writefreely
/
writefreely
mirror of https://github.com/writefreely/writefreely.git
2
0
Fork 0
Code Issues Releases 25 Wiki Activity
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1030 Commits
45 Branches
107 MiB
 
 
 
 
 
Tree: 4db2cb8986
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4db2cb8986'
${ noResults }
writefreely/account.go

1180 lines
31 KiB
Raw Blame History 

  1. /*

  2.  * Copyright © 2018-2020 A Bunch Tell LLC.

  3.  *

  4.  * This file is part of WriteFreely.

  5.  *

  6.  * WriteFreely is free software: you can redistribute it and/or modify

  7.  * it under the terms of the GNU Affero General Public License, included

  8.  * in the LICENSE file in this source code package.

  9.  */

  10. 

  11. package writefreely

  12. 

  13. import (

  14. 	"encoding/json"

  15. 	"fmt"

  16. 	"html/template"

  17. 	"net/http"

  18. 	"regexp"

  19. 	"strings"

  20. 	"sync"

  21. 	"time"

  22. 

  23. 	"github.com/gorilla/mux"

  24. 	"github.com/gorilla/sessions"

  25. 	"github.com/guregu/null/zero"

  26. 	"github.com/writeas/impart"

  27. 	"github.com/writeas/web-core/auth"

  28. 	"github.com/writeas/web-core/data"

  29. 	"github.com/writeas/web-core/log"

  30. 

  31. 	"github.com/writeas/writefreely/author"

  32. 	"github.com/writeas/writefreely/config"

  33. 	"github.com/writeas/writefreely/page"

  34. )

  35. 

  36. type (

  37. 	userSettings struct {

  38. 		Username string `schema:"username" json:"username"`

  39. 		Email    string `schema:"email" json:"email"`

  40. 		NewPass  string `schema:"new-pass" json:"new_pass"`

  41. 		OldPass  string `schema:"current-pass" json:"current_pass"`

  42. 		IsLogOut bool   `schema:"logout" json:"logout"`

  43. 	}

  44. 

  45. 	UserPage struct {

  46. 		page.StaticPage

  47. 

  48. 		PageTitle string

  49. 		Separator template.HTML

  50. 		IsAdmin   bool

  51. 		CanInvite bool

  52. 	}

  53. )

  54. 

  55. func NewUserPage(app *App, r *http.Request, u *User, title string, flashes []string) *UserPage {

  56. 	up := &UserPage{

  57. 		StaticPage: pageForReq(app, r),

  58. 		PageTitle:  title,

  59. 	}

  60. 	up.Username = u.Username

  61. 	up.Flashes = flashes

  62. 	up.Path = r.URL.Path

  63. 	up.IsAdmin = u.IsAdmin()

  64. 	up.CanInvite = canUserInvite(app.cfg, up.IsAdmin)

  65. 	return up

  66. }

  67. 

  68. func canUserInvite(cfg *config.Config, isAdmin bool) bool {

  69. 	return cfg.App.UserInvites != "" &&

  70. 		(isAdmin || cfg.App.UserInvites != "admin")

  71. }

  72. 

  73. func (up *UserPage) SetMessaging(u *User) {

  74. 	// up.NeedsAuth = app.db.DoesUserNeedAuth(u.ID)

  75. }

  76. 

  77. const (

  78. 	loginAttemptExpiration = 3 * time.Second

  79. )

  80. 

  81. var actuallyUsernameReg = regexp.MustCompile("username is actually ([a-z0-9\\-]+)\\. Please try that, instead")

  82. 

  83. func apiSignup(app *App, w http.ResponseWriter, r *http.Request) error {

  84. 	_, err := signup(app, w, r)

  85. 	return err

  86. }

  87. 

  88. func signup(app *App, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  89. 	if app.cfg.App.DisablePasswordAuth {

  90. 		err := ErrDisabledPasswordAuth

  91. 		return nil, err

  92. 	}

  93. 

  94. 	reqJSON := IsJSON(r)

  95. 

  96. 	// Get params

  97. 	var ur userRegistration

  98. 	if reqJSON {

  99. 		decoder := json.NewDecoder(r.Body)

  100. 		err := decoder.Decode(&ur)

  101. 		if err != nil {

  102. 			log.Error("Couldn't parse signup JSON request: %v\n", err)

  103. 			return nil, ErrBadJSON

  104. 		}

  105. 	} else {

  106. 		// Check if user is already logged in

  107. 		u := getUserSession(app, r)

  108. 		if u != nil {

  109. 			return &AuthUser{User: u}, nil

  110. 		}

  111. 

  112. 		err := r.ParseForm()

  113. 		if err != nil {

  114. 			log.Error("Couldn't parse signup form request: %v\n", err)

  115. 			return nil, ErrBadFormData

  116. 		}

  117. 

  118. 		err = app.formDecoder.Decode(&ur, r.PostForm)

  119. 		if err != nil {

  120. 			log.Error("Couldn't decode signup form request: %v\n", err)

  121. 			return nil, ErrBadFormData

  122. 		}

  123. 	}

  124. 

  125. 	return signupWithRegistration(app, ur, w, r)

  126. }

  127. 

  128. func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  129. 	reqJSON := IsJSON(r)

  130. 

  131. 	// Validate required params (alias)

  132. 	if signup.Alias == "" {

  133. 		return nil, impart.HTTPError{http.StatusBadRequest, "A username is required."}

  134. 	}

  135. 	if signup.Pass == "" {

  136. 		return nil, impart.HTTPError{http.StatusBadRequest, "A password is required."}

  137. 	}

  138. 	var desiredUsername string

  139. 	if signup.Normalize {

  140. 		// With this option we simply conform the username to what we expect

  141. 		// without complaining. Since they might've done something funny, like

  142. 		// enter: write.as/Way Out There, we'll use their raw input for the new

  143. 		// collection name and sanitize for the slug / username.

  144. 		desiredUsername = signup.Alias

  145. 		signup.Alias = getSlug(signup.Alias, "")

  146. 	}

  147. 	if !author.IsValidUsername(app.cfg, signup.Alias) {

  148. 		// Ensure the username is syntactically correct.

  149. 		return nil, impart.HTTPError{http.StatusPreconditionFailed, "Username is reserved or isn't valid. It must be at least 3 characters long, and can only include letters, numbers, and hyphens."}

  150. 	}

  151. 

  152. 	// Handle empty optional params

  153. 	// TODO: remove this var

  154. 	createdWithPass := true

  155. 	hashedPass, err := auth.HashPass([]byte(signup.Pass))

  156. 	if err != nil {

  157. 		return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  158. 	}

  159. 

  160. 	// Create struct to insert

  161. 	u := &User{

  162. 		Username:   signup.Alias,

  163. 		HashedPass: hashedPass,

  164. 		HasPass:    createdWithPass,

  165. 		Email:      prepareUserEmail(signup.Email, app.keys.EmailKey),

  166. 		Created:    time.Now().Truncate(time.Second).UTC(),

  167. 	}

  168. 

  169. 	// Create actual user

  170. 	if err := app.db.CreateUser(app.cfg, u, desiredUsername); err != nil {

  171. 		return nil, err

  172. 	}

  173. 

  174. 	// Log invite if needed

  175. 	if signup.InviteCode != "" {

  176. 		err = app.db.CreateInvitedUser(signup.InviteCode, u.ID)

  177. 		if err != nil {

  178. 			return nil, err

  179. 		}

  180. 	}

  181. 

  182. 	// Add back unencrypted data for response

  183. 	if signup.Email != "" {

  184. 		u.Email.String = signup.Email

  185. 	}

  186. 

  187. 	resUser := &AuthUser{

  188. 		User: u,

  189. 	}

  190. 	if !createdWithPass {

  191. 		resUser.Password = signup.Pass

  192. 	}

  193. 	title := signup.Alias

  194. 	if signup.Normalize {

  195. 		title = desiredUsername

  196. 	}

  197. 	resUser.Collections = &[]Collection{

  198. 		{

  199. 			Alias: signup.Alias,

  200. 			Title: title,

  201. 		},

  202. 	}

  203. 

  204. 	var token string

  205. 	if reqJSON && !signup.Web {

  206. 		token, err = app.db.GetAccessToken(u.ID)

  207. 		if err != nil {

  208. 			return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  209. 		}

  210. 		resUser.AccessToken = token

  211. 	} else {

  212. 		session, err := app.sessionStore.Get(r, cookieName)

  213. 		if err != nil {

  214. 			// The cookie should still save, even if there's an error.

  215. 			// Source: https://github.com/gorilla/sessions/issues/16#issuecomment-143642144

  216. 			log.Error("Session: %v; ignoring", err)

  217. 		}

  218. 		session.Values[cookieUserVal] = resUser.User.Cookie()

  219. 		err = session.Save(r, w)

  220. 		if err != nil {

  221. 			log.Error("Couldn't save session: %v", err)

  222. 			return nil, err

  223. 		}

  224. 	}

  225. 	if reqJSON {

  226. 		return resUser, impart.WriteSuccess(w, resUser, http.StatusCreated)

  227. 	}

  228. 

  229. 	return resUser, nil

  230. }

  231. 

  232. func viewLogout(app *App, w http.ResponseWriter, r *http.Request) error {

  233. 	session, err := app.sessionStore.Get(r, cookieName)

  234. 	if err != nil {

  235. 		return ErrInternalCookieSession

  236. 	}

  237. 

  238. 	// Ensure user has an email or password set before they go, so they don't

  239. 	// lose access to their account.

  240. 	val := session.Values[cookieUserVal]

  241. 	var u = &User{}

  242. 	var ok bool

  243. 	if u, ok = val.(*User); !ok {

  244. 		log.Error("Error casting user object on logout. Vals: %+v Resetting cookie.", session.Values)

  245. 

  246. 		err = session.Save(r, w)

  247. 		if err != nil {

  248. 			log.Error("Couldn't save session on logout: %v", err)

  249. 			return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  250. 		}

  251. 

  252. 		return impart.HTTPError{http.StatusFound, "/"}

  253. 	}

  254. 

  255. 	u, err = app.db.GetUserByID(u.ID)

  256. 	if err != nil && err != ErrUserNotFound {

  257. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to fetch user information."}

  258. 	}

  259. 

  260. 	session.Options.MaxAge = -1

  261. 

  262. 	err = session.Save(r, w)

  263. 	if err != nil {

  264. 		log.Error("Couldn't save session on logout: %v", err)

  265. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  266. 	}

  267. 

  268. 	return impart.HTTPError{http.StatusFound, "/"}

  269. }

  270. 

  271. func handleAPILogout(app *App, w http.ResponseWriter, r *http.Request) error {

  272. 	accessToken := r.Header.Get("Authorization")

  273. 	if accessToken == "" {

  274. 		return ErrNoAccessToken

  275. 	}

  276. 	t := auth.GetToken(accessToken)

  277. 	if len(t) == 0 {

  278. 		return ErrNoAccessToken

  279. 	}

  280. 	err := app.db.DeleteToken(t)

  281. 	if err != nil {

  282. 		return err

  283. 	}

  284. 	return impart.HTTPError{Status: http.StatusNoContent}

  285. }

  286. 

  287. func viewLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  288. 	var earlyError string

  289. 	oneTimeToken := r.FormValue("with")

  290. 	if oneTimeToken != "" {

  291. 		log.Info("Calling login with one-time token.")

  292. 		err := login(app, w, r)

  293. 		if err != nil {

  294. 			log.Info("Received error: %v", err)

  295. 			earlyError = fmt.Sprintf("%s", err)

  296. 		}

  297. 	}

  298. 

  299. 	session, err := app.sessionStore.Get(r, cookieName)

  300. 	if err != nil {

  301. 		// Ignore this

  302. 		log.Error("Unable to get session; ignoring: %v", err)

  303. 	}

  304. 

  305. 	p := &struct {

  306. 		page.StaticPage

  307. 		*OAuthButtons

  308. 		To            string

  309. 		Message       template.HTML

  310. 		Flashes       []template.HTML

  311. 		LoginUsername string

  312. 	}{

  313. 		StaticPage:    pageForReq(app, r),

  314. 		OAuthButtons:  NewOAuthButtons(app.Config()),

  315. 		To:            r.FormValue("to"),

  316. 		Message:       template.HTML(""),

  317. 		Flashes:       []template.HTML{},

  318. 		LoginUsername: getTempInfo(app, "login-user", r, w),

  319. 	}

  320. 

  321. 	if earlyError != "" {

  322. 		p.Flashes = append(p.Flashes, template.HTML(earlyError))

  323. 	}

  324. 

  325. 	// Display any error messages

  326. 	flashes, _ := getSessionFlashes(app, w, r, session)

  327. 	for _, flash := range flashes {

  328. 		p.Flashes = append(p.Flashes, template.HTML(flash))

  329. 	}

  330. 	err = pages["login.tmpl"].ExecuteTemplate(w, "base", p)

  331. 	if err != nil {

  332. 		log.Error("Unable to render login: %v", err)

  333. 		return err

  334. 	}

  335. 	return nil

  336. }

  337. 

  338. func webLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  339. 	err := login(app, w, r)

  340. 	if err != nil {

  341. 		username := r.FormValue("alias")

  342. 		// Login request was unsuccessful; save the error in the session and redirect them

  343. 		if err, ok := err.(impart.HTTPError); ok {

  344. 			session, _ := app.sessionStore.Get(r, cookieName)

  345. 			if session != nil {

  346. 				session.AddFlash(err.Message)

  347. 				session.Save(r, w)

  348. 			}

  349. 

  350. 			if m := actuallyUsernameReg.FindStringSubmatch(err.Message); len(m) > 0 {

  351. 				// Retain fixed username recommendation for the login form

  352. 				username = m[1]

  353. 			}

  354. 		}

  355. 

  356. 		// Pass along certain information

  357. 		saveTempInfo(app, "login-user", username, r, w)

  358. 

  359. 		// Retain post-login URL if one was given

  360. 		redirectTo := "/login"

  361. 		postLoginRedirect := r.FormValue("to")

  362. 		if postLoginRedirect != "" {

  363. 			redirectTo += "?to=" + postLoginRedirect

  364. 		}

  365. 

  366. 		log.Error("Unable to login: %v", err)

  367. 		return impart.HTTPError{http.StatusTemporaryRedirect, redirectTo}

  368. 	}

  369. 

  370. 	return nil

  371. }

  372. 

  373. var loginAttemptUsers = sync.Map{}

  374. 

  375. func login(app *App, w http.ResponseWriter, r *http.Request) error {

  376. 	reqJSON := IsJSON(r)

  377. 	oneTimeToken := r.FormValue("with")

  378. 	verbose := r.FormValue("all") == "true" || r.FormValue("verbose") == "1" || r.FormValue("verbose") == "true" || (reqJSON && oneTimeToken != "")

  379. 

  380. 	redirectTo := r.FormValue("to")

  381. 	if redirectTo == "" {

  382. 		if app.cfg.App.SingleUser {

  383. 			redirectTo = "/me/new"

  384. 		} else {

  385. 			redirectTo = "/"

  386. 		}

  387. 	}

  388. 

  389. 	var u *User

  390. 	var err error

  391. 	var signin userCredentials

  392. 

  393. 	if app.cfg.App.DisablePasswordAuth {

  394. 		err := ErrDisabledPasswordAuth

  395. 		return err

  396. 	}

  397. 

  398. 	// Log in with one-time token if one is given

  399. 	if oneTimeToken != "" {

  400. 		log.Info("Login: Logging user in via token.")

  401. 		userID := app.db.GetUserID(oneTimeToken)

  402. 		if userID == -1 {

  403. 			log.Error("Login: Got user -1 from token")

  404. 			err := ErrBadAccessToken

  405. 			err.Message = "Expired or invalid login code."

  406. 			return err

  407. 		}

  408. 		log.Info("Login: Found user %d.", userID)

  409. 

  410. 		u, err = app.db.GetUserByID(userID)

  411. 		if err != nil {

  412. 			log.Error("Unable to fetch user on one-time token login: %v", err)

  413. 			return impart.HTTPError{http.StatusInternalServerError, "There was an error retrieving the user you want."}

  414. 		}

  415. 		log.Info("Login: Got user via token")

  416. 	} else {

  417. 		// Get params

  418. 		if reqJSON {

  419. 			decoder := json.NewDecoder(r.Body)

  420. 			err := decoder.Decode(&signin)

  421. 			if err != nil {

  422. 				log.Error("Couldn't parse signin JSON request: %v\n", err)

  423. 				return ErrBadJSON

  424. 			}

  425. 		} else {

  426. 			err := r.ParseForm()

  427. 			if err != nil {

  428. 				log.Error("Couldn't parse signin form request: %v\n", err)

  429. 				return ErrBadFormData

  430. 			}

  431. 

  432. 			err = app.formDecoder.Decode(&signin, r.PostForm)

  433. 			if err != nil {

  434. 				log.Error("Couldn't decode signin form request: %v\n", err)

  435. 				return ErrBadFormData

  436. 			}

  437. 		}

  438. 

  439. 		log.Info("Login: Attempting login for '%s'", signin.Alias)

  440. 

  441. 		// Validate required params (all)

  442. 		if signin.Alias == "" {

  443. 			msg := "Parameter `alias` required."

  444. 			if signin.Web {

  445. 				msg = "A username is required."

  446. 			}

  447. 			return impart.HTTPError{http.StatusBadRequest, msg}

  448. 		}

  449. 		if !signin.EmailLogin && signin.Pass == "" {

  450. 			msg := "Parameter `pass` required."

  451. 			if signin.Web {

  452. 				msg = "A password is required."

  453. 			}

  454. 			return impart.HTTPError{http.StatusBadRequest, msg}

  455. 		}

  456. 

  457. 		// Prevent excessive login attempts on the same account

  458. 		// Skip this check in dev environment

  459. 		if !app.cfg.Server.Dev {

  460. 			now := time.Now()

  461. 			attemptExp, att := loginAttemptUsers.LoadOrStore(signin.Alias, now.Add(loginAttemptExpiration))

  462. 			if att {

  463. 				if attemptExpTime, ok := attemptExp.(time.Time); ok {

  464. 					if attemptExpTime.After(now) {

  465. 						// This user attempted previously, and the period hasn't expired yet

  466. 						return impart.HTTPError{http.StatusTooManyRequests, "You're doing that too much."}

  467. 					} else {

  468. 						// This user attempted previously, but the time expired; free up space

  469. 						loginAttemptUsers.Delete(signin.Alias)

  470. 					}

  471. 				} else {

  472. 					log.Error("Unable to cast expiration to time")

  473. 				}

  474. 			}

  475. 		}

  476. 

  477. 		// Retrieve password

  478. 		u, err = app.db.GetUserForAuth(signin.Alias)

  479. 		if err != nil {

  480. 			log.Info("Unable to getUserForAuth on %s: %v", signin.Alias, err)

  481. 			if strings.IndexAny(signin.Alias, "@") > 0 {

  482. 				log.Info("Suggesting: %s", ErrUserNotFoundEmail.Message)

  483. 				return ErrUserNotFoundEmail

  484. 			}

  485. 			return err

  486. 		}

  487. 		// Authenticate

  488. 		if u.Email.String == "" {

  489. 			// User has no email set, so check if they haven't added a password, either,

  490. 			// so we can return a more helpful error message.

  491. 			if hasPass, _ := app.db.IsUserPassSet(u.ID); !hasPass {

  492. 				log.Info("Tried logging in to %s, but no password or email.", signin.Alias)

  493. 				return impart.HTTPError{http.StatusPreconditionFailed, "This user never added a password or email address. Please contact us for help."}

  494. 			}

  495. 		}

  496. 		if len(u.HashedPass) == 0 {

  497. 			return impart.HTTPError{http.StatusUnauthorized, "This user never set a password. Perhaps try logging in via OAuth?"}

  498. 		}

  499. 		if !auth.Authenticated(u.HashedPass, []byte(signin.Pass)) {

  500. 			return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."}

  501. 		}

  502. 	}

  503. 

  504. 	if reqJSON && !signin.Web {

  505. 		var token string

  506. 		if r.Header.Get("User-Agent") == "" {

  507. 			// Get last created token when User-Agent is empty

  508. 			token = app.db.FetchLastAccessToken(u.ID)

  509. 			if token == "" {

  510. 				token, err = app.db.GetAccessToken(u.ID)

  511. 			}

  512. 		} else {

  513. 			token, err = app.db.GetAccessToken(u.ID)

  514. 		}

  515. 		if err != nil {

  516. 			log.Error("Login: Unable to create access token: %v", err)

  517. 			return impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  518. 		}

  519. 		resUser := getVerboseAuthUser(app, token, u, verbose)

  520. 		return impart.WriteSuccess(w, resUser, http.StatusOK)

  521. 	}

  522. 

  523. 	session, err := app.sessionStore.Get(r, cookieName)

  524. 	if err != nil {

  525. 		// The cookie should still save, even if there's an error.

  526. 		log.Error("Login: Session: %v; ignoring", err)

  527. 	}

  528. 

  529. 	// Remove unwanted data

  530. 	session.Values[cookieUserVal] = u.Cookie()

  531. 	err = session.Save(r, w)

  532. 	if err != nil {

  533. 		log.Error("Login: Couldn't save session: %v", err)

  534. 		// TODO: return error

  535. 	}

  536. 

  537. 	// Send success

  538. 	if reqJSON {

  539. 		return impart.WriteSuccess(w, &AuthUser{User: u}, http.StatusOK)

  540. 	}

  541. 	log.Info("Login: Redirecting to %s", redirectTo)

  542. 	w.Header().Set("Location", redirectTo)

  543. 	w.WriteHeader(http.StatusFound)

  544. 	return nil

  545. }

  546. 

  547. func getVerboseAuthUser(app *App, token string, u *User, verbose bool) *AuthUser {

  548. 	resUser := &AuthUser{

  549. 		AccessToken: token,

  550. 		User:        u,

  551. 	}

  552. 

  553. 	// Fetch verbose user data if requested

  554. 	if verbose {

  555. 		posts, err := app.db.GetUserPosts(u)

  556. 		if err != nil {

  557. 			log.Error("Login: Unable to get user posts: %v", err)

  558. 		}

  559. 		colls, err := app.db.GetCollections(u, app.cfg.App.Host)

  560. 		if err != nil {

  561. 			log.Error("Login: Unable to get user collections: %v", err)

  562. 		}

  563. 		passIsSet, err := app.db.IsUserPassSet(u.ID)

  564. 		if err != nil {

  565. 			// TODO: correct error meesage

  566. 			log.Error("Login: Unable to get user collections: %v", err)

  567. 		}

  568. 

  569. 		resUser.Posts = posts

  570. 		resUser.Collections = colls

  571. 		resUser.User.HasPass = passIsSet

  572. 	}

  573. 	return resUser

  574. }

  575. 

  576. func viewExportOptions(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  577. 	// Fetch extra user data

  578. 	p := NewUserPage(app, r, u, "Export", nil)

  579. 

  580. 	showUserPage(w, "export", p)

  581. 	return nil

  582. }

  583. 

  584. func viewExportPosts(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  585. 	var filename string

  586. 	var u = &User{}

  587. 	reqJSON := IsJSON(r)

  588. 	if reqJSON {

  589. 		// Use given Authorization header

  590. 		accessToken := r.Header.Get("Authorization")

  591. 		if accessToken == "" {

  592. 			return nil, filename, ErrNoAccessToken

  593. 		}

  594. 

  595. 		userID := app.db.GetUserID(accessToken)

  596. 		if userID == -1 {

  597. 			return nil, filename, ErrBadAccessToken

  598. 		}

  599. 

  600. 		var err error

  601. 		u, err = app.db.GetUserByID(userID)

  602. 		if err != nil {

  603. 			return nil, filename, impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve requested user."}

  604. 		}

  605. 	} else {

  606. 		// Use user cookie

  607. 		session, err := app.sessionStore.Get(r, cookieName)

  608. 		if err != nil {

  609. 			// The cookie should still save, even if there's an error.

  610. 			log.Error("Session: %v; ignoring", err)

  611. 		}

  612. 

  613. 		val := session.Values[cookieUserVal]

  614. 		var ok bool

  615. 		if u, ok = val.(*User); !ok {

  616. 			return nil, filename, ErrNotLoggedIn

  617. 		}

  618. 	}

  619. 

  620. 	filename = u.Username + "-posts-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  621. 

  622. 	// Fetch data we're exporting

  623. 	var err error

  624. 	var data []byte

  625. 	posts, err := app.db.GetUserPosts(u)

  626. 	if err != nil {

  627. 		return data, filename, err

  628. 	}

  629. 

  630. 	// Export as CSV

  631. 	if strings.HasSuffix(r.URL.Path, ".csv") {

  632. 		data = exportPostsCSV(app.cfg.App.Host, u, posts)

  633. 		return data, filename, err

  634. 	}

  635. 	if strings.HasSuffix(r.URL.Path, ".zip") {

  636. 		data = exportPostsZip(u, posts)

  637. 		return data, filename, err

  638. 	}

  639. 

  640. 	if r.FormValue("pretty") == "1" {

  641. 		data, err = json.MarshalIndent(posts, "", "\t")

  642. 	} else {

  643. 		data, err = json.Marshal(posts)

  644. 	}

  645. 	return data, filename, err

  646. }

  647. 

  648. func viewExportFull(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  649. 	var err error

  650. 	filename := ""

  651. 	u := getUserSession(app, r)

  652. 	if u == nil {

  653. 		return nil, filename, ErrNotLoggedIn

  654. 	}

  655. 	filename = u.Username + "-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  656. 

  657. 	exportUser := compileFullExport(app, u)

  658. 

  659. 	var data []byte

  660. 	if r.FormValue("pretty") == "1" {

  661. 		data, err = json.MarshalIndent(exportUser, "", "\t")

  662. 	} else {

  663. 		data, err = json.Marshal(exportUser)

  664. 	}

  665. 	return data, filename, err

  666. }

  667. 

  668. func viewMeAPI(app *App, w http.ResponseWriter, r *http.Request) error {

  669. 	reqJSON := IsJSON(r)

  670. 	uObj := struct {

  671. 		ID       int64  `json:"id,omitempty"`

  672. 		Username string `json:"username,omitempty"`

  673. 	}{}

  674. 	var err error

  675. 

  676. 	if reqJSON {

  677. 		_, uObj.Username, err = app.db.GetUserDataFromToken(r.Header.Get("Authorization"))

  678. 		if err != nil {

  679. 			return err

  680. 		}

  681. 	} else {

  682. 		u := getUserSession(app, r)

  683. 		if u == nil {

  684. 			return impart.WriteSuccess(w, uObj, http.StatusOK)

  685. 		}

  686. 		uObj.Username = u.Username

  687. 	}

  688. 

  689. 	return impart.WriteSuccess(w, uObj, http.StatusOK)

  690. }

  691. 

  692. func viewMyPostsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  693. 	reqJSON := IsJSON(r)

  694. 	if !reqJSON {

  695. 		return ErrBadRequestedType

  696. 	}

  697. 

  698. 	var err error

  699. 	p := GetPostsCache(u.ID)

  700. 	if p == nil {

  701. 		userPostsCache.Lock()

  702. 		if userPostsCache.users[u.ID].ready == nil {

  703. 			userPostsCache.users[u.ID] = postsCacheItem{ready: make(chan struct{})}

  704. 			userPostsCache.Unlock()

  705. 

  706. 			p, err = app.db.GetUserPosts(u)

  707. 			if err != nil {

  708. 				return err

  709. 			}

  710. 

  711. 			CachePosts(u.ID, p)

  712. 		} else {

  713. 			userPostsCache.Unlock()

  714. 

  715. 			<-userPostsCache.users[u.ID].ready

  716. 			p = GetPostsCache(u.ID)

  717. 		}

  718. 	}

  719. 

  720. 	return impart.WriteSuccess(w, p, http.StatusOK)

  721. }

  722. 

  723. func viewMyCollectionsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  724. 	reqJSON := IsJSON(r)

  725. 	if !reqJSON {

  726. 		return ErrBadRequestedType

  727. 	}

  728. 

  729. 	p, err := app.db.GetCollections(u, app.cfg.App.Host)

  730. 	if err != nil {

  731. 		return err

  732. 	}

  733. 

  734. 	return impart.WriteSuccess(w, p, http.StatusOK)

  735. }

  736. 

  737. func viewArticles(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  738. 	p, err := app.db.GetAnonymousPosts(u)

  739. 	if err != nil {

  740. 		log.Error("unable to fetch anon posts: %v", err)

  741. 	}

  742. 	// nil-out AnonymousPosts slice for easy detection in the template

  743. 	if p != nil && len(*p) == 0 {

  744. 		p = nil

  745. 	}

  746. 

  747. 	f, err := getSessionFlashes(app, w, r, nil)

  748. 	if err != nil {

  749. 		log.Error("unable to fetch flashes: %v", err)

  750. 	}

  751. 

  752. 	c, err := app.db.GetPublishableCollections(u, app.cfg.App.Host)

  753. 	if err != nil {

  754. 		log.Error("unable to fetch collections: %v", err)

  755. 	}

  756. 

  757. 	silenced, err := app.db.IsUserSilenced(u.ID)

  758. 	if err != nil {

  759. 		log.Error("view articles: %v", err)

  760. 	}

  761. 	d := struct {

  762. 		*UserPage

  763. 		AnonymousPosts *[]PublicPost

  764. 		Collections    *[]Collection

  765. 		Silenced       bool

  766. 	}{

  767. 		UserPage:       NewUserPage(app, r, u, u.Username+"'s Posts", f),

  768. 		AnonymousPosts: p,

  769. 		Collections:    c,

  770. 		Silenced:       silenced,

  771. 	}

  772. 	d.UserPage.SetMessaging(u)

  773. 	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")

  774. 	w.Header().Set("Expires", "Thu, 04 Oct 1990 20:00:00 GMT")

  775. 	showUserPage(w, "articles", d)

  776. 

  777. 	return nil

  778. }

  779. 

  780. func viewCollections(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  781. 	c, err := app.db.GetCollections(u, app.cfg.App.Host)

  782. 	if err != nil {

  783. 		log.Error("unable to fetch collections: %v", err)

  784. 		return fmt.Errorf("No collections")

  785. 	}

  786. 

  787. 	f, _ := getSessionFlashes(app, w, r, nil)

  788. 

  789. 	uc, _ := app.db.GetUserCollectionCount(u.ID)

  790. 	// TODO: handle any errors

  791. 

  792. 	silenced, err := app.db.IsUserSilenced(u.ID)

  793. 	if err != nil {

  794. 		log.Error("view collections %v", err)

  795. 		return fmt.Errorf("view collections: %v", err)

  796. 	}

  797. 	d := struct {

  798. 		*UserPage

  799. 		Collections *[]Collection

  800. 

  801. 		UsedCollections, TotalCollections int

  802. 

  803. 		NewBlogsDisabled bool

  804. 		Silenced         bool

  805. 	}{

  806. 		UserPage:         NewUserPage(app, r, u, u.Username+"'s Blogs", f),

  807. 		Collections:      c,

  808. 		UsedCollections:  int(uc),

  809. 		NewBlogsDisabled: !app.cfg.App.CanCreateBlogs(uc),

  810. 		Silenced:         silenced,

  811. 	}

  812. 	d.UserPage.SetMessaging(u)

  813. 	showUserPage(w, "collections", d)

  814. 

  815. 	return nil

  816. }

  817. 

  818. func viewEditCollection(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  819. 	vars := mux.Vars(r)

  820. 	c, err := app.db.GetCollection(vars["collection"])

  821. 	if err != nil {

  822. 		return err

  823. 	}

  824. 	if c.OwnerID != u.ID {

  825. 		return ErrCollectionNotFound

  826. 	}

  827. 

  828. 	silenced, err := app.db.IsUserSilenced(u.ID)

  829. 	if err != nil {

  830. 		log.Error("view edit collection %v", err)

  831. 		return fmt.Errorf("view edit collection: %v", err)

  832. 	}

  833. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  834. 	obj := struct {

  835. 		*UserPage

  836. 		*Collection

  837. 		Silenced bool

  838. 	}{

  839. 		UserPage:   NewUserPage(app, r, u, "Edit "+c.DisplayTitle(), flashes),

  840. 		Collection: c,

  841. 		Silenced:   silenced,

  842. 	}

  843. 

  844. 	showUserPage(w, "collection", obj)

  845. 	return nil

  846. }

  847. 

  848. func updateSettings(app *App, w http.ResponseWriter, r *http.Request) error {

  849. 	reqJSON := IsJSON(r)

  850. 

  851. 	var s userSettings

  852. 	var u *User

  853. 	var sess *sessions.Session

  854. 	var err error

  855. 	if reqJSON {

  856. 		accessToken := r.Header.Get("Authorization")

  857. 		if accessToken == "" {

  858. 			return ErrNoAccessToken

  859. 		}

  860. 

  861. 		u, err = app.db.GetAPIUser(accessToken)

  862. 		if err != nil {

  863. 			return ErrBadAccessToken

  864. 		}

  865. 

  866. 		decoder := json.NewDecoder(r.Body)

  867. 		err := decoder.Decode(&s)

  868. 		if err != nil {

  869. 			log.Error("Couldn't parse settings JSON request: %v\n", err)

  870. 			return ErrBadJSON

  871. 		}

  872. 

  873. 		// Prevent all username updates

  874. 		// TODO: support changing username via JSON API request

  875. 		s.Username = ""

  876. 	} else {

  877. 		u, sess = getUserAndSession(app, r)

  878. 		if u == nil {

  879. 			return ErrNotLoggedIn

  880. 		}

  881. 

  882. 		err := r.ParseForm()

  883. 		if err != nil {

  884. 			log.Error("Couldn't parse settings form request: %v\n", err)

  885. 			return ErrBadFormData

  886. 		}

  887. 

  888. 		err = app.formDecoder.Decode(&s, r.PostForm)

  889. 		if err != nil {

  890. 			log.Error("Couldn't decode settings form request: %v\n", err)

  891. 			return ErrBadFormData

  892. 		}

  893. 	}

  894. 

  895. 	// Do update

  896. 	postUpdateReturn := r.FormValue("return")

  897. 	redirectTo := "/me/settings"

  898. 	if s.IsLogOut {

  899. 		redirectTo += "?logout=1"

  900. 	} else if postUpdateReturn != "" {

  901. 		redirectTo = postUpdateReturn

  902. 	}

  903. 

  904. 	// Only do updates on values we need

  905. 	if s.Username != "" && s.Username == u.Username {

  906. 		// Username hasn't actually changed; blank it out

  907. 		s.Username = ""

  908. 	}

  909. 	err = app.db.ChangeSettings(app, u, &s)

  910. 	if err != nil {

  911. 		if reqJSON {

  912. 			return err

  913. 		}

  914. 

  915. 		if err, ok := err.(impart.HTTPError); ok {

  916. 			addSessionFlash(app, w, r, err.Message, nil)

  917. 		}

  918. 	} else {

  919. 		// Successful update.

  920. 		if reqJSON {

  921. 			return impart.WriteSuccess(w, u, http.StatusOK)

  922. 		}

  923. 

  924. 		if s.IsLogOut {

  925. 			redirectTo = "/me/logout"

  926. 		} else {

  927. 			sess.Values[cookieUserVal] = u.Cookie()

  928. 			addSessionFlash(app, w, r, "Account updated.", nil)

  929. 		}

  930. 	}

  931. 

  932. 	w.Header().Set("Location", redirectTo)

  933. 	w.WriteHeader(http.StatusFound)

  934. 	return nil

  935. }

  936. 

  937. func updatePassphrase(app *App, w http.ResponseWriter, r *http.Request) error {

  938. 	accessToken := r.Header.Get("Authorization")

  939. 	if accessToken == "" {

  940. 		return ErrNoAccessToken

  941. 	}

  942. 

  943. 	curPass := r.FormValue("current")

  944. 	newPass := r.FormValue("new")

  945. 	// Ensure a new password is given (always required)

  946. 	if newPass == "" {

  947. 		return impart.HTTPError{http.StatusBadRequest, "Provide a new password."}

  948. 	}

  949. 

  950. 	userID, sudo := app.db.GetUserIDPrivilege(accessToken)

  951. 	if userID == -1 {

  952. 		return ErrBadAccessToken

  953. 	}

  954. 

  955. 	// Ensure a current password is given if the access token doesn't have sudo

  956. 	// privileges.

  957. 	if !sudo && curPass == "" {

  958. 		return impart.HTTPError{http.StatusBadRequest, "Provide current password."}

  959. 	}

  960. 

  961. 	// Hash the new password

  962. 	hashedPass, err := auth.HashPass([]byte(newPass))

  963. 	if err != nil {

  964. 		return impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  965. 	}

  966. 

  967. 	// Do update

  968. 	err = app.db.ChangePassphrase(userID, sudo, curPass, hashedPass)

  969. 	if err != nil {

  970. 		return err

  971. 	}

  972. 

  973. 	return impart.WriteSuccess(w, struct{}{}, http.StatusOK)

  974. }

  975. 

  976. func viewStats(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  977. 	var c *Collection

  978. 	var err error

  979. 	vars := mux.Vars(r)

  980. 	alias := vars["collection"]

  981. 	if alias != "" {

  982. 		c, err = app.db.GetCollection(alias)

  983. 		if err != nil {

  984. 			return err

  985. 		}

  986. 		if c.OwnerID != u.ID {

  987. 			return ErrCollectionNotFound

  988. 		}

  989. 	}

  990. 

  991. 	topPosts, err := app.db.GetTopPosts(u, alias)

  992. 	if err != nil {

  993. 		log.Error("Unable to get top posts: %v", err)

  994. 		return err

  995. 	}

  996. 

  997. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  998. 	titleStats := ""

  999. 	if c != nil {

  1000. 		titleStats = c.DisplayTitle() + " "

  1001. 	}

  1002. 

  1003. 	silenced, err := app.db.IsUserSilenced(u.ID)

  1004. 	if err != nil {

  1005. 		log.Error("view stats: %v", err)

  1006. 		return err

  1007. 	}

  1008. 	obj := struct {

  1009. 		*UserPage

  1010. 		VisitsBlog  string

  1011. 		Collection  *Collection

  1012. 		TopPosts    *[]PublicPost

  1013. 		APFollowers int

  1014. 		Silenced    bool

  1015. 	}{

  1016. 		UserPage:   NewUserPage(app, r, u, titleStats+"Stats", flashes),

  1017. 		VisitsBlog: alias,

  1018. 		Collection: c,

  1019. 		TopPosts:   topPosts,

  1020. 		Silenced:   silenced,

  1021. 	}

  1022. 	if app.cfg.App.Federation {

  1023. 		folls, err := app.db.GetAPFollowers(c)

  1024. 		if err != nil {

  1025. 			return err

  1026. 		}

  1027. 		obj.APFollowers = len(*folls)

  1028. 	}

  1029. 

  1030. 	showUserPage(w, "stats", obj)

  1031. 	return nil

  1032. }

  1033. 

  1034. func viewSettings(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1035. 	fullUser, err := app.db.GetUserByID(u.ID)

  1036. 	if err != nil {

  1037. 		log.Error("Unable to get user for settings: %s", err)

  1038. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1039. 	}

  1040. 

  1041. 	passIsSet, err := app.db.IsUserPassSet(u.ID)

  1042. 	if err != nil {

  1043. 		log.Error("Unable to get isUserPassSet for settings: %s", err)

  1044. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1045. 	}

  1046. 

  1047. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  1048. 

  1049. 	enableOauthSlack := app.Config().SlackOauth.ClientID != ""

  1050. 	enableOauthWriteAs := app.Config().WriteAsOauth.ClientID != ""

  1051. 	enableOauthGitLab := app.Config().GitlabOauth.ClientID != ""

  1052. 	enableOauthGeneric := app.Config().GenericOauth.ClientID != ""

  1053. 	enableOauthGitea := app.Config().GiteaOauth.ClientID != ""

  1054. 

  1055. 	oauthAccounts, err := app.db.GetOauthAccounts(r.Context(), u.ID)

  1056. 	if err != nil {

  1057. 		log.Error("Unable to get oauth accounts for settings: %s", err)

  1058. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1059. 	}

  1060. 	for idx, oauthAccount := range oauthAccounts {

  1061. 		switch oauthAccount.Provider {

  1062. 		case "slack":

  1063. 			enableOauthSlack = false

  1064. 		case "write.as":

  1065. 			enableOauthWriteAs = false

  1066. 		case "gitlab":

  1067. 			enableOauthGitLab = false

  1068. 		case "generic":

  1069. 			oauthAccounts[idx].DisplayName = app.Config().GenericOauth.DisplayName

  1070. 			oauthAccounts[idx].AllowDisconnect = app.Config().GenericOauth.AllowDisconnect

  1071. 			enableOauthGeneric = false

  1072. 		case "gitea":

  1073. 			enableOauthGitea = false

  1074. 		}

  1075. 	}

  1076. 

  1077. 	displayOauthSection := enableOauthSlack || enableOauthWriteAs || enableOauthGitLab || enableOauthGeneric || enableOauthGitea || len(oauthAccounts) > 0

  1078. 

  1079. 	obj := struct {

  1080. 		*UserPage

  1081. 		Email                   string

  1082. 		HasPass                 bool

  1083. 		IsLogOut                bool

  1084. 		Silenced                bool

  1085. 		OauthSection            bool

  1086. 		OauthAccounts           []oauthAccountInfo

  1087. 		OauthSlack              bool

  1088. 		OauthWriteAs            bool

  1089. 		OauthGitLab             bool

  1090. 		GitLabDisplayName       string

  1091. 		OauthGeneric            bool

  1092. 		OauthGenericDisplayName string

  1093. 		OauthGitea              bool

  1094. 		GiteaDisplayName        string

  1095. 	}{

  1096. 		UserPage:                NewUserPage(app, r, u, "Account Settings", flashes),

  1097. 		Email:                   fullUser.EmailClear(app.keys),

  1098. 		HasPass:                 passIsSet,

  1099. 		IsLogOut:                r.FormValue("logout") == "1",

  1100. 		Silenced:                fullUser.IsSilenced(),

  1101. 		OauthSection:            displayOauthSection,

  1102. 		OauthAccounts:           oauthAccounts,

  1103. 		OauthSlack:              enableOauthSlack,

  1104. 		OauthWriteAs:            enableOauthWriteAs,

  1105. 		OauthGitLab:             enableOauthGitLab,

  1106. 		GitLabDisplayName:       config.OrDefaultString(app.Config().GitlabOauth.DisplayName, gitlabDisplayName),

  1107. 		OauthGeneric:            enableOauthGeneric,

  1108. 		OauthGenericDisplayName: config.OrDefaultString(app.Config().GenericOauth.DisplayName, genericOauthDisplayName),

  1109. 		OauthGitea:              enableOauthGitea,

  1110. 		GiteaDisplayName:        config.OrDefaultString(app.Config().GiteaOauth.DisplayName, giteaDisplayName),

  1111. 	}

  1112. 

  1113. 	showUserPage(w, "settings", obj)

  1114. 	return nil

  1115. }

  1116. 

  1117. func saveTempInfo(app *App, key, val string, r *http.Request, w http.ResponseWriter) error {

  1118. 	session, err := app.sessionStore.Get(r, "t")

  1119. 	if err != nil {

  1120. 		return ErrInternalCookieSession

  1121. 	}

  1122. 

  1123. 	session.Values[key] = val

  1124. 	err = session.Save(r, w)

  1125. 	if err != nil {

  1126. 		log.Error("Couldn't saveTempInfo for key-val (%s:%s): %v", key, val, err)

  1127. 	}

  1128. 	return err

  1129. }

  1130. 

  1131. func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) string {

  1132. 	session, err := app.sessionStore.Get(r, "t")

  1133. 	if err != nil {

  1134. 		return ""

  1135. 	}

  1136. 

  1137. 	// Get the information

  1138. 	var s = ""

  1139. 	var ok bool

  1140. 	if s, ok = session.Values[key].(string); !ok {

  1141. 		return ""

  1142. 	}

  1143. 

  1144. 	// Delete cookie

  1145. 	session.Options.MaxAge = -1

  1146. 	err = session.Save(r, w)

  1147. 	if err != nil {

  1148. 		log.Error("Couldn't erase temp data for key %s: %v", key, err)

  1149. 	}

  1150. 

  1151. 	// Return value

  1152. 	return s

  1153. }

  1154. 

  1155. func removeOauth(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1156. 	provider := r.FormValue("provider")

  1157. 	clientID := r.FormValue("client_id")

  1158. 	remoteUserID := r.FormValue("remote_user_id")

  1159. 

  1160. 	err := app.db.RemoveOauth(r.Context(), u.ID, provider, clientID, remoteUserID)

  1161. 	if err != nil {

  1162. 		return impart.HTTPError{Status: http.StatusInternalServerError, Message: err.Error()}

  1163. 	}

  1164. 

  1165. 	return impart.HTTPError{Status: http.StatusFound, Message: "/me/settings"}

  1166. }

  1167. 

  1168. func prepareUserEmail(input string, emailKey []byte) zero.String {

  1169. 	email := zero.NewString("", input != "")

  1170. 	if len(input) > 0 {

  1171. 		encEmail, err := data.Encrypt(emailKey, input)

  1172. 		if err != nil {

  1173. 			log.Error("Unable to encrypt email: %s\n", err)

  1174. 		} else {

  1175. 			email.String = string(encEmail)

  1176. 		}

  1177. 	}

  1178. 	return email

  1179. }