import {
NotAuthorized,
} from '../libs/errors';
import {
model as User,
} from '../models/user';
import nconf from 'nconf';
// Contact address for suspended accounts, read once at module load from the
// EMAILS:COMMUNITY_MANAGER_EMAIL setting. It is a deployment setting, not user
// input, and is interpolated into the accountSuspended message by authWithHeaders.
const COMMUNITY_MANAGER_EMAIL = nconf.get('EMAILS:COMMUNITY_MANAGER_EMAIL');
// Strings won't be translated here because getUserLanguage has not run yet
// Authenticate a request through the x-api-user and x-api-key headers
// If optional is true, don't error on missing authentication
// Middleware factory: authenticate a request through the x-api-user and
// x-api-key headers by looking the (id, token) pair up in the User collection.
//
// optional - when true, a request missing either header is passed through
//            unauthenticated instead of being rejected.
//
// On success the user document is exposed as res.locals.user and the user id
// is written to req.session.userId. Failures (missing headers, no matching
// user, suspended account) are forwarded to next() as NotAuthorized.
export function authWithHeaders (optional = false) {
  return function authWithHeadersHandler (req, res, next) {
    const userId = req.header('x-api-user');
    const apiToken = req.header('x-api-key');
    const hasCredentials = Boolean(userId) && Boolean(apiToken);

    if (!hasCredentials) {
      // Header-less requests are only an error when auth is mandatory
      return optional ? next() : next(new NotAuthorized(res.t('missingAuthHeaders')));
    }

    // Both id and token must match the same document
    const lookup = User.findOne({
      _id: userId,
      apiToken,
    }).exec();

    return lookup
      .then((user) => {
        if (!user) throw new NotAuthorized(res.t('invalidCredentials'));

        if (user.auth.blocked) {
          throw new NotAuthorized(res.t('accountSuspended', {
            communityManagerEmail: COMMUNITY_MANAGER_EMAIL,
            userId: user._id,
          }));
        }

        res.locals.user = user;
        req.session.userId = user._id;

        return next();
      })
      .catch(next);
  };
}
// Authenticate a request through a valid session
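// Middleware: authenticate a request through a valid session (req.session.userId).
//
// A request without a session user may still authenticate with the
// x-api-user / x-api-key headers; that case is delegated to authWithHeaders().
// On success the user document is exposed as res.locals.user. Failures are
// forwarded to next() as NotAuthorized.
export function authWithSession (req, res, next) {
  const userId = req.session.userId;

  // Always allow authentication with headers
  if (!userId) {
    if (!req.header('x-api-user') || !req.header('x-api-key')) {
      return next(new NotAuthorized(res.t('invalidCredentials')));
    }
    return authWithHeaders()(req, res, next);
  }

  return User.findOne({
    _id: userId,
  })
  .exec()
  .then((user) => {
    if (!user) throw new NotAuthorized(res.t('invalidCredentials'));

    // A session created before the account was suspended must not keep
    // working: apply the same suspension check the header path applies.
    if (user.auth.blocked) {
      throw new NotAuthorized(res.t('accountSuspended', {
        communityManagerEmail: COMMUNITY_MANAGER_EMAIL,
        userId: user._id,
      }));
    }

    res.locals.user = user;
    return next();
  })
  .catch(next);
}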
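// Middleware: authenticate a request through the `_id` and `apiToken`
// query-string parameters.
//
// A request lacking either parameter may still authenticate with the
// x-api-user / x-api-key headers; that case is delegated to authWithHeaders().
// On success the user document is exposed as res.locals.user. Failures are
// forwarded to next() as NotAuthorized.
export function authWithUrl (req, res, next) {
  const userId = req.query._id;
  const apiToken = req.query.apiToken;

  // Query-string values are untrusted and, depending on the query parser, may
  // arrive as arrays or objects (e.g. `?apiToken[$ne]=x`), which would reach
  // the Mongo query below as an operator rather than a literal value. Only
  // non-empty plain strings count as credentials.
  const isCredential = (value) => typeof value === 'string' && value.length > 0;

  // Always allow authentication with headers
  if (!isCredential(userId) || !isCredential(apiToken)) {
    if (!req.header('x-api-user') || !req.header('x-api-key')) {
      return next(new NotAuthorized(res.t('missingAuthParams')));
    }
    return authWithHeaders()(req, res, next);
  }

  return User.findOne({ _id: userId, apiToken }).exec()
  .then((user) => {
    if (!user) throw new NotAuthorized(res.t('invalidCredentials'));

    // Same suspension check as the header path, so a suspended account
    // cannot keep authenticating through URL parameters.
    if (user.auth.blocked) {
      throw new NotAuthorized(res.t('accountSuspended', {
        communityManagerEmail: COMMUNITY_MANAGER_EMAIL,
        userId: user._id,
      }));
    }

    res.locals.user = user;
    return next();
  })
  .catch(next);
}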