krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-16 22:27:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

API v3 [WIP] (#6144)

Browse Source 
* Fixed more tests

* Added tags into user service

* Added api-v3 auth urls

* v3: fix package.json

* v3: fix package.json

* Fixed auth tests. Updated Authctrl response

* v3: remove newrelic config file in favour of env variables

* v3: upgrade some deps

* switch from Q to Bluebird

* v3 fix tests with deferred

* Removed extra consoles.log. Changed data.data to res.data

* v3 fix tests and use coroutines instead of regenerator

* v3: fix tests

* v3: do not await a non promise

* v3: q -> bluebird

* Changed id param for registration response

* Updated party query and create

* Ensured login callback happens after user sync

* Add challenges to groups. Fixed isMemberOfGuild check

* Updated party and group tests

* Fixed cron test

* return user.id and send analytics event before changing page

* fix trailing spaces

* disable redirects

* Api v3 party tavern fixes (#7191)

* Added check if user is in party before query

* Cached party query. Prevented party request when user is not in party. Updated Party create with no invites

* Update tavern ctrl to use new promise

* v3: misc fixes

* Api v3 task fixes (#7193)

* Update task view to use _id

* Added try catch to user service ops calls

* v3 client: saving after syncing is complete

* Fixed test broken by part sync change (#7195)

* v3: fix todo scoring and try to fix production testing problem

* revert changes to mongoose config

* mongoose: increase keepAlive

* test mongoose fix

* fix: Only apply captureStackTrace if it exists on the error object

* v3: fix reminders with no startDate

* mongoose: use options

* chore(): rename website/src -> website/server and website/public -> website/client (#7199)

* v3 fix GET /groups: return an error only if an invalid type is supplied not when there are 0 results (#7203)

* [API v3] Fix calls to user.ops and deleting tags (#7204)

* v3: fixes calls to user.ops from views and deleting tags

* v3: fix tests that use user._statsComputed

* Api v3 fixes continued (#7205)

* Added timzeone offset back

* Added APIToken back to settings page

* Fixed fetch recent messages for party

* Fixed returning group description

* Fixed check if user is member of challenge

* Fixed party members appearing in header

* Updated get myGroups param to include public groups. Fixed isMemberOf group

* Fixed hourglass purchase

* Fixed challenge addding tasks on first creating

* Updated tests to accomidate new changes

* fix: Correct checklist on client

Closes #7207

* fix: Pin eslint to 2.9

* minor improvements to cron code for clarity; fix inaccurate comments; add TODOs for rest-in-inn actions

* fix: Add missing type param to equip call

closes #7212

* rename and reword pubChalsMinPrize to reflect that it's only for Tavern challenges

* allows players to send gems to each other; other minor related changes - fixes https://github.com/HabitRPG/habitrpg/issues/7227

* fix tests for /members/transfer-gems

* fix: Set gems sent notification as translatable string

* chore: Remove unusued variable

* fix: Remove requirement on message paramter in transfer-gems

* add a missing variable declaration

* chore: clarify comments on cron code

* fix: Correct client request from habitrpg -> tavern

* update apidoc URL in package.json

Closes #7222

* Fixed start party by invites

* Updated spell casting to v3

* Fixed adding and removing tags on tasks

* Fixed page reload on settings change

* Fixed battle monsters with friends button

* Loaded completed todos when done is clicked

* chore: Reinstate floating version number for eslint

babel-eslint regression fixed

* Fixed reload tests

* change "an user" to "a user" in comments and text (no code changes) (#7257)

* fix: Alert user that drops were recieved

* remove userServices.js from karma.conf - it's been moved to website/client/js/services

* feat: Create debug update user route

* fix: Correct set cron debug function

* feat: Add make admin button to debug menu

* lint: Add missing semicolons in test

* fix: Temporarilly comment out udpate user debug route

* v3: fix _tmp for crit and streakBonus

* v3: execute all actions when leaving a solo party

* v3 client: fix group not found when leaving party

* v3 migration: fix challenge prize

* v3 cron: only save modified tasks

* v3: add CHALLENGE_TASK_NOT_FOUND to valid broken reasons

* v3: fix tasks chart

* v3 client: fix ability to leave challenge

* v3 client: fix filtering by tag and correctly show tag tooltip

* v3 common: fix tags tests

* v3 client: support unlinking not found challenges tasks

* v3: disable Bluebird warning for missing return, fixes #7269

* feat: Separate out update-user into set-cron and make-admin debug routes

* chore: Disable make admin debug route for v3 prod testing

* v3: misc fixes

* v3: misc fixes

* v3: fix adding multiple tasks

* Fixed join/leave button updates

* Queried only user groups to be available when creating challenges

* Fixed bulk add tasks to challenge

* Synced challenge tasks after leave and join.

* Fixed default selected group

* Fixed challenge member info. Fixed challenge winner selection

* Fixed deleting challenge tasks

* Fixed particiapting filter

* v3 client: fix casting spells

* v3: do not log sensitive data

* v3: always save user when casting spell

* v3: always save user when casting spell

* v3: more fixes for spells

* fix typos and missing information in apidocs - fixes https://github.com/HabitRPG/habitrpg/issues/7277 (#7282)

* v3: add TODO for client side spells

* feat: Add modify inventory debug menu

* Fixed viewing user progress on challenge

* Updated tests

* fix: Fix quest progress button

* fix incorrect Armoire test; remove unneeded param details from apidocs; disambiguate health potion

* v3: fix stealth casting

* v3: fix tasks saving and selection for rebirth reroll and reset (server-only)

* v3: fix auto allocation

* v3 client: misc fixes

* rename buyPotion and buy-potion to buyHealthPotion and buy-health-potion; fix apidoc param error

* Added delete for saved challenge task

* Fixed member modal on front page

* adjust text in apidocs for errors / clarity / consistency / standard terminology (no code changes) (#7298)

* fix bug in Rebirth test, add new tests, adjust apidocs (#7293)

* Updated task model to allow setting streak (#7306)

* fix: Correct missing * in apidoc comments

* Api v3 challenge fixes (#7287)

* Fixed join/leave button updates

* Queried only user groups to be available when creating challenges

* Fixed bulk add tasks to challenge

* Synced challenge tasks after leave and join.

* Fixed default selected group

* Fixed challenge member info. Fixed challenge winner selection

* Fixed deleting challenge tasks

* Fixed particiapting filter

* Fixed viewing user progress on challenge

* Updated tests

* Added delete for saved challenge task

* v3: fix sorting

* [API v3] add CRON_SAFE_MODE (#7286)

* add CRON_SAFE_MODE to example config file, fix some bugs, add an unrelated low-priority TODO

* create CRON_SAFE_MODE to disable parts of cron for use after extended outage - fixes https://github.com/HabitRPG/habitrpg/issues/7161

* fix a bug with CRON_SAFE_MODE, remove duplicated code, remove completed TODO comment

* fix check for CRON_SAFE_MODE

* v3 client: fix typo

* adjust debug menu Modify Inventory: hungrier pets, fewer Special items, "Hide" buttons

* completed To-Dos: return the 30 most recent instead of 30 oldest (#7318)

* v3 migration: fix createdAt date

* adjust locales text, key names, and files for Rebirth, Reset, and Fortify / ReRoll for consistency with existing strings (#7321)

* v3: fix unlinking multiple tasks

* v3 fix releasing pets

* v3: fix authenticating with apiUrl

* v3: fix typo

* v3 fix client tests for unlinking

* v3 client: do not show start quest button when quest is active

* v3 client: fix ability to send cards

* v3 client: fix misc challenge issues

* v3: fix notifications

* v3 client: more user friendly errors

* v3 client: only load completed todos once

* v3 client: fix tests

* v3: move TAVERN_ID to common code

* fix: Provide default type and text for new task creation in score route

* fix: Provide default history [] for habit in score route

* fix: Add _legacyId prop to tasks to support non-uuid identifiers

* chore: Change v3 migration to use _legacyId instead of legacyId

* fix: check for _legacyId in tasks if id does not exist

* refactor: Extract out finding task by id or _legacyId into a function

* Api v3 party quest fixes (#7341)

* Fix display of add challenge message when group challenges are empty

* Fixed forced quest start to update quest without reload

* Fixed needing to reload when accepting party invite

* Fix group leave and join reload

* Fixed leave current party and join another

* Updated party tests

* v3 client: remove console.log statement

* v3: misc fixes

* v3 client: fix predicatbale random

* v3: info about API v3

* v3: update footer with links to developer resources

* v3: support party invitation from email

* v3 client: fix chat flagging

* fix: Correct get tasks route to properly get todos (#7349)

* move locales strings from api-v3.json to other locales files (#7347)

* move locales strings from api-v3.json: authentication strings -> front.json

* move locales strings from api-v3.json: authentication strings -> tasks.json

* move locales strings from api-v3.json: authentication strings -> groups.json

* move locales strings from api-v3.json: authentication strings -> challenge.json

* move locales strings from api-v3.json: authentication strings -> groups.json (again)

* move locales strings from api-v3.json: authentication strings -> quests.json

* move locales strings from api-v3.json: authentication strings -> subscriber.json

* move locales strings from api-v3.json: authentication strings -> spells.json

* move locales strings from api-v3.json: authentication strings -> character.json

* move locales strings from api-v3.json: authentication strings -> groups.json (PMs)

* move locales strings from api-v3.json: authentication strings -> npc.json

* move locales strings from api-v3.json: authentication strings -> pets.json

* move locales strings from api-v3.json: authentication strings -> miscellaneous

* move locales strings from api-v3.json: authentication strings -> contrib.json and settings.json

* move locales strings from api-v3.json: delete unused string (invalidTasksOwner), delete api-v3.json, whitespace cleanup

* v3 client: fix sticky header

* v3: remove unused code

* v3 client: correctly redirect after inviting

* Removed v2 calls from views (#7351)

* v3: fix tests for challenge export

* v3: fallbackto authWithHeaders if wuthWithSession or authWithUrl fails

* Added force cache update when fetching new messages (#7360)

* v3: fetch whole user when booting from group tto avoid issues with pre save hook expecting all data

* v3: misc fixes for payments

* v3: limit fields of challenge tasks that can be updated

* fix(tests): never connect to NODE_DB_URI for tests

* Added new route for setting last cron and updated front end

* v3: fix iap url

* v3: fix build and ios IAP

* Changed route to user set custom day start

* v3: iap accessible under /api/v3, fixes to spells and groups invitations

* v3: correctly use v3 routes in client

* remove XP, GP when unticking a Daily with a completed checklist - fixes https://github.com/HabitRPG/habitrpg/issues/7246

* use natural language for error message about skills on challenge tasks (#7336), fix other gramatical error

* Updated ui when user rejects a guild invite (#7368)

* feat: complete custom day start route

Closes #7363

* fix: Correct spelling of healAll skill

fix: Correct sprite name of healAll skill

* fix: Change all instances of spookDust -> spookySparkles

* add dateCreated to all tasks; add empty challenge object to tasks that don't have one (#7386)

* add plumilla to artists for Tangle Tree in Bailey message

* Fixed quest drop modal (#7377)

* Fixed quest drop modal

* Fixed broken party test

* [API v3] Maintenance Mode (#7367)

* WIP(maintenance): maintenance

* WIP(maintenance): working locale features

* fix(maintenance): don't translate info page target

* WIP(maintenance): start adding info page

* fix(maintenance): linting

* feat: Add container to maintenance info page

* fix(maintenance): add config.json edits
Also DRY variables for main vs info pages

* fix(maintenance): linting

* refactor(maintenance): further slim down variables

* refactor: Remove unnecessary variables

* fix: Correct string interpolation in maintenace view

* feat: Dynamically add time to maintenance pages

* maintenance mode: do not connect to mongodb

* fix(maintenance): clean up timezones etc.

* fix(maintenance): remove unneeded sprite

* Tavern party challenges invites fix (#7394)

* Added challenges and invitations to party

* Loaded tavern challenges

* Updated group and quest services tests

* v3: implement automatic syncing if user is not up to date

* Removed unnecessary fields when updating groups and challenges (#7395)

* v3: do not saved populated user

* v3: correctly return user subset

* Chained party promises together (#7396)

* v3: $w -> splitWhitespace

* use bluebird

* use babel polyfill

* migration: fix items

* update links for v3

* Updated shortname validation to support multiple browsers

* Docs changes (#7401)

* chore: Clarify transfer-gems documentation

* chore: Clarify api status route documentation

* chore: Mark webhooks as BETA

* Added tags update route. Added sort to user service (#7381)

* Added tags update route. Added sort to user service

* Change update tasks route to reorder tasks

* Fixed linting issue

* Changed params for reorder tags route

* Fixed not found tag and added test

* Added password confirmation when deleteing account (#7402)

* fix production logging

* feat(commit): push

* empty commit

* feat(maintenance): post-downtime news & awards (#7406)

* fix exporting avatar

* second attempt at fixing exporting avatar

* fix production logging

* s3: convert moment to date instance

* fix avatar sharing and caching (30 minutes)

* fix: Correct missing parameter

Closes #7433

* fix: Validate challenge shortname on server

* adjust text strings - fixes https://github.com/HabitRPG/habitrpg/issues/5631 and also Short Name -> Tag Name
This commit is contained in:
Matteo Pagliazzi
2016-05-23 13:58:31 +02:00
parent ef3a2fc286
commit 28f2e9c356
993 changed files with 44888 additions and 12883 deletions
Download Patch File Download Diff File Expand all files Collapse all files

385
website/server/controllers/api-v2/auth.js Normal file
View File

@@ -0,0 +1,385 @@
var _ = require('lodash');
var validator = require('validator');
var passport = require('passport');
var shared = require('../../../../common');
var async = require('async');
var utils = require('../../libs/api-v2/utils');
var nconf = require('nconf');
var request = require('request');
var FirebaseTokenGenerator = require('firebase-token-generator');
import {
model as User,
} from '../../models/user';
import {
model as EmailUnsubscription,
} from '../../models/emailUnsubscription';
var analytics = utils.analytics;
var i18n = require('./../../libs/api-v2/i18n');
var isProd = nconf.get('NODE_ENV') === 'production';
var api = module.exports;
var NO_TOKEN_OR_UID = { err: shared.i18n.t('messageAuthMustIncludeTokens') };
var NO_USER_FOUND = {err: shared.i18n.t('messageAuthNoUserFound') };
var NO_SESSION_FOUND = { err: shared.i18n.t('messageAuthMustBeLoggedIn') };
var accountSuspended = function(uuid){
return {
err: 'Account has been suspended, please contact leslie@habitica.com with your UUID ('+uuid+') for assistance.',
code: 'ACCOUNT_SUSPENDED'
};
}
api.auth = function(req, res, next) {
var uid = req.headers['x-api-user'];
var token = req.headers['x-api-key'];
if (!(uid && token)) return res.status(401).json(NO_TOKEN_OR_UID);
User.findOne({_id: uid, apiToken: token}, function(err, user) {
if (err) return next(err);
if (_.isEmpty(user)) return res.status(401).json(NO_USER_FOUND);
if (user.auth.blocked) return res.status(401).json(accountSuspended(user._id));
res.locals.wasModified = req.query._v ? +user._v !== +req.query._v : true;
res.locals.user = user;
req.session.userId = user._id;
return next();
});
};
api.authWithSession = function(req, res, next) { //[todo] there is probably a more elegant way of doing this...
if (!(req.session && req.session.userId))
return res.status(401).json(NO_SESSION_FOUND);
User.findOne({_id: req.session.userId}, function(err, user) {
if (err) return next(err);
if (_.isEmpty(user)) return res.status(401).json(NO_USER_FOUND);
res.locals.user = user;
next();
});
};
// TODO passing auth params as query params is not safe as they are logged by browser history, ...
api.authWithUrl = function(req, res, next) {
User.findOne({_id:req.query._id, apiToken:req.query.apiToken}, function(err,user){
if (err) return next(err);
if (_.isEmpty(user)) return res.status(401).json(NO_USER_FOUND);
res.locals.user = user;
next();
});
}
api.registerUser = function(req, res, next) {
var email = req.body.email && req.body.email.toLowerCase();
var username = req.body.username;
// Get the lowercase version of username to check that we do not have duplicates
// So we can search for it in the database and then reject the choosen username if 1 or more results are found
var lowerCaseUsername = username && username.toLowerCase();
async.auto({
validate: function(cb) {
if (!(username && req.body.password && email))
return cb({code:401, err: shared.i18n.t('messageAuthCredentialsRequired')});
if (req.body.password !== req.body.confirmPassword)
return cb({code:401, err: shared.i18n.t('messageAuthPasswordMustMatch')});
if (!validator.isEmail(email))
return cb({code:401, err: ":email invalid"});
cb();
},
findReg: function(cb) {
// Search for duplicates using lowercase version of username
User.findOne({$or:[{'auth.local.email': email}, {'auth.local.lowerCaseUsername': lowerCaseUsername}]}, {'auth.local':1}, cb);
},
findFacebook: function(cb){
User.findOne({_id: req.headers['x-api-user'], apiToken: req.headers['x-api-key']}, {auth:1}, cb);
},
register: ['validate', 'findReg', 'findFacebook', function(cb, data) {
if (data.findReg) {
if (email === data.findReg.auth.local.email) return cb({code:401, err:"Email already taken"});
// Check that the lowercase username isn't already used
if (lowerCaseUsername === data.findReg.auth.local.lowerCaseUsername) return cb({code:401, err: shared.i18n.t('messageAuthUsernameTaken')});
}
var salt = utils.makeSalt();
var newUser = {
auth: {
local: {
username: username,
lowerCaseUsername: lowerCaseUsername, // Store the lowercase version of the username
email: email, // Store email as lowercase
salt: salt,
hashed_password: utils.encryptPassword(req.body.password, salt)
},
timestamps: {created: +new Date(), loggedIn: +new Date()}
}
};
// existing user, allow them to add local authentication
if (data.findFacebook) {
data.findFacebook.auth.local = newUser.auth.local;
data.findFacebook.registeredThrough = newUser.registeredThrough;
data.findFacebook.save(cb);
// new user, register them
} else {
newUser.preferences = newUser.preferences || {};
newUser.preferences.language = req.language; // User language detected from browser, not saved
var user = new User(newUser);
user.registeredThrough = req.headers['x-client'];
var analyticsData = {
category: 'acquisition',
type: 'local',
gaLabel: 'local',
uuid: user._id,
};
analytics.track('register', analyticsData)
user.save(function(err, savedUser){
if (err) return cb(err);
// Clean previous email preferences
EmailUnsubscription.remove({email: savedUser.auth.local.email}, function(){
utils.txnEmail(savedUser, 'welcome');
});
cb.apply(cb, arguments);
});
}
}]
}, function(err, data) {
if (err) return err.code ? res.status(err.code).json(err) : next(err);
data.register[0].getTransformedData(function(err, userTransformed){
if(err) return next(err);
res.status(200).json(userTransformed);
});
});
};
api.loginLocal = function(req, res, next) {
var username = req.body.username;
var password = req.body.password;
if (!(username && password)) return res.status(401).json({err:'Missing :username or :password in request body, please provide both'});
var login = validator.isEmail(username) ?
{'auth.local.email':username.toLowerCase()} : // Emails are all lowercase
{'auth.local.username':username}; // Use the username as the user typed it
User.findOne(login, {auth:1}, function(err, user){
if (err) return next(err);
if (!user) return res.status(401).json({err:"Uh-oh - your username or password is incorrect.\n- Make sure your username or email is typed correctly.\n- You may have signed up with Facebook, not email. Double-check by trying Facebook login.\n- If you forgot your password, click \"Forgot Password\" on the habitica.com website's login form."});
if (user.auth.blocked) return res.status(401).json(accountSuspended(user._id));
// We needed the whole user object first so we can get his salt to encrypt password comparison
User.findOne(
{$and: [login, {'auth.local.hashed_password': utils.encryptPassword(password, user.auth.local.salt)}]}
, {_id:1, apiToken:1}
, function(err, user){
if (err) return next(err);
if (!user) return res.status(401).json({err:"Uh-oh - your username or password is incorrect.\n- Make sure your username or email is typed correctly.\n- You may have signed up with Facebook, not email. Double-check by trying Facebook login.\n- If you forgot your password, click \"Forgot Password\" on the habitica.com website's login form."});
res.json({id: user._id,token: user.apiToken});
password = null;
});
});
};
/*
POST /user/auth/social
*/
api.loginSocial = function(req, res, next) {
var access_token = req.body.authResponse.access_token,
network = req.body.network;
if (network!=='facebook')
return res.status(401).json({err:"Only Facebook supported currently."});
async.auto({
profile: function (cb) {
passport._strategies[network].userProfile(access_token, cb);
},
user: ['profile', function (cb, results) {
var q = {};
q['auth.' + network + '.id'] = results.profile.id;
User.findOne(q, {_id: 1, apiToken: 1, auth: 1}, cb);
}],
register: ['profile', 'user', function (cb, results) {
if (results.user) return cb(null, results.user);
// Create new user
var prof = results.profile;
var user = {
preferences: {
language: req.language // User language detected from browser, not saved
},
auth: {
timestamps: {created: +new Date(), loggedIn: +new Date()}
}
};
user.auth[network] = prof;
user = new User(user);
user.registeredThrough = req.headers['x-client'];
user.save(function(err, savedUser){
// Clean previous email preferences
if(savedUser.auth.facebook.emails && savedUser.auth.facebook.emails[0] && savedUser.auth.facebook.emails[0].value){
EmailUnsubscription.remove({email: savedUser.auth.facebook.emails[0].value}, function(){
utils.txnEmail(savedUser, 'welcome');
});
}
cb.apply(cb, arguments);
});
var analyticsData = {
category: 'acquisition',
type: network,
gaLabel: network,
uuid: user._id,
};
analytics.track('register', analyticsData)
}]
}, function(err, results){
if (err) return res.status(401).json({err: err.toString ? err.toString() : err});
var acct = results.register[0] ? results.register[0] : results.register;
if (acct.auth.blocked) return res.status(401).json(accountSuspended(acct._id));
return res.status(200).json({id:acct._id, token:acct.apiToken});
})
};
/**
* DELETE /user/auth/social
*/
api.deleteSocial = function(req,res,next){
if (!res.locals.user.auth.local.username)
return res.status(401).json({err:"Account lacks another authentication method, can't detach Facebook"});
//TODO for some reason, the following gives https://gist.github.com/lefnire/f93eb306069b9089d123
//res.locals.user.auth.facebook = null;
//res.locals.user.auth.save(function(err, saved){
User.update({_id:res.locals.user._id}, {$unset:{'auth.facebook':1}}, function(err){
if (err) return next(err);
res.sendStatus(200);
})
}
api.resetPassword = function(req, res, next){
var email = req.body.email && req.body.email.toLowerCase(), // Emails are all lowercase
salt = utils.makeSalt(),
newPassword = utils.makeSalt(), // use a salt as the new password too (they'll change it later)
hashed_password = utils.encryptPassword(newPassword, salt);
if(!email) return res.status(400).json({err: "Email not provided"});
User.findOne({'auth.local.email': email}, function(err, user){
if (err) return next(err);
if (!user) return res.status(401).json({err:"Sorry, we can't find a user registered with email " + email + "\n- Make sure your email address is typed correctly.\n- You may have signed up with Facebook, not email. Double-check by trying Facebook login."});
user.auth.local.salt = salt;
user.auth.local.hashed_password = hashed_password;
utils.sendEmail({
from: "Habitica <admin@habitica.com>",
to: email,
subject: "Password Reset for Habitica",
text: "Password for " + user.auth.local.username + " has been reset to " + newPassword + " Important! Both username and password are case-sensitive -- you must enter both exactly as shown here. We recommend copying and pasting both instead of typing them. Log in at " + nconf.get('BASE_URL') + ". After you've logged in, head to " + nconf.get('BASE_URL') + "/#/options/settings/settings and change your password.",
html: "Password for <strong>" + user.auth.local.username + "</strong> has been reset to <strong>" + newPassword + "</strong><br /><br />Important! Both username and password are case-sensitive -- you must enter both exactly as shown here. We recommend copying and pasting both instead of typing them.<br /><br />Log in at " + nconf.get('BASE_URL') + ". After you've logged in, head to " + nconf.get('BASE_URL') + "/#/options/settings/settings and change your password."
});
user.save(function(err){
if(err) return next(err);
res.send('New password sent to '+ email);
email = salt = newPassword = hashed_password = null;
});
});
};
var invalidPassword = function(user, password){
var hashed_password = utils.encryptPassword(password, user.auth.local.salt);
if (hashed_password !== user.auth.local.hashed_password)
return {code:401, err:"Incorrect password"};
return false;
}
api.changeUsername = function(req, res, next) {
var user = res.locals.user;
var username = req.body.username;
var lowerCaseUsername = username && username.toLowerCase(); // we search for the lowercased version to intercept duplicates
if(!username) return res.status(400).json({err: "Username not provided"});
async.waterfall([
function(cb){
User.findOne({'auth.local.lowerCaseUsername': lowerCaseUsername}, {auth:1}, cb);
},
function(found, cb){
if (found) return cb({code:401, err: "Username already taken"});
if (invalidPassword(user, req.body.password)) return cb(invalidPassword(user, req.body.password));
user.auth.local.username = username;
user.auth.local.lowerCaseUsername = lowerCaseUsername;
user.save(cb);
}
], function(err){
if (err) return err.code ? res.status(err.code).json(err) : next(err);
res.sendStatus(200);
})
}
api.changeEmail = function(req, res, next){
var email = req.body.email && req.body.email.toLowerCase(); // emails are all lowercase
if(!email) return res.status(400).json({err: "Email not provided"});
async.waterfall([
function(cb){
User.findOne({'auth.local.email': email}, {auth:1}, cb);
},
function(found, cb){
if(found) return cb({code:401, err: shared.i18n.t('messageAuthEmailTaken')});
if (invalidPassword(res.locals.user, req.body.password)) return cb(invalidPassword(res.locals.user, req.body.password));
res.locals.user.auth.local.email = email;
res.locals.user.save(cb);
}
], function(err){
if (err) return err.code ? res.status(err.code).json(err) : next(err);
res.sendStatus(200);
})
}
api.changePassword = function(req, res, next) {
var user = res.locals.user,
oldPassword = req.body.oldPassword,
newPassword = req.body.newPassword,
confirmNewPassword = req.body.confirmNewPassword;
if (newPassword != confirmNewPassword)
return res.status(401).json({err: "Password & Confirm don't match"});
var salt = user.auth.local.salt,
hashed_old_password = utils.encryptPassword(oldPassword, salt),
hashed_new_password = utils.encryptPassword(newPassword, salt);
if (hashed_old_password !== user.auth.local.hashed_password)
return res.status(401).json({err:"Old password doesn't match"});
user.auth.local.hashed_password = hashed_new_password;
user.save(function(err, saved){
if (err) next(err);
res.sendStatus(200);
})
};
// DISABLED FOR API v2
/*var firebaseTokenGeneratorInstance = new FirebaseTokenGenerator(nconf.get('FIREBASE:SECRET'));
api.getFirebaseToken = function(req, res, next) {
var user = res.locals.user;
// Expires 24 hours after now (60*60*24*1000) (in milliseconds)
var expires = new Date();
expires.setTime(expires.getTime() + 86400000);
var token = firebaseTokenGeneratorInstance
.createToken({
uid: user._id,
isHabiticaUser: true
}, {
expires: expires
});
res.status(200).json({
token: token,
expires: expires
});
};*/
// DISABLED FOR API v2
/*api.setupPassport = function(router) {
router.get('/logout', i18n.getUserLanguage, function(req, res) {
req.logout();
delete req.session.userId;
res.redirect('/');
})
};*/

428
website/server/controllers/api-v2/challenges.js Normal file
View File

@@ -0,0 +1,428 @@
// @see ../routes for routing
var _ = require('lodash');
var nconf = require('nconf');
var async = require('async');
var shared = require('../../../../common');
import {
model as User,
} from '../../models/user';
import {
model as Group,
basicFields as basicGroupFields,
TAVERN_ID,
} from '../../models/group';
import {
model as Challenge,
} from '../../models/challenge';
import * as Tasks from '../../models/task';
var logging = require('./../../libs/api-v2/logging');
var csvStringify = require('csv-stringify');
var utils = require('../../libs/api-v2/utils');
var api = module.exports;
var pushNotify = require('./pushNotifications');
import Bluebird from 'bluebird';
import v3MembersController from '../api-v3/members';
/*
------------------------------------------------------------------------
Challenges
------------------------------------------------------------------------
*/
var nameFields = 'profile.name';
api.list = async function(req, res, next) {
try {
var user = res.locals.user;
let challenges = await Challenge.find({
$or: [
{_id: {$in: user.challenges}}, // Challenges where the user is participating
{group: {$in: user.getGroups()}}, // Challenges in groups where I'm a member
{leader: user._id}, // Challenges where I'm the leader
],
_id: {$ne: '95533e05-1ff9-4e46-970b-d77219f199e9'}, // remove the Spread the Word Challenge for now, will revisit when we fix the closing-challenge bug TODO revisit
})
.sort('-official -timestamp')
// .populate('group', basicGroupFields)
// .populate('leader', nameFields)
.exec();
let resChals = challenges.map(challenge => {
let obj = challenge.toJSON();
obj._isMember = user.challenges.indexOf(challenge._id) !== -1;
return obj;
});
// Instead of populate we make a find call manually because of https://github.com/Automattic/mongoose/issues/3833
await Bluebird.all(resChals.map((chal, index) => {
return Bluebird.all([
User.findById(chal.leader).select(nameFields).exec(),
Group.findById(chal.group).select(basicGroupFields).exec(),
]).then(populatedData => {
resChals[index].leader = populatedData[0] ? populatedData[0].toJSON({minimize: true}) : null;
resChals[index].group = populatedData[1] ? populatedData[1].toJSON({minimize: true}) : null;
});
}));
res.json(resChals);
} catch (err) {
next(err);
}
}
// GET
api.get = async function(req, res, next) {
try {
let user = res.locals.user;
let challengeId = req.params.cid;
let challenge = await Challenge.findById(challengeId)
// Don't populate the group as we'll fetch it manually later
// .populate('leader', nameFields)
.exec();
if (!challenge) return res.status(404).json({err: 'Challenge ' + req.params.cid + ' not found'});
// Fetching basic group data
let group = await Group.getGroup({user, groupId: challenge.group, optionalMembership: true});
if (!group || !challenge.canView(user, group)) return res.status(404).json({err: 'Challenge ' + req.params.cid + ' not found'});
let leaderRes = await User.findById(challenge.leader).select('profile.name').exec();
leaderRes = leaderRes ? leaderRes.toJSON({minimize: true}) : null;
challenge.getTransformedData({
populateMembers: 'profile.name',
cb (err, transformedChal) {
transformedChal.group = group.toJSON({minimize: true});
transformedChal.leader = leaderRes;
transformedChal._isMember = user.challenges.indexOf(transformedChal._id) !== -1;
res.json(transformedChal);
}
});
} catch (err) {
next(err);
}
}
api.csv = function(req, res, next) {
var cid = req.params.cid;
req.params.challengeId = cid;
v3MembersController.exportChallengeCsv.handler(req, res, next).catch(next);
}
api.getMember = function(req, res, next) {
var cid = req.params.cid;
var uid = req.params.uid;
req.params.memberId = uid;
req.params.challengeId = cid;
v3MembersController.getChallengeMemberProgress.handler(req, res, next)
.then(result => {
let newResult = {
profile: {
name: result.profile.name,
},
habits: [],
dailys: [],
todos: [],
rewards: [],
};
let tasks = result.tasks;
tasks.forEach(task => {
let taskObj = task.toJSONV2();
newResult[taskObj.type + 's'].push(taskObj);
});
res.json(newResult);
})
.catch(next);
}
// CREATE
api.create = async function(req, res, next){
try {
var user = res.locals.user;
let groupId = req.body.group;
let prize = req.body.prize;
let group = await Group.getGroup({user, groupId, fields: '-chat', mustBeMember: true});
if (!group) return res.status(404).json({err:"Group." + req.body.group + " not found"});
if (!group.isMember(user)) return res.status(404).json({err:"Group." + req.body.group + " not found"});
if (group.leaderOnly && group.leaderOnly.challenges && group.leader !== user._id) {
return res.status(401).json({err:"Only the group leader can create challenges"});
}
if (group._id === TAVERN_ID && prize < 1) {
return res.status(401).json({err: 'Prize must be at least 1 Gem for public challenges.'})
}
if (prize > 0) {
let groupBalance = group.balance && group.leader === user._id ? group.balance : 0;
let prizeCost = prize / 4;
if (prizeCost > user.balance + groupBalance) {
return res.status(401).json({err: 'You can\'t afford this prize. Purchase more gems or lower the prize amount.'});
}
if (groupBalance >= prizeCost) {
// Group pays for all of prize
group.balance -= prizeCost;
} else if (groupBalance > 0) {
// User pays remainder of prize cost after group
let remainder = prizeCost - group.balance;
group.balance = 0;
user.balance -= remainder;
} else {
// User pays for all of prize
user.balance -= prizeCost;
}
}
group.challengeCount += 1;
req.body.leader = user._id;
req.body.official = user.contributor.admin && req.body.official;
let challenge = new Challenge(Challenge.sanitize(req.body));
// First validate challenge so we don't save group if it's invalid (only runs sync validators)
let challengeValidationErrors = challenge.validateSync();
if (challengeValidationErrors) throw challengeValidationErrors;
req.body.habits = req.body.habits || [];
req.body.todos = req.body.todos || [];
req.body.dailys = req.body.dailys || [];
req.body.rewards = req.body.rewards || [];
var chalTasks = req.body.habits.concat(req.body.rewards)
.concat(req.body.dailys).concat(req.body.todos)
.map(v2Task => Tasks.Task.fromJSONV2(v2Task));
chalTasks = chalTasks.map(function(task) {
var newTask = new Tasks[task.type](Tasks.Task.sanitize(task));
newTask.challenge.id = challenge._id;
return newTask.save();
});
let results = await Bluebird.all([challenge.save({
validateBeforeSave: false, // already validated
}), group.save()].concat(chalTasks));
let savedChal = results[0];
await savedChal.syncToUser(user); // (it also saves the user)
savedChal.getTransformedData({
cb (err, transformedChal) {
res.status(201).json(transformedChal);
},
});
} catch (err) {
next(err);
}
}
// UPDATE
api.update = function(req, res, next){
var cid = req.params.cid;
var user = res.locals.user;
var before;
var updatedTasks;
async.waterfall([
function(cb){
// We first need the original challenge data, since we're going to compare against new & decide to sync users
Challenge.findById(cid, cb);
},
function(chal, cb){
if(!chal) return cb({chal: null});
chal.getTasks(function(err, tasks){
cb(err, {
chal: chal,
tasks: tasks
});
});
},
function(_before, cb) {
if (!_before.chal) return cb('Challenge ' + cid + ' not found');
if (_before.chal.leader != user._id && !user.contributor.admin) return cb({code: 401, err: shared.i18n.t('noPermissionEditChallenge', req.language)});
// Update the challenge, since syncing will need the updated challenge. But store `before` we're going to do some
// before-save / after-save comparison to determine if we need to sync to users
before = {chal: _before.chal, tasks: _before.tasks};
var chalAttrs = _.pick(req.body, 'name shortName description date'.split(' '));
async.parallel({
chal: function(cb1){
Challenge.findByIdAndUpdate(cid, {$set:chalAttrs}, {new: true}, cb1);
},
tasks: function(cb1) {
// Convert to map of {id: task} so we can easily match them
var _beforeClonedTasks = _before.tasks;
updatedTasks = _.object(_.pluck(_beforeClonedTasks, '_id'), _beforeClonedTasks);
var newTasks = req.body.habits.concat(req.body.dailys)
.concat(req.body.todos).concat(req.body.rewards);
var newTasksObj = _.object(_.pluck(newTasks, '_id'), newTasks);
async.forEachOf(newTasksObj, function(newTask, taskId, cb2){
// some properties can't be changed
newTask = Tasks.Task.sanitize(newTask);
// we have to convert task to an object because otherwise things don't get merged correctly. Bad for performances?
_.assign(updatedTasks[taskId], shared.ops.updateTask(updatedTasks[taskId].toObject(), {body: newTask}));
_before.chal.updateTask(updatedTasks[taskId]).then(cb2).catch(cb2);
}, cb1);
}
}, cb);
},
], function(err, saved){
if(err) {
return err.code ? res.json(err.code, err) : next(err);
}
saved.chal.getTransformedData({cb: function(err, newChal){
if(err) return next(err);
res.json(newChal);
}})
cid = user = before = null;
});
}
/**
* Delete & close
*/
api.delete = async function(req, res, next){
try {
var user = res.locals.user;
var cid = req.params.cid;
let challenge = await Challenge.findOne({_id: req.params.cid}).exec();
if (!challenge) return next('Challenge ' + cid + ' not found');
if (!challenge.canModify(user)) return next(shared.i18n.t('noPermissionCloseChallenge'));
// Close channel in background, some ops are run in the background without `await`ing
await challenge.closeChal({broken: 'CHALLENGE_DELETED'});
res.sendStatus(200);
} catch (err) {
next(err);
}
}
/**
* Select Winner & Close
*/
api.selectWinner = async function(req, res, next) {
try {
if (!req.query.uid) return res.status(401).json({err: 'Must select a winner'});
let challenge = await Challenge.findOne({_id: req.params.cid}).exec();
if (!challenge) return next('Challenge ' + req.params.cid + ' not found');
if (!challenge.canModify(res.locals.user)) return next(shared.i18n.t('noPermissionCloseChallenge'));
let winner = await User.findOne({_id: req.query.uid}).exec();
if (!winner || winner.challenges.indexOf(challenge._id) === -1) return next('Winner ' + req.query.uid + ' not found.');
// Close channel in background, some ops are run in the background without `await`ing
await challenge.closeChal({broken: 'CHALLENGE_CLOSED', winner});
res.respond(200, {});
} catch (err) {
next(err);
}
}
api.join = async function(req, res, next){
try {
var user = res.locals.user;
var cid = req.params.cid;
let challenge = await Challenge.findOne({ _id: cid });
if (!challenge) return next(shared.i18n.t('challengeNotFound'));
if (challenge.isMember(user)) return next(shared.i18n.t('userAlreadyInChallenge'));
let group = await Group.getGroup({user, groupId: challenge.group, optionalMembership: true});
if (!group || !challenge.hasAccess(user, group)) return next(shared.i18n.t('challengeNotFound'));
challenge.memberCount += 1;
// Add all challenge's tasks to user's tasks and save the challenge
await Bluebird.all([challenge.syncToUser(user), challenge.save()]);
challenge.getTransformedData({
cb (err, transformedChal) {
transformedChal._isMember = true;
res.json(transformedChal);
}
});
} catch (e) {
next(e);
}
}
api.leave = async function(req, res, next){
try {
var user = res.locals.user;
var cid = req.params.cid;
// whether or not to keep challenge's tasks. strictly default to true if "keep-all" isn't provided
var keep = (/^remove-all/i).test(req.query.keep) ? 'remove-all' : 'keep-all';
let challenge = await Challenge.findOne({ _id: cid });
if (!challenge) return next(shared.i18n.t('challengeNotFound'));
let group = await Group.getGroup({user, groupId: challenge.group, fields: '_id type privacy'});
if (!group || !challenge.canView(user, group)) return next(shared.i18n.t('challengeNotFound'));
if (!challenge.isMember(user)) return next(shared.i18n.t('challengeMemberNotFound'));
challenge.memberCount -= 1;
// Unlink challenge's tasks from user's tasks and save the challenge
await Bluebird.all([challenge.unlinkTasks(user, keep), challenge.save()]);
challenge.getTransformedData({
cb (err, transformedChal) {
transformedChal._isMember = false;
res.json(transformedChal);
}
});
} catch (e) {
next(e);
}
}
import { removeFromArray } from '../../libs/api-v3/collectionManipulators';
api.unlink = async function(req, res, next) {
try {
var user = res.locals.user;
var tid = req.params.id;
var cid;
if (!req.query.keep)
return res.status(400).json({err: 'Provide unlink method as ?keep=keep-all (keep, keep-all, remove, remove-all)'});
let keep = req.query.keep;
let task = await Tasks.Task.findOne({
_id: tid,
userId: user._id,
}).exec();
if (!task) return next(shared.i18n.t('taskNotFound'));
if (!task.challenge.id) return next(shared.i18n.t('cantOnlyUnlinkChalTask'));
cid = task.challenge.id;
if (keep === 'keep') {
task.challenge = {};
await task.save();
} else { // remove
if (task.type !== 'todo' || !task.completed) { // eslint-disable-line no-lonely-if
removeFromArray(user.tasksOrder[`${task.type}s`], tid);
await Bluebird.all([user.save(), task.remove()]);
} else {
await task.remove();
}
}
res.sendStatus(200);
} catch (e) {
next(e);
}
}

47
website/server/controllers/api-v2/coupon.js Normal file
View File

@@ -0,0 +1,47 @@
var _ = require('lodash');
import {
model as Coupon,
} from '../../models/coupon';
var api = module.exports;
var csvStringify = require('csv-stringify');
var async = require('async');
api.ensureAdmin = function(req, res, next) {
if (!res.locals.user.contributor.sudo) return res.status(401).json({err:"You don't have admin access"});
next();
}
api.generateCoupons = function(req,res,next) {
let count = Number(req.query.count);
Coupon.generate(req.params.event, count, function(err){
if(err) return next(err);
res.sendStatus(200);
});
}
api.getCoupons = function(req,res,next) {
var options = {sort:'seq'};
if (req.query.limit) options.limit = req.query.limit;
if (req.query.skip) options.skip = req.query.skip;
Coupon.find({},{}, options, function(err,coupons){
let output = [['code']].concat(_.map(coupons, function(c){
return [c._id];
}))
res.set({
'Content-Type': 'text/csv',
'Content-disposition': 'attachment; filename=habitica-coupons.csv',
});
csvStringify(output, (err, csv) => {
if (err) return next(err);
res.status(200).send(csv);
});
});
}
api.enterCode = function(req,res,next) {
Coupon.apply(res.locals.user,req.params.code,function(err,user){
if (err) return res.status(400).json({err:err});
res.json(user);
});
}

153
website/server/controllers/api-v2/dataexport.js Normal file
View File

@@ -0,0 +1,153 @@
var _ = require('lodash');
var express = require('express');
var csvStringify = require('csv-stringify');
var nconf = require('nconf');
var moment = require('moment');
var js2xmlparser = require("js2xmlparser");
var pd = require('pretty-data').pd;
import {
model as User,
} from '../../models/user';
// Avatar screenshot/static-page includes
//var Pageres = require('pageres'); //https://github.com/sindresorhus/pageres
//var AWS = require('aws-sdk');
//AWS.config.update({accessKeyId: nconf.get("S3:accessKeyId"), secretAccessKey: nconf.get("S3:secretAccessKey")});
//var s3Stream = require('s3-upload-stream')(new AWS.S3()); //https://github.com/nathanpeck/s3-upload-stream
//var bucket = nconf.get("S3:bucket");
//var request = require('request');
/*
------------------------------------------------------------------------
Data export
------------------------------------------------------------------------
*/
var dataexport = module.exports;
dataexport.history = function(req, res) {
var user = res.locals.user;
var output = [
["Task Name", "Task ID", "Task Type", "Date", "Value"]
];
_.each(user.tasks, function(task) {
_.each(task.history, function(history) {
output.push([
task.text,
task.id,
task.type,
moment(history.date).format("MM-DD-YYYY HH:mm:ss"),
history.value
]);
});
});
res.set({
'Content-Type': 'text/csv',
'Content-disposition': 'attachment; filename=habitica-tasks-history.csv',
});
csvStringify(output, (err, csv) => {
if (err) return next(err);
res.status(200).send(csv);
});
};
var userdata = function(user) {
if(user.auth && user.auth.local) {
delete user.auth.local.salt;
delete user.auth.local.hashed_password;
}
return user;
}
dataexport.leanuser = function(req, res, next) {
User.findOne({_id: res.locals.user._id}).lean().exec(function(err, user) {
if (err) return res.status(500).json({err: err});
if (_.isEmpty(user)) return res.status(401).json(NO_USER_FOUND);
res.locals.user = user;
return next();
});
};
dataexport.userdata = {
xml: function(req, res) {
var user = userdata(res.locals.user);
return res.xml({data: JSON.stringify(user), rootname: 'user'});
},
json: function(req, res) {
var user = userdata(res.locals.user);
return res.jsonstring(user);
}
}
/*
------------------------------------------------------------------------
Express Extensions (should be refactored into a module)
------------------------------------------------------------------------
*/
var expressres = express.response || http.ServerResponse.prototype;
expressres.xml = function(obj, headers, status) {
var body = '';
this.charset = this.charset || 'utf-8';
this.header('Content-Type', 'text/xml');
this.header('Content-Disposition', 'attachment');
body = pd.xml(js2xmlparser(obj.rootname,obj.data));
return this.send(body, headers, status);
};
expressres.jsonstring = function(obj, headers, status) {
var body = '';
this.charset = this.charset || 'utf-8';
this.header('Content-Type', 'application/json');
this.header('Content-Disposition', 'attachment');
body = pd.json(JSON.stringify(obj));
return this.send(body, headers, status);
};
/*
------------------------------------------------------------------------
Static page and image screenshot of avatar
------------------------------------------------------------------------
*/
dataexport.avatarPage = function(req, res) {
User.findById(req.params.uuid).select('stats profile items achievements preferences backer contributor').exec(function(err, user){
res.render('avatar-static', {
title: user.profile.name,
env: _.defaults({user:user}, res.locals.habitrpg)
});
})
};
dataexport.avatarImage = function(req, res, next) {
var filename = 'avatars/'+req.params.uuid+'.png';
request.head('https://'+bucket+'.s3.amazonaws.com/'+filename, function(err,response,body) {
// cache images for 10 minutes on aws, else upload a new one
if (response.statusCode==200 && moment().diff(response.headers['last-modified'], 'minutes') < 10)
return res.redirect(301, 'https://' + bucket + '.s3.amazonaws.com/' + filename);
new Pageres()//{delay:1}
.src(nconf.get('BASE_URL') + '/export/avatar-' + req.params.uuid + '.html', ['140x147'], {crop: true, filename: filename.replace('.png', '')})
.run()
.then(function (file) {
var upload = s3Stream.upload({
Bucket: bucket,
Key: filename,
ACL: "public-read",
StorageClass: "REDUCED_REDUNDANCY",
ContentType: "image/png",
Expires: +moment().add({minutes: 3})
});
upload.on('error', function (err) {
next(err);
});
upload.on('uploaded', function (details) {
res.redirect(details.Location);
});
file[0].pipe(upload);
}).catch(next);
})
};

1227
website/server/controllers/api-v2/groups.js Normal file
View File

File diff suppressed because it is too large Load Diff

89
website/server/controllers/api-v2/hall.js Normal file
View File

@@ -0,0 +1,89 @@
var _ = require('lodash');
var nconf = require('nconf');
var async = require('async');
var shared = require('../../../../common');
import {
model as User,
} from '../../models/user';
import {
model as Group,
} from '../../models/group';
var api = module.exports;
api.ensureAdmin = function(req, res, next) {
var user = res.locals.user;
if (!(user.contributor && user.contributor.admin)) return res.status(401).json({err:"You don't have admin access"});
next();
}
api.getHeroes = function(req,res,next) {
User.find({'contributor.level':{$gt:0}})
.select('contributor backer balance profile.name')
.sort('-contributor.level')
.exec(function(err, users){
if (err) return next(err);
res.json(users);
});
}
api.getPatrons = function(req,res,next){
var page = req.query.page || 0,
perPage = 50;
User.find({'backer.tier':{$gt:0}})
.select('contributor backer profile.name')
.sort('-backer.tier')
.skip(page*perPage)
.limit(perPage)
.exec(function(err, users){
if (err) return next(err);
res.json(users);
});
}
api.getHero = function(req,res,next) {
User.findById(req.params.uid)
.select('contributor balance profile.name purchased items')
.select('auth.local.username auth.local.email auth.facebook auth.blocked')
.exec(function(err, user){
if (err) return next(err)
if (!user) return res.status(400).json({err:'User not found'});
res.json(user);
});
}
api.updateHero = function(req,res,next) {
async.waterfall([
function(cb){
User.findById(req.params.uid, cb);
},
function(member, cb){
if (!member) return res.status(404).json({err: "User not found"});
member.balance = req.body.balance || 0;
var newTier = req.body.contributor.level; // tier = level in this context
var oldTier = member.contributor && member.contributor.level || 0;
if (newTier > oldTier) {
member.flags.contributor = true;
var gemsPerTier = {1:3, 2:3, 3:3, 4:4, 5:4, 6:4, 7:4, 8:0, 9:0}; // e.g., tier 5 gives 4 gems. Tier 8 = moderator. Tier 9 = staff
var tierDiff = newTier - oldTier; // can be 2+ tier increases at once
while (tierDiff) {
member.balance += gemsPerTier[newTier] / 4; // balance is in $
tierDiff--;
newTier--; // give them gems for the next tier down if they weren't aready that tier
}
}
member.contributor = req.body.contributor;
member.purchased.ads = req.body.purchased.ads;
if (member.contributor.level >= 6) member.items.pets['Dragon-Hydra'] = 5;
if (req.body.itemPath && req.body.itemVal
&& req.body.itemPath.indexOf('items.') === 0
&& User.schema.paths[req.body.itemPath]) {
shared.dotSet(member, req.body.itemPath, req.body.itemVal); // Sanitization at 5c30944 (deemed unnecessary)
}
if (_.isBoolean(req.body.auth.blocked)) member.auth.blocked = req.body.auth.blocked;
member.save(cb);
}
], function(err, saved){
if (err) return next(err);
res.status(204).json({});
})
}

139
website/server/controllers/api-v2/members.js Normal file
View File

@@ -0,0 +1,139 @@
import {
model as groups,
chatDefaults,
} from '../../models/group';
import {
model as User,
} from '../../models/user';
let partyFields = require('./groups').partyFields;
var api = module.exports;
var async = require('async');
var _ = require('lodash');
var shared = require('../../../../common');
var utils = require('../../libs/api-v2/utils');
var nconf = require('nconf');
var pushNotify = require('./pushNotifications');
var fetchMember = function(uuid, restrict){
return function(cb){
var q = User.findById(uuid);
if (restrict) q.select(partyFields);
q.exec(function(err, member){
if (err) return cb(err);
if (!member) return cb({code:404, err: 'User not found'});
return cb(null, member);
})
}
}
var sendErr = function(err, res, next){
err.code ? res.status(err.code).json({err: err.err}) : next(err);
}
api.getMember = function(req, res, next) {
fetchMember(req.params.uuid, true)(function(err, member){
if (err) return sendErr(err, res, next);
res.json(member);
})
}
api.sendMessage = function(user, member, data){
var msg;
if (!data.type) {
msg = data.message
} else {
msg = "`Hello " + member.profile.name + ", " + user.profile.name + " has sent you ";
if (data.type == 'gems') {
var gemAmount = data.gems.amount;
var gemLabel = gemAmount > 1 ? "gems" : "gem";
msg += gemAmount + " " + gemLabel + "!`";
} else {
var monthAmount = shared.content.subscriptionBlocks[data.subscription.key].months;
var monthLabel = monthAmount > 1 ? "months" : "month";
msg += monthAmount + " " + monthLabel + " of subscription!`";
}
msg += data.message ? data.message : '';
}
shared.refPush(member.inbox.messages, chatDefaults(msg, user));
member.inbox.newMessages++;
member._v++;
member.markModified('inbox.messages');
shared.refPush(user.inbox.messages, _.defaults({sent:true}, chatDefaults(msg, member)));
user.markModified('inbox.messages');
}
api.sendPrivateMessage = function(req, res, next){
var fetchedMember;
async.waterfall([
fetchMember(req.params.uuid),
function(member, cb) {
fetchedMember = member;
if (~member.inbox.blocks.indexOf(res.locals.user._id) // can't send message if that user blocked me
|| ~res.locals.user.inbox.blocks.indexOf(member._id) // or if I blocked them
|| member.inbox.optOut) { // or if they've opted out of messaging
return cb({code: 401, err: "Can't send message to this user."});
}
api.sendMessage(res.locals.user, member, {message:req.body.message});
async.parallel([
function (cb2) { member.save(cb2) },
function (cb2) { res.locals.user.save(cb2) }
], cb);
}
], function(err){
if (err) return sendErr(err, res, next);
if(fetchedMember.preferences.emailNotifications.newPM !== false){
utils.txnEmail(fetchedMember, 'new-pm', [
{name: 'SENDER', content: utils.getUserInfo(res.locals.user, ['name']).name},
{name: 'PMS_INBOX_URL', content: '/#/options/groups/inbox'}
]);
}
res.sendStatus(200);
})
}
api.sendGift = function(req, res, next){
async.waterfall([
fetchMember(req.params.uuid),
function(member, cb) {
// Gems
switch (req.body.type) {
case "gems":
var amt = req.body.gems.amount / 4,
user = res.locals.user;
if (member.id == user.id)
return cb({code: 401, err: "Cannot send gems to yourself. Try a subscription instead."});
if (!amt || amt <=0 || user.balance < amt)
return cb({code: 401, err: "Amount must be within 0 and your current number of gems."});
member.balance += amt;
user.balance -= amt;
api.sendMessage(user, member, req.body);
var byUsername = utils.getUserInfo(user, ['name']).name;
if(member.preferences.emailNotifications.giftedGems !== false){
utils.txnEmail(member, 'gifted-gems', [
{name: 'GIFTER', content: byUsername},
{name: 'X_GEMS_GIFTED', content: req.body.gems.amount}
]);
}
pushNotify.sendNotify(member, shared.i18n.t('giftedGems'), shared.i18n.t('giftedGemsInfo', { amount: req.body.gems.amount, name: byUsername }));
return async.parallel([
function (cb2) { member.save(cb2) },
function (cb2) { user.save(cb2) }
], cb);
case "subscription":
return cb();
default:
return cb({code:400, err:"Body must contain a gems:{amount,fromBalance} or subscription:{months} object"});
}
}
], function(err) {
if (err) return sendErr(err, res, next);
res.sendStatus(200);
});
}

58
website/server/controllers/api-v2/pushNotifications.js Normal file
View File

@@ -0,0 +1,58 @@
// TODO move to /api-v2
var api = module.exports;
var _ = require('lodash');
var nconf = require('nconf');
var pushNotify = require('push-notify');
var gcmApiKey = nconf.get("PUSH_CONFIGS:GCM_SERVER_API_KEY");
var gcm = gcmApiKey ? pushNotify.gcm({
apiKey: gcmApiKey,
retries: 3
}) : undefined;
if(gcm){
gcm.on('transmitted', function (result, message, registrationId) {
//console.info("transmitted", result, message, registrationId);
});
gcm.on('transmissionError', function (error, message, registrationId) {
//console.info("transmissionError", error, message, registrationId);
});
gcm.on('updated', function (result, registrationId) {
//console.info("updated", result, registrationId);
});
}
api.sendNotify = function(user, title, msg, timeToLive){
timeToLive = timeToLive || 15;
// need investigation:
// https://github.com/HabitRPG/habitrpg/issues/5252
if(!user)
return;
_.forEach(user.pushDevices, function(pushDevice){
switch(pushDevice.type){
case "android":
if(gcm){
gcm.send({
registrationId: pushDevice.regId,
//collapseKey: 'COLLAPSE_KEY',
delayWhileIdle: true,
timeToLive: timeToLive,
data: {
title: title,
message: msg
}
});
}
break;
case "ios":
break;
}
});
};

40
website/server/controllers/api-v2/unsubscription.js Normal file
View File

@@ -0,0 +1,40 @@
import {
model as User,
} from '../../models/user';
import {
model as EmailUnsubscription,
} from '../../models/emailUnsubscription';
var utils = require('../../libs/api-v2/utils');
var i18n = require('../../../../common').i18n;
var api = module.exports = {};
api.unsubscribe = function(req, res, next){
if(!req.query.code) return res.status(500).json({err: 'Missing unsubscription code.'});
var data = JSON.parse(utils.decrypt(req.query.code));
if(data._id){
User.update({_id: data._id}, {
$set: {'preferences.emailNotifications.unsubscribeFromAll': true}
}, {multi: false}, function(err, updateRes){
if(err) return next(err);
if(updateRes.n !== 1) return res.json(404, {err: 'User not found'});
res.send('<h1>' + i18n.t('unsubscribedSuccessfully', null, req.language) + '</h1>' + i18n.t('unsubscribedTextUsers', null, req.language));
});
}else{
EmailUnsubscription.findOne({email: data.email}, function(err, doc){
if(err) return next(err);
var okRes = '<h1>' + i18n.t('unsubscribedSuccessfully', null, req.language) + '</h1>' + i18n.t('unsubscribedTextOthers', null, req.language);
if(doc) return res.send(okRes);
EmailUnsubscription.create({email: data.email}, function(err, doc){
if(err) return next(err);
res.send(okRes);
})
});
}
};

1053
website/server/controllers/api-v2/user.js Normal file
View File

File diff suppressed because it is too large Load Diff