mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-17 22:57:21 +01:00
28f2e9c356
* Fixed more tests * Added tags into user service * Added api-v3 auth urls * v3: fix package.json * v3: fix package.json * Fixed auth tests. Updated Authctrl response * v3: remove newrelic config file in favour of env variables * v3: upgrade some deps * switch from Q to Bluebird * v3 fix tests with deferred * Removed extra consoles.log. Changed data.data to res.data * v3 fix tests and use coroutines instead of regenerator * v3: fix tests * v3: do not await a non promise * v3: q -> bluebird * Changed id param for registration response * Updated party query and create * Ensured login callback happens after user sync * Add challenges to groups. Fixed isMemberOfGuild check * Updated party and group tests * Fixed cron test * return user.id and send analytics event before changing page * fix trailing spaces * disable redirects * Api v3 party tavern fixes (#7191) * Added check if user is in party before query * Cached party query. Prevented party request when user is not in party. Updated Party create with no invites * Update tavern ctrl to use new promise * v3: misc fixes * Api v3 task fixes (#7193) * Update task view to use _id * Added try catch to user service ops calls * v3 client: saving after syncing is complete * Fixed test broken by part sync change (#7195) * v3: fix todo scoring and try to fix production testing problem * revert changes to mongoose config * mongoose: increase keepAlive * test mongoose fix * fix: Only apply captureStackTrace if it exists on the error object * v3: fix reminders with no startDate * mongoose: use options * chore(): rename website/src -> website/server and website/public -> website/client (#7199) * v3 fix GET /groups: return an error only if an invalid type is supplied not when there are 0 results (#7203) * [API v3] Fix calls to user.ops and deleting tags (#7204) * v3: fixes calls to user.ops from views and deleting tags * v3: fix tests that use user._statsComputed * Api v3 fixes continued (#7205) * Added timzeone offset back * Added APIToken back to settings page * Fixed fetch recent messages for party * Fixed returning group description * Fixed check if user is member of challenge * Fixed party members appearing in header * Updated get myGroups param to include public groups. Fixed isMemberOf group * Fixed hourglass purchase * Fixed challenge addding tasks on first creating * Updated tests to accomidate new changes * fix: Correct checklist on client Closes #7207 * fix: Pin eslint to 2.9 * minor improvements to cron code for clarity; fix inaccurate comments; add TODOs for rest-in-inn actions * fix: Add missing type param to equip call closes #7212 * rename and reword pubChalsMinPrize to reflect that it's only for Tavern challenges * allows players to send gems to each other; other minor related changes - fixes https://github.com/HabitRPG/habitrpg/issues/7227 * fix tests for /members/transfer-gems * fix: Set gems sent notification as translatable string * chore: Remove unusued variable * fix: Remove requirement on message paramter in transfer-gems * add a missing variable declaration * chore: clarify comments on cron code * fix: Correct client request from habitrpg -> tavern * update apidoc URL in package.json Closes #7222 * Fixed start party by invites * Updated spell casting to v3 * Fixed adding and removing tags on tasks * Fixed page reload on settings change * Fixed battle monsters with friends button * Loaded completed todos when done is clicked * chore: Reinstate floating version number for eslint babel-eslint regression fixed * Fixed reload tests * change "an user" to "a user" in comments and text (no code changes) (#7257) * fix: Alert user that drops were recieved * remove userServices.js from karma.conf - it's been moved to website/client/js/services * feat: Create debug update user route * fix: Correct set cron debug function * feat: Add make admin button to debug menu * lint: Add missing semicolons in test * fix: Temporarilly comment out udpate user debug route * v3: fix _tmp for crit and streakBonus * v3: execute all actions when leaving a solo party * v3 client: fix group not found when leaving party * v3 migration: fix challenge prize * v3 cron: only save modified tasks * v3: add CHALLENGE_TASK_NOT_FOUND to valid broken reasons * v3: fix tasks chart * v3 client: fix ability to leave challenge * v3 client: fix filtering by tag and correctly show tag tooltip * v3 common: fix tags tests * v3 client: support unlinking not found challenges tasks * v3: disable Bluebird warning for missing return, fixes #7269 * feat: Separate out update-user into set-cron and make-admin debug routes * chore: Disable make admin debug route for v3 prod testing * v3: misc fixes * v3: misc fixes * v3: fix adding multiple tasks * Fixed join/leave button updates * Queried only user groups to be available when creating challenges * Fixed bulk add tasks to challenge * Synced challenge tasks after leave and join. * Fixed default selected group * Fixed challenge member info. Fixed challenge winner selection * Fixed deleting challenge tasks * Fixed particiapting filter * v3 client: fix casting spells * v3: do not log sensitive data * v3: always save user when casting spell * v3: always save user when casting spell * v3: more fixes for spells * fix typos and missing information in apidocs - fixes https://github.com/HabitRPG/habitrpg/issues/7277 (#7282) * v3: add TODO for client side spells * feat: Add modify inventory debug menu * Fixed viewing user progress on challenge * Updated tests * fix: Fix quest progress button * fix incorrect Armoire test; remove unneeded param details from apidocs; disambiguate health potion * v3: fix stealth casting * v3: fix tasks saving and selection for rebirth reroll and reset (server-only) * v3: fix auto allocation * v3 client: misc fixes * rename buyPotion and buy-potion to buyHealthPotion and buy-health-potion; fix apidoc param error * Added delete for saved challenge task * Fixed member modal on front page * adjust text in apidocs for errors / clarity / consistency / standard terminology (no code changes) (#7298) * fix bug in Rebirth test, add new tests, adjust apidocs (#7293) * Updated task model to allow setting streak (#7306) * fix: Correct missing * in apidoc comments * Api v3 challenge fixes (#7287) * Fixed join/leave button updates * Queried only user groups to be available when creating challenges * Fixed bulk add tasks to challenge * Synced challenge tasks after leave and join. * Fixed default selected group * Fixed challenge member info. Fixed challenge winner selection * Fixed deleting challenge tasks * Fixed particiapting filter * Fixed viewing user progress on challenge * Updated tests * Added delete for saved challenge task * v3: fix sorting * [API v3] add CRON_SAFE_MODE (#7286) * add CRON_SAFE_MODE to example config file, fix some bugs, add an unrelated low-priority TODO * create CRON_SAFE_MODE to disable parts of cron for use after extended outage - fixes https://github.com/HabitRPG/habitrpg/issues/7161 * fix a bug with CRON_SAFE_MODE, remove duplicated code, remove completed TODO comment * fix check for CRON_SAFE_MODE * v3 client: fix typo * adjust debug menu Modify Inventory: hungrier pets, fewer Special items, "Hide" buttons * completed To-Dos: return the 30 most recent instead of 30 oldest (#7318) * v3 migration: fix createdAt date * adjust locales text, key names, and files for Rebirth, Reset, and Fortify / ReRoll for consistency with existing strings (#7321) * v3: fix unlinking multiple tasks * v3 fix releasing pets * v3: fix authenticating with apiUrl * v3: fix typo * v3 fix client tests for unlinking * v3 client: do not show start quest button when quest is active * v3 client: fix ability to send cards * v3 client: fix misc challenge issues * v3: fix notifications * v3 client: more user friendly errors * v3 client: only load completed todos once * v3 client: fix tests * v3: move TAVERN_ID to common code * fix: Provide default type and text for new task creation in score route * fix: Provide default history [] for habit in score route * fix: Add _legacyId prop to tasks to support non-uuid identifiers * chore: Change v3 migration to use _legacyId instead of legacyId * fix: check for _legacyId in tasks if id does not exist * refactor: Extract out finding task by id or _legacyId into a function * Api v3 party quest fixes (#7341) * Fix display of add challenge message when group challenges are empty * Fixed forced quest start to update quest without reload * Fixed needing to reload when accepting party invite * Fix group leave and join reload * Fixed leave current party and join another * Updated party tests * v3 client: remove console.log statement * v3: misc fixes * v3 client: fix predicatbale random * v3: info about API v3 * v3: update footer with links to developer resources * v3: support party invitation from email * v3 client: fix chat flagging * fix: Correct get tasks route to properly get todos (#7349) * move locales strings from api-v3.json to other locales files (#7347) * move locales strings from api-v3.json: authentication strings -> front.json * move locales strings from api-v3.json: authentication strings -> tasks.json * move locales strings from api-v3.json: authentication strings -> groups.json * move locales strings from api-v3.json: authentication strings -> challenge.json * move locales strings from api-v3.json: authentication strings -> groups.json (again) * move locales strings from api-v3.json: authentication strings -> quests.json * move locales strings from api-v3.json: authentication strings -> subscriber.json * move locales strings from api-v3.json: authentication strings -> spells.json * move locales strings from api-v3.json: authentication strings -> character.json * move locales strings from api-v3.json: authentication strings -> groups.json (PMs) * move locales strings from api-v3.json: authentication strings -> npc.json * move locales strings from api-v3.json: authentication strings -> pets.json * move locales strings from api-v3.json: authentication strings -> miscellaneous * move locales strings from api-v3.json: authentication strings -> contrib.json and settings.json * move locales strings from api-v3.json: delete unused string (invalidTasksOwner), delete api-v3.json, whitespace cleanup * v3 client: fix sticky header * v3: remove unused code * v3 client: correctly redirect after inviting * Removed v2 calls from views (#7351) * v3: fix tests for challenge export * v3: fallbackto authWithHeaders if wuthWithSession or authWithUrl fails * Added force cache update when fetching new messages (#7360) * v3: fetch whole user when booting from group tto avoid issues with pre save hook expecting all data * v3: misc fixes for payments * v3: limit fields of challenge tasks that can be updated * fix(tests): never connect to NODE_DB_URI for tests * Added new route for setting last cron and updated front end * v3: fix iap url * v3: fix build and ios IAP * Changed route to user set custom day start * v3: iap accessible under /api/v3, fixes to spells and groups invitations * v3: correctly use v3 routes in client * remove XP, GP when unticking a Daily with a completed checklist - fixes https://github.com/HabitRPG/habitrpg/issues/7246 * use natural language for error message about skills on challenge tasks (#7336), fix other gramatical error * Updated ui when user rejects a guild invite (#7368) * feat: complete custom day start route Closes #7363 * fix: Correct spelling of healAll skill fix: Correct sprite name of healAll skill * fix: Change all instances of spookDust -> spookySparkles * add dateCreated to all tasks; add empty challenge object to tasks that don't have one (#7386) * add plumilla to artists for Tangle Tree in Bailey message * Fixed quest drop modal (#7377) * Fixed quest drop modal * Fixed broken party test * [API v3] Maintenance Mode (#7367) * WIP(maintenance): maintenance * WIP(maintenance): working locale features * fix(maintenance): don't translate info page target * WIP(maintenance): start adding info page * fix(maintenance): linting * feat: Add container to maintenance info page * fix(maintenance): add config.json edits Also DRY variables for main vs info pages * fix(maintenance): linting * refactor(maintenance): further slim down variables * refactor: Remove unnecessary variables * fix: Correct string interpolation in maintenace view * feat: Dynamically add time to maintenance pages * maintenance mode: do not connect to mongodb * fix(maintenance): clean up timezones etc. * fix(maintenance): remove unneeded sprite * Tavern party challenges invites fix (#7394) * Added challenges and invitations to party * Loaded tavern challenges * Updated group and quest services tests * v3: implement automatic syncing if user is not up to date * Removed unnecessary fields when updating groups and challenges (#7395) * v3: do not saved populated user * v3: correctly return user subset * Chained party promises together (#7396) * v3: $w -> splitWhitespace * use bluebird * use babel polyfill * migration: fix items * update links for v3 * Updated shortname validation to support multiple browsers * Docs changes (#7401) * chore: Clarify transfer-gems documentation * chore: Clarify api status route documentation * chore: Mark webhooks as BETA * Added tags update route. Added sort to user service (#7381) * Added tags update route. Added sort to user service * Change update tasks route to reorder tasks * Fixed linting issue * Changed params for reorder tags route * Fixed not found tag and added test * Added password confirmation when deleteing account (#7402) * fix production logging * feat(commit): push * empty commit * feat(maintenance): post-downtime news & awards (#7406) * fix exporting avatar * second attempt at fixing exporting avatar * fix production logging * s3: convert moment to date instance * fix avatar sharing and caching (30 minutes) * fix: Correct missing parameter Closes #7433 * fix: Validate challenge shortname on server * adjust text strings - fixes https://github.com/HabitRPG/habitrpg/issues/5631 and also Short Name -> Tag Name
513 lines
17 KiB
JavaScript
513 lines
17 KiB
JavaScript
import validator from 'validator';
|
|
import moment from 'moment';
|
|
import passport from 'passport';
|
|
import nconf from 'nconf';
|
|
import {
|
|
authWithHeaders,
|
|
} from '../../middlewares/api-v3/auth';
|
|
import {
|
|
NotAuthorized,
|
|
BadRequest,
|
|
NotFound,
|
|
} from '../../libs/api-v3/errors';
|
|
import Bluebird from 'bluebird';
|
|
import * as passwordUtils from '../../libs/api-v3/password';
|
|
import logger from '../../libs/api-v3/logger';
|
|
import { model as User } from '../../models/user';
|
|
import { model as Group } from '../../models/group';
|
|
import { model as EmailUnsubscription } from '../../models/emailUnsubscription';
|
|
import { sendTxn as sendTxnEmail } from '../../libs/api-v3/email';
|
|
import { decrypt } from '../../libs/api-v3/encryption';
|
|
import FirebaseTokenGenerator from 'firebase-token-generator';
|
|
import { send as sendEmail } from '../../libs/api-v3/email';
|
|
|
|
let api = {};
|
|
|
|
// When the user signed up after having been invited to a group, invite them automatically to the group
|
|
async function _handleGroupInvitation (user, invite) {
|
|
// wrapping the code in a try because we don't want it to prevent the user from signing up
|
|
// that's why errors are not translated
|
|
try {
|
|
let {sentAt, id: groupId, inviter} = JSON.parse(decrypt(invite));
|
|
|
|
// check that the invite has not expired (after 7 days)
|
|
if (sentAt && moment().subtract(7, 'days').isAfter(sentAt)) {
|
|
let err = new Error('Invite expired.');
|
|
err.privateData = invite;
|
|
throw err;
|
|
}
|
|
|
|
let group = await Group.getGroup({user, optionalMembership: true, groupId, fields: 'name type'});
|
|
if (!group) throw new NotFound('Group not found.');
|
|
|
|
if (group.type === 'party') {
|
|
user.invitations.party = {id: group._id, name: group.name, inviter};
|
|
} else {
|
|
user.invitations.guilds.push({id: group._id, name: group.name, inviter});
|
|
}
|
|
} catch (err) {
|
|
logger.error(err);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/auth/local/register Register
|
|
* @apiDescription Register a new user with email, username and password or attach local auth to a social user
|
|
* @apiVersion 3.0.0
|
|
* @apiName UserRegisterLocal
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {String} username Body parameter - Username of the new user
|
|
* @apiParam {String} email Body parameter - Email address of the new user
|
|
* @apiParam {String} password Body parameter - Password for the new user
|
|
* @apiParam {String} confirmPassword Body parameter - Password confirmation
|
|
*
|
|
* @apiSuccess {Object} data The user object, if local auth was just attached to a social user then only user.auth.local
|
|
*/
|
|
api.registerLocal = {
|
|
method: 'POST',
|
|
middlewares: [authWithHeaders(true)],
|
|
url: '/user/auth/local/register',
|
|
async handler (req, res) {
|
|
let fbUser = res.locals.user; // If adding local auth to social user
|
|
|
|
req.checkBody({
|
|
email: {
|
|
notEmpty: {errorMessage: res.t('missingEmail')},
|
|
isEmail: {errorMessage: res.t('notAnEmail')},
|
|
},
|
|
username: {notEmpty: {errorMessage: res.t('missingUsername')}},
|
|
password: {
|
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
|
equals: {options: [req.body.confirmPassword], errorMessage: res.t('passwordConfirmationMatch')},
|
|
},
|
|
});
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let { email, username, password } = req.body;
|
|
|
|
// Get the lowercase version of username to check that we do not have duplicates
|
|
// So we can search for it in the database and then reject the choosen username if 1 or more results are found
|
|
email = email.toLowerCase();
|
|
let lowerCaseUsername = username.toLowerCase();
|
|
|
|
// Search for duplicates using lowercase version of username
|
|
let user = await User.findOne({$or: [
|
|
{'auth.local.email': email},
|
|
{'auth.local.lowerCaseUsername': lowerCaseUsername},
|
|
]}, {'auth.local': 1}).exec();
|
|
|
|
if (user) {
|
|
if (email === user.auth.local.email) throw new NotAuthorized(res.t('emailTaken'));
|
|
// Check that the lowercase username isn't already used
|
|
if (lowerCaseUsername === user.auth.local.lowerCaseUsername) throw new NotAuthorized(res.t('usernameTaken'));
|
|
}
|
|
|
|
let salt = passwordUtils.makeSalt();
|
|
let hashed_password = passwordUtils.encrypt(password, salt); // eslint-disable-line camelcase
|
|
let newUser = {
|
|
auth: {
|
|
local: {
|
|
username,
|
|
lowerCaseUsername,
|
|
email,
|
|
salt,
|
|
hashed_password, // eslint-disable-line camelcase
|
|
},
|
|
},
|
|
preferences: {
|
|
language: req.language,
|
|
},
|
|
};
|
|
|
|
if (fbUser) {
|
|
if (!fbUser.auth.facebook.id) throw new NotAuthorized(res.t('onlySocialAttachLocal'));
|
|
fbUser.auth.local = newUser.auth.local;
|
|
newUser = fbUser;
|
|
} else {
|
|
newUser = new User(newUser);
|
|
newUser.registeredThrough = req.headers['x-client']; // Not saved, used to create the correct tasks based on the device used
|
|
}
|
|
|
|
// we check for partyInvite for backward compatibility
|
|
if (req.query.groupInvite || req.query.partyInvite) {
|
|
await _handleGroupInvitation(newUser, req.query.groupInvite || req.query.partyInvite);
|
|
}
|
|
|
|
let savedUser = await newUser.save();
|
|
|
|
if (savedUser.auth.facebook.id) {
|
|
res.respond(200, savedUser.toJSON().auth.local); // We convert to toJSON to hide private fields
|
|
} else {
|
|
res.respond(201, savedUser);
|
|
}
|
|
|
|
// Clean previous email preferences and send welcome email
|
|
EmailUnsubscription
|
|
.remove({email: savedUser.auth.local.email})
|
|
.then(() => sendTxnEmail(savedUser, 'welcome'));
|
|
|
|
if (!savedUser.auth.facebook.id) {
|
|
res.analytics.track('register', {
|
|
category: 'acquisition',
|
|
type: 'local',
|
|
gaLabel: 'local',
|
|
uuid: savedUser._id,
|
|
});
|
|
}
|
|
|
|
return null;
|
|
},
|
|
};
|
|
|
|
function _loginRes (user, req, res) {
|
|
if (user.auth.blocked) throw new NotAuthorized(res.t('accountSuspended', {userId: user._id}));
|
|
return res.respond(200, {id: user._id, apiToken: user.apiToken});
|
|
}
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/auth/local/login Login
|
|
* @apiDescription Login a user with email / username and password
|
|
* @apiVersion 3.0.0
|
|
* @apiName UserLoginLocal
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {String} username Body parameter - Username or email of the user
|
|
* @apiParam {String} password Body parameter - The user's password
|
|
*
|
|
* @apiSuccess {String} data._id The user's unique identifier
|
|
* @apiSuccess {String} data.apiToken The user's api token that must be used to authenticate requests.
|
|
*/
|
|
api.loginLocal = {
|
|
method: 'POST',
|
|
url: '/user/auth/local/login',
|
|
middlewares: [],
|
|
async handler (req, res) {
|
|
req.checkBody({
|
|
username: {
|
|
notEmpty: true,
|
|
errorMessage: res.t('missingUsernameEmail'),
|
|
},
|
|
password: {
|
|
notEmpty: true,
|
|
errorMessage: res.t('missingPassword'),
|
|
},
|
|
});
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
req.sanitizeBody('username').trim();
|
|
req.sanitizeBody('password').trim();
|
|
|
|
let login;
|
|
let username = req.body.username;
|
|
|
|
if (validator.isEmail(username)) {
|
|
login = {'auth.local.email': username.toLowerCase()}; // Emails are stored lowercase
|
|
} else {
|
|
login = {'auth.local.username': username};
|
|
}
|
|
|
|
let user = await User.findOne(login, {auth: 1, apiToken: 1}).exec();
|
|
let isValidPassword = user && user.auth.local.hashed_password === passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
|
if (!isValidPassword) throw new NotAuthorized(res.t('invalidLoginCredentialsLong'));
|
|
return _loginRes(user, ...arguments);
|
|
},
|
|
};
|
|
|
|
function _passportFbProfile (accessToken) {
|
|
return new Bluebird((resolve, reject) => {
|
|
passport._strategies.facebook.userProfile(accessToken, (err, profile) => {
|
|
if (err) {
|
|
reject(err);
|
|
} else {
|
|
resolve(profile);
|
|
}
|
|
});
|
|
});
|
|
}
|
|
|
|
// Called as a callback by Facebook (or other social providers). Internal route
|
|
api.loginSocial = {
|
|
method: 'POST',
|
|
url: '/user/auth/social', // this isn't the most appropriate url but must be the same as v2
|
|
async handler (req, res) {
|
|
let accessToken = req.body.authResponse.access_token;
|
|
let network = req.body.network;
|
|
|
|
if (network !== 'facebook') throw new NotAuthorized(res.t('onlyFbSupported'));
|
|
|
|
let profile = await _passportFbProfile(accessToken);
|
|
|
|
let user = await User.findOne({
|
|
[`auth.${network}.id`]: profile.id,
|
|
}, {_id: 1, apiToken: 1, auth: 1}).exec();
|
|
|
|
// User already signed up
|
|
if (user) {
|
|
_loginRes(user, ...arguments);
|
|
} else { // Create new user
|
|
user = new User({
|
|
auth: {
|
|
[network]: profile,
|
|
},
|
|
preferences: {
|
|
language: req.language,
|
|
},
|
|
});
|
|
user.registeredThrough = req.headers['x-client'];
|
|
|
|
let savedUser = await user.save();
|
|
|
|
_loginRes(user, ...arguments);
|
|
|
|
// Clean previous email preferences
|
|
if (savedUser.auth[network].emails && savedUser.auth.facebook.emails[0] && savedUser.auth[network].emails[0].value) {
|
|
EmailUnsubscription
|
|
.remove({email: savedUser.auth[network].emails[0].value.toLowerCase()})
|
|
.exec()
|
|
.then(() => sendTxnEmail(savedUser, 'welcome')); // eslint-disable-line max-nested-callbacks
|
|
}
|
|
|
|
res.analytics.track('register', {
|
|
category: 'acquisition',
|
|
type: network,
|
|
gaLabel: network,
|
|
uuid: savedUser._id,
|
|
});
|
|
|
|
return null;
|
|
}
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-username Update username
|
|
* @apiDescription Update the username of a local user
|
|
* @apiVersion 3.0.0
|
|
* @apiName UpdateUsername
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {string} password Body parameter - The current user password
|
|
* @apiParam {string} username Body parameter - The new username
|
|
|
|
* @apiSuccess {String} data.username The new username
|
|
**/
|
|
api.updateUsername = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-username',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
req.checkBody({
|
|
password: {
|
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
|
},
|
|
username: {
|
|
notEmpty: { errorMessage: res.t('missingUsername') },
|
|
},
|
|
});
|
|
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
if (!user.auth.local.username) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
|
if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
let count = await User.count({ 'auth.local.lowerCaseUsername': req.body.username.toLowerCase() });
|
|
if (count > 0) throw new BadRequest(res.t('usernameTaken'));
|
|
|
|
// save username
|
|
user.auth.local.lowerCaseUsername = req.body.username.toLowerCase();
|
|
user.auth.local.username = req.body.username;
|
|
await user.save();
|
|
|
|
res.respond(200, { username: req.body.username });
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-password
|
|
* @apiDescription Update the password of a local user
|
|
* @apiVersion 3.0.0
|
|
* @apiName UpdatePassword
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {string} password Body parameter - The old password
|
|
* @apiParam {string} newPassword Body parameter - The new password
|
|
* @apiParam {string} confirmPassword Body parameter - New password confirmation
|
|
*
|
|
* @apiSuccess {Object} data An empty object
|
|
**/
|
|
api.updatePassword = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-password',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
if (!user.auth.local.hashed_password) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
let oldPassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
|
if (oldPassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
req.checkBody({
|
|
password: {
|
|
notEmpty: {errorMessage: res.t('missingNewPassword')},
|
|
},
|
|
newPassword: {
|
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
|
},
|
|
});
|
|
|
|
if (req.body.newPassword !== req.body.confirmPassword) throw new NotAuthorized(res.t('passwordConfirmationMatch'));
|
|
|
|
user.auth.local.hashed_password = passwordUtils.encrypt(req.body.newPassword, user.auth.local.salt); // eslint-disable-line camelcase
|
|
await user.save();
|
|
res.respond(200, {});
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/reset-password Reset password
|
|
* @apiDescription Reset the user password
|
|
* @apiVersion 3.0.0
|
|
* @apiName ResetPassword
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {string} email Body parameter - The email address of the user
|
|
*
|
|
* @apiSuccess {string} message The localized success message
|
|
**/
|
|
api.resetPassword = {
|
|
method: 'POST',
|
|
middlewares: [],
|
|
url: '/user/reset-password',
|
|
async handler (req, res) {
|
|
req.checkBody({
|
|
email: {
|
|
notEmpty: {errorMessage: res.t('missingEmail')},
|
|
},
|
|
});
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let email = req.body.email.toLowerCase();
|
|
let salt = passwordUtils.makeSalt();
|
|
let newPassword = passwordUtils.makeSalt(); // use a salt as the new password too (they'll change it later)
|
|
let hashedPassword = passwordUtils.encrypt(newPassword, salt);
|
|
|
|
let user = await User.findOne({ 'auth.local.email': email }, { 'auth.local': 1 });
|
|
|
|
if (user) {
|
|
user.auth.local.salt = salt;
|
|
user.auth.local.hashed_password = hashedPassword; // eslint-disable-line camelcase
|
|
sendEmail({
|
|
from: 'Habitica <admin@habitica.com>',
|
|
to: email,
|
|
subject: res.t('passwordResetEmailSubject'),
|
|
text: res.t('passwordResetEmailText', { username: user.auth.local.username,
|
|
newPassword,
|
|
baseUrl: nconf.get('BASE_URL'),
|
|
}),
|
|
html: res.t('passwordResetEmailHtml', { username: user.auth.local.username,
|
|
newPassword,
|
|
baseUrl: nconf.get('BASE_URL'),
|
|
}),
|
|
});
|
|
await user.save();
|
|
}
|
|
res.respond(200, {}, res.t('passwordReset'));
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-email Update email
|
|
* @apiDescription Change the user email address
|
|
* @apiVersion 3.0.0
|
|
* @apiName UpdateEmail
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam {string} Body parameter - newEmail The new email address.
|
|
* @apiParam {string} Body parameter - password The user password.
|
|
*
|
|
* @apiSuccess {string} data.email The updated email address
|
|
*/
|
|
api.updateEmail = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-email',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
if (!user.auth.local.email) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
req.checkBody('newEmail', res.t('newEmailRequired')).notEmpty().isEmail();
|
|
req.checkBody('password', res.t('missingPassword')).notEmpty();
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let candidatePassword = passwordUtils.encrypt(req.body.password, user.auth.local.salt);
|
|
if (candidatePassword !== user.auth.local.hashed_password) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
user.auth.local.email = req.body.newEmail;
|
|
await user.save();
|
|
|
|
return res.respond(200, { email: user.auth.local.email });
|
|
},
|
|
};
|
|
|
|
const firebaseTokenGenerator = new FirebaseTokenGenerator(nconf.get('FIREBASE:SECRET'));
|
|
|
|
// Internal route
|
|
api.getFirebaseToken = {
|
|
method: 'POST',
|
|
url: '/user/auth/firebase',
|
|
middlewares: [authWithHeaders()],
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
// Expires 24 hours from now (60*60*24*1000) (in milliseconds)
|
|
let expires = new Date();
|
|
expires.setTime(expires.getTime() + 86400000);
|
|
|
|
let token = firebaseTokenGenerator.createToken({
|
|
uid: user._id,
|
|
isHabiticaUser: true,
|
|
}, { expires });
|
|
|
|
res.respond(200, {token, expires});
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {delete} /api/v3/user/auth/social/:network Delete social authentication method
|
|
* @apiDescription Remove a social authentication method (only facebook supported) from a user profile. The user must have local authentication enabled
|
|
* @apiVersion 3.0.0
|
|
* @apiName UserDeleteSocial
|
|
* @apiGroup User
|
|
*
|
|
* @apiSuccess {Object} data Empty object
|
|
*/
|
|
api.deleteSocial = {
|
|
method: 'DELETE',
|
|
url: '/user/auth/social/:network',
|
|
middlewares: [authWithHeaders()],
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
let network = req.params.network;
|
|
|
|
if (network !== 'facebook') throw new NotAuthorized(res.t('onlyFbSupported'));
|
|
if (!user.auth.local.username) throw new NotAuthorized(res.t('cantDetachFb'));
|
|
|
|
await User.update({_id: user._id}, {$unset: {'auth.facebook': 1}}).exec();
|
|
|
|
res.respond(200, {});
|
|
},
|
|
};
|
|
|
|
module.exports = api;
|