Bootstrap5 (#10894)

* chore: up deps

* chore: up composer

* fix(deps): bump 2factor to v7

* chore: up harmony

* chore: up harmony

* fix: missing await

* feat: allow middlewares to pass in template values via res.locals

* feat: buildAccountData middleware automatically added ot all account routes

* fix: properly allow values in res.locals.templateValues to be added to the template data

* refactor: user/blocks

* refactor(accounts): categories and consent

* feat: automatically 404 if exposeUid or exposeGroupName come up empty

* refactor: remove calls to getUserDataByUserSlug for most account routes, since it is populated via middleware now

* fix: allow exposeUid and exposeGroupName to work with slugs with mixed capitalization

* fix: move reputation removal check to accountHelpers method

* test: skip i18n tests if ref branch when present is not develop

* fix(deps): bump theme versions

* fix(deps): bump ntfy and 2factor

* chore: up harmony

* fix: add missing return

* fix: #11191, only focus on search input on md environments and up

* feat: allow file uploads on mobile chat

closes https://github.com/NodeBB/NodeBB/issues/11217

* chore: up themes

* chore: add lang string

* fix(deps): bump ntfy to 1.0.15

* refactor: use new if/each syntax

* chore: up composer

* fix: regression from user helper refactor

* chore: up harmony

* chore: up composer

* chore: up harmony

* chore: up harmony

* chore: up harmony

* chore: fix composer version

* feat: add increment helper

* chore: up harmony

* fix: #11228 no timestamps in future ⌛

* chore: up harmony

* check config.theme as well

fire action:posts.loaded after processing dom

* chore: up harmony

* chore: up harmony

* chore: up harmony

* chore: up themes

* chore: up harmony

* remove extra class

* refactor: move these to core from harmony

* chore: up widgets

* chore: up widgets

* height auto

* fix: closes #11238

* dont focus inputs, annoying on mobile

* fix: dont focus twice, only focus on chat input on desktop

dont wrap widget footer in row

* chore: up harmony

* chore: up harmony

* update chat window

* chore: up themes

* fix cache buster for skins

* chat fixes

* chore: up harmony

* chore: up composer

* refactor: change hook logs to debug

* fix: scroll to post right after adding to dom

* fix: hash scrolling and highlighting correct post

* test: re-enable read API schema tests

* fix: add back schema changes for 179faa2270 and c3920ccb10

* fix: schema changes from 488f0978a4

* fix: schema changes for f4cf482a87

* fix: schema update for be6bbabd0e

* fix: schema changes for 69c96078ea

* fix: schema changes for d1364c3130

* fix: schema changes for 84ff1152f7

* fix: schema changes for b860c2605c

* fix: schema changes for 23cb67a112

* fix: schema changes for b916e42f40

* fix: schema change for a9bbb586fc

* fix: schema changes for 4b738c8cd3

* fix: schema changes for 58b5781cea

* fix: schema changes for 794bf01b21

* fix: schema changes for 80ea12c1c1, e368feef51, and 52ead114be

* fix: composer-default object in config?

* fix: schema changes for 9acdc6808c and 0930934200

* fix: schema changes for c0a52924f1

* fix: schema change for aba420a3f3, move loggedInUser to optional props

* fix: schema changes for 8c67031609

* fix: schema changes for 27e53b42f3

* fix: schema changes for 2835966518

* fix: breaking test for email confirmation API call

* fix: schema changes for refactored search page

* fix: schema changes for user object

* fix: schema changes for 9f531f957e

* fix: schema changes for c4042c70de and 23175110a2

* fix: schema changes for 9b3616b103

* fix: schema changes for 5afd5de07d

* fix: schema change for 1d7baf1217

* fix: schema changes for 57bfb37c55 and be6bbabd0e

* fix: schema changes for 6e86b4afa2 and 3efad2e13b and 68f66223e7

* fix: allowing optional qs prop in pagination keys (not sure why this didn't break before)

* fix: re-login on email change

* fix: schema changes for c926358d73

* fix: schema changes for 388a8270c9

* fix: schema change for 2658bcc821

* fix: no need to call account middlewares for chats routes

* fix: schema changes for 71743affc3

* fix: final schema changes

* test: support for anyOf and oneOf

* fix: check thumb

* dont scroll to top on back press

* remove group log

* fix: add top margin to merged and deleted alerts

* chore: up widgets

* fix: improve fix-lists mixin

* chore: up harmony/composer

* feat: allow hiding quicksearch results during search

* dont record searches made by composer

* chore: up 54

* chore: up spam be gone

* feat: add prev/next page and page count into mobile paginator

* chore: up harmony

* chore: up harmony

* use old style for IS

* fix: hide entire toolbar row if no posts or not singlePost

* fix: updated messaging for post-queue template, #11206

* fix: btn-sm on post queue back button

* fix: bump harmony, closes #11206

* fix: remove unused alert module import

* fix: bump harmony

* fix: bump harmony

* chore: up harmony

* refactor: IS scrolltop

* fix: update users:search-user-for-chat source string

* feat: support for mark-read toggle on chats dropdown and recent chats list

* feat: api v3 calls to mark chat read/unread

* feat: send event:chats.mark socket event on mark read or unread

* refactor: allow frontend to mark chats as unread, use new API v3 routes instead of socket calls, better frontend event handling

* docs: openapi schema updates for chat marking

* fix: allow unread state toggling in chats dropdown too

* fix: issue where repeated openings of the chats dropdown would continually add events for mark-read/unread

* fix: debug log

* refactor: move userSearch filter to a module

* feat(routes): allow remounting /categories (#11230)

* feat: send flags count to frontend on flags list page

* refactor: filter form client-side js to extract out some logic

* fix: applyFilters to not take any arguments, update selectedCids in updateButton instead of onHidden

* fix: use userFilter module for assignee, reporterId, targetUid

* fix(openapi): schema changes for updated flags page

* fix: dont allow adding duplicates to userFilter

* use same var

* remove log

* fix: closes #11282

* feat: lang key for x-topics

* chore: up harmony

* chore: up emoji

* chore: up harmony

* fix: update userFilter to allow new option `selectedBlock`

* fix: wrong block name passed to userFilter

* fix: https://github.com/NodeBB/NodeBB/issues/11283

* fix: chats, allow multiple dropdowns like in harmony

* chore: up harmony

* refactor: flag note adding/editing, closes #11285

* fix: remove old prepareEdit logic

* chore: add caveat about hacky code block in userFilter module

* fix: placeholders for userFilter module

* refactor: navigator so it works with multiple thumbs/navigators

* chore: up harmony

* fix: closes #11287, destroy quick reply autocomplete

on navigation

* fix: filter disabled categories on user categories page count

* chore: up harmony

* docs: update openapi spec to include info about passing in timestamps for topic creation, removing timestamp as valid request param for topic replying

* fix: send back null values on ACP search dashboard for startDate and endDate if not expicitly passed in, fix tests

* fix: tweak table order in ACP dash searches

* fix: only invoke navigator click drag on left mouse button

* feat: add back unread indicator to navigator

* clear bookmark on mark unread

* fix: navigator crash on ajaxify

* better thumb top calculation

* fix: reset user bookmark when topic is marked unread

* Revert "fix: reset user bookmark when topic is marked unread"

This reverts commit 9bcd85c2c6.

* fix: update unread indicator on scroll, add unread count

* chore: bump harmony

* fix: crash on navigator unread update when backing out of a topic

* fix: closes #11183

* fix: update topics:recent zset when rescheduling a topic

* fix: dupe quote button, increase delay, hide immediately on empty selection

* fix: navigator not showing up on first load

* refactor: remove glance

assorted fixes to navigator
dont reduce remaning count if user scrolls down and up quickly
only call topic.navigatorCallback when index changes

* more sanity checks for bookmark

dont allow setting bookmark higher than topic postcount

* closes #11218, 🚋

* Revert "fix: update topics:recent zset when rescheduling a topic"

This reverts commit 737973cca9.

* fix: #11306, show proper error if queued post doesn't exist

was showing no-privileges if someone else accepted the post

* https://github.com/NodeBB/NodeBB/issues/11307

dont use li

* chore: up harmony

* chore: bump version string

* fix: copy paste fail

* feat: closes #7382, tag filtering

add client side support for filtering by tags on /category, /recent and /unread

* chore: up harmony

* chore: up harmony

* Revert "fix: add back req.query fallback for backwards compatibility" [breaking]

This reverts commit cf6cc2c454.
This commit is no longer required as passing in a CSRF token via query parameter is no longer supported as of NodeBB v3.x

This is a breaking change.

* fix: pass csrf token in form data, re: NodeBB/NodeBB#11309

* chore: up deps

* fix: tests, use x-csrf-token query param removed

* test: fix csrf_token

* lint: remove unused

* feat: add itemprop="image" to avatar helper

* fix: get chat upload button in chat modal

* breaking: remove deprecated socket.io methods

* test: update messaging tests to not use sockets

* fix: parent post links

* fix: prevent post tooltip if mouse leaves before data/tpl is loaded

* chore: up harmony

* chore: up harmony

* chore: up harmony

* chore: up harmony

* fix: nested replies indices

* fix(deps): bump 2factor

* feat: add loggedIn user to all api routes

* chore: up themes

* refactor: audit admin v3 write api routes as per #11321

* refactor: audit category v3 write api routes as per #11321 [breaking]

docs: fix open api spec for #11321

* refactor: audit chat v3 write api routes as per #11321

* refactor: audit files v3 write api routes as per #11321

* refactor: audit flags v3 write api routes as per #11321

* refactor: audit posts v3 write api routes as per #11321

* refactor: audit topics v3 write api routes as per #11321

* refactor: audit users v3 write api routes as per #11321

* fix: lang string

* remove min height

* fix: empty topic/labels taking up space

* fix: tag filtering when changing filter to watched topics

or changing popular time limit to month

* chore: up harmony

* fix: closes #11354, show no post error if queued post already accepted/rejected

* test: #11354

* test: #11354

* fix(deps): bump 2factor

* fix: #11357 clear cache on thumb remove

* fix: thumb remove on windows, closes #11357

* test: openapi for thumbs

* test: fix openapi

---------

Co-authored-by: Julian Lam <julian@nodebb.org>
Co-authored-by: Opliko <opliko.reg@protonmail.com>

src/api/users.js

@@ -1,5 +1,9 @@
 'use strict';
 
+const util = require('util');
+const path = require('path');
+const fs = require('fs').promises;
+
 const validator = require('validator');
 const winston = require('winston');
 
@@ -14,17 +18,32 @@ const plugins = require('../plugins');
 const events = require('../events');
 const translator = require('../translator');
 const sockets = require('../socket.io');
+const utils = require('../utils');
 
 const usersAPI = module.exports;
 
+const hasAdminPrivilege = async (uid, privilege) => {
+	const ok = await privileges.admin.can(`admin:${privilege}`, uid);
+	if (!ok) {
+		throw new Error('[[error:no-privileges]]');
+	}
+};
+
 usersAPI.create = async function (caller, data) {
 	if (!data) {
 		throw new Error('[[error:invalid-data]]');
 	}
+	await hasAdminPrivilege(caller.uid, 'users');
+
 	const uid = await user.create(data);
 	return await user.getUserData(uid);
 };
 
+usersAPI.get = async (caller, { uid }) => {
+	const userData = await user.getUserData(uid);
+	return await user.hidePrivateData(userData, caller.uid);
+};
+
 usersAPI.update = async function (caller, data) {
 	if (!caller.uid) {
 		throw new Error('[[error:invalid-uid]]');
@@ -90,6 +109,8 @@ usersAPI.deleteAccount = async function (caller, { uid, password }) {
 };
 
 usersAPI.deleteMany = async function (caller, data) {
+	await hasAdminPrivilege(caller.uid, 'users');
+
 	if (await canDeleteUids(data.uids)) {
 		await Promise.all(data.uids.map(uid => processDeletion({ uid, method: 'delete', caller })));
 	}
@@ -286,6 +307,188 @@ usersAPI.unmute = async function (caller, data) {
 	});
 };
 
+usersAPI.generateToken = async (caller, { uid, description }) => {
+	await hasAdminPrivilege(caller.uid, 'settings');
+	if (parseInt(uid, 10) !== parseInt(caller.uid, 10)) {
+		throw new Error('[[error:invalid-uid]]');
+	}
+
+	const settings = await meta.settings.get('core.api');
+	settings.tokens = settings.tokens || [];
+
+	const newToken = {
+		token: utils.generateUUID(),
+		uid: caller.uid,
+		description: description || '',
+		timestamp: Date.now(),
+	};
+	settings.tokens.push(newToken);
+	await meta.settings.set('core.api', settings);
+
+	return newToken;
+};
+
+usersAPI.deleteToken = async (caller, { uid, token }) => {
+	await hasAdminPrivilege(caller.uid, 'settings');
+	if (parseInt(uid, 10) !== parseInt(caller.uid, 10)) {
+		throw new Error('[[error:invalid-uid]]');
+	}
+
+	const settings = await meta.settings.get('core.api');
+	const beforeLen = settings.tokens.length;
+	settings.tokens = settings.tokens.filter(tokenObj => tokenObj.token !== token);
+	if (beforeLen !== settings.tokens.length) {
+		await meta.settings.set('core.api', settings);
+		return true;
+	}
+
+	return false;
+};
+
+const getSessionAsync = util.promisify((sid, callback) => {
+	db.sessionStore.get(sid, (err, sessionObj) => callback(err, sessionObj || null));
+});
+
+usersAPI.revokeSession = async (caller, { uid, uuid }) => {
+	// Only admins or global mods (besides the user themselves) can revoke sessions
+	if (parseInt(uid, 10) !== caller.uid && !await user.isAdminOrGlobalMod(caller.uid)) {
+		throw new Error('[[error:invalid-uid]]');
+	}
+
+	const sids = await db.getSortedSetRange(`uid:${uid}:sessions`, 0, -1);
+	let _id;
+	for (const sid of sids) {
+		/* eslint-disable no-await-in-loop */
+		const sessionObj = await getSessionAsync(sid);
+		if (sessionObj && sessionObj.meta && sessionObj.meta.uuid === uuid) {
+			_id = sid;
+			break;
+		}
+	}
+
+	if (!_id) {
+		throw new Error('[[error:no-session-found]]');
+	}
+
+	await user.auth.revokeSession(_id, uid);
+};
+
+usersAPI.invite = async (caller, { emails, groupsToJoin, uid }) => {
+	if (!emails || !Array.isArray(groupsToJoin)) {
+		throw new Error('[[error:invalid-data]]');
+	}
+
+	// For simplicity, this API route is restricted to self-use only. This can change if needed.
+	if (parseInt(caller.uid, 10) !== parseInt(uid, 10)) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	const canInvite = await privileges.users.hasInvitePrivilege(caller.uid);
+	if (!canInvite) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	const { registrationType } = meta.config;
+	const isAdmin = await user.isAdministrator(caller.uid);
+	if (registrationType === 'admin-invite-only' && !isAdmin) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	const inviteGroups = (await groups.getUserInviteGroups(caller.uid)).map(group => group.name);
+	const cannotInvite = groupsToJoin.some(group => !inviteGroups.includes(group));
+	if (groupsToJoin.length > 0 && cannotInvite) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	const max = meta.config.maximumInvites;
+	const emailsArr = emails.split(',').map(email => email.trim()).filter(Boolean);
+
+	for (const email of emailsArr) {
+		/* eslint-disable no-await-in-loop */
+		let invites = 0;
+		if (max) {
+			invites = await user.getInvitesNumber(caller.uid);
+		}
+		if (!isAdmin && max && invites >= max) {
+			throw new Error(`[[error:invite-maximum-met, ${invites}, ${max}]]`);
+		}
+
+		await user.sendInvitationEmail(caller.uid, email, groupsToJoin);
+	}
+};
+
+usersAPI.getInviteGroups = async (caller, { uid }) => {
+	// For simplicity, this API route is restricted to self-use only. This can change if needed.
+	if (parseInt(uid, 10) !== parseInt(caller.uid, 10)) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	const userInviteGroups = await groups.getUserInviteGroups(uid);
+	return userInviteGroups.map(group => group.displayName);
+};
+
+usersAPI.addEmail = async (caller, { email, skipConfirmation, uid }) => {
+	const canManageUsers = await privileges.admin.can('admin:users', caller.uid);
+	skipConfirmation = canManageUsers && skipConfirmation;
+
+	if (skipConfirmation) {
+		await user.setUserField(uid, 'email', email);
+		await user.email.confirmByUid(uid);
+	} else {
+		await usersAPI.update(caller, { uid, email });
+	}
+
+	return await db.getSortedSetRangeByScore('email:uid', 0, 500, uid, uid);
+};
+
+usersAPI.listEmails = async (caller, { uid }) => {
+	const [isPrivileged, { showemail }] = await Promise.all([
+		user.isPrivileged(caller.uid),
+		user.getSettings(uid),
+	]);
+	const isSelf = caller.uid === parseInt(uid, 10);
+
+	if (isSelf || isPrivileged || showemail) {
+		return await db.getSortedSetRangeByScore('email:uid', 0, 500, uid, uid);
+	}
+
+	return null;
+};
+
+usersAPI.getEmail = async (caller, { uid, email }) => {
+	const [isPrivileged, { showemail }, exists] = await Promise.all([
+		user.isPrivileged(caller.uid),
+		user.getSettings(uid),
+		db.isSortedSetMember('email:uid', email.toLowerCase()),
+	]);
+	const isSelf = caller.uid === parseInt(uid, 10);
+
+	return exists && (isSelf || isPrivileged || showemail);
+};
+
+usersAPI.confirmEmail = async (caller, { uid, email, sessionId }) => {
+	const [pending, current, canManage] = await Promise.all([
+		user.email.isValidationPending(uid, email),
+		user.getUserField(uid, 'email'),
+		privileges.admin.can('admin:users', caller.uid),
+	]);
+
+	if (!canManage) {
+		throw new Error('[[error:no-privileges]]');
+	}
+
+	if (pending) { // has active confirmation request
+		const code = await db.get(`confirm:byUid:${uid}`);
+		await user.email.confirmByCode(code, sessionId);
+		return true;
+	} else if (current && current === email) { // i.e. old account w/ unconf. email in user hash
+		await user.email.confirmByUid(uid);
+		return true;
+	}
+
+	return false;
+};
+
 async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
 	const { uid } = caller;
 	const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
@@ -442,6 +645,37 @@ usersAPI.changePicture = async (caller, data) => {
 	}, ['picture', 'icon:bgColor']);
 };
 
+const exportMetadata = new Map([
+	['posts', ['csv', 'text/csv']],
+	['uploads', ['zip', 'application/zip']],
+	['profile', ['json', 'application/json']],
+]);
+
+const prepareExport = async ({ uid, type }) => {
+	const [extension] = exportMetadata.get(type);
+	const filename = `${uid}_${type}.${extension}`;
+	try {
+		const stat = await fs.stat(path.join(__dirname, '../../build/export', filename));
+		return stat;
+	} catch (e) {
+		return false;
+	}
+};
+
+usersAPI.checkExportByType = async (caller, { uid, type }) => await prepareExport({ uid, type });
+
+usersAPI.getExportByType = async (caller, { uid, type }) => {
+	const [extension, mime] = exportMetadata.get(type);
+	const filename = `${uid}_${type}.${extension}`;
+
+	const exists = await prepareExport({ uid, type });
+	if (exists) {
+		return { filename, mime };
+	}
+
+	return false;
+};
+
 usersAPI.generateExport = async (caller, { uid, type }) => {
 	const count = await db.incrObjectField('locks', `export:${uid}${type}`);
 	if (count > 1) {
@@ -458,11 +692,10 @@ usersAPI.generateExport = async (caller, { uid, type }) => {
 	});
 	child.on('exit', async () => {
 		await db.deleteObjectField('locks', `export:${uid}${type}`);
-		const userData = await user.getUserFields(uid, ['username', 'userslug']);
-		const { displayname } = userData;
+		const { displayname } = await user.getUserFields(uid, ['username']);
 		const n = await notifications.create({
 			bodyShort: `[[notifications:${type}-exported, ${displayname}]]`,
-			path: `/api/user/${userData.userslug}/export/${type}`,
+			path: `/api/v3/users/${uid}/exports/${type}`,
 			nid: `${type}:export:${uid}`,
 			from: uid,
 		});