mirror of
https://github.com/HabitRPG/habitica.git
synced 2025-12-15 13:47:33 +01:00
ebf3b4aa47
* Change update username API call
The call no longer requires a password and also validates the username.
* Implement API call to verify username without setting it
* Improve coding style
* Apply username verification to registration
* Update error messages
* Validate display names.
* Fix API early Stat Point allocation (#10680)
* Refactor hasClass check to common so it can be used in shared & server-side code
* Check that user has selected class before allocating stat points
* chore(event): end Ember Hatching Potions
* chore(analytics): reenable navigation tracking
* update bcrypt
* Point achievement modal links to main site (#10709)
* Animal ears after death (#10691)
* Animal Ears purchasable with Gold if lost in Death
* remove ears from pinned items when set is bought
* standardise css and error handling for gems and coins
* revert accidental new line
* fix client tests
* Reduce margin-bottom of checklist-item from 10px to -3px. (#10684)
* chore(i18n): update locales
* 4.61.1
* feat(content): Subscriber Items and Magic Potions
* chore(sprites): compile
* chore(i18n): update locales
* 4.62.0
* Display notification for users to confirm their username
* fix typo
* WIP(usernames): Changes to address #10694
* WIP(usernames): Further changes for #10694
* fix(usernames): don't show spurious headings
* Change verify username notification to new version
* Improve feedback for invalid usernames
* Allow user to set their username again to confirm it
* Improve validation display for usernames
* Temporarily move display name validation outside of schema
* Improve rendering banner about sleeping in the inn
See #10695
* Display settings in one column
* Position inn banner when window is resized
* Update inn banner handling
* Fix banner offset on initial load
* Fix minor issues.
* Issue: 10660 - Fixed. Changed default to Please Enter A Value (#10718)
* Issue: 10660 - Fixed. Changed default to Please Enter A Value
* Issue: 10660 - Fixed/revision 2 Changed default to Enter A Value
* chore(news): Bailey announcements
* chore(i18n): update locales
* 4.62.1
* adjust wiki link for usernameInfo string
https://github.com/HabitRPG/habitica-private/issues/7#issuecomment-425405425
* raise coverage for tasks api calls (#10029)
* - updates a group task - approval is required
- updates a group task with checklist
* add expect to test the new checklist length
* - moves tasks to a specified position out of length
* remove unused line
* website getter tasks tests
* re-add sanitizeUserChallengeTask
* change config.json.example variable to be a string not a boolean
* fix tests - pick the text / up/down props too
* fix test - remove changes on text/up/down - revert sanitize condition - revert sanitization props
* Change update username API call
The call no longer requires a password and also validates the username.
* feat(content): Subscriber Items and Magic Potions
* Re-add register call
* Fix merge issue
* Fix issue with setting username
* Implement new alert style
* Display username confirmation status in settings
* Add disclaimer to change username field
* validate username in settings
* Allow specific fields to be focused when opening site settings
* Implement requested changes.
* Fix merge issue
* Fix failing tests
* verify username when users register with username and password
* Set ID for change username notification
* Disable submit button if username is invalid
* Improve username confirmation handling
* refactor(settings): address remaining code comments on auth form
* Revert "refactor(settings): address remaining code comments on auth form"
This reverts commit 9b6609ad64.
* Social user username (#10620)
* Refactored private functions to library
* Refactored social login code
* Added username to social registration
* Changed id library
* Added new local auth check
* Fixed export error. Fixed password check error
* fix(settings): password not available on client
* refactor(settings): more sensible placement of methods
* chore(migration): script to hand out procgen usernames
* fix(migration): don't give EVERYONE new names you doofus
* fix(migration): limit data retrieved, be extra careful about updates
* fix(migration): use missing field, not migration tag, for query
* fix(migration): unused var
* fix(usernames): only generate 20 characters
* fix(migration): set lowerCaseUsername
496 lines
16 KiB
JavaScript
496 lines
16 KiB
JavaScript
import validator from 'validator';
|
|
import moment from 'moment';
|
|
import nconf from 'nconf';
|
|
|
|
import {
|
|
authWithHeaders,
|
|
} from '../../middlewares/auth';
|
|
import { model as User } from '../../models/user';
|
|
import common from '../../../common';
|
|
import {
|
|
NotAuthorized,
|
|
BadRequest,
|
|
NotFound,
|
|
} from '../../libs/errors';
|
|
import * as passwordUtils from '../../libs/password';
|
|
import { send as sendEmail } from '../../libs/email';
|
|
import pusher from '../../libs/pusher';
|
|
import { validatePasswordResetCodeAndFindUser, convertToBcrypt} from '../../libs/password';
|
|
import { encrypt } from '../../libs/encryption';
|
|
import {
|
|
loginRes,
|
|
hasBackupAuth,
|
|
hasLocalAuth,
|
|
loginSocial,
|
|
registerLocal,
|
|
} from '../../libs/auth';
|
|
|
|
const BASE_URL = nconf.get('BASE_URL');
|
|
const TECH_ASSISTANCE_EMAIL = nconf.get('EMAILS:TECH_ASSISTANCE_EMAIL');
|
|
|
|
let api = {};
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/auth/local/register Register
|
|
* @apiDescription Register a new user with email, login name, and password or attach local auth to a social user
|
|
* @apiName UserRegisterLocal
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} username Login name of the new user. Must be 1-36 characters, containing only a-z, 0-9, hyphens (-), or underscores (_).
|
|
* @apiParam (Body) {String} email Email address of the new user
|
|
* @apiParam (Body) {String} password Password for the new user
|
|
* @apiParam (Body) {String} confirmPassword Password confirmation
|
|
*
|
|
* @apiSuccess {Object} data The user object, if local auth was just attached to a social user then only user.auth.local
|
|
*/
|
|
api.registerLocal = {
|
|
method: 'POST',
|
|
middlewares: [authWithHeaders({
|
|
optional: true,
|
|
})],
|
|
url: '/user/auth/local/register',
|
|
async handler (req, res) {
|
|
await registerLocal(req, res, { isV3: true });
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/auth/local/login Login
|
|
* @apiDescription Login a user with email / username and password
|
|
* @apiName UserLoginLocal
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} username Username or email of the user
|
|
* @apiParam (Body) {String} password The user's password
|
|
*
|
|
* @apiSuccess {String} data._id The user's unique identifier
|
|
* @apiSuccess {String} data.apiToken The user's api token that must be used to authenticate requests.
|
|
* @apiSuccess {Boolean} data.newUser Returns true if the user was just created (always false for local login).
|
|
*/
|
|
api.loginLocal = {
|
|
method: 'POST',
|
|
url: '/user/auth/local/login',
|
|
middlewares: [],
|
|
async handler (req, res) {
|
|
req.checkBody({
|
|
username: {
|
|
notEmpty: true,
|
|
errorMessage: res.t('missingUsernameEmail'),
|
|
},
|
|
password: {
|
|
notEmpty: true,
|
|
errorMessage: res.t('missingPassword'),
|
|
},
|
|
});
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
req.sanitizeBody('username').trim();
|
|
req.sanitizeBody('password').trim();
|
|
|
|
let login;
|
|
let username = req.body.username;
|
|
let password = req.body.password;
|
|
|
|
if (validator.isEmail(String(username))) {
|
|
login = {'auth.local.email': username.toLowerCase()}; // Emails are stored lowercase
|
|
} else {
|
|
login = {'auth.local.username': username};
|
|
}
|
|
|
|
// load the entire user because we may have to save it to convert the password to bcrypt
|
|
let user = await User.findOne(login).exec();
|
|
|
|
let isValidPassword;
|
|
|
|
if (!user) {
|
|
isValidPassword = false;
|
|
} else {
|
|
isValidPassword = await passwordUtils.compare(user, password);
|
|
}
|
|
|
|
if (!isValidPassword) throw new NotAuthorized(res.t('invalidLoginCredentialsLong'));
|
|
|
|
// convert the hashed password to bcrypt from sha1
|
|
if (user.auth.local.passwordHashMethod === 'sha1') {
|
|
await passwordUtils.convertToBcrypt(user, password);
|
|
await user.save();
|
|
}
|
|
|
|
res.analytics.track('login', {
|
|
category: 'behaviour',
|
|
type: 'local',
|
|
gaLabel: 'local',
|
|
uuid: user._id,
|
|
headers: req.headers,
|
|
});
|
|
|
|
return loginRes(user, ...arguments);
|
|
},
|
|
};
|
|
|
|
// Called as a callback by Facebook (or other social providers). Internal route
|
|
api.loginSocial = {
|
|
method: 'POST',
|
|
middlewares: [authWithHeaders({
|
|
optional: true,
|
|
})],
|
|
url: '/user/auth/social',
|
|
async handler (req, res) {
|
|
return await loginSocial(req, res);
|
|
},
|
|
};
|
|
|
|
/*
|
|
* @apiIgnore Private route
|
|
* @api {post} /api/v3/user/auth/pusher Pusher.com authentication
|
|
* @apiDescription Authentication for Pusher.com private and presence channels
|
|
* @apiName UserAuthPusher
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} socket_id A unique identifier for the specific client connection to Pusher
|
|
* @apiParam (Body) {String} channel_name The name of the channel being subscribed to
|
|
*
|
|
* @apiSuccess {String} auth The authentication token
|
|
*/
|
|
api.pusherAuth = {
|
|
method: 'POST',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/pusher',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
req.checkBody('socket_id').notEmpty();
|
|
req.checkBody('channel_name').notEmpty();
|
|
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let socketId = req.body.socket_id;
|
|
let channelName = req.body.channel_name;
|
|
|
|
// Channel names are in the form of {presence|private}-{group|...}-{resourceId}
|
|
let [channelType, resourceType, ...resourceId] = channelName.split('-');
|
|
|
|
if (['presence'].indexOf(channelType) === -1) { // presence is used only for parties, private for guilds
|
|
throw new BadRequest('Invalid Pusher channel type.');
|
|
}
|
|
|
|
if (resourceType !== 'group') { // only groups are supported
|
|
throw new BadRequest('Invalid Pusher resource type.');
|
|
}
|
|
|
|
resourceId = resourceId.join('-'); // the split at the beginning had split resourceId too
|
|
if (!validator.isUUID(String(resourceId))) {
|
|
throw new BadRequest('Invalid Pusher resource id, must be a UUID.');
|
|
}
|
|
|
|
// Only the user's party is supported for now
|
|
if (user.party._id !== resourceId) {
|
|
throw new NotFound('Resource id must be the user\'s party.');
|
|
}
|
|
|
|
let authResult;
|
|
|
|
// Max 100 members for presence channel - parties only
|
|
if (channelType === 'presence') {
|
|
let presenceData = {
|
|
user_id: user._id, // eslint-disable-line camelcase
|
|
// Max 1KB
|
|
user_info: {}, // eslint-disable-line camelcase
|
|
};
|
|
|
|
authResult = pusher.authenticate(socketId, channelName, presenceData);
|
|
} else {
|
|
authResult = pusher.authenticate(socketId, channelName);
|
|
}
|
|
|
|
// Not using res.respond because Pusher requires a different response format
|
|
res.status(200).json(authResult);
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-username Update username
|
|
* @apiDescription Update the username of a local user
|
|
* @apiName UpdateUsername
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} password The current user password
|
|
* @apiParam (Body) {String} username The new username
|
|
|
|
* @apiSuccess {String} data.username The new username
|
|
**/
|
|
api.updateUsername = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-username',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
req.checkBody({
|
|
password: {
|
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
|
},
|
|
username: {
|
|
notEmpty: {errorMessage: res.t('missingUsername')},
|
|
},
|
|
});
|
|
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
if (!hasLocalAuth(user)) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
let password = req.body.password;
|
|
let isValidPassword = await passwordUtils.compare(user, password);
|
|
if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
let count = await User.count({ 'auth.local.lowerCaseUsername': req.body.username.toLowerCase() });
|
|
if (count > 0) throw new BadRequest(res.t('usernameTaken'));
|
|
|
|
// if password is using old sha1 encryption, change it
|
|
if (user.auth.local.passwordHashMethod === 'sha1') {
|
|
await passwordUtils.convertToBcrypt(user, password); // user is saved a few lines below
|
|
}
|
|
|
|
// save username
|
|
user.auth.local.lowerCaseUsername = req.body.username.toLowerCase();
|
|
user.auth.local.username = req.body.username;
|
|
await user.save();
|
|
|
|
res.respond(200, { username: req.body.username });
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-password
|
|
* @apiDescription Update the password of a local user
|
|
* @apiName UpdatePassword
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} password The old password
|
|
* @apiParam (Body) {String} newPassword The new password
|
|
* @apiParam (Body) {String} confirmPassword New password confirmation
|
|
*
|
|
* @apiSuccess {Object} data An empty object
|
|
**/
|
|
api.updatePassword = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-password',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
if (!user.auth.local.hashed_password) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
req.checkBody({
|
|
password: {
|
|
notEmpty: {errorMessage: res.t('missingPassword')},
|
|
},
|
|
newPassword: {
|
|
notEmpty: {errorMessage: res.t('missingNewPassword')},
|
|
},
|
|
confirmPassword: {
|
|
notEmpty: {errorMessage: res.t('missingNewPassword')},
|
|
},
|
|
});
|
|
|
|
let validationErrors = req.validationErrors();
|
|
|
|
if (validationErrors) {
|
|
throw validationErrors;
|
|
}
|
|
|
|
let oldPassword = req.body.password;
|
|
let isValidPassword = await passwordUtils.compare(user, oldPassword);
|
|
if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
let newPassword = req.body.newPassword;
|
|
if (newPassword !== req.body.confirmPassword) throw new NotAuthorized(res.t('passwordConfirmationMatch'));
|
|
|
|
// set new password and make sure it's using bcrypt for hashing
|
|
await passwordUtils.convertToBcrypt(user, newPassword);
|
|
await user.save();
|
|
|
|
res.respond(200, {});
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/reset-password Reset password
|
|
* @apiDescription Send the user an email to let them reset their password
|
|
* @apiName ResetPassword
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} email The email address of the user
|
|
*
|
|
* @apiSuccess {String} message The localized success message
|
|
**/
|
|
api.resetPassword = {
|
|
method: 'POST',
|
|
middlewares: [],
|
|
url: '/user/reset-password',
|
|
async handler (req, res) {
|
|
req.checkBody({
|
|
email: {
|
|
notEmpty: {errorMessage: res.t('missingEmail')},
|
|
},
|
|
});
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let email = req.body.email.toLowerCase();
|
|
let user = await User.findOne({ 'auth.local.email': email }).exec();
|
|
|
|
if (user) {
|
|
// create an encrypted link to be used to reset the password
|
|
const passwordResetCode = encrypt(JSON.stringify({
|
|
userId: user._id,
|
|
expiresAt: moment().add({ hours: 24 }),
|
|
}));
|
|
let link = `${BASE_URL}/static/user/auth/local/reset-password-set-new-one?code=${passwordResetCode}`;
|
|
|
|
user.auth.local.passwordResetCode = passwordResetCode;
|
|
|
|
sendEmail({
|
|
from: 'Habitica <admin@habitica.com>',
|
|
to: email,
|
|
subject: res.t('passwordResetEmailSubject'),
|
|
text: res.t('passwordResetEmailText', {
|
|
username: user.auth.local.username,
|
|
passwordResetLink: link,
|
|
}),
|
|
html: res.t('passwordResetEmailHtml', {
|
|
username: user.auth.local.username,
|
|
passwordResetLink: link,
|
|
}),
|
|
});
|
|
|
|
await user.save();
|
|
}
|
|
|
|
res.respond(200, {}, res.t('passwordReset'));
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {put} /api/v3/user/auth/update-email Update email
|
|
* @apiDescription Change the user email address
|
|
* @apiName UpdateEmail
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} newEmail The new email address.
|
|
* @apiParam (Body) {String} password The user password.
|
|
*
|
|
* @apiSuccess {String} data.email The updated email address
|
|
*/
|
|
api.updateEmail = {
|
|
method: 'PUT',
|
|
middlewares: [authWithHeaders()],
|
|
url: '/user/auth/update-email',
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
|
|
if (!user.auth.local.email) throw new BadRequest(res.t('userHasNoLocalRegistration'));
|
|
|
|
req.checkBody('newEmail', res.t('newEmailRequired')).notEmpty().isEmail();
|
|
req.checkBody('password', res.t('missingPassword')).notEmpty();
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let emailAlreadyInUse = await User.findOne({
|
|
'auth.local.email': req.body.newEmail.toLowerCase(),
|
|
}).select({_id: 1}).lean().exec();
|
|
|
|
if (emailAlreadyInUse) throw new NotAuthorized(res.t('cannotFulfillReq', { techAssistanceEmail: TECH_ASSISTANCE_EMAIL }));
|
|
|
|
let password = req.body.password;
|
|
let isValidPassword = await passwordUtils.compare(user, password);
|
|
if (!isValidPassword) throw new NotAuthorized(res.t('wrongPassword'));
|
|
|
|
// if password is using old sha1 encryption, change it
|
|
if (user.auth.local.passwordHashMethod === 'sha1') {
|
|
await passwordUtils.convertToBcrypt(user, password);
|
|
}
|
|
|
|
user.auth.local.email = req.body.newEmail.toLowerCase();
|
|
await user.save();
|
|
|
|
return res.respond(200, { email: user.auth.local.email });
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {post} /api/v3/user/auth/reset-password-set-new-one Reser Password Set New one
|
|
* @apiDescription Set a new password for a user that reset theirs. Not meant for public usage.
|
|
* @apiName ResetPasswordSetNewOne
|
|
* @apiGroup User
|
|
*
|
|
* @apiParam (Body) {String} newPassword The new password.
|
|
* @apiParam (Body) {String} confirmPassword Password confirmation.
|
|
*
|
|
* @apiSuccess {String} data An empty object
|
|
* @apiSuccess {String} data Success message
|
|
*/
|
|
api.resetPasswordSetNewOne = {
|
|
method: 'POST',
|
|
url: '/user/auth/reset-password-set-new-one',
|
|
async handler (req, res) {
|
|
let user = await validatePasswordResetCodeAndFindUser(req.body.code);
|
|
let isValidCode = Boolean(user);
|
|
|
|
if (!isValidCode) throw new NotAuthorized(res.t('invalidPasswordResetCode'));
|
|
|
|
req.checkBody('newPassword', res.t('missingNewPassword')).notEmpty();
|
|
req.checkBody('confirmPassword', res.t('missingNewPassword')).notEmpty();
|
|
let validationErrors = req.validationErrors();
|
|
if (validationErrors) throw validationErrors;
|
|
|
|
let newPassword = req.body.newPassword;
|
|
let confirmPassword = req.body.confirmPassword;
|
|
|
|
if (newPassword !== confirmPassword) {
|
|
throw new BadRequest(res.t('passwordConfirmationMatch'));
|
|
}
|
|
|
|
// set new password and make sure it's using bcrypt for hashing
|
|
await convertToBcrypt(user, String(newPassword));
|
|
user.auth.local.passwordResetCode = undefined; // Reset saved password reset code
|
|
await user.save();
|
|
|
|
return res.respond(200, {}, res.t('passwordChangeSuccess'));
|
|
},
|
|
};
|
|
|
|
/**
|
|
* @api {delete} /api/v3/user/auth/social/:network Delete social authentication method
|
|
* @apiDescription Remove a social authentication method (only facebook supported) from a user profile. The user must have local authentication enabled
|
|
* @apiName UserDeleteSocial
|
|
* @apiGroup User
|
|
*
|
|
* @apiSuccess {Object} data Empty object
|
|
*/
|
|
api.deleteSocial = {
|
|
method: 'DELETE',
|
|
url: '/user/auth/social/:network',
|
|
middlewares: [authWithHeaders()],
|
|
async handler (req, res) {
|
|
let user = res.locals.user;
|
|
let network = req.params.network;
|
|
let isSupportedNetwork = common.constants.SUPPORTED_SOCIAL_NETWORKS.find(supportedNetwork => {
|
|
return supportedNetwork.key === network;
|
|
});
|
|
if (!isSupportedNetwork) throw new BadRequest(res.t('unsupportedNetwork'));
|
|
if (!hasBackupAuth(user, network)) throw new NotAuthorized(res.t('cantDetachSocial'));
|
|
let unset = {
|
|
[`auth.${network}`]: 1,
|
|
};
|
|
await User.update({_id: user._id}, {$unset: unset}).exec();
|
|
|
|
res.respond(200, {});
|
|
},
|
|
};
|
|
|
|
module.exports = api;
|