src/routes/authentication.js

(function(Auth) {
	"use strict";

	var passport = require('passport'),
		passportLocal = require('passport-local').Strategy,
		nconf = require('nconf'),
		Password = require('../password'),
		winston = require('winston'),
		async = require('async'),

		meta = require('../meta'),
		user = require('../user'),
		plugins = require('../plugins'),
		db = require('../database'),
		utils = require('../../public/src/utils'),

		login_strategies = [];

	function logout(req, res) {
		if (req.user && parseInt(req.user.uid, 10) > 0) {
			winston.info('[Auth] Session ' + req.sessionID + ' logout (uid: ' + req.user.uid + ')');

			var ws = require('../socket.io');
			ws.logoutUser(req.user.uid);

			req.logout();
		}

		res.send(200);
	}

	function login(req, res, next) {
		var continueLogin = function() {
			passport.authenticate('local', function(err, userData, info) {
				if (err) {
					req.flash('error', info);
					return res.redirect(nconf.get('relative_path') + '/login');
				}

				if (!userData) {
					if (typeof info === 'object') {
						info = '[[error:invalid-username-or-password]]';
					}

					req.flash('error', info);
					return res.redirect(nconf.get('relative_path') + '/login');
				}

				// Alter user cookie depending on passed-in option
				if (req.body.remember === 'true') {
					var duration = 1000*60*60*24*parseInt(meta.configs.loginDays || 14, 10);
					req.session.cookie.maxAge = duration;
					req.session.cookie.expires = new Date(Date.now() + duration);
				} else {
					req.session.cookie.maxAge = false;
					req.session.cookie.expires = false;
				}

				req.login({
					uid: userData.uid
				}, function() {
					if (userData.uid) {
						user.logIP(userData.uid, req.ip);
					}

					if (!req.session.returnTo) {
						res.redirect(nconf.get('relative_path') + '/');
					} else {
						var next = req.session.returnTo;
						delete req.session.returnTo;
						res.redirect(nconf.get('relative_path') + next);
					}
				});
			})(req, res, next);
		};

		if(meta.config.allowLocalLogin !== undefined && parseInt(meta.config.allowLocalLogin, 10) === 0) {
			return res.send(404);
		}

		if (req.body.username && utils.isEmailValid(req.body.username)) {
			user.getUsernameByEmail(req.body.username, function(err, username) {
				if (err) {
					return next(err);
				}
				req.body.username = username ? username : req.body.username;
				continueLogin();
			});
		} else {
			continueLogin();
		}
	}

	function register(req, res) {
		if(meta.config.allowRegistration !== undefined && parseInt(meta.config.allowRegistration, 10) === 0) {
			return res.send(403);
		}

		var userData = {};

		for (var key in req.body) {
			if (req.body.hasOwnProperty(key)) {
				userData[key] = req.body[key];
			}
		}

		plugins.fireHook('filter:register.check', req, res, userData, function(err, req, res, userData) {
			if (err) {
				return res.redirect(nconf.get('relative_path') + '/register' + (err.message ? '?error=' + err.message : ''));
			}

			user.create(userData, function(err, uid) {
				if (err || !uid) {
					return res.redirect(nconf.get('relative_path') + '/register');
				}

				req.login({
					uid: uid
				}, function() {
					user.logIP(uid, req.ip);

					require('../socket.io').emitUserCount();

					plugins.fireHook('filter:register.complete', uid, req.body.referrer, function(err, uid, destination) {
						if (destination) {
							res.redirect(nconf.get('relative_path') + destination);
						} else {
							res.redirect(nconf.get('relative_path') + '/');
						}
					});
				});
			});
		});
	}

	Auth.initialize = function(app) {
		app.use(passport.initialize());
		app.use(passport.session());
	};


	Auth.get_login_strategies = function() {
		return login_strategies;
	};

	Auth.registerApp = function(app) {
		Auth.app = app;
	};

	Auth.createRoutes = function(app, middleware, controllers) {
		plugins.ready(function() {
			plugins.fireHook('filter:auth.init', login_strategies, function(err) {
				if (err) {
					winston.error('filter:auth.init - plugin failure');
				}

				var deprecList = [];
				for (var i in login_strategies) {
					if (login_strategies.hasOwnProperty(i)) {
						var strategy = login_strategies[i];

						/*
							Backwards compatibility block for v0.6.0
							Remove this upon release of v0.6.0-1
							Ref: nodebb/nodebb#1849
						*/
						if (strategy.icon.slice(0, 3) !== 'fa-') {
							deprecList.push(strategy.name);
							strategy.icon = 'fa-' + strategy.icon + '-square';
						}
						/* End backwards compatibility block */

						if (strategy.url) {
							app.get(strategy.url, passport.authenticate(strategy.name, {
								scope: strategy.scope
							}));
						}

						app.get(strategy.callbackURL, passport.authenticate(strategy.name, {
							successRedirect: nconf.get('relative_path') + '/',
							failureRedirect: nconf.get('relative_path') + '/login'
						}));
					}
				}

				/*
					Backwards compatibility block for v0.6.0
					Remove this upon release of v0.6.0-1
					Ref: nodebb/nodebb#1849
				*/
				if (deprecList.length) {
					winston.warn('[plugins] Deprecation notice: SSO plugins should now pass in the full fontawesome icon name (e.g. "fa-facebook-o"). Please update the following plugins:');
					for(var x=0,numDeprec=deprecList.length;x<numDeprec;x++) {
						process.stdout.write('  * ' + deprecList[x] + '\n');
					}
				}
				/* End backwards compatibility block */

				app.post('/logout', logout);
				app.post('/register', register);
				app.post('/login', login);
			});
		});
	};

	Auth.login = function(username, password, next) {
		if (!username || !password) {
			next(new Error('[[error:invalid-password]]'));
			return;
		}

		var userslug = utils.slugify(username);

		user.getUidByUserslug(userslug, function(err, uid) {
			if (err) {
				return next(err);
			}

			if (!uid) {
				setTimeout(function() {
					next(null, false, '[[error:invalid-password]]');
				}, Math.floor((Math.random() * 1000) + 1500));	// Wait between 1-2.5 seconds before returning
				return;
			}

			user.auth.logAttempt(uid, function(err) {
				if (err) {
					return next(null, false, err.message);
				}

				db.getObjectFields('user:' + uid, ['password', 'banned'], function(err, userData) {
					if (err) {
						return next(err);
					}

					if (!userData || !userData.password) {
						return next(new Error('[[error:invalid-user-data]]'));
					}

					if (userData.banned && parseInt(userData.banned, 10) === 1) {
						return next(null, false, '[[error:user-banned]]');
					}

					Password.compare(password, userData.password, function(err, res) {
						if (err) {
							return next(new Error('bcrypt compare error'));
						}

						if (!res) {
							return next(null, false, '[[error:invalid-password]]');
						}

						user.auth.clearLoginAttempts(uid);

						next(null, {
							uid: uid
						}, '[[success:authentication-successful]]');
					});
				});
			});
		});
	};

	passport.use(new passportLocal(Auth.login));

	passport.serializeUser(function(user, done) {
		done(null, user.uid);
	});

	passport.deserializeUser(function(uid, done) {
		done(null, {
			uid: uid
		});
	});
}(exports));
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00			`(function(Auth) {`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`"use strict";`

cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00			`var passport = require('passport'),`
			`passportLocal = require('passport-local').Strategy,`
possible fix for #101 2013-07-21 14:25:42 -04:00			`nconf = require('nconf'),`
closes #1976 2014-08-12 21:41:23 -04:00			`Password = require('../password'),`
issue #891 2014-01-27 13:37:31 -05:00			`winston = require('winston'),`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`async = require('async'),`
issue #891 2014-01-27 13:37:31 -05:00
closes #1976 2014-08-12 21:41:23 -04:00			`meta = require('../meta'),`
			`user = require('../user'),`
			`plugins = require('../plugins'),`
gravatars will be generated on demand changing the setting in ACP will affect all default gravatars now. 2014-05-04 17:26:56 -04:00			`db = require('../database'),`
closes #1976 2014-08-12 21:41:23 -04:00			`utils = require('../../public/src/utils'),`
issue #891 2014-01-27 13:37:31 -05:00
			`login_strategies = [];`
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`function logout(req, res) {`
			`if (req.user && parseInt(req.user.uid, 10) > 0) {`
			`winston.info('[Auth] Session ' + req.sessionID + ' logout (uid: ' + req.user.uid + ')');`

			`var ws = require('../socket.io');`
			`ws.logoutUser(req.user.uid);`

			`req.logout();`
			`}`

			`res.send(200);`
			`}`

			`function login(req, res, next) {`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`var continueLogin = function() {`
			`passport.authenticate('local', function(err, userData, info) {`
			`if (err) {`
refactored login process to be a form submit instead of ajax-redirect, implemented error message parsing using req.flash 2014-08-31 22:41:13 -04:00			`req.flash('error', info);`
			`return res.redirect(nconf.get('relative_path') + '/login');`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`}`
closes #1263 2014-04-08 15:29:51 -04:00
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`if (!userData) {`
refactored login process to be a form submit instead of ajax-redirect, implemented error message parsing using req.flash 2014-08-31 22:41:13 -04:00			`if (typeof info === 'object') {`
			`info = '[[error:invalid-username-or-password]]';`
			`}`

			`req.flash('error', info);`
			`return res.redirect(nconf.get('relative_path') + '/login');`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`// Alter user cookie depending on passed-in option`
			`if (req.body.remember === 'true') {`
			`var duration = 1000606024parseInt(meta.configs.loginDays \|\| 14, 10);`
			`req.session.cookie.maxAge = duration;`
			`req.session.cookie.expires = new Date(Date.now() + duration);`
			`} else {`
			`req.session.cookie.maxAge = false;`
			`req.session.cookie.expires = false;`
			`}`
create auth routes only after plugin system is enabled and auth.init hook is fired 2013-11-28 11:13:03 -05:00
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`req.login({`
			`uid: userData.uid`
			`}, function() {`
			`if (userData.uid) {`
			`user.logIP(userData.uid, req.ip);`
			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
refactored login process to be a form submit instead of ajax-redirect, implemented error message parsing using req.flash 2014-08-31 22:41:13 -04:00			`if (!req.session.returnTo) {`
			`res.redirect(nconf.get('relative_path') + '/');`
			`} else {`
			`var next = req.session.returnTo;`
			`delete req.session.returnTo;`
			`res.redirect(nconf.get('relative_path') + next);`
			`}`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`});`
			`})(req, res, next);`
			`};`

			`if(meta.config.allowLocalLogin !== undefined && parseInt(meta.config.allowLocalLogin, 10) === 0) {`
			`return res.send(404);`
			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`if (req.body.username && utils.isEmailValid(req.body.username)) {`
			`user.getUsernameByEmail(req.body.username, function(err, username) {`
			`if (err) {`
			`return next(err);`
			`}`
			`req.body.username = username ? username : req.body.username;`
			`continueLogin();`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`});`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`} else {`
			`continueLogin();`
			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`}`
closes #963 2014-03-17 14:56:00 -04:00
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`function register(req, res) {`
			`if(meta.config.allowRegistration !== undefined && parseInt(meta.config.allowRegistration, 10) === 0) {`
			`return res.send(403);`
			`}`
filter:register.complete - plugins can redirect the user elsewhere post-registration 2014-06-04 18:54:41 -04:00
send in the entire registration form for userData 2014-06-04 18:54:11 -04:00			`var userData = {};`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
send in the entire registration form for userData 2014-06-04 18:54:11 -04:00			`for (var key in req.body) {`
			`if (req.body.hasOwnProperty(key)) {`
			`userData[key] = req.body[key];`
			`}`
			`}`
closes #963 2014-03-17 14:56:00 -04:00
closes #1545 2014-05-19 21:28:26 -04:00			`plugins.fireHook('filter:register.check', req, res, userData, function(err, req, res, userData) {`
closes #963 2014-03-17 14:56:00 -04:00			`if (err) {`
changing 'filter:register.check' hook signature to provide req, res and data 2014-05-15 03:10:15 -04:00			`return res.redirect(nconf.get('relative_path') + '/register' + (err.message ? '?error=' + err.message : ''));`
closes #963 2014-03-17 14:56:00 -04:00			`}`

			`user.create(userData, function(err, uid) {`
			`if (err \|\| !uid) {`
forgot to return #963 2014-03-17 14:56:32 -04:00			`return res.redirect(nconf.get('relative_path') + '/register');`
closes #963 2014-03-17 14:56:00 -04:00			`}`

potentially fixes #1228 2014-03-17 14:18:58 -04:00			`req.login({`
			`uid: uid`
			`}, function() {`
log user ip register 2014-04-29 14:08:05 -04:00			`user.logIP(uid, req.ip);`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
			`require('../socket.io').emitUserCount();`

filter:register.complete - plugins can redirect the user elsewhere post-registration 2014-06-04 18:54:41 -04:00			`plugins.fireHook('filter:register.complete', uid, req.body.referrer, function(err, uid, destination) {`
Also add relative_path to destination Because the destination url does not include the relative_path 2014-06-06 18:36:02 +07:00			`if (destination) {`
			`res.redirect(nconf.get('relative_path') + destination);`
filter:register.complete - plugins can redirect the user elsewhere post-registration 2014-06-04 18:54:41 -04:00			`} else {`
			`res.redirect(nconf.get('relative_path') + '/');`
			`}`
			`});`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`});`
closes #963 2014-03-17 14:56:00 -04:00			`});`
plugins - added filter:auth.init hook to add additional login strategies; fixed callbackURL 2013-11-28 10:30:29 -05:00			`});`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`}`
plugins - added filter:auth.init hook to add additional login strategies; fixed callbackURL 2013-11-28 10:30:29 -05:00
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00			`Auth.initialize = function(app) {`
			`app.use(passport.initialize());`
			`app.use(passport.session());`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`};`
meta config changes, refactors 2013-08-23 13:14:36 -04:00
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00
			`Auth.get_login_strategies = function() {`
			`return login_strategies;`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`};`
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00
create auth routes only after plugin system is enabled and auth.init hook is fired 2013-11-28 11:13:03 -05:00			`Auth.registerApp = function(app) {`
			`Auth.app = app;`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`};`
create auth routes only after plugin system is enabled and auth.init hook is fired 2013-11-28 11:13:03 -05:00
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`Auth.createRoutes = function(app, middleware, controllers) {`
			`plugins.ready(function() {`
			`plugins.fireHook('filter:auth.init', login_strategies, function(err) {`
fixed login routes on subfolder installs 2014-03-11 23:26:33 -04:00			`if (err) {`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`winston.error('filter:auth.init - plugin failure');`
fixed login routes on subfolder installs 2014-03-11 23:26:33 -04:00			`}`
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00
updated deprecation notice for social network sso icons 2014-07-18 19:10:53 -04:00			`var deprecList = [];`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`for (var i in login_strategies) {`
			`if (login_strategies.hasOwnProperty(i)) {`
			`var strategy = login_strategies[i];`
fixed #1849 2014-07-18 11:09:33 -04:00
			`/*`
			`Backwards compatibility block for v0.6.0`
			`Remove this upon release of v0.6.0-1`
			`Ref: nodebb/nodebb#1849`
			`*/`
			`if (strategy.icon.slice(0, 3) !== 'fa-') {`
updated deprecation notice for social network sso icons 2014-07-18 19:10:53 -04:00			`deprecList.push(strategy.name);`
fixed #1849 2014-07-18 11:09:33 -04:00			`strategy.icon = 'fa-' + strategy.icon + '-square';`
			`}`
			`/* End backwards compatibility block */`

only use passport.authenticate if a strategy url is defined 2014-06-23 10:20:23 -04:00			`if (strategy.url) {`
			`app.get(strategy.url, passport.authenticate(strategy.name, {`
			`scope: strategy.scope`
			`}));`
			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
			`app.get(strategy.callbackURL, passport.authenticate(strategy.name, {`
Fix typo 2014-06-06 18:06:42 +07:00			`successRedirect: nconf.get('relative_path') + '/',`
Add relative_path to authentication redirects 2014-06-06 18:05:26 +07:00			`failureRedirect: nconf.get('relative_path') + '/login'`
potentially fixes #1228 2014-03-17 14:18:58 -04:00			`}));`
fixes login/register and auth routes in relative path install 2014-01-04 17:10:56 -05:00			`}`
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00			`}`
potentially fixes #1228 2014-03-17 14:18:58 -04:00
updated deprecation notice for social network sso icons 2014-07-18 19:10:53 -04:00			`/*`
			`Backwards compatibility block for v0.6.0`
			`Remove this upon release of v0.6.0-1`
			`Ref: nodebb/nodebb#1849`
			`*/`
			`if (deprecList.length) {`
			`winston.warn('[plugins] Deprecation notice: SSO plugins should now pass in the full fontawesome icon name (e.g. "fa-facebook-o"). Please update the following plugins:');`
			`for(var x=0,numDeprec=deprecList.length;x<numDeprec;x++) {`
			`process.stdout.write(' * ' + deprecList[x] + '\n');`
			`}`
			`}`
			`/* End backwards compatibility block */`

potentially fixes #1228 2014-03-17 14:18:58 -04:00			`app.post('/logout', logout);`
			`app.post('/register', register);`
moved login via email detection into the internal login block 2014-05-25 13:08:56 -04:00			`app.post('/login', login);`
cleaned up webserver a bit, moved over authentication stuff into its own file, got rid of unused routes, user routes still need to be moved out but am waiting for baris to finish 2013-05-09 06:26:32 +00:00			`});`
			`});`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`};`
issue #891 2014-01-27 13:37:31 -05:00
			`Auth.login = function(username, password, next) {`
			`if (!username \|\| !password) {`
refactored login process to be a form submit instead of ajax-redirect, implemented error message parsing using req.flash 2014-08-31 22:41:13 -04:00			`next(new Error('[[error:invalid-password]]'));`
			`return;`
some login changes 2014-02-20 18:30:15 -05:00			`}`

			`var userslug = utils.slugify(username);`

			`user.getUidByUserslug(userslug, function(err, uid) {`
			`if (err) {`
			`return next(err);`
			`}`
issue #891 2014-01-27 13:37:31 -05:00
refactored login process to be a form submit instead of ajax-redirect, implemented error message parsing using req.flash 2014-08-31 22:41:13 -04:00			`if (!uid) {`
			`setTimeout(function() {`
			`next(null, false, '[[error:invalid-password]]');`
			`}, Math.floor((Math.random() * 1000) + 1500)); // Wait between 1-2.5 seconds before returning`
			`return;`
some login changes 2014-02-20 18:30:15 -05:00			`}`
issue #891 2014-01-27 13:37:31 -05:00
closed #1453 2014-05-11 11:45:20 -04:00			`user.auth.logAttempt(uid, function(err) {`
issue #891 2014-01-27 13:37:31 -05:00			`if (err) {`
closed #1453 2014-05-11 11:45:20 -04:00			`return next(null, false, err.message);`
issue #891 2014-01-27 13:37:31 -05:00			`}`

closed #1453 2014-05-11 11:45:20 -04:00			`db.getObjectFields('user:' + uid, ['password', 'banned'], function(err, userData) {`
some login changes 2014-02-20 18:30:15 -05:00			`if (err) {`
closed #1453 2014-05-11 11:45:20 -04:00			`return next(err);`
issue #891 2014-01-27 13:37:31 -05:00			`}`

closed #1453 2014-05-11 11:45:20 -04:00			`if (!userData \|\| !userData.password) {`
			`return next(new Error('[[error:invalid-user-data]]'));`
some login changes 2014-02-20 18:30:15 -05:00			`}`

closed #1453 2014-05-11 11:45:20 -04:00			`if (userData.banned && parseInt(userData.banned, 10) === 1) {`
			`return next(null, false, '[[error:user-banned]]');`
			`}`

closes #1976 2014-08-12 21:41:23 -04:00			`Password.compare(password, userData.password, function(err, res) {`
closed #1453 2014-05-11 11:45:20 -04:00			`if (err) {`
			`return next(new Error('bcrypt compare error'));`
			`}`

			`if (!res) {`
			`return next(null, false, '[[error:invalid-password]]');`
			`}`

			`user.auth.clearLoginAttempts(uid);`

			`next(null, {`
			`uid: uid`
			`}, '[[success:authentication-successful]]');`
			`});`
issue #891 2014-01-27 13:37:31 -05:00			`});`
			`});`
some login changes 2014-02-20 18:30:15 -05:00			`});`
random jshinting expedition 2014-03-02 14:45:57 -05:00			`};`
some login changes 2014-02-20 18:30:15 -05:00
			`passport.use(new passportLocal(Auth.login));`

			`passport.serializeUser(function(user, done) {`
			`done(null, user.uid);`
			`});`

			`passport.deserializeUser(function(uid, done) {`
			`done(null, {`
			`uid: uid`
			`});`
			`});`
Add missing new lines at end of files. 2014-04-10 20:31:57 +01:00			`}(exports));`