writefreely
/
writefreely
дзеркало https://github.com/writefreely/writefreely.git
2
0
Форк 0
Код Проблеми Релізи 25 Вікі Активність
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
1024 Коміти
45 Гілки
305 MiB
 
 
 
 
 
Дерево: 95273697f4
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '95273697f4'
${ noResults }
writefreely/account.go

1194 рядки
32 KiB
Неформатований Звинувачення Історія 

  1. /*

  2.  * Copyright © 2018-2020 A Bunch Tell LLC.

  3.  *

  4.  * This file is part of WriteFreely.

  5.  *

  6.  * WriteFreely is free software: you can redistribute it and/or modify

  7.  * it under the terms of the GNU Affero General Public License, included

  8.  * in the LICENSE file in this source code package.

  9.  */

  10. 

  11. package writefreely

  12. 

  13. import (

  14. 	"encoding/json"

  15. 	"fmt"

  16. 	"html/template"

  17. 	"net/http"

  18. 	"regexp"

  19. 	"strings"

  20. 	"sync"

  21. 	"time"

  22. 

  23. 	"github.com/gorilla/mux"

  24. 	"github.com/gorilla/sessions"

  25. 	"github.com/guregu/null/zero"

  26. 	"github.com/writeas/impart"

  27. 	"github.com/writeas/web-core/auth"

  28. 	"github.com/writeas/web-core/data"

  29. 	"github.com/writeas/web-core/log"

  30. 

  31. 	"github.com/writeas/writefreely/author"

  32. 	"github.com/writeas/writefreely/config"

  33. 	"github.com/writeas/writefreely/page"

  34. )

  35. 

  36. type (

  37. 	userSettings struct {

  38. 		Username string `schema:"username" json:"username"`

  39. 		Email    string `schema:"email" json:"email"`

  40. 		NewPass  string `schema:"new-pass" json:"new_pass"`

  41. 		OldPass  string `schema:"current-pass" json:"current_pass"`

  42. 		IsLogOut bool   `schema:"logout" json:"logout"`

  43. 	}

  44. 

  45. 	UserPage struct {

  46. 		page.StaticPage

  47. 

  48. 		PageTitle string

  49. 		Separator template.HTML

  50. 		IsAdmin   bool

  51. 		CanInvite bool

  52. 	}

  53. )

  54. 

  55. func NewUserPage(app *App, r *http.Request, u *User, title string, flashes []string) *UserPage {

  56. 	up := &UserPage{

  57. 		StaticPage: pageForReq(app, r),

  58. 		PageTitle:  title,

  59. 	}

  60. 	up.Username = u.Username

  61. 	up.Flashes = flashes

  62. 	up.Path = r.URL.Path

  63. 	up.IsAdmin = u.IsAdmin()

  64. 	up.CanInvite = canUserInvite(app.cfg, up.IsAdmin)

  65. 	return up

  66. }

  67. 

  68. func canUserInvite(cfg *config.Config, isAdmin bool) bool {

  69. 	return cfg.App.UserInvites != "" &&

  70. 		(isAdmin || cfg.App.UserInvites != "admin")

  71. }

  72. 

  73. func (up *UserPage) SetMessaging(u *User) {

  74. 	// up.NeedsAuth = app.db.DoesUserNeedAuth(u.ID)

  75. }

  76. 

  77. const (

  78. 	loginAttemptExpiration = 3 * time.Second

  79. )

  80. 

  81. var actuallyUsernameReg = regexp.MustCompile("username is actually ([a-z0-9\\-]+)\\. Please try that, instead")

  82. 

  83. func apiSignup(app *App, w http.ResponseWriter, r *http.Request) error {

  84. 	_, err := signup(app, w, r)

  85. 	return err

  86. }

  87. 

  88. func signup(app *App, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  89. 	if app.cfg.App.DisablePasswordAuth {

  90. 		err := ErrDisabledPasswordAuth

  91. 		return nil, err

  92. 	}

  93. 

  94. 	reqJSON := IsJSON(r)

  95. 

  96. 	// Get params

  97. 	var ur userRegistration

  98. 	if reqJSON {

  99. 		decoder := json.NewDecoder(r.Body)

  100. 		err := decoder.Decode(&ur)

  101. 		if err != nil {

  102. 			log.Error("Couldn't parse signup JSON request: %v\n", err)

  103. 			return nil, ErrBadJSON

  104. 		}

  105. 	} else {

  106. 		// Check if user is already logged in

  107. 		u := getUserSession(app, r)

  108. 		if u != nil {

  109. 			return &AuthUser{User: u}, nil

  110. 		}

  111. 

  112. 		err := r.ParseForm()

  113. 		if err != nil {

  114. 			log.Error("Couldn't parse signup form request: %v\n", err)

  115. 			return nil, ErrBadFormData

  116. 		}

  117. 

  118. 		err = app.formDecoder.Decode(&ur, r.PostForm)

  119. 		if err != nil {

  120. 			log.Error("Couldn't decode signup form request: %v\n", err)

  121. 			return nil, ErrBadFormData

  122. 		}

  123. 	}

  124. 

  125. 	return signupWithRegistration(app, ur, w, r)

  126. }

  127. 

  128. func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  129. 	reqJSON := IsJSON(r)

  130. 

  131. 	// Validate required params (alias)

  132. 	if signup.Alias == "" {

  133. 		return nil, impart.HTTPError{http.StatusBadRequest, "A username is required."}

  134. 	}

  135. 	if signup.Pass == "" {

  136. 		return nil, impart.HTTPError{http.StatusBadRequest, "A password is required."}

  137. 	}

  138. 	var desiredUsername string

  139. 	if signup.Normalize {

  140. 		// With this option we simply conform the username to what we expect

  141. 		// without complaining. Since they might've done something funny, like

  142. 		// enter: write.as/Way Out There, we'll use their raw input for the new

  143. 		// collection name and sanitize for the slug / username.

  144. 		desiredUsername = signup.Alias

  145. 		signup.Alias = getSlug(signup.Alias, "")

  146. 	}

  147. 	if !author.IsValidUsername(app.cfg, signup.Alias) {

  148. 		// Ensure the username is syntactically correct.

  149. 		return nil, impart.HTTPError{http.StatusPreconditionFailed, "Username is reserved or isn't valid. It must be at least 3 characters long, and can only include letters, numbers, and hyphens."}

  150. 	}

  151. 

  152. 	// Handle empty optional params

  153. 	// TODO: remove this var

  154. 	createdWithPass := true

  155. 	hashedPass, err := auth.HashPass([]byte(signup.Pass))

  156. 	if err != nil {

  157. 		return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  158. 	}

  159. 

  160. 	// Create struct to insert

  161. 	u := &User{

  162. 		Username:   signup.Alias,

  163. 		HashedPass: hashedPass,

  164. 		HasPass:    createdWithPass,

  165. 		Email:      prepareUserEmail(signup.Email, app.keys.EmailKey),

  166. 		Created:    time.Now().Truncate(time.Second).UTC(),

  167. 	}

  168. 

  169. 	// Create actual user

  170. 	if err := app.db.CreateUser(app.cfg, u, desiredUsername); err != nil {

  171. 		return nil, err

  172. 	}

  173. 

  174. 	// Log invite if needed

  175. 	if signup.InviteCode != "" {

  176. 		err = app.db.CreateInvitedUser(signup.InviteCode, u.ID)

  177. 		if err != nil {

  178. 			return nil, err

  179. 		}

  180. 	}

  181. 

  182. 	// Add back unencrypted data for response

  183. 	if signup.Email != "" {

  184. 		u.Email.String = signup.Email

  185. 	}

  186. 

  187. 	resUser := &AuthUser{

  188. 		User: u,

  189. 	}

  190. 	if !createdWithPass {

  191. 		resUser.Password = signup.Pass

  192. 	}

  193. 	title := signup.Alias

  194. 	if signup.Normalize {

  195. 		title = desiredUsername

  196. 	}

  197. 	resUser.Collections = &[]Collection{

  198. 		{

  199. 			Alias: signup.Alias,

  200. 			Title: title,

  201. 		},

  202. 	}

  203. 

  204. 	var token string

  205. 	if reqJSON && !signup.Web {

  206. 		token, err = app.db.GetAccessToken(u.ID)

  207. 		if err != nil {

  208. 			return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  209. 		}

  210. 		resUser.AccessToken = token

  211. 	} else {

  212. 		session, err := app.sessionStore.Get(r, cookieName)

  213. 		if err != nil {

  214. 			// The cookie should still save, even if there's an error.

  215. 			// Source: https://github.com/gorilla/sessions/issues/16#issuecomment-143642144

  216. 			log.Error("Session: %v; ignoring", err)

  217. 		}

  218. 		session.Values[cookieUserVal] = resUser.User.Cookie()

  219. 		err = session.Save(r, w)

  220. 		if err != nil {

  221. 			log.Error("Couldn't save session: %v", err)

  222. 			return nil, err

  223. 		}

  224. 	}

  225. 	if reqJSON {

  226. 		return resUser, impart.WriteSuccess(w, resUser, http.StatusCreated)

  227. 	}

  228. 

  229. 	return resUser, nil

  230. }

  231. 

  232. func viewLogout(app *App, w http.ResponseWriter, r *http.Request) error {

  233. 	session, err := app.sessionStore.Get(r, cookieName)

  234. 	if err != nil {

  235. 		return ErrInternalCookieSession

  236. 	}

  237. 

  238. 	// Ensure user has an email or password set before they go, so they don't

  239. 	// lose access to their account.

  240. 	val := session.Values[cookieUserVal]

  241. 	var u = &User{}

  242. 	var ok bool

  243. 	if u, ok = val.(*User); !ok {

  244. 		log.Error("Error casting user object on logout. Vals: %+v Resetting cookie.", session.Values)

  245. 

  246. 		err = session.Save(r, w)

  247. 		if err != nil {

  248. 			log.Error("Couldn't save session on logout: %v", err)

  249. 			return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  250. 		}

  251. 

  252. 		return impart.HTTPError{http.StatusFound, "/"}

  253. 	}

  254. 

  255. 	u, err = app.db.GetUserByID(u.ID)

  256. 	if err != nil && err != ErrUserNotFound {

  257. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to fetch user information."}

  258. 	}

  259. 

  260. 	session.Options.MaxAge = -1

  261. 

  262. 	err = session.Save(r, w)

  263. 	if err != nil {

  264. 		log.Error("Couldn't save session on logout: %v", err)

  265. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  266. 	}

  267. 

  268. 	return impart.HTTPError{http.StatusFound, "/"}

  269. }

  270. 

  271. func handleAPILogout(app *App, w http.ResponseWriter, r *http.Request) error {

  272. 	accessToken := r.Header.Get("Authorization")

  273. 	if accessToken == "" {

  274. 		return ErrNoAccessToken

  275. 	}

  276. 	t := auth.GetToken(accessToken)

  277. 	if len(t) == 0 {

  278. 		return ErrNoAccessToken

  279. 	}

  280. 	err := app.db.DeleteToken(t)

  281. 	if err != nil {

  282. 		return err

  283. 	}

  284. 	return impart.HTTPError{Status: http.StatusNoContent}

  285. }

  286. 

  287. func viewLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  288. 	var earlyError string

  289. 	oneTimeToken := r.FormValue("with")

  290. 	if oneTimeToken != "" {

  291. 		log.Info("Calling login with one-time token.")

  292. 		err := login(app, w, r)

  293. 		if err != nil {

  294. 			log.Info("Received error: %v", err)

  295. 			earlyError = fmt.Sprintf("%s", err)

  296. 		}

  297. 	}

  298. 

  299. 	session, err := app.sessionStore.Get(r, cookieName)

  300. 	if err != nil {

  301. 		// Ignore this

  302. 		log.Error("Unable to get session; ignoring: %v", err)

  303. 	}

  304. 

  305. 	p := &struct {

  306. 		page.StaticPage

  307. 		To                      string

  308. 		Message                 template.HTML

  309. 		Flashes                 []template.HTML

  310. 		LoginUsername           string

  311. 		OauthSlack              bool

  312. 		OauthWriteAs            bool

  313. 		OauthGitlab             bool

  314. 		GitlabDisplayName       string

  315. 		OauthGeneric            bool

  316. 		OauthGenericDisplayName string

  317. 		OauthGitea              bool

  318. 		GiteaDisplayName        string

  319. 	}{

  320. 		pageForReq(app, r),

  321. 		r.FormValue("to"),

  322. 		template.HTML(""),

  323. 		[]template.HTML{},

  324. 		getTempInfo(app, "login-user", r, w),

  325. 		app.Config().SlackOauth.ClientID != "",

  326. 		app.Config().WriteAsOauth.ClientID != "",

  327. 		app.Config().GitlabOauth.ClientID != "",

  328. 		config.OrDefaultString(app.Config().GenericOauth.DisplayName, genericOauthDisplayName),

  329. 		app.Config().GenericOauth.ClientID != "",

  330. 		config.OrDefaultString(app.Config().GitlabOauth.DisplayName, gitlabDisplayName),

  331. 		app.Config().GiteaOauth.ClientID != "",

  332. 		config.OrDefaultString(app.Config().GiteaOauth.DisplayName, giteaDisplayName),

  333. 	}

  334. 

  335. 	if earlyError != "" {

  336. 		p.Flashes = append(p.Flashes, template.HTML(earlyError))

  337. 	}

  338. 

  339. 	// Display any error messages

  340. 	flashes, _ := getSessionFlashes(app, w, r, session)

  341. 	for _, flash := range flashes {

  342. 		p.Flashes = append(p.Flashes, template.HTML(flash))

  343. 	}

  344. 	err = pages["login.tmpl"].ExecuteTemplate(w, "base", p)

  345. 	if err != nil {

  346. 		log.Error("Unable to render login: %v", err)

  347. 		return err

  348. 	}

  349. 	return nil

  350. }

  351. 

  352. func webLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  353. 	err := login(app, w, r)

  354. 	if err != nil {

  355. 		username := r.FormValue("alias")

  356. 		// Login request was unsuccessful; save the error in the session and redirect them

  357. 		if err, ok := err.(impart.HTTPError); ok {

  358. 			session, _ := app.sessionStore.Get(r, cookieName)

  359. 			if session != nil {

  360. 				session.AddFlash(err.Message)

  361. 				session.Save(r, w)

  362. 			}

  363. 

  364. 			if m := actuallyUsernameReg.FindStringSubmatch(err.Message); len(m) > 0 {

  365. 				// Retain fixed username recommendation for the login form

  366. 				username = m[1]

  367. 			}

  368. 		}

  369. 

  370. 		// Pass along certain information

  371. 		saveTempInfo(app, "login-user", username, r, w)

  372. 

  373. 		// Retain post-login URL if one was given

  374. 		redirectTo := "/login"

  375. 		postLoginRedirect := r.FormValue("to")

  376. 		if postLoginRedirect != "" {

  377. 			redirectTo += "?to=" + postLoginRedirect

  378. 		}

  379. 

  380. 		log.Error("Unable to login: %v", err)

  381. 		return impart.HTTPError{http.StatusTemporaryRedirect, redirectTo}

  382. 	}

  383. 

  384. 	return nil

  385. }

  386. 

  387. var loginAttemptUsers = sync.Map{}

  388. 

  389. func login(app *App, w http.ResponseWriter, r *http.Request) error {

  390. 	reqJSON := IsJSON(r)

  391. 	oneTimeToken := r.FormValue("with")

  392. 	verbose := r.FormValue("all") == "true" || r.FormValue("verbose") == "1" || r.FormValue("verbose") == "true" || (reqJSON && oneTimeToken != "")

  393. 

  394. 	redirectTo := r.FormValue("to")

  395. 	if redirectTo == "" {

  396. 		if app.cfg.App.SingleUser {

  397. 			redirectTo = "/me/new"

  398. 		} else {

  399. 			redirectTo = "/"

  400. 		}

  401. 	}

  402. 

  403. 	var u *User

  404. 	var err error

  405. 	var signin userCredentials

  406. 

  407. 	if app.cfg.App.DisablePasswordAuth {

  408. 		err := ErrDisabledPasswordAuth

  409. 		return err

  410. 	}

  411. 

  412. 	// Log in with one-time token if one is given

  413. 	if oneTimeToken != "" {

  414. 		log.Info("Login: Logging user in via token.")

  415. 		userID := app.db.GetUserID(oneTimeToken)

  416. 		if userID == -1 {

  417. 			log.Error("Login: Got user -1 from token")

  418. 			err := ErrBadAccessToken

  419. 			err.Message = "Expired or invalid login code."

  420. 			return err

  421. 		}

  422. 		log.Info("Login: Found user %d.", userID)

  423. 

  424. 		u, err = app.db.GetUserByID(userID)

  425. 		if err != nil {

  426. 			log.Error("Unable to fetch user on one-time token login: %v", err)

  427. 			return impart.HTTPError{http.StatusInternalServerError, "There was an error retrieving the user you want."}

  428. 		}

  429. 		log.Info("Login: Got user via token")

  430. 	} else {

  431. 		// Get params

  432. 		if reqJSON {

  433. 			decoder := json.NewDecoder(r.Body)

  434. 			err := decoder.Decode(&signin)

  435. 			if err != nil {

  436. 				log.Error("Couldn't parse signin JSON request: %v\n", err)

  437. 				return ErrBadJSON

  438. 			}

  439. 		} else {

  440. 			err := r.ParseForm()

  441. 			if err != nil {

  442. 				log.Error("Couldn't parse signin form request: %v\n", err)

  443. 				return ErrBadFormData

  444. 			}

  445. 

  446. 			err = app.formDecoder.Decode(&signin, r.PostForm)

  447. 			if err != nil {

  448. 				log.Error("Couldn't decode signin form request: %v\n", err)

  449. 				return ErrBadFormData

  450. 			}

  451. 		}

  452. 

  453. 		log.Info("Login: Attempting login for '%s'", signin.Alias)

  454. 

  455. 		// Validate required params (all)

  456. 		if signin.Alias == "" {

  457. 			msg := "Parameter `alias` required."

  458. 			if signin.Web {

  459. 				msg = "A username is required."

  460. 			}

  461. 			return impart.HTTPError{http.StatusBadRequest, msg}

  462. 		}

  463. 		if !signin.EmailLogin && signin.Pass == "" {

  464. 			msg := "Parameter `pass` required."

  465. 			if signin.Web {

  466. 				msg = "A password is required."

  467. 			}

  468. 			return impart.HTTPError{http.StatusBadRequest, msg}

  469. 		}

  470. 

  471. 		// Prevent excessive login attempts on the same account

  472. 		// Skip this check in dev environment

  473. 		if !app.cfg.Server.Dev {

  474. 			now := time.Now()

  475. 			attemptExp, att := loginAttemptUsers.LoadOrStore(signin.Alias, now.Add(loginAttemptExpiration))

  476. 			if att {

  477. 				if attemptExpTime, ok := attemptExp.(time.Time); ok {

  478. 					if attemptExpTime.After(now) {

  479. 						// This user attempted previously, and the period hasn't expired yet

  480. 						return impart.HTTPError{http.StatusTooManyRequests, "You're doing that too much."}

  481. 					} else {

  482. 						// This user attempted previously, but the time expired; free up space

  483. 						loginAttemptUsers.Delete(signin.Alias)

  484. 					}

  485. 				} else {

  486. 					log.Error("Unable to cast expiration to time")

  487. 				}

  488. 			}

  489. 		}

  490. 

  491. 		// Retrieve password

  492. 		u, err = app.db.GetUserForAuth(signin.Alias)

  493. 		if err != nil {

  494. 			log.Info("Unable to getUserForAuth on %s: %v", signin.Alias, err)

  495. 			if strings.IndexAny(signin.Alias, "@") > 0 {

  496. 				log.Info("Suggesting: %s", ErrUserNotFoundEmail.Message)

  497. 				return ErrUserNotFoundEmail

  498. 			}

  499. 			return err

  500. 		}

  501. 		// Authenticate

  502. 		if u.Email.String == "" {

  503. 			// User has no email set, so check if they haven't added a password, either,

  504. 			// so we can return a more helpful error message.

  505. 			if hasPass, _ := app.db.IsUserPassSet(u.ID); !hasPass {

  506. 				log.Info("Tried logging in to %s, but no password or email.", signin.Alias)

  507. 				return impart.HTTPError{http.StatusPreconditionFailed, "This user never added a password or email address. Please contact us for help."}

  508. 			}

  509. 		}

  510. 		if len(u.HashedPass) == 0 {

  511. 			return impart.HTTPError{http.StatusUnauthorized, "This user never set a password. Perhaps try logging in via OAuth?"}

  512. 		}

  513. 		if !auth.Authenticated(u.HashedPass, []byte(signin.Pass)) {

  514. 			return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."}

  515. 		}

  516. 	}

  517. 

  518. 	if reqJSON && !signin.Web {

  519. 		var token string

  520. 		if r.Header.Get("User-Agent") == "" {

  521. 			// Get last created token when User-Agent is empty

  522. 			token = app.db.FetchLastAccessToken(u.ID)

  523. 			if token == "" {

  524. 				token, err = app.db.GetAccessToken(u.ID)

  525. 			}

  526. 		} else {

  527. 			token, err = app.db.GetAccessToken(u.ID)

  528. 		}

  529. 		if err != nil {

  530. 			log.Error("Login: Unable to create access token: %v", err)

  531. 			return impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  532. 		}

  533. 		resUser := getVerboseAuthUser(app, token, u, verbose)

  534. 		return impart.WriteSuccess(w, resUser, http.StatusOK)

  535. 	}

  536. 

  537. 	session, err := app.sessionStore.Get(r, cookieName)

  538. 	if err != nil {

  539. 		// The cookie should still save, even if there's an error.

  540. 		log.Error("Login: Session: %v; ignoring", err)

  541. 	}

  542. 

  543. 	// Remove unwanted data

  544. 	session.Values[cookieUserVal] = u.Cookie()

  545. 	err = session.Save(r, w)

  546. 	if err != nil {

  547. 		log.Error("Login: Couldn't save session: %v", err)

  548. 		// TODO: return error

  549. 	}

  550. 

  551. 	// Send success

  552. 	if reqJSON {

  553. 		return impart.WriteSuccess(w, &AuthUser{User: u}, http.StatusOK)

  554. 	}

  555. 	log.Info("Login: Redirecting to %s", redirectTo)

  556. 	w.Header().Set("Location", redirectTo)

  557. 	w.WriteHeader(http.StatusFound)

  558. 	return nil

  559. }

  560. 

  561. func getVerboseAuthUser(app *App, token string, u *User, verbose bool) *AuthUser {

  562. 	resUser := &AuthUser{

  563. 		AccessToken: token,

  564. 		User:        u,

  565. 	}

  566. 

  567. 	// Fetch verbose user data if requested

  568. 	if verbose {

  569. 		posts, err := app.db.GetUserPosts(u)

  570. 		if err != nil {

  571. 			log.Error("Login: Unable to get user posts: %v", err)

  572. 		}

  573. 		colls, err := app.db.GetCollections(u, app.cfg.App.Host)

  574. 		if err != nil {

  575. 			log.Error("Login: Unable to get user collections: %v", err)

  576. 		}

  577. 		passIsSet, err := app.db.IsUserPassSet(u.ID)

  578. 		if err != nil {

  579. 			// TODO: correct error meesage

  580. 			log.Error("Login: Unable to get user collections: %v", err)

  581. 		}

  582. 

  583. 		resUser.Posts = posts

  584. 		resUser.Collections = colls

  585. 		resUser.User.HasPass = passIsSet

  586. 	}

  587. 	return resUser

  588. }

  589. 

  590. func viewExportOptions(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  591. 	// Fetch extra user data

  592. 	p := NewUserPage(app, r, u, "Export", nil)

  593. 

  594. 	showUserPage(w, "export", p)

  595. 	return nil

  596. }

  597. 

  598. func viewExportPosts(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  599. 	var filename string

  600. 	var u = &User{}

  601. 	reqJSON := IsJSON(r)

  602. 	if reqJSON {

  603. 		// Use given Authorization header

  604. 		accessToken := r.Header.Get("Authorization")

  605. 		if accessToken == "" {

  606. 			return nil, filename, ErrNoAccessToken

  607. 		}

  608. 

  609. 		userID := app.db.GetUserID(accessToken)

  610. 		if userID == -1 {

  611. 			return nil, filename, ErrBadAccessToken

  612. 		}

  613. 

  614. 		var err error

  615. 		u, err = app.db.GetUserByID(userID)

  616. 		if err != nil {

  617. 			return nil, filename, impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve requested user."}

  618. 		}

  619. 	} else {

  620. 		// Use user cookie

  621. 		session, err := app.sessionStore.Get(r, cookieName)

  622. 		if err != nil {

  623. 			// The cookie should still save, even if there's an error.

  624. 			log.Error("Session: %v; ignoring", err)

  625. 		}

  626. 

  627. 		val := session.Values[cookieUserVal]

  628. 		var ok bool

  629. 		if u, ok = val.(*User); !ok {

  630. 			return nil, filename, ErrNotLoggedIn

  631. 		}

  632. 	}

  633. 

  634. 	filename = u.Username + "-posts-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  635. 

  636. 	// Fetch data we're exporting

  637. 	var err error

  638. 	var data []byte

  639. 	posts, err := app.db.GetUserPosts(u)

  640. 	if err != nil {

  641. 		return data, filename, err

  642. 	}

  643. 

  644. 	// Export as CSV

  645. 	if strings.HasSuffix(r.URL.Path, ".csv") {

  646. 		data = exportPostsCSV(app.cfg.App.Host, u, posts)

  647. 		return data, filename, err

  648. 	}

  649. 	if strings.HasSuffix(r.URL.Path, ".zip") {

  650. 		data = exportPostsZip(u, posts)

  651. 		return data, filename, err

  652. 	}

  653. 

  654. 	if r.FormValue("pretty") == "1" {

  655. 		data, err = json.MarshalIndent(posts, "", "\t")

  656. 	} else {

  657. 		data, err = json.Marshal(posts)

  658. 	}

  659. 	return data, filename, err

  660. }

  661. 

  662. func viewExportFull(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  663. 	var err error

  664. 	filename := ""

  665. 	u := getUserSession(app, r)

  666. 	if u == nil {

  667. 		return nil, filename, ErrNotLoggedIn

  668. 	}

  669. 	filename = u.Username + "-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  670. 

  671. 	exportUser := compileFullExport(app, u)

  672. 

  673. 	var data []byte

  674. 	if r.FormValue("pretty") == "1" {

  675. 		data, err = json.MarshalIndent(exportUser, "", "\t")

  676. 	} else {

  677. 		data, err = json.Marshal(exportUser)

  678. 	}

  679. 	return data, filename, err

  680. }

  681. 

  682. func viewMeAPI(app *App, w http.ResponseWriter, r *http.Request) error {

  683. 	reqJSON := IsJSON(r)

  684. 	uObj := struct {

  685. 		ID       int64  `json:"id,omitempty"`

  686. 		Username string `json:"username,omitempty"`

  687. 	}{}

  688. 	var err error

  689. 

  690. 	if reqJSON {

  691. 		_, uObj.Username, err = app.db.GetUserDataFromToken(r.Header.Get("Authorization"))

  692. 		if err != nil {

  693. 			return err

  694. 		}

  695. 	} else {

  696. 		u := getUserSession(app, r)

  697. 		if u == nil {

  698. 			return impart.WriteSuccess(w, uObj, http.StatusOK)

  699. 		}

  700. 		uObj.Username = u.Username

  701. 	}

  702. 

  703. 	return impart.WriteSuccess(w, uObj, http.StatusOK)

  704. }

  705. 

  706. func viewMyPostsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  707. 	reqJSON := IsJSON(r)

  708. 	if !reqJSON {

  709. 		return ErrBadRequestedType

  710. 	}

  711. 

  712. 	var err error

  713. 	p := GetPostsCache(u.ID)

  714. 	if p == nil {

  715. 		userPostsCache.Lock()

  716. 		if userPostsCache.users[u.ID].ready == nil {

  717. 			userPostsCache.users[u.ID] = postsCacheItem{ready: make(chan struct{})}

  718. 			userPostsCache.Unlock()

  719. 

  720. 			p, err = app.db.GetUserPosts(u)

  721. 			if err != nil {

  722. 				return err

  723. 			}

  724. 

  725. 			CachePosts(u.ID, p)

  726. 		} else {

  727. 			userPostsCache.Unlock()

  728. 

  729. 			<-userPostsCache.users[u.ID].ready

  730. 			p = GetPostsCache(u.ID)

  731. 		}

  732. 	}

  733. 

  734. 	return impart.WriteSuccess(w, p, http.StatusOK)

  735. }

  736. 

  737. func viewMyCollectionsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  738. 	reqJSON := IsJSON(r)

  739. 	if !reqJSON {

  740. 		return ErrBadRequestedType

  741. 	}

  742. 

  743. 	p, err := app.db.GetCollections(u, app.cfg.App.Host)

  744. 	if err != nil {

  745. 		return err

  746. 	}

  747. 

  748. 	return impart.WriteSuccess(w, p, http.StatusOK)

  749. }

  750. 

  751. func viewArticles(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  752. 	p, err := app.db.GetAnonymousPosts(u)

  753. 	if err != nil {

  754. 		log.Error("unable to fetch anon posts: %v", err)

  755. 	}

  756. 	// nil-out AnonymousPosts slice for easy detection in the template

  757. 	if p != nil && len(*p) == 0 {

  758. 		p = nil

  759. 	}

  760. 

  761. 	f, err := getSessionFlashes(app, w, r, nil)

  762. 	if err != nil {

  763. 		log.Error("unable to fetch flashes: %v", err)

  764. 	}

  765. 

  766. 	c, err := app.db.GetPublishableCollections(u, app.cfg.App.Host)

  767. 	if err != nil {

  768. 		log.Error("unable to fetch collections: %v", err)

  769. 	}

  770. 

  771. 	silenced, err := app.db.IsUserSilenced(u.ID)

  772. 	if err != nil {

  773. 		log.Error("view articles: %v", err)

  774. 	}

  775. 	d := struct {

  776. 		*UserPage

  777. 		AnonymousPosts *[]PublicPost

  778. 		Collections    *[]Collection

  779. 		Silenced       bool

  780. 	}{

  781. 		UserPage:       NewUserPage(app, r, u, u.Username+"'s Posts", f),

  782. 		AnonymousPosts: p,

  783. 		Collections:    c,

  784. 		Silenced:       silenced,

  785. 	}

  786. 	d.UserPage.SetMessaging(u)

  787. 	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")

  788. 	w.Header().Set("Expires", "Thu, 04 Oct 1990 20:00:00 GMT")

  789. 	showUserPage(w, "articles", d)

  790. 

  791. 	return nil

  792. }

  793. 

  794. func viewCollections(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  795. 	c, err := app.db.GetCollections(u, app.cfg.App.Host)

  796. 	if err != nil {

  797. 		log.Error("unable to fetch collections: %v", err)

  798. 		return fmt.Errorf("No collections")

  799. 	}

  800. 

  801. 	f, _ := getSessionFlashes(app, w, r, nil)

  802. 

  803. 	uc, _ := app.db.GetUserCollectionCount(u.ID)

  804. 	// TODO: handle any errors

  805. 

  806. 	silenced, err := app.db.IsUserSilenced(u.ID)

  807. 	if err != nil {

  808. 		log.Error("view collections %v", err)

  809. 		return fmt.Errorf("view collections: %v", err)

  810. 	}

  811. 	d := struct {

  812. 		*UserPage

  813. 		Collections *[]Collection

  814. 

  815. 		UsedCollections, TotalCollections int

  816. 

  817. 		NewBlogsDisabled bool

  818. 		Silenced         bool

  819. 	}{

  820. 		UserPage:         NewUserPage(app, r, u, u.Username+"'s Blogs", f),

  821. 		Collections:      c,

  822. 		UsedCollections:  int(uc),

  823. 		NewBlogsDisabled: !app.cfg.App.CanCreateBlogs(uc),

  824. 		Silenced:         silenced,

  825. 	}

  826. 	d.UserPage.SetMessaging(u)

  827. 	showUserPage(w, "collections", d)

  828. 

  829. 	return nil

  830. }

  831. 

  832. func viewEditCollection(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  833. 	vars := mux.Vars(r)

  834. 	c, err := app.db.GetCollection(vars["collection"])

  835. 	if err != nil {

  836. 		return err

  837. 	}

  838. 	if c.OwnerID != u.ID {

  839. 		return ErrCollectionNotFound

  840. 	}

  841. 

  842. 	silenced, err := app.db.IsUserSilenced(u.ID)

  843. 	if err != nil {

  844. 		log.Error("view edit collection %v", err)

  845. 		return fmt.Errorf("view edit collection: %v", err)

  846. 	}

  847. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  848. 	obj := struct {

  849. 		*UserPage

  850. 		*Collection

  851. 		Silenced bool

  852. 	}{

  853. 		UserPage:   NewUserPage(app, r, u, "Edit "+c.DisplayTitle(), flashes),

  854. 		Collection: c,

  855. 		Silenced:   silenced,

  856. 	}

  857. 

  858. 	showUserPage(w, "collection", obj)

  859. 	return nil

  860. }

  861. 

  862. func updateSettings(app *App, w http.ResponseWriter, r *http.Request) error {

  863. 	reqJSON := IsJSON(r)

  864. 

  865. 	var s userSettings

  866. 	var u *User

  867. 	var sess *sessions.Session

  868. 	var err error

  869. 	if reqJSON {

  870. 		accessToken := r.Header.Get("Authorization")

  871. 		if accessToken == "" {

  872. 			return ErrNoAccessToken

  873. 		}

  874. 

  875. 		u, err = app.db.GetAPIUser(accessToken)

  876. 		if err != nil {

  877. 			return ErrBadAccessToken

  878. 		}

  879. 

  880. 		decoder := json.NewDecoder(r.Body)

  881. 		err := decoder.Decode(&s)

  882. 		if err != nil {

  883. 			log.Error("Couldn't parse settings JSON request: %v\n", err)

  884. 			return ErrBadJSON

  885. 		}

  886. 

  887. 		// Prevent all username updates

  888. 		// TODO: support changing username via JSON API request

  889. 		s.Username = ""

  890. 	} else {

  891. 		u, sess = getUserAndSession(app, r)

  892. 		if u == nil {

  893. 			return ErrNotLoggedIn

  894. 		}

  895. 

  896. 		err := r.ParseForm()

  897. 		if err != nil {

  898. 			log.Error("Couldn't parse settings form request: %v\n", err)

  899. 			return ErrBadFormData

  900. 		}

  901. 

  902. 		err = app.formDecoder.Decode(&s, r.PostForm)

  903. 		if err != nil {

  904. 			log.Error("Couldn't decode settings form request: %v\n", err)

  905. 			return ErrBadFormData

  906. 		}

  907. 	}

  908. 

  909. 	// Do update

  910. 	postUpdateReturn := r.FormValue("return")

  911. 	redirectTo := "/me/settings"

  912. 	if s.IsLogOut {

  913. 		redirectTo += "?logout=1"

  914. 	} else if postUpdateReturn != "" {

  915. 		redirectTo = postUpdateReturn

  916. 	}

  917. 

  918. 	// Only do updates on values we need

  919. 	if s.Username != "" && s.Username == u.Username {

  920. 		// Username hasn't actually changed; blank it out

  921. 		s.Username = ""

  922. 	}

  923. 	err = app.db.ChangeSettings(app, u, &s)

  924. 	if err != nil {

  925. 		if reqJSON {

  926. 			return err

  927. 		}

  928. 

  929. 		if err, ok := err.(impart.HTTPError); ok {

  930. 			addSessionFlash(app, w, r, err.Message, nil)

  931. 		}

  932. 	} else {

  933. 		// Successful update.

  934. 		if reqJSON {

  935. 			return impart.WriteSuccess(w, u, http.StatusOK)

  936. 		}

  937. 

  938. 		if s.IsLogOut {

  939. 			redirectTo = "/me/logout"

  940. 		} else {

  941. 			sess.Values[cookieUserVal] = u.Cookie()

  942. 			addSessionFlash(app, w, r, "Account updated.", nil)

  943. 		}

  944. 	}

  945. 

  946. 	w.Header().Set("Location", redirectTo)

  947. 	w.WriteHeader(http.StatusFound)

  948. 	return nil

  949. }

  950. 

  951. func updatePassphrase(app *App, w http.ResponseWriter, r *http.Request) error {

  952. 	accessToken := r.Header.Get("Authorization")

  953. 	if accessToken == "" {

  954. 		return ErrNoAccessToken

  955. 	}

  956. 

  957. 	curPass := r.FormValue("current")

  958. 	newPass := r.FormValue("new")

  959. 	// Ensure a new password is given (always required)

  960. 	if newPass == "" {

  961. 		return impart.HTTPError{http.StatusBadRequest, "Provide a new password."}

  962. 	}

  963. 

  964. 	userID, sudo := app.db.GetUserIDPrivilege(accessToken)

  965. 	if userID == -1 {

  966. 		return ErrBadAccessToken

  967. 	}

  968. 

  969. 	// Ensure a current password is given if the access token doesn't have sudo

  970. 	// privileges.

  971. 	if !sudo && curPass == "" {

  972. 		return impart.HTTPError{http.StatusBadRequest, "Provide current password."}

  973. 	}

  974. 

  975. 	// Hash the new password

  976. 	hashedPass, err := auth.HashPass([]byte(newPass))

  977. 	if err != nil {

  978. 		return impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  979. 	}

  980. 

  981. 	// Do update

  982. 	err = app.db.ChangePassphrase(userID, sudo, curPass, hashedPass)

  983. 	if err != nil {

  984. 		return err

  985. 	}

  986. 

  987. 	return impart.WriteSuccess(w, struct{}{}, http.StatusOK)

  988. }

  989. 

  990. func viewStats(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  991. 	var c *Collection

  992. 	var err error

  993. 	vars := mux.Vars(r)

  994. 	alias := vars["collection"]

  995. 	if alias != "" {

  996. 		c, err = app.db.GetCollection(alias)

  997. 		if err != nil {

  998. 			return err

  999. 		}

  1000. 		if c.OwnerID != u.ID {

  1001. 			return ErrCollectionNotFound

  1002. 		}

  1003. 	}

  1004. 

  1005. 	topPosts, err := app.db.GetTopPosts(u, alias)

  1006. 	if err != nil {

  1007. 		log.Error("Unable to get top posts: %v", err)

  1008. 		return err

  1009. 	}

  1010. 

  1011. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  1012. 	titleStats := ""

  1013. 	if c != nil {

  1014. 		titleStats = c.DisplayTitle() + " "

  1015. 	}

  1016. 

  1017. 	silenced, err := app.db.IsUserSilenced(u.ID)

  1018. 	if err != nil {

  1019. 		log.Error("view stats: %v", err)

  1020. 		return err

  1021. 	}

  1022. 	obj := struct {

  1023. 		*UserPage

  1024. 		VisitsBlog  string

  1025. 		Collection  *Collection

  1026. 		TopPosts    *[]PublicPost

  1027. 		APFollowers int

  1028. 		Silenced    bool

  1029. 	}{

  1030. 		UserPage:   NewUserPage(app, r, u, titleStats+"Stats", flashes),

  1031. 		VisitsBlog: alias,

  1032. 		Collection: c,

  1033. 		TopPosts:   topPosts,

  1034. 		Silenced:   silenced,

  1035. 	}

  1036. 	if app.cfg.App.Federation {

  1037. 		folls, err := app.db.GetAPFollowers(c)

  1038. 		if err != nil {

  1039. 			return err

  1040. 		}

  1041. 		obj.APFollowers = len(*folls)

  1042. 	}

  1043. 

  1044. 	showUserPage(w, "stats", obj)

  1045. 	return nil

  1046. }

  1047. 

  1048. func viewSettings(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1049. 	fullUser, err := app.db.GetUserByID(u.ID)

  1050. 	if err != nil {

  1051. 		log.Error("Unable to get user for settings: %s", err)

  1052. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1053. 	}

  1054. 

  1055. 	passIsSet, err := app.db.IsUserPassSet(u.ID)

  1056. 	if err != nil {

  1057. 		log.Error("Unable to get isUserPassSet for settings: %s", err)

  1058. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1059. 	}

  1060. 

  1061. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  1062. 

  1063. 	enableOauthSlack := app.Config().SlackOauth.ClientID != ""

  1064. 	enableOauthWriteAs := app.Config().WriteAsOauth.ClientID != ""

  1065. 	enableOauthGitLab := app.Config().GitlabOauth.ClientID != ""

  1066. 	enableOauthGeneric := app.Config().GenericOauth.ClientID != ""

  1067. 	enableOauthGitea := app.Config().GiteaOauth.ClientID != ""

  1068. 

  1069. 	oauthAccounts, err := app.db.GetOauthAccounts(r.Context(), u.ID)

  1070. 	if err != nil {

  1071. 		log.Error("Unable to get oauth accounts for settings: %s", err)

  1072. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1073. 	}

  1074. 	for idx, oauthAccount := range oauthAccounts {

  1075. 		switch oauthAccount.Provider {

  1076. 		case "slack":

  1077. 			enableOauthSlack = false

  1078. 		case "write.as":

  1079. 			enableOauthWriteAs = false

  1080. 		case "gitlab":

  1081. 			enableOauthGitLab = false

  1082. 		case "generic":

  1083. 			oauthAccounts[idx].DisplayName = app.Config().GenericOauth.DisplayName

  1084. 			oauthAccounts[idx].AllowDisconnect = app.Config().GenericOauth.AllowDisconnect

  1085. 			enableOauthGeneric = false

  1086. 		case "gitea":

  1087. 			enableOauthGitea = false

  1088. 		}

  1089. 	}

  1090. 

  1091. 	displayOauthSection := enableOauthSlack || enableOauthWriteAs || enableOauthGitLab || enableOauthGeneric || enableOauthGitea || len(oauthAccounts) > 0

  1092. 

  1093. 	obj := struct {

  1094. 		*UserPage

  1095. 		Email                   string

  1096. 		HasPass                 bool

  1097. 		IsLogOut                bool

  1098. 		Silenced                bool

  1099. 		OauthSection            bool

  1100. 		OauthAccounts           []oauthAccountInfo

  1101. 		OauthSlack              bool

  1102. 		OauthWriteAs            bool

  1103. 		OauthGitLab             bool

  1104. 		GitLabDisplayName       string

  1105. 		OauthGeneric            bool

  1106. 		OauthGenericDisplayName string

  1107. 		OauthGitea              bool

  1108. 		GiteaDisplayName        string

  1109. 	}{

  1110. 		UserPage:                NewUserPage(app, r, u, "Account Settings", flashes),

  1111. 		Email:                   fullUser.EmailClear(app.keys),

  1112. 		HasPass:                 passIsSet,

  1113. 		IsLogOut:                r.FormValue("logout") == "1",

  1114. 		Silenced:                fullUser.IsSilenced(),

  1115. 		OauthSection:            displayOauthSection,

  1116. 		OauthAccounts:           oauthAccounts,

  1117. 		OauthSlack:              enableOauthSlack,

  1118. 		OauthWriteAs:            enableOauthWriteAs,

  1119. 		OauthGitLab:             enableOauthGitLab,

  1120. 		GitLabDisplayName:       config.OrDefaultString(app.Config().GitlabOauth.DisplayName, gitlabDisplayName),

  1121. 		OauthGeneric:            enableOauthGeneric,

  1122. 		OauthGenericDisplayName: config.OrDefaultString(app.Config().GenericOauth.DisplayName, genericOauthDisplayName),

  1123. 		OauthGitea:              enableOauthGitea,

  1124. 		GiteaDisplayName:        config.OrDefaultString(app.Config().GiteaOauth.DisplayName, giteaDisplayName),

  1125. 	}

  1126. 

  1127. 	showUserPage(w, "settings", obj)

  1128. 	return nil

  1129. }

  1130. 

  1131. func saveTempInfo(app *App, key, val string, r *http.Request, w http.ResponseWriter) error {

  1132. 	session, err := app.sessionStore.Get(r, "t")

  1133. 	if err != nil {

  1134. 		return ErrInternalCookieSession

  1135. 	}

  1136. 

  1137. 	session.Values[key] = val

  1138. 	err = session.Save(r, w)

  1139. 	if err != nil {

  1140. 		log.Error("Couldn't saveTempInfo for key-val (%s:%s): %v", key, val, err)

  1141. 	}

  1142. 	return err

  1143. }

  1144. 

  1145. func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) string {

  1146. 	session, err := app.sessionStore.Get(r, "t")

  1147. 	if err != nil {

  1148. 		return ""

  1149. 	}

  1150. 

  1151. 	// Get the information

  1152. 	var s = ""

  1153. 	var ok bool

  1154. 	if s, ok = session.Values[key].(string); !ok {

  1155. 		return ""

  1156. 	}

  1157. 

  1158. 	// Delete cookie

  1159. 	session.Options.MaxAge = -1

  1160. 	err = session.Save(r, w)

  1161. 	if err != nil {

  1162. 		log.Error("Couldn't erase temp data for key %s: %v", key, err)

  1163. 	}

  1164. 

  1165. 	// Return value

  1166. 	return s

  1167. }

  1168. 

  1169. func removeOauth(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1170. 	provider := r.FormValue("provider")

  1171. 	clientID := r.FormValue("client_id")

  1172. 	remoteUserID := r.FormValue("remote_user_id")

  1173. 

  1174. 	err := app.db.RemoveOauth(r.Context(), u.ID, provider, clientID, remoteUserID)

  1175. 	if err != nil {

  1176. 		return impart.HTTPError{Status: http.StatusInternalServerError, Message: err.Error()}

  1177. 	}

  1178. 

  1179. 	return impart.HTTPError{Status: http.StatusFound, Message: "/me/settings"}

  1180. }

  1181. 

  1182. func prepareUserEmail(input string, emailKey []byte) zero.String {

  1183. 	email := zero.NewString("", input != "")

  1184. 	if len(input) > 0 {

  1185. 		encEmail, err := data.Encrypt(emailKey, input)

  1186. 		if err != nil {

  1187. 			log.Error("Unable to encrypt email: %s\n", err)

  1188. 		} else {

  1189. 			email.String = string(encEmail)

  1190. 		}

  1191. 	}

  1192. 	return email

  1193. }