src/middleware/user.js

'use strict';

var async = require('async');
var nconf = require('nconf');

var meta = require('../meta');
var user = require('../user');
var privileges = require('../privileges');
var plugins = require('../plugins');

var controllers = {
	helpers: require('../controllers/helpers'),
};

module.exports = function (middleware) {
	middleware.authenticate = function (req, res, next) {
		if (req.uid) {
			return next();
		}

		if (plugins.hasListeners('action:middleware.authenticate')) {
			return plugins.fireHook('action:middleware.authenticate', {
				req: req,
				res: res,
				next: next,
			});
		}

		controllers.helpers.notAllowed(req, res);
	};

	middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {
		ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);
	};

	middleware.ensureSelfOrPrivileged = function (req, res, next) {
		ensureSelfOrMethod(user.isPrivileged, req, res, next);
	};

	function ensureSelfOrMethod(method, req, res, next) {
		/*
			The "self" part of this middleware hinges on you having used
			middleware.exposeUid prior to invoking this middleware.
		*/
		async.waterfall([
			function (next) {
				if (!req.uid) {
					return setImmediate(next, null, false);
				}

				if (req.uid === parseInt(res.locals.uid, 10)) {
					return setImmediate(next, null, true);
				}

				method(req.uid, next);
			},
			function (allowed, next) {
				if (!allowed) {
					return controllers.helpers.notAllowed(req, res);
				}
				next();
			},
		], next);
	}

	middleware.checkGlobalPrivacySettings = function (req, res, next) {
		if (!req.uid && !!parseInt(meta.config.privateUserInfo, 10)) {
			return middleware.authenticate(req, res, next);
		}

		next();
	};

	middleware.checkAccountPermissions = function (req, res, next) {
		// This middleware ensures that only the requested user and admins can pass
		async.waterfall([
			function (next) {
				middleware.authenticate(req, res, next);
			},
			function (next) {
				user.getUidByUserslug(req.params.userslug, next);
			},
			function (uid, next) {
				privileges.users.canEdit(req.uid, uid, next);
			},
			function (allowed, next) {
				if (allowed) {
					return next(null, allowed);
				}

				// For the account/info page only, allow plain moderators through
				if (/user\/.+\/info$/.test(req.path)) {
					user.isModeratorOfAnyCategory(req.uid, next);
				} else {
					next(null, false);
				}
			},
			function (allowed) {
				if (allowed) {
					return next();
				}
				controllers.helpers.notAllowed(req, res);
			},
		], next);
	};

	middleware.redirectToAccountIfLoggedIn = function (req, res, next) {
		if (req.session.forceLogin || !req.uid) {
			return next();
		}

		async.waterfall([
			function (next) {
				user.getUserField(req.uid, 'userslug', next);
			},
			function (userslug) {
				controllers.helpers.redirect(res, '/user/' + userslug);
			},
		], next);
	};

	middleware.redirectUidToUserslug = function (req, res, next) {
		var uid = parseInt(req.params.uid, 10);
		if (!uid) {
			return next();
		}
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return next();
				}
				var path = req.path.replace(/^\/api/, '')
					.replace('uid', 'user')
					.replace(uid, function () { return userslug; });
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.redirectMeToUserslug = function (req, res, next) {
		var uid = req.uid;
		async.waterfall([
			function (next) {
				user.getUserField(uid, 'userslug', next);
			},
			function (userslug) {
				if (!userslug) {
					return res.status(401).send('not-authorized');
				}
				var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);
				controllers.helpers.redirect(res, path);
			},
		], next);
	};

	middleware.isAdmin = function (req, res, next) {
		async.waterfall([
			function (next) {
				user.isAdministrator(req.uid, next);
			},
			function (isAdmin, next) {
				if (!isAdmin) {
					return controllers.helpers.notAllowed(req, res);
				}
				user.hasPassword(req.uid, next);
			},
			function (hasPassword, next) {
				if (!hasPassword) {
					return next();
				}

				var loginTime = req.session.meta ? req.session.meta.datetime : 0;
				var adminReloginDuration = (meta.config.adminReloginDuration || 60) * 60000;
				var disabled = parseInt(meta.config.adminReloginDuration, 10) === 0;
				if (disabled || (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {
					var timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);
					if (timeLeft < Math.min(300000, adminReloginDuration)) {
						req.session.meta.datetime += Math.min(300000, adminReloginDuration);
					}

					return next();
				}

				var returnTo = req.path;
				if (nconf.get('relative_path')) {
					returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');
				}
				returnTo = returnTo.replace(/^\/api/, '');

				req.session.returnTo = nconf.get('relative_path') + returnTo;
				req.session.forceLogin = 1;
				if (res.locals.isAPI) {
					res.status(401).json({});
				} else {
					res.redirect(nconf.get('relative_path') + '/login');
				}
			},
		], next);
	};

	middleware.requireUser = function (req, res, next) {
		if (req.uid) {
			return next();
		}

		res.status(403).render('403', { title: '[[global:403.title]]' });
	};

	middleware.registrationComplete = function (req, res, next) {
		// If the user's session contains registration data, redirect the user to complete registration
		if (!req.session.hasOwnProperty('registration')) {
			return next();
		}
		if (!req.path.endsWith('/register/complete')) {
			controllers.helpers.redirect(res, '/register/complete');
		} else {
			return next();
		}
	};
};
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`'use strict';`

			`var async = require('async');`
ESlint keyword-spacing, no-multi-spaces 2017-02-18 01:52:56 -07:00			`var nconf = require('nconf');`
closes #5202 2016-11-15 12:45:00 +03:00
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`var meta = require('../meta');`
			`var user = require('../user');`
closes #5202 2016-11-15 12:45:00 +03:00			`var privileges = require('../privileges');`
more tests 2017-05-12 17:53:23 -04:00			`var plugins = require('../plugins');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00
			`var controllers = {`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`helpers: require('../controllers/helpers'),`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`module.exports = function (middleware) {`
more tests 2017-05-12 17:53:23 -04:00			`middleware.authenticate = function (req, res, next) {`
			`if (req.uid) {`
			`return next();`
			`}`

			`if (plugins.hasListeners('action:middleware.authenticate')) {`
			`return plugins.fireHook('action:middleware.authenticate', {`
			`req: req,`
			`res: res,`
			`next: next,`
			`});`
			`}`

			`controllers.helpers.notAllowed(req, res);`
			`};`

			`middleware.ensureSelfOrGlobalPrivilege = function (req, res, next) {`
			`ensureSelfOrMethod(user.isAdminOrGlobalMod, req, res, next);`
			`};`

			`middleware.ensureSelfOrPrivileged = function (req, res, next) {`
			`ensureSelfOrMethod(user.isPrivileged, req, res, next);`
			`};`

			`function ensureSelfOrMethod(method, req, res, next) {`
			`/*`
			`The "self" part of this middleware hinges on you having used`
			`middleware.exposeUid prior to invoking this middleware.`
			`*/`
			`async.waterfall([`
			`function (next) {`
			`if (!req.uid) {`
			`return setImmediate(next, null, false);`
			`}`

			`if (req.uid === parseInt(res.locals.uid, 10)) {`
			`return setImmediate(next, null, true);`
			`}`

			`method(req.uid, next);`
			`},`
			`function (allowed, next) {`
			`if (!allowed) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`next();`
			`},`
			`], next);`
			`}`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.checkGlobalPrivacySettings = function (req, res, next) {`
more tests 2017-05-12 17:53:23 -04:00			`if (!req.uid && !!parseInt(meta.config.privateUserInfo, 10)) {`
updating checkGlobalPrivacySettings middleware to hook into write-api for auth 2017-01-12 15:55:46 -05:00			`return middleware.authenticate(req, res, next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`}`

			`next();`
			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.checkAccountPermissions = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`// This middleware ensures that only the requested user and admins can pass`
			`async.waterfall([`
			`function (next) {`
			`middleware.authenticate(req, res, next);`
			`},`
			`function (next) {`
			`user.getUidByUserslug(req.params.userslug, next);`
			`},`
			`function (uid, next) {`
closes #5202 2016-11-15 12:45:00 +03:00			`privileges.users.canEdit(req.uid, uid, next);`
allowing moderators access to the account info page 2016-10-24 15:58:57 -04:00			`},`
fix style 2016-10-25 12:53:43 +03:00			`function (allowed, next) {`
allowing moderators access to the account info page 2016-10-24 15:58:57 -04:00			`if (allowed) {`
			`return next(null, allowed);`
			`}`

			`// For the account/info page only, allow plain moderators through`
			`if (/user\/.+\/info$/.test(req.path)) {`
			`user.isModeratorOfAnyCategory(req.uid, next);`
			`} else {`
			`next(null, false);`
			`}`
ESlint comma-dangle 2017-02-17 19:31:21 -07:00			`},`
more tests 2017-05-12 17:53:23 -04:00			`function (allowed) {`
			`if (allowed) {`
			`return next();`
			`}`
			`controllers.helpers.notAllowed(req, res);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.redirectToAccountIfLoggedIn = function (req, res, next) {`
more tests 2017-05-12 17:53:23 -04:00			`if (req.session.forceLogin \|\| !req.uid) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`return next();`
			`}`

more tests 2017-05-12 17:53:23 -04:00			`async.waterfall([`
			`function (next) {`
			`user.getUserField(req.uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`controllers.helpers.redirect(res, '/user/' + userslug);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.redirectUidToUserslug = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`var uid = parseInt(req.params.uid, 10);`
			`if (!uid) {`
			`return next();`
			`}`
more tests 2017-05-12 17:53:23 -04:00			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
			`return next();`
			`}`
			`var path = req.path.replace(/^\/api/, '')`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`.replace('uid', 'user')`
Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`.replace(uid, function () { return userslug; });`
more tests 2017-05-12 17:53:23 -04:00			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Add `/me` route which redirects to `/user/[userslug]` (#6063) * Add `/me` route which redirects to the current user's information - `/me` -> `/user/[usertslug]` - `/me/bookmarks` -> `/user/[userslug]/bookmarks` - `/me/settings` -> `/user/[userslug]/settings` etc Add tests for `/me/*` 2017-11-16 15:38:26 -07:00			`middleware.redirectMeToUserslug = function (req, res, next) {`
			`var uid = req.uid;`
			`async.waterfall([`
			`function (next) {`
			`user.getUserField(uid, 'userslug', next);`
			`},`
			`function (userslug) {`
			`if (!userslug) {`
			`return res.status(401).send('not-authorized');`
			`}`
			`var path = req.path.replace(/^(\/api)?\/me/, '/user/' + userslug);`
			`controllers.helpers.redirect(res, path);`
			`},`
			`], next);`
			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.isAdmin = function (req, res, next) {`
more tests 2017-05-12 17:53:23 -04:00			`async.waterfall([`
			`function (next) {`
			`user.isAdministrator(req.uid, next);`
			`},`
			`function (isAdmin, next) {`
			`if (!isAdmin) {`
			`return controllers.helpers.notAllowed(req, res);`
			`}`
			`user.hasPassword(req.uid, next);`
			`},`
			`function (hasPassword, next) {`
			`if (!hasPassword) {`
			`return next();`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00
more tests 2017-05-12 17:53:23 -04:00			`var loginTime = req.session.meta ? req.session.meta.datetime : 0;`
closes #6037 2017-11-17 15:26:36 -05:00			`var adminReloginDuration = (meta.config.adminReloginDuration \|\| 60) * 60000;`
			`var disabled = parseInt(meta.config.adminReloginDuration, 10) === 0;`
			`if (disabled \|\| (loginTime && parseInt(loginTime, 10) > Date.now() - adminReloginDuration)) {`
			`var timeLeft = parseInt(loginTime, 10) - (Date.now() - adminReloginDuration);`
			`if (timeLeft < Math.min(300000, adminReloginDuration)) {`
			`req.session.meta.datetime += Math.min(300000, adminReloginDuration);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`}`

more tests 2017-05-12 17:53:23 -04:00			`return next();`
			`}`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00
closes #5847 2017-08-01 13:17:03 -04:00			`var returnTo = req.path;`
			`if (nconf.get('relative_path')) {`
			`returnTo = req.path.replace(new RegExp('^' + nconf.get('relative_path')), '');`
			`}`
			`returnTo = returnTo.replace(/^\/api/, '');`

			`req.session.returnTo = nconf.get('relative_path') + returnTo;`
more tests 2017-05-12 17:53:23 -04:00			`req.session.forceLogin = 1;`
			`if (res.locals.isAPI) {`
			`res.status(401).json({});`
			`} else {`
			`res.redirect(nconf.get('relative_path') + '/login');`
			`}`
			`},`
			`], next);`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.requireUser = function (req, res, next) {`
more tests 2017-05-12 17:53:23 -04:00			`if (req.uid) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`return next();`
			`}`

ESlint object-curly-spacing 2017-02-18 12:30:49 -07:00			`res.status(403).render('403', { title: '[[global:403.title]]' });`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`};`

Fix space-before-function-paren linter rule 2016-10-13 11:43:39 +02:00			`middleware.registrationComplete = function (req, res, next) {`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`// If the user's session contains registration data, redirect the user to complete registration`
			`if (!req.session.hasOwnProperty('registration')) {`
			`return next();`
ESlint no-useless-escape, no-else-return 2017-02-18 14:27:26 -07:00			`}`
			`if (!req.path.endsWith('/register/complete')) {`
			`controllers.helpers.redirect(res, '/register/complete');`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`} else {`
ESlint no-useless-escape, no-else-return 2017-02-18 14:27:26 -07:00			`return next();`
organize middlewares removed app.locals.middleware middlewares can be required anywhere, ie in controllers 2016-08-26 18:50:37 +03:00			`}`
			`};`
			`};`