
||||
return next();
|
||||
/**
|
||||
* Tries auto-login if there is only one user and it's not password protected.
|
||||
* @param {import('express').Request} request Request object
|
||||
* @returns {Promise<boolean>} Whether auto-login was performed
|
||||
*/
|
||||
async function tryAutoLogin(request) {
|
||||
if (!ENABLE_ACCOUNTS || request.user || !request.session) {
|
||||
return false;
|
||||
}
|
||||
|
||||
const userHandles = await getAllUserHandles();
|
||||
if (userHandles.length === 1) {
|
||||
const user = await storage.getItem(toKey(userHandles[0]));
|
||||
if (!user.password) {
|
||||
request.session.handle = userHandles[0];
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
// If user accounts are disabled, use the default user
|
||||
if (!ENABLE_ACCOUNTS) {
|
||||
const handle = DEFAULT_USER.handle;
|
||||
const directories = getUserDirectories(handle);
|
||||
req.user = {
|
||||
profile: DEFAULT_USER,
|
||||
directories: directories,
|
||||
};
|
||||
return next();
|
||||
}
|
||||
|
||||
if (!req.session) {
|
||||
console.error('Session not available');
|
||||
return res.sendStatus(500);
|
||||
}
|
||||
|
||||
// If user accounts are enabled, get the user from the session
|
||||
let handle = req.session?.handle;
|
||||
|
||||
// If we have the only user and it's not password protected, use it
|
||||
if (!handle) {
|
||||
const handles = await getAllUserHandles();
|
||||
if (handles.length === 1) {
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(handles[0]));
|
||||
if (!user.password) {
|
||||
handle = user.handle;
|
||||
req.session.handle = handle;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!handle) {
|
||||
return res.redirect('/login');
|
||||
}
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(handle));
|
||||
|
||||
if (!user) {
|
||||
console.error('User not found:', handle);
|
||||
return res.redirect('/login');
|
||||
}
|
||||
|
||||
if (!user.enabled) {
|
||||
console.error('User is disabled:', handle);
|
||||
return res.redirect('/login');
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Middleware to add user data to the request object.
|
||||
* @param {import('express').Request} request Request object
|
||||
* @param {import('express').Response} response Response object
|
||||
* @param {import('express').NextFunction} next Next function
|
||||
*/
|
||||
async function setUserDataMiddleware(request, response, next) {
|
||||
// If user accounts are disabled, use the default user
|
||||
if (!ENABLE_ACCOUNTS) {
|
||||
const handle = DEFAULT_USER.handle;
|
||||
const directories = getUserDirectories(handle);
|
||||
req.user = {
|
||||
profile: user,
|
||||
request.user = {
|
||||
profile: DEFAULT_USER,
|
||||
directories: directories,
|
||||
};
|
||||
return next();
|
||||
}
|
||||
|
||||
if (!request.session) {
|
||||
console.error('Session not available');
|
||||
return response.sendStatus(500);
|
||||
}
|
||||
|
||||
// If user accounts are enabled, get the user from the session
|
||||
let handle = request.session?.handle;
|
||||
|
||||
// If we have the only user and it's not password protected, use it
|
||||
if (!handle) {
|
||||
return next();
|
||||
}
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(handle));
|
||||
|
||||
if (!user) {
|
||||
console.error('User not found:', handle);
|
||||
return next();
|
||||
}
|
||||
|
||||
if (!user.enabled) {
|
||||
console.error('User is disabled:', handle);
|
||||
return next();
|
||||
}
|
||||
|
||||
const directories = getUserDirectories(handle);
|
||||
request.user = {
|
||||
profile: user,
|
||||
directories: directories,
|
||||
};
|
||||
return next();
|
||||
}
|
||||
|
||||
/**
|
||||
* Middleware to add user data to the request object.
|
||||
* @param {import('express').Request} request Request object
|
||||
* @param {import('express').Response} response Response object
|
||||
* @param {import('express').NextFunction} next Next function
|
||||
*/
|
||||
function requireLoginMiddleware(request, response, next) {
|
||||
if (!request.user) {
|
||||
return response.sendStatus(401);
|
||||
}
|
||||
|
||||
return next();
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -588,40 +600,60 @@ router.use('/user/images/*', createRouteHandler(req => req.user.directories.user
|
|||
router.use('/user/files/*', createRouteHandler(req => req.user.directories.files));
|
||||
router.use('/scripts/extensions/third-party/*', createRouteHandler(req => req.user.directories.extensions));
|
||||
|
||||
const endpoints = express.Router();
|
||||
const publicEndpoints = express.Router();
|
||||
|
||||
endpoints.get('/list', async (_request, response) => {
|
||||
publicEndpoints.get('/list', async (_request, response) => {
|
||||
/** @type {User[]} */
|
||||
const users = await storage.values();
|
||||
const viewModels = users.filter(x => x.enabled).map(user => ({
|
||||
handle: user.handle,
|
||||
name: user.name,
|
||||
avatar: getUserAvatar(user.handle),
|
||||
admin: user.admin,
|
||||
password: !!user.password,
|
||||
}));
|
||||
const viewModels = users
|
||||
.filter(x => x.enabled)
|
||||
.sort((x, y) => x.created - y.created)
|
||||
.map(user => ({
|
||||
handle: user.handle,
|
||||
name: user.name,
|
||||
avatar: getUserAvatar(user.handle),
|
||||
admin: user.admin,
|
||||
password: !!user.password,
|
||||
}));
|
||||
|
||||
return response.json(viewModels);
|
||||
});
|
||||
|
||||
endpoints.get('/me', async (request, response) => {
|
||||
if (!request.user) {
|
||||
return response.sendStatus(401);
|
||||
publicEndpoints.post('/login', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Login failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
|
||||
const user = request.user.profile;
|
||||
const viewModel = {
|
||||
handle: user.handle,
|
||||
name: user.name,
|
||||
avatar: getUserAvatar(user.handle),
|
||||
admin: user.admin,
|
||||
password: !!user.password,
|
||||
};
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
return response.json(viewModel);
|
||||
if (!user) {
|
||||
console.log('Login failed: User not found');
|
||||
return response.status(401).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
if (!user.enabled) {
|
||||
console.log('Login failed: User is disabled');
|
||||
return response.status(403).json({ error: 'User is disabled' });
|
||||
}
|
||||
|
||||
if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) {
|
||||
console.log('Login failed: Incorrect password');
|
||||
return response.status(401).json({ error: 'Incorrect password' });
|
||||
}
|
||||
|
||||
if (!request.session) {
|
||||
console.error('Session not available');
|
||||
return response.sendStatus(500);
|
||||
}
|
||||
|
||||
request.session.handle = user.handle;
|
||||
console.log('Login successful:', user.handle, request.session);
|
||||
return response.json({ handle: user.handle });
|
||||
});
|
||||
|
||||
endpoints.post('/recover-step1', jsonParser, async (request, response) => {
|
||||
publicEndpoints.post('/recover-step1', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Recover step 1 failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
|
|
@ -641,13 +673,15 @@ endpoints.post('/recover-step1', jsonParser, async (request, response) => {
|
|||
}
|
||||
|
||||
const mfaCode = Math.floor(Math.random() * 1000000).toString().padStart(6, '0');
|
||||
console.log(color.blue(`${user.name} YOUR PASSWORD RECOVERY CODE IS: `) + color.magenta(mfaCode));
|
||||
console.log();
|
||||
console.log(color.blue(`${user.name}, your password recovery code is: `) + color.magenta(mfaCode));
|
||||
console.log();
|
||||
MFA_CACHE.set(user.handle, mfaCode);
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
endpoints.post('/recover-step2', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle || !request.body.code || !request.body.password) {
|
||||
publicEndpoints.post('/recover-step2', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle || !request.body.code) {
|
||||
console.log('Recover step 2 failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
|
|
@ -672,101 +706,40 @@ endpoints.post('/recover-step2', jsonParser, async (request, response) => {
|
|||
return response.status(401).json({ error: 'Incorrect code' });
|
||||
}
|
||||
|
||||
const newPassword = request.body.newPassword || '';
|
||||
const salt = getPasswordSalt();
|
||||
user.password = getPasswordHash(request.body.password, salt);
|
||||
user.password = getPasswordHash(newPassword, salt);
|
||||
user.salt = salt;
|
||||
await storage.setItem(toKey(user.handle), user);
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
endpoints.post('/login', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle || !request.body.password) {
|
||||
console.log('Login failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
const authenticatedEndpoints = express.Router();
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
if (!user) {
|
||||
console.log('Login failed: User not found');
|
||||
return response.status(401).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
if (!user.enabled) {
|
||||
console.log('Login failed: User is disabled');
|
||||
return response.status(403).json({ error: 'User is disabled' });
|
||||
}
|
||||
|
||||
if (user.password && user.password !== getPasswordHash(request.body.password, user.salt)) {
|
||||
console.log('Login failed: Incorrect password');
|
||||
return response.status(401).json({ error: 'Incorrect password' });
|
||||
}
|
||||
|
||||
if (!request.session) {
|
||||
console.error('Login failed: Session not available');
|
||||
return response.status(500).json({ error: 'Session not available' });
|
||||
}
|
||||
|
||||
// Regenerate session to prevent session fixation attacks
|
||||
await new Promise(resolve => request.session?.regenerate(resolve));
|
||||
|
||||
|
||||
request.session.handle = user.handle;
|
||||
console.log('Login successful:', user.handle, request.session);
|
||||
return response.json({ handle: user.handle });
|
||||
});
|
||||
|
||||
endpoints.post('/logout', async (request, response) => {
|
||||
authenticatedEndpoints.post('/logout', async (request, response) => {
|
||||
request.session?.destroy(() => {
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
});
|
||||
|
||||
endpoints.post('/disable', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Disable user failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
authenticatedEndpoints.get('/me', async (request, response) => {
|
||||
if (!request.user) {
|
||||
return response.sendStatus(401);
|
||||
}
|
||||
|
||||
if (request.body.handle === request.user.profile.handle) {
|
||||
console.log('Disable user failed: Cannot disable yourself');
|
||||
return response.status(400).json({ error: 'Cannot disable yourself' });
|
||||
}
|
||||
const user = request.user.profile;
|
||||
const viewModel = {
|
||||
handle: user.handle,
|
||||
name: user.name,
|
||||
avatar: getUserAvatar(user.handle),
|
||||
admin: user.admin,
|
||||
password: !!user.password,
|
||||
};
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
if (!user) {
|
||||
console.log('Disable user failed: User not found');
|
||||
return response.status(404).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
user.enabled = false;
|
||||
await storage.setItem(toKey(request.body.handle), user);
|
||||
return response.sendStatus(204);
|
||||
return response.json(viewModel);
|
||||
});
|
||||
|
||||
endpoints.post('/enable', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Enable user failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
if (!user) {
|
||||
console.log('Enable user failed: User not found');
|
||||
return response.status(404).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
user.enabled = true;
|
||||
await storage.setItem(toKey(request.body.handle), user);
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
endpoints.post('/change-password', jsonParser, async (request, response) => {
|
||||
authenticatedEndpoints.post('/change-password', jsonParser, async (request, response) => {
|
||||
if (!request.body.handle || !request.body.oldPassword || !request.body.newPassword) {
|
||||
console.log('Change password failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
|
|
@ -797,7 +770,52 @@ endpoints.post('/change-password', jsonParser, async (request, response) => {
|
|||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
endpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
const adminEndpoints = express.Router();
|
||||
|
||||
adminEndpoints.post('/disable', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Disable user failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
|
||||
if (request.body.handle === request.user.profile.handle) {
|
||||
console.log('Disable user failed: Cannot disable yourself');
|
||||
return response.status(400).json({ error: 'Cannot disable yourself' });
|
||||
}
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
if (!user) {
|
||||
console.log('Disable user failed: User not found');
|
||||
return response.status(404).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
user.enabled = false;
|
||||
await storage.setItem(toKey(request.body.handle), user);
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
adminEndpoints.post('/enable', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
if (!request.body.handle) {
|
||||
console.log('Enable user failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
}
|
||||
|
||||
/** @type {User} */
|
||||
const user = await storage.getItem(toKey(request.body.handle));
|
||||
|
||||
if (!user) {
|
||||
console.log('Enable user failed: User not found');
|
||||
return response.status(404).json({ error: 'User not found' });
|
||||
}
|
||||
|
||||
user.enabled = true;
|
||||
await storage.setItem(toKey(request.body.handle), user);
|
||||
return response.sendStatus(204);
|
||||
});
|
||||
|
||||
adminEndpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, response) => {
|
||||
if (!request.body.handle || !request.body.name) {
|
||||
console.log('Create user failed: Missing required fields');
|
||||
return response.status(400).json({ error: 'Missing required fields' });
|
||||
|
|
@ -834,16 +852,21 @@ endpoints.post('/create', requireAdminMiddleware, jsonParser, async (request, re
|
|||
return response.json({ handle: newUser.handle });
|
||||
});
|
||||
|
||||
router.use('/api/users', endpoints);
|
||||
|
||||
module.exports = {
|
||||
initUserStorage,
|
||||
ensurePublicDirectoriesExist,
|
||||
getAllUserHandles,
|
||||
getUserDirectories,
|
||||
userDataMiddleware,
|
||||
setUserDataMiddleware,
|
||||
requireLoginMiddleware,
|
||||
migrateUserData,
|
||||
getCsrfSecret,
|
||||
getCookieSecret,
|
||||
getCookieSessionName,
|
||||
router,
|
||||
publicEndpoints,
|
||||
authenticatedEndpoints,
|
||||
adminEndpoints,
|
||||
shouldRedirectToLogin,
|
||||
tryAutoLogin,
|
||||
};
|
||||
|
|
|
|||
Loading…
Reference in New Issue