mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-14 21:27:23 +01:00
113 lines
3.5 KiB
JavaScript
113 lines
3.5 KiB
JavaScript
import nconf from 'nconf';
|
|
import url from 'url';
|
|
import {
|
|
NotAuthorized,
|
|
} from '../libs/errors';
|
|
import {
|
|
model as User,
|
|
} from '../models/user';
|
|
import gcpStackdriverTracer from '../libs/gcpTraceAgent';
|
|
|
|
const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS_COMMUNITY_MANAGER_EMAIL');
|
|
const USER_FIELDS_ALWAYS_LOADED = ['_id', 'notifications', 'preferences', 'auth', 'flags'];
|
|
|
|
function getUserFields (options, req) {
|
|
// A list of user fields that aren't needed for the route and are not loaded from the db.
|
|
// Must be an array
|
|
if (options.userFieldsToExclude) {
|
|
return options.userFieldsToExclude
|
|
.filter(field => !USER_FIELDS_ALWAYS_LOADED
|
|
.find(fieldToInclude => field.startsWith(fieldToInclude)))
|
|
.map(field => `-${field}`) // -${field} means exclude ${field} in mongodb
|
|
.join(' ');
|
|
}
|
|
|
|
if (options.userFieldsToInclude) {
|
|
return options.userFieldsToInclude.concat(USER_FIELDS_ALWAYS_LOADED).join(' ');
|
|
}
|
|
|
|
// Allows GET requests to /user to specify a list
|
|
// of user fields to return instead of the entire doc
|
|
const urlPath = url.parse(req.url).pathname;
|
|
const { userFields } = req.query;
|
|
if (!userFields || urlPath !== '/user') return '';
|
|
|
|
const userFieldOptions = userFields.split(',');
|
|
if (userFieldOptions.length === 0) return '';
|
|
|
|
return userFieldOptions.concat(USER_FIELDS_ALWAYS_LOADED).join(' ');
|
|
}
|
|
|
|
// Make sure stackdriver traces are storing the user id
|
|
function stackdriverTraceUserId (userId) {
|
|
if (gcpStackdriverTracer) {
|
|
gcpStackdriverTracer.getCurrentRootSpan().addLabel('userId', userId);
|
|
}
|
|
}
|
|
|
|
// Strins won't be translated here because getUserLanguage has not run yet
|
|
|
|
// Authenticate a request through the x-api-user and x-api key header
|
|
// If optional is true, don't error on missing authentication
|
|
export function authWithHeaders (options = {}) {
|
|
return function authWithHeadersHandler (req, res, next) {
|
|
const userId = req.header('x-api-user');
|
|
const apiToken = req.header('x-api-key');
|
|
const optional = options.optional || false;
|
|
|
|
if (!userId || !apiToken) {
|
|
if (optional) return next();
|
|
return next(new NotAuthorized(res.t('missingAuthHeaders')));
|
|
}
|
|
|
|
const userQuery = {
|
|
_id: userId,
|
|
apiToken,
|
|
};
|
|
|
|
const fields = getUserFields(options, req);
|
|
const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery);
|
|
|
|
return findPromise
|
|
.exec()
|
|
.then(user => {
|
|
if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
|
|
if (user.auth.blocked) throw new NotAuthorized(res.t('accountSuspended', { communityManagerEmail: COMMUNITY_MANAGER_EMAIL, userId: user._id }));
|
|
|
|
res.locals.user = user;
|
|
req.session.userId = user._id;
|
|
stackdriverTraceUserId(user._id);
|
|
user.auth.timestamps.updated = new Date();
|
|
return next();
|
|
})
|
|
.catch(next);
|
|
};
|
|
}
|
|
|
|
// Authenticate a request through a valid session
|
|
export function authWithSession (req, res, next) {
|
|
const { userId } = req.session;
|
|
|
|
// Always allow authentication with headers
|
|
if (!userId) {
|
|
if (!req.header('x-api-user') || !req.header('x-api-key')) {
|
|
return next(new NotAuthorized(res.t('invalidCredentials')));
|
|
}
|
|
return authWithHeaders()(req, res, next);
|
|
}
|
|
|
|
return User.findOne({
|
|
_id: userId,
|
|
})
|
|
.exec()
|
|
.then(user => {
|
|
if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
|
|
|
|
res.locals.user = user;
|
|
stackdriverTraceUserId(user._id);
|
|
user.auth.timestamps.updated = new Date();
|
|
return next();
|
|
})
|
|
.catch(next);
|
|
}
|