writefreely
/
writefreely
mirror of https://github.com/writefreely/writefreely.git
2
0
Fork 0
Code Issues Releases 25 Wiki Activity
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
937 Commits
45 Branches
297 MiB
 
 
 
 
 
Tree: f6aa99e591
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f6aa99e591'
${ noResults }
writefreely/account.go

1183 lines
31 KiB
Raw Blame History 

  1. /*

  2.  * Copyright © 2018-2020 A Bunch Tell LLC.

  3.  *

  4.  * This file is part of WriteFreely.

  5.  *

  6.  * WriteFreely is free software: you can redistribute it and/or modify

  7.  * it under the terms of the GNU Affero General Public License, included

  8.  * in the LICENSE file in this source code package.

  9.  */

  10. 

  11. package writefreely

  12. 

  13. import (

  14. 	"encoding/json"

  15. 	"fmt"

  16. 	"html/template"

  17. 	"net/http"

  18. 	"regexp"

  19. 	"strings"

  20. 	"sync"

  21. 	"time"

  22. 

  23. 	"github.com/gorilla/mux"

  24. 	"github.com/gorilla/sessions"

  25. 	"github.com/guregu/null/zero"

  26. 	"github.com/writeas/impart"

  27. 	"github.com/writeas/web-core/auth"

  28. 	"github.com/writeas/web-core/data"

  29. 	"github.com/writeas/web-core/log"

  30. 

  31. 	"github.com/writeas/writefreely/author"

  32. 	"github.com/writeas/writefreely/config"

  33. 	"github.com/writeas/writefreely/page"

  34. )

  35. 

  36. type (

  37. 	userSettings struct {

  38. 		Username string `schema:"username" json:"username"`

  39. 		Email    string `schema:"email" json:"email"`

  40. 		NewPass  string `schema:"new-pass" json:"new_pass"`

  41. 		OldPass  string `schema:"current-pass" json:"current_pass"`

  42. 		IsLogOut bool   `schema:"logout" json:"logout"`

  43. 	}

  44. 

  45. 	UserPage struct {

  46. 		page.StaticPage

  47. 

  48. 		PageTitle string

  49. 		Separator template.HTML

  50. 		IsAdmin   bool

  51. 		CanInvite bool

  52. 	}

  53. )

  54. 

  55. func NewUserPage(app *App, r *http.Request, u *User, title string, flashes []string) *UserPage {

  56. 	up := &UserPage{

  57. 		StaticPage: pageForReq(app, r),

  58. 		PageTitle:  title,

  59. 	}

  60. 	up.Username = u.Username

  61. 	up.Flashes = flashes

  62. 	up.Path = r.URL.Path

  63. 	up.IsAdmin = u.IsAdmin()

  64. 	up.CanInvite = canUserInvite(app.cfg, up.IsAdmin)

  65. 	return up

  66. }

  67. 

  68. func canUserInvite(cfg *config.Config, isAdmin bool) bool {

  69. 	return cfg.App.UserInvites != "" &&

  70. 		(isAdmin || cfg.App.UserInvites != "admin")

  71. }

  72. 

  73. func (up *UserPage) SetMessaging(u *User) {

  74. 	// up.NeedsAuth = app.db.DoesUserNeedAuth(u.ID)

  75. }

  76. 

  77. const (

  78. 	loginAttemptExpiration = 3 * time.Second

  79. )

  80. 

  81. var actuallyUsernameReg = regexp.MustCompile("username is actually ([a-z0-9\\-]+)\\. Please try that, instead")

  82. 

  83. func apiSignup(app *App, w http.ResponseWriter, r *http.Request) error {

  84. 	_, err := signup(app, w, r)

  85. 	return err

  86. }

  87. 

  88. func signup(app *App, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  89. 	if app.cfg.App.DisablePasswordAuth {

  90. 		err := ErrDisabledPasswordAuth

  91. 		return nil, err

  92. 	}

  93. 

  94. 	reqJSON := IsJSON(r)

  95. 

  96. 	// Get params

  97. 	var ur userRegistration

  98. 	if reqJSON {

  99. 		decoder := json.NewDecoder(r.Body)

  100. 		err := decoder.Decode(&ur)

  101. 		if err != nil {

  102. 			log.Error("Couldn't parse signup JSON request: %v\n", err)

  103. 			return nil, ErrBadJSON

  104. 		}

  105. 	} else {

  106. 		// Check if user is already logged in

  107. 		u := getUserSession(app, r)

  108. 		if u != nil {

  109. 			return &AuthUser{User: u}, nil

  110. 		}

  111. 

  112. 		err := r.ParseForm()

  113. 		if err != nil {

  114. 			log.Error("Couldn't parse signup form request: %v\n", err)

  115. 			return nil, ErrBadFormData

  116. 		}

  117. 

  118. 		err = app.formDecoder.Decode(&ur, r.PostForm)

  119. 		if err != nil {

  120. 			log.Error("Couldn't decode signup form request: %v\n", err)

  121. 			return nil, ErrBadFormData

  122. 		}

  123. 	}

  124. 

  125. 	return signupWithRegistration(app, ur, w, r)

  126. }

  127. 

  128. func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWriter, r *http.Request) (*AuthUser, error) {

  129. 	reqJSON := IsJSON(r)

  130. 

  131. 	// Validate required params (alias)

  132. 	if signup.Alias == "" {

  133. 		return nil, impart.HTTPError{http.StatusBadRequest, "A username is required."}

  134. 	}

  135. 	if signup.Pass == "" {

  136. 		return nil, impart.HTTPError{http.StatusBadRequest, "A password is required."}

  137. 	}

  138. 	var desiredUsername string

  139. 	if signup.Normalize {

  140. 		// With this option we simply conform the username to what we expect

  141. 		// without complaining. Since they might've done something funny, like

  142. 		// enter: write.as/Way Out There, we'll use their raw input for the new

  143. 		// collection name and sanitize for the slug / username.

  144. 		desiredUsername = signup.Alias

  145. 		signup.Alias = getSlug(signup.Alias, "")

  146. 	}

  147. 	if !author.IsValidUsername(app.cfg, signup.Alias) {

  148. 		// Ensure the username is syntactically correct.

  149. 		return nil, impart.HTTPError{http.StatusPreconditionFailed, "Username is reserved or isn't valid. It must be at least 3 characters long, and can only include letters, numbers, and hyphens."}

  150. 	}

  151. 

  152. 	// Handle empty optional params

  153. 	// TODO: remove this var

  154. 	createdWithPass := true

  155. 	hashedPass, err := auth.HashPass([]byte(signup.Pass))

  156. 	if err != nil {

  157. 		return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  158. 	}

  159. 

  160. 	// Create struct to insert

  161. 	u := &User{

  162. 		Username:   signup.Alias,

  163. 		HashedPass: hashedPass,

  164. 		HasPass:    createdWithPass,

  165. 		Email:      prepareUserEmail(signup.Email, app.keys.EmailKey),

  166. 		Created:    time.Now().Truncate(time.Second).UTC(),

  167. 	}

  168. 

  169. 	// Create actual user

  170. 	if err := app.db.CreateUser(app.cfg, u, desiredUsername); err != nil {

  171. 		return nil, err

  172. 	}

  173. 

  174. 	// Log invite if needed

  175. 	if signup.InviteCode != "" {

  176. 		err = app.db.CreateInvitedUser(signup.InviteCode, u.ID)

  177. 		if err != nil {

  178. 			return nil, err

  179. 		}

  180. 	}

  181. 

  182. 	// Add back unencrypted data for response

  183. 	if signup.Email != "" {

  184. 		u.Email.String = signup.Email

  185. 	}

  186. 

  187. 	resUser := &AuthUser{

  188. 		User: u,

  189. 	}

  190. 	if !createdWithPass {

  191. 		resUser.Password = signup.Pass

  192. 	}

  193. 	title := signup.Alias

  194. 	if signup.Normalize {

  195. 		title = desiredUsername

  196. 	}

  197. 	resUser.Collections = &[]Collection{

  198. 		{

  199. 			Alias: signup.Alias,

  200. 			Title: title,

  201. 		},

  202. 	}

  203. 

  204. 	var token string

  205. 	if reqJSON && !signup.Web {

  206. 		token, err = app.db.GetAccessToken(u.ID)

  207. 		if err != nil {

  208. 			return nil, impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  209. 		}

  210. 		resUser.AccessToken = token

  211. 	} else {

  212. 		session, err := app.sessionStore.Get(r, cookieName)

  213. 		if err != nil {

  214. 			// The cookie should still save, even if there's an error.

  215. 			// Source: https://github.com/gorilla/sessions/issues/16#issuecomment-143642144

  216. 			log.Error("Session: %v; ignoring", err)

  217. 		}

  218. 		session.Values[cookieUserVal] = resUser.User.Cookie()

  219. 		err = session.Save(r, w)

  220. 		if err != nil {

  221. 			log.Error("Couldn't save session: %v", err)

  222. 			return nil, err

  223. 		}

  224. 	}

  225. 	if reqJSON {

  226. 		return resUser, impart.WriteSuccess(w, resUser, http.StatusCreated)

  227. 	}

  228. 

  229. 	return resUser, nil

  230. }

  231. 

  232. func viewLogout(app *App, w http.ResponseWriter, r *http.Request) error {

  233. 	session, err := app.sessionStore.Get(r, cookieName)

  234. 	if err != nil {

  235. 		return ErrInternalCookieSession

  236. 	}

  237. 

  238. 	// Ensure user has an email or password set before they go, so they don't

  239. 	// lose access to their account.

  240. 	val := session.Values[cookieUserVal]

  241. 	var u = &User{}

  242. 	var ok bool

  243. 	if u, ok = val.(*User); !ok {

  244. 		log.Error("Error casting user object on logout. Vals: %+v Resetting cookie.", session.Values)

  245. 

  246. 		err = session.Save(r, w)

  247. 		if err != nil {

  248. 			log.Error("Couldn't save session on logout: %v", err)

  249. 			return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  250. 		}

  251. 

  252. 		return impart.HTTPError{http.StatusFound, "/"}

  253. 	}

  254. 

  255. 	u, err = app.db.GetUserByID(u.ID)

  256. 	if err != nil && err != ErrUserNotFound {

  257. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to fetch user information."}

  258. 	}

  259. 

  260. 	session.Options.MaxAge = -1

  261. 

  262. 	err = session.Save(r, w)

  263. 	if err != nil {

  264. 		log.Error("Couldn't save session on logout: %v", err)

  265. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to save cookie session."}

  266. 	}

  267. 

  268. 	return impart.HTTPError{http.StatusFound, "/"}

  269. }

  270. 

  271. func handleAPILogout(app *App, w http.ResponseWriter, r *http.Request) error {

  272. 	accessToken := r.Header.Get("Authorization")

  273. 	if accessToken == "" {

  274. 		return ErrNoAccessToken

  275. 	}

  276. 	t := auth.GetToken(accessToken)

  277. 	if len(t) == 0 {

  278. 		return ErrNoAccessToken

  279. 	}

  280. 	err := app.db.DeleteToken(t)

  281. 	if err != nil {

  282. 		return err

  283. 	}

  284. 	return impart.HTTPError{Status: http.StatusNoContent}

  285. }

  286. 

  287. func viewLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  288. 	var earlyError string

  289. 	oneTimeToken := r.FormValue("with")

  290. 	if oneTimeToken != "" {

  291. 		log.Info("Calling login with one-time token.")

  292. 		err := login(app, w, r)

  293. 		if err != nil {

  294. 			log.Info("Received error: %v", err)

  295. 			earlyError = fmt.Sprintf("%s", err)

  296. 		}

  297. 	}

  298. 

  299. 	session, err := app.sessionStore.Get(r, cookieName)

  300. 	if err != nil {

  301. 		// Ignore this

  302. 		log.Error("Unable to get session; ignoring: %v", err)

  303. 	}

  304. 

  305. 	p := &struct {

  306. 		page.StaticPage

  307. 		To                      string

  308. 		Message                 template.HTML

  309. 		Flashes                 []template.HTML

  310. 		LoginUsername           string

  311. 		OauthSlack              bool

  312. 		OauthWriteAs            bool

  313. 		OauthGitlab             bool

  314. 		OauthGeneric            bool

  315. 		OauthGenericDisplayName string

  316. 		GitlabDisplayName       string

  317. 	}{

  318. 		pageForReq(app, r),

  319. 		r.FormValue("to"),

  320. 		template.HTML(""),

  321. 		[]template.HTML{},

  322. 		getTempInfo(app, "login-user", r, w),

  323. 		app.Config().SlackOauth.ClientID != "",

  324. 		app.Config().WriteAsOauth.ClientID != "",

  325. 		app.Config().GitlabOauth.ClientID != "",

  326. 		app.Config().GenericOauth.ClientID != "",

  327. 		config.OrDefaultString(app.Config().GenericOauth.DisplayName, genericOauthDisplayName),

  328. 		config.OrDefaultString(app.Config().GitlabOauth.DisplayName, gitlabDisplayName),

  329. 	}

  330. 

  331. 	if earlyError != "" {

  332. 		p.Flashes = append(p.Flashes, template.HTML(earlyError))

  333. 	}

  334. 

  335. 	// Display any error messages

  336. 	flashes, _ := getSessionFlashes(app, w, r, session)

  337. 	for _, flash := range flashes {

  338. 		p.Flashes = append(p.Flashes, template.HTML(flash))

  339. 	}

  340. 	err = pages["login.tmpl"].ExecuteTemplate(w, "base", p)

  341. 	if err != nil {

  342. 		log.Error("Unable to render login: %v", err)

  343. 		return err

  344. 	}

  345. 	return nil

  346. }

  347. 

  348. func webLogin(app *App, w http.ResponseWriter, r *http.Request) error {

  349. 	err := login(app, w, r)

  350. 	if err != nil {

  351. 		username := r.FormValue("alias")

  352. 		// Login request was unsuccessful; save the error in the session and redirect them

  353. 		if err, ok := err.(impart.HTTPError); ok {

  354. 			session, _ := app.sessionStore.Get(r, cookieName)

  355. 			if session != nil {

  356. 				session.AddFlash(err.Message)

  357. 				session.Save(r, w)

  358. 			}

  359. 

  360. 			if m := actuallyUsernameReg.FindStringSubmatch(err.Message); len(m) > 0 {

  361. 				// Retain fixed username recommendation for the login form

  362. 				username = m[1]

  363. 			}

  364. 		}

  365. 

  366. 		// Pass along certain information

  367. 		saveTempInfo(app, "login-user", username, r, w)

  368. 

  369. 		// Retain post-login URL if one was given

  370. 		redirectTo := "/login"

  371. 		postLoginRedirect := r.FormValue("to")

  372. 		if postLoginRedirect != "" {

  373. 			redirectTo += "?to=" + postLoginRedirect

  374. 		}

  375. 

  376. 		log.Error("Unable to login: %v", err)

  377. 		return impart.HTTPError{http.StatusTemporaryRedirect, redirectTo}

  378. 	}

  379. 

  380. 	return nil

  381. }

  382. 

  383. var loginAttemptUsers = sync.Map{}

  384. 

  385. func login(app *App, w http.ResponseWriter, r *http.Request) error {

  386. 	reqJSON := IsJSON(r)

  387. 	oneTimeToken := r.FormValue("with")

  388. 	verbose := r.FormValue("all") == "true" || r.FormValue("verbose") == "1" || r.FormValue("verbose") == "true" || (reqJSON && oneTimeToken != "")

  389. 

  390. 	redirectTo := r.FormValue("to")

  391. 	if redirectTo == "" {

  392. 		if app.cfg.App.SingleUser {

  393. 			redirectTo = "/me/new"

  394. 		} else {

  395. 			redirectTo = "/"

  396. 		}

  397. 	}

  398. 

  399. 	var u *User

  400. 	var err error

  401. 	var signin userCredentials

  402. 

  403. 	if app.cfg.App.DisablePasswordAuth {

  404. 		err := ErrDisabledPasswordAuth

  405. 		return err

  406. 	}

  407. 

  408. 	// Log in with one-time token if one is given

  409. 	if oneTimeToken != "" {

  410. 		log.Info("Login: Logging user in via token.")

  411. 		userID := app.db.GetUserID(oneTimeToken)

  412. 		if userID == -1 {

  413. 			log.Error("Login: Got user -1 from token")

  414. 			err := ErrBadAccessToken

  415. 			err.Message = "Expired or invalid login code."

  416. 			return err

  417. 		}

  418. 		log.Info("Login: Found user %d.", userID)

  419. 

  420. 		u, err = app.db.GetUserByID(userID)

  421. 		if err != nil {

  422. 			log.Error("Unable to fetch user on one-time token login: %v", err)

  423. 			return impart.HTTPError{http.StatusInternalServerError, "There was an error retrieving the user you want."}

  424. 		}

  425. 		log.Info("Login: Got user via token")

  426. 	} else {

  427. 		// Get params

  428. 		if reqJSON {

  429. 			decoder := json.NewDecoder(r.Body)

  430. 			err := decoder.Decode(&signin)

  431. 			if err != nil {

  432. 				log.Error("Couldn't parse signin JSON request: %v\n", err)

  433. 				return ErrBadJSON

  434. 			}

  435. 		} else {

  436. 			err := r.ParseForm()

  437. 			if err != nil {

  438. 				log.Error("Couldn't parse signin form request: %v\n", err)

  439. 				return ErrBadFormData

  440. 			}

  441. 

  442. 			err = app.formDecoder.Decode(&signin, r.PostForm)

  443. 			if err != nil {

  444. 				log.Error("Couldn't decode signin form request: %v\n", err)

  445. 				return ErrBadFormData

  446. 			}

  447. 		}

  448. 

  449. 		log.Info("Login: Attempting login for '%s'", signin.Alias)

  450. 

  451. 		// Validate required params (all)

  452. 		if signin.Alias == "" {

  453. 			msg := "Parameter `alias` required."

  454. 			if signin.Web {

  455. 				msg = "A username is required."

  456. 			}

  457. 			return impart.HTTPError{http.StatusBadRequest, msg}

  458. 		}

  459. 		if !signin.EmailLogin && signin.Pass == "" {

  460. 			msg := "Parameter `pass` required."

  461. 			if signin.Web {

  462. 				msg = "A password is required."

  463. 			}

  464. 			return impart.HTTPError{http.StatusBadRequest, msg}

  465. 		}

  466. 

  467. 		// Prevent excessive login attempts on the same account

  468. 		// Skip this check in dev environment

  469. 		if !app.cfg.Server.Dev {

  470. 			now := time.Now()

  471. 			attemptExp, att := loginAttemptUsers.LoadOrStore(signin.Alias, now.Add(loginAttemptExpiration))

  472. 			if att {

  473. 				if attemptExpTime, ok := attemptExp.(time.Time); ok {

  474. 					if attemptExpTime.After(now) {

  475. 						// This user attempted previously, and the period hasn't expired yet

  476. 						return impart.HTTPError{http.StatusTooManyRequests, "You're doing that too much."}

  477. 					} else {

  478. 						// This user attempted previously, but the time expired; free up space

  479. 						loginAttemptUsers.Delete(signin.Alias)

  480. 					}

  481. 				} else {

  482. 					log.Error("Unable to cast expiration to time")

  483. 				}

  484. 			}

  485. 		}

  486. 

  487. 		// Retrieve password

  488. 		u, err = app.db.GetUserForAuth(signin.Alias)

  489. 		if err != nil {

  490. 			log.Info("Unable to getUserForAuth on %s: %v", signin.Alias, err)

  491. 			if strings.IndexAny(signin.Alias, "@") > 0 {

  492. 				log.Info("Suggesting: %s", ErrUserNotFoundEmail.Message)

  493. 				return ErrUserNotFoundEmail

  494. 			}

  495. 			return err

  496. 		}

  497. 		// Authenticate

  498. 		if u.Email.String == "" {

  499. 			// User has no email set, so check if they haven't added a password, either,

  500. 			// so we can return a more helpful error message.

  501. 			if hasPass, _ := app.db.IsUserPassSet(u.ID); !hasPass {

  502. 				log.Info("Tried logging in to %s, but no password or email.", signin.Alias)

  503. 				return impart.HTTPError{http.StatusPreconditionFailed, "This user never added a password or email address. Please contact us for help."}

  504. 			}

  505. 		}

  506. 		if len(u.HashedPass) == 0 {

  507. 			return impart.HTTPError{http.StatusUnauthorized, "This user never set a password. Perhaps try logging in via OAuth?"}

  508. 		}

  509. 		if !auth.Authenticated(u.HashedPass, []byte(signin.Pass)) {

  510. 			return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."}

  511. 		}

  512. 	}

  513. 

  514. 	if reqJSON && !signin.Web {

  515. 		var token string

  516. 		if r.Header.Get("User-Agent") == "" {

  517. 			// Get last created token when User-Agent is empty

  518. 			token = app.db.FetchLastAccessToken(u.ID)

  519. 			if token == "" {

  520. 				token, err = app.db.GetAccessToken(u.ID)

  521. 			}

  522. 		} else {

  523. 			token, err = app.db.GetAccessToken(u.ID)

  524. 		}

  525. 		if err != nil {

  526. 			log.Error("Login: Unable to create access token: %v", err)

  527. 			return impart.HTTPError{http.StatusInternalServerError, "Could not create access token. Try re-authenticating."}

  528. 		}

  529. 		resUser := getVerboseAuthUser(app, token, u, verbose)

  530. 		return impart.WriteSuccess(w, resUser, http.StatusOK)

  531. 	}

  532. 

  533. 	session, err := app.sessionStore.Get(r, cookieName)

  534. 	if err != nil {

  535. 		// The cookie should still save, even if there's an error.

  536. 		log.Error("Login: Session: %v; ignoring", err)

  537. 	}

  538. 

  539. 	// Remove unwanted data

  540. 	session.Values[cookieUserVal] = u.Cookie()

  541. 	err = session.Save(r, w)

  542. 	if err != nil {

  543. 		log.Error("Login: Couldn't save session: %v", err)

  544. 		// TODO: return error

  545. 	}

  546. 

  547. 	// Send success

  548. 	if reqJSON {

  549. 		return impart.WriteSuccess(w, &AuthUser{User: u}, http.StatusOK)

  550. 	}

  551. 	log.Info("Login: Redirecting to %s", redirectTo)

  552. 	w.Header().Set("Location", redirectTo)

  553. 	w.WriteHeader(http.StatusFound)

  554. 	return nil

  555. }

  556. 

  557. func getVerboseAuthUser(app *App, token string, u *User, verbose bool) *AuthUser {

  558. 	resUser := &AuthUser{

  559. 		AccessToken: token,

  560. 		User:        u,

  561. 	}

  562. 

  563. 	// Fetch verbose user data if requested

  564. 	if verbose {

  565. 		posts, err := app.db.GetUserPosts(u)

  566. 		if err != nil {

  567. 			log.Error("Login: Unable to get user posts: %v", err)

  568. 		}

  569. 		colls, err := app.db.GetCollections(u, app.cfg.App.Host)

  570. 		if err != nil {

  571. 			log.Error("Login: Unable to get user collections: %v", err)

  572. 		}

  573. 		passIsSet, err := app.db.IsUserPassSet(u.ID)

  574. 		if err != nil {

  575. 			// TODO: correct error meesage

  576. 			log.Error("Login: Unable to get user collections: %v", err)

  577. 		}

  578. 

  579. 		resUser.Posts = posts

  580. 		resUser.Collections = colls

  581. 		resUser.User.HasPass = passIsSet

  582. 	}

  583. 	return resUser

  584. }

  585. 

  586. func viewExportOptions(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  587. 	// Fetch extra user data

  588. 	p := NewUserPage(app, r, u, "Export", nil)

  589. 

  590. 	showUserPage(w, "export", p)

  591. 	return nil

  592. }

  593. 

  594. func viewExportPosts(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  595. 	var filename string

  596. 	var u = &User{}

  597. 	reqJSON := IsJSON(r)

  598. 	if reqJSON {

  599. 		// Use given Authorization header

  600. 		accessToken := r.Header.Get("Authorization")

  601. 		if accessToken == "" {

  602. 			return nil, filename, ErrNoAccessToken

  603. 		}

  604. 

  605. 		userID := app.db.GetUserID(accessToken)

  606. 		if userID == -1 {

  607. 			return nil, filename, ErrBadAccessToken

  608. 		}

  609. 

  610. 		var err error

  611. 		u, err = app.db.GetUserByID(userID)

  612. 		if err != nil {

  613. 			return nil, filename, impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve requested user."}

  614. 		}

  615. 	} else {

  616. 		// Use user cookie

  617. 		session, err := app.sessionStore.Get(r, cookieName)

  618. 		if err != nil {

  619. 			// The cookie should still save, even if there's an error.

  620. 			log.Error("Session: %v; ignoring", err)

  621. 		}

  622. 

  623. 		val := session.Values[cookieUserVal]

  624. 		var ok bool

  625. 		if u, ok = val.(*User); !ok {

  626. 			return nil, filename, ErrNotLoggedIn

  627. 		}

  628. 	}

  629. 

  630. 	filename = u.Username + "-posts-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  631. 

  632. 	// Fetch data we're exporting

  633. 	var err error

  634. 	var data []byte

  635. 	posts, err := app.db.GetUserPosts(u)

  636. 	if err != nil {

  637. 		return data, filename, err

  638. 	}

  639. 

  640. 	// Export as CSV

  641. 	if strings.HasSuffix(r.URL.Path, ".csv") {

  642. 		data = exportPostsCSV(app.cfg.App.Host, u, posts)

  643. 		return data, filename, err

  644. 	}

  645. 	if strings.HasSuffix(r.URL.Path, ".zip") {

  646. 		data = exportPostsZip(u, posts)

  647. 		return data, filename, err

  648. 	}

  649. 

  650. 	if r.FormValue("pretty") == "1" {

  651. 		data, err = json.MarshalIndent(posts, "", "\t")

  652. 	} else {

  653. 		data, err = json.Marshal(posts)

  654. 	}

  655. 	return data, filename, err

  656. }

  657. 

  658. func viewExportFull(app *App, w http.ResponseWriter, r *http.Request) ([]byte, string, error) {

  659. 	var err error

  660. 	filename := ""

  661. 	u := getUserSession(app, r)

  662. 	if u == nil {

  663. 		return nil, filename, ErrNotLoggedIn

  664. 	}

  665. 	filename = u.Username + "-" + time.Now().Truncate(time.Second).UTC().Format("200601021504")

  666. 

  667. 	exportUser := compileFullExport(app, u)

  668. 

  669. 	var data []byte

  670. 	if r.FormValue("pretty") == "1" {

  671. 		data, err = json.MarshalIndent(exportUser, "", "\t")

  672. 	} else {

  673. 		data, err = json.Marshal(exportUser)

  674. 	}

  675. 	return data, filename, err

  676. }

  677. 

  678. func viewMeAPI(app *App, w http.ResponseWriter, r *http.Request) error {

  679. 	reqJSON := IsJSON(r)

  680. 	uObj := struct {

  681. 		ID       int64  `json:"id,omitempty"`

  682. 		Username string `json:"username,omitempty"`

  683. 	}{}

  684. 	var err error

  685. 

  686. 	if reqJSON {

  687. 		_, uObj.Username, err = app.db.GetUserDataFromToken(r.Header.Get("Authorization"))

  688. 		if err != nil {

  689. 			return err

  690. 		}

  691. 	} else {

  692. 		u := getUserSession(app, r)

  693. 		if u == nil {

  694. 			return impart.WriteSuccess(w, uObj, http.StatusOK)

  695. 		}

  696. 		uObj.Username = u.Username

  697. 	}

  698. 

  699. 	return impart.WriteSuccess(w, uObj, http.StatusOK)

  700. }

  701. 

  702. func viewMyPostsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  703. 	reqJSON := IsJSON(r)

  704. 	if !reqJSON {

  705. 		return ErrBadRequestedType

  706. 	}

  707. 

  708. 	var err error

  709. 	p := GetPostsCache(u.ID)

  710. 	if p == nil {

  711. 		userPostsCache.Lock()

  712. 		if userPostsCache.users[u.ID].ready == nil {

  713. 			userPostsCache.users[u.ID] = postsCacheItem{ready: make(chan struct{})}

  714. 			userPostsCache.Unlock()

  715. 

  716. 			p, err = app.db.GetUserPosts(u)

  717. 			if err != nil {

  718. 				return err

  719. 			}

  720. 

  721. 			CachePosts(u.ID, p)

  722. 		} else {

  723. 			userPostsCache.Unlock()

  724. 

  725. 			<-userPostsCache.users[u.ID].ready

  726. 			p = GetPostsCache(u.ID)

  727. 		}

  728. 	}

  729. 

  730. 	return impart.WriteSuccess(w, p, http.StatusOK)

  731. }

  732. 

  733. func viewMyCollectionsAPI(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  734. 	reqJSON := IsJSON(r)

  735. 	if !reqJSON {

  736. 		return ErrBadRequestedType

  737. 	}

  738. 

  739. 	p, err := app.db.GetCollections(u, app.cfg.App.Host)

  740. 	if err != nil {

  741. 		return err

  742. 	}

  743. 

  744. 	return impart.WriteSuccess(w, p, http.StatusOK)

  745. }

  746. 

  747. func viewArticles(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  748. 	p, err := app.db.GetAnonymousPosts(u)

  749. 	if err != nil {

  750. 		log.Error("unable to fetch anon posts: %v", err)

  751. 	}

  752. 	// nil-out AnonymousPosts slice for easy detection in the template

  753. 	if p != nil && len(*p) == 0 {

  754. 		p = nil

  755. 	}

  756. 

  757. 	f, err := getSessionFlashes(app, w, r, nil)

  758. 	if err != nil {

  759. 		log.Error("unable to fetch flashes: %v", err)

  760. 	}

  761. 

  762. 	c, err := app.db.GetPublishableCollections(u, app.cfg.App.Host)

  763. 	if err != nil {

  764. 		log.Error("unable to fetch collections: %v", err)

  765. 	}

  766. 

  767. 	silenced, err := app.db.IsUserSilenced(u.ID)

  768. 	if err != nil {

  769. 		log.Error("view articles: %v", err)

  770. 	}

  771. 	d := struct {

  772. 		*UserPage

  773. 		AnonymousPosts *[]PublicPost

  774. 		Collections    *[]Collection

  775. 		Silenced       bool

  776. 	}{

  777. 		UserPage:       NewUserPage(app, r, u, u.Username+"'s Posts", f),

  778. 		AnonymousPosts: p,

  779. 		Collections:    c,

  780. 		Silenced:       silenced,

  781. 	}

  782. 	d.UserPage.SetMessaging(u)

  783. 	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")

  784. 	w.Header().Set("Expires", "Thu, 04 Oct 1990 20:00:00 GMT")

  785. 	showUserPage(w, "articles", d)

  786. 

  787. 	return nil

  788. }

  789. 

  790. func viewCollections(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  791. 	c, err := app.db.GetCollections(u, app.cfg.App.Host)

  792. 	if err != nil {

  793. 		log.Error("unable to fetch collections: %v", err)

  794. 		return fmt.Errorf("No collections")

  795. 	}

  796. 

  797. 	f, _ := getSessionFlashes(app, w, r, nil)

  798. 

  799. 	uc, _ := app.db.GetUserCollectionCount(u.ID)

  800. 	// TODO: handle any errors

  801. 

  802. 	silenced, err := app.db.IsUserSilenced(u.ID)

  803. 	if err != nil {

  804. 		log.Error("view collections %v", err)

  805. 		return fmt.Errorf("view collections: %v", err)

  806. 	}

  807. 	d := struct {

  808. 		*UserPage

  809. 		Collections *[]Collection

  810. 

  811. 		UsedCollections, TotalCollections int

  812. 

  813. 		NewBlogsDisabled bool

  814. 		Silenced         bool

  815. 	}{

  816. 		UserPage:         NewUserPage(app, r, u, u.Username+"'s Blogs", f),

  817. 		Collections:      c,

  818. 		UsedCollections:  int(uc),

  819. 		NewBlogsDisabled: !app.cfg.App.CanCreateBlogs(uc),

  820. 		Silenced:         silenced,

  821. 	}

  822. 	d.UserPage.SetMessaging(u)

  823. 	showUserPage(w, "collections", d)

  824. 

  825. 	return nil

  826. }

  827. 

  828. func viewEditCollection(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  829. 	vars := mux.Vars(r)

  830. 	c, err := app.db.GetCollection(vars["collection"])

  831. 	if err != nil {

  832. 		return err

  833. 	}

  834. 	if c.OwnerID != u.ID {

  835. 		return ErrCollectionNotFound

  836. 	}

  837. 

  838. 	silenced, err := app.db.IsUserSilenced(u.ID)

  839. 	if err != nil {

  840. 		log.Error("view edit collection %v", err)

  841. 		return fmt.Errorf("view edit collection: %v", err)

  842. 	}

  843. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  844. 	obj := struct {

  845. 		*UserPage

  846. 		*Collection

  847. 		Silenced bool

  848. 	}{

  849. 		UserPage:   NewUserPage(app, r, u, "Edit "+c.DisplayTitle(), flashes),

  850. 		Collection: c,

  851. 		Silenced:   silenced,

  852. 	}

  853. 

  854. 	showUserPage(w, "collection", obj)

  855. 	return nil

  856. }

  857. 

  858. func updateSettings(app *App, w http.ResponseWriter, r *http.Request) error {

  859. 	reqJSON := IsJSON(r)

  860. 

  861. 	var s userSettings

  862. 	var u *User

  863. 	var sess *sessions.Session

  864. 	var err error

  865. 	if reqJSON {

  866. 		accessToken := r.Header.Get("Authorization")

  867. 		if accessToken == "" {

  868. 			return ErrNoAccessToken

  869. 		}

  870. 

  871. 		u, err = app.db.GetAPIUser(accessToken)

  872. 		if err != nil {

  873. 			return ErrBadAccessToken

  874. 		}

  875. 

  876. 		decoder := json.NewDecoder(r.Body)

  877. 		err := decoder.Decode(&s)

  878. 		if err != nil {

  879. 			log.Error("Couldn't parse settings JSON request: %v\n", err)

  880. 			return ErrBadJSON

  881. 		}

  882. 

  883. 		// Prevent all username updates

  884. 		// TODO: support changing username via JSON API request

  885. 		s.Username = ""

  886. 	} else {

  887. 		u, sess = getUserAndSession(app, r)

  888. 		if u == nil {

  889. 			return ErrNotLoggedIn

  890. 		}

  891. 

  892. 		err := r.ParseForm()

  893. 		if err != nil {

  894. 			log.Error("Couldn't parse settings form request: %v\n", err)

  895. 			return ErrBadFormData

  896. 		}

  897. 

  898. 		err = app.formDecoder.Decode(&s, r.PostForm)

  899. 		if err != nil {

  900. 			log.Error("Couldn't decode settings form request: %v\n", err)

  901. 			return ErrBadFormData

  902. 		}

  903. 	}

  904. 

  905. 	// Do update

  906. 	postUpdateReturn := r.FormValue("return")

  907. 	redirectTo := "/me/settings"

  908. 	if s.IsLogOut {

  909. 		redirectTo += "?logout=1"

  910. 	} else if postUpdateReturn != "" {

  911. 		redirectTo = postUpdateReturn

  912. 	}

  913. 

  914. 	// Only do updates on values we need

  915. 	if s.Username != "" && s.Username == u.Username {

  916. 		// Username hasn't actually changed; blank it out

  917. 		s.Username = ""

  918. 	}

  919. 	err = app.db.ChangeSettings(app, u, &s)

  920. 	if err != nil {

  921. 		if reqJSON {

  922. 			return err

  923. 		}

  924. 

  925. 		if err, ok := err.(impart.HTTPError); ok {

  926. 			addSessionFlash(app, w, r, err.Message, nil)

  927. 		}

  928. 	} else {

  929. 		// Successful update.

  930. 		if reqJSON {

  931. 			return impart.WriteSuccess(w, u, http.StatusOK)

  932. 		}

  933. 

  934. 		if s.IsLogOut {

  935. 			redirectTo = "/me/logout"

  936. 		} else {

  937. 			sess.Values[cookieUserVal] = u.Cookie()

  938. 			addSessionFlash(app, w, r, "Account updated.", nil)

  939. 		}

  940. 	}

  941. 

  942. 	w.Header().Set("Location", redirectTo)

  943. 	w.WriteHeader(http.StatusFound)

  944. 	return nil

  945. }

  946. 

  947. func updatePassphrase(app *App, w http.ResponseWriter, r *http.Request) error {

  948. 	accessToken := r.Header.Get("Authorization")

  949. 	if accessToken == "" {

  950. 		return ErrNoAccessToken

  951. 	}

  952. 

  953. 	curPass := r.FormValue("current")

  954. 	newPass := r.FormValue("new")

  955. 	// Ensure a new password is given (always required)

  956. 	if newPass == "" {

  957. 		return impart.HTTPError{http.StatusBadRequest, "Provide a new password."}

  958. 	}

  959. 

  960. 	userID, sudo := app.db.GetUserIDPrivilege(accessToken)

  961. 	if userID == -1 {

  962. 		return ErrBadAccessToken

  963. 	}

  964. 

  965. 	// Ensure a current password is given if the access token doesn't have sudo

  966. 	// privileges.

  967. 	if !sudo && curPass == "" {

  968. 		return impart.HTTPError{http.StatusBadRequest, "Provide current password."}

  969. 	}

  970. 

  971. 	// Hash the new password

  972. 	hashedPass, err := auth.HashPass([]byte(newPass))

  973. 	if err != nil {

  974. 		return impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}

  975. 	}

  976. 

  977. 	// Do update

  978. 	err = app.db.ChangePassphrase(userID, sudo, curPass, hashedPass)

  979. 	if err != nil {

  980. 		return err

  981. 	}

  982. 

  983. 	return impart.WriteSuccess(w, struct{}{}, http.StatusOK)

  984. }

  985. 

  986. func viewStats(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  987. 	var c *Collection

  988. 	var err error

  989. 	vars := mux.Vars(r)

  990. 	alias := vars["collection"]

  991. 	if alias != "" {

  992. 		c, err = app.db.GetCollection(alias)

  993. 		if err != nil {

  994. 			return err

  995. 		}

  996. 		if c.OwnerID != u.ID {

  997. 			return ErrCollectionNotFound

  998. 		}

  999. 	}

  1000. 

  1001. 	topPosts, err := app.db.GetTopPosts(u, alias)

  1002. 	if err != nil {

  1003. 		log.Error("Unable to get top posts: %v", err)

  1004. 		return err

  1005. 	}

  1006. 

  1007. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  1008. 	titleStats := ""

  1009. 	if c != nil {

  1010. 		titleStats = c.DisplayTitle() + " "

  1011. 	}

  1012. 

  1013. 	silenced, err := app.db.IsUserSilenced(u.ID)

  1014. 	if err != nil {

  1015. 		log.Error("view stats: %v", err)

  1016. 		return err

  1017. 	}

  1018. 	obj := struct {

  1019. 		*UserPage

  1020. 		VisitsBlog  string

  1021. 		Collection  *Collection

  1022. 		TopPosts    *[]PublicPost

  1023. 		APFollowers int

  1024. 		Silenced    bool

  1025. 	}{

  1026. 		UserPage:   NewUserPage(app, r, u, titleStats+"Stats", flashes),

  1027. 		VisitsBlog: alias,

  1028. 		Collection: c,

  1029. 		TopPosts:   topPosts,

  1030. 		Silenced:   silenced,

  1031. 	}

  1032. 	if app.cfg.App.Federation {

  1033. 		folls, err := app.db.GetAPFollowers(c)

  1034. 		if err != nil {

  1035. 			return err

  1036. 		}

  1037. 		obj.APFollowers = len(*folls)

  1038. 	}

  1039. 

  1040. 	showUserPage(w, "stats", obj)

  1041. 	return nil

  1042. }

  1043. 

  1044. func viewSettings(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1045. 	fullUser, err := app.db.GetUserByID(u.ID)

  1046. 	if err != nil {

  1047. 		log.Error("Unable to get user for settings: %s", err)

  1048. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1049. 	}

  1050. 

  1051. 	passIsSet, err := app.db.IsUserPassSet(u.ID)

  1052. 	if err != nil {

  1053. 		log.Error("Unable to get isUserPassSet for settings: %s", err)

  1054. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1055. 	}

  1056. 

  1057. 	flashes, _ := getSessionFlashes(app, w, r, nil)

  1058. 

  1059. 	enableOauthSlack := app.Config().SlackOauth.ClientID != ""

  1060. 	enableOauthWriteAs := app.Config().WriteAsOauth.ClientID != ""

  1061. 	enableOauthGitLab := app.Config().GitlabOauth.ClientID != ""

  1062. 	enableOauthGeneric := app.Config().GenericOauth.ClientID != ""

  1063. 

  1064. 	oauthAccounts, err := app.db.GetOauthAccounts(r.Context(), u.ID)

  1065. 	if err != nil {

  1066. 		log.Error("Unable to get oauth accounts for settings: %s", err)

  1067. 		return impart.HTTPError{http.StatusInternalServerError, "Unable to retrieve user data. The humans have been alerted."}

  1068. 	}

  1069. 	for idx, oauthAccount := range oauthAccounts {

  1070. 		switch oauthAccount.Provider {

  1071. 		case "slack":

  1072. 			enableOauthSlack = false

  1073. 		case "write.as":

  1074. 			enableOauthWriteAs = false

  1075. 		case "gitlab":

  1076. 			enableOauthGitLab = false

  1077. 		case "generic":

  1078. 			oauthAccounts[idx].DisplayName = app.Config().GenericOauth.DisplayName

  1079. 			oauthAccounts[idx].AllowDisconnect = app.Config().GenericOauth.AllowDisconnect

  1080. 			enableOauthGeneric = false

  1081. 		}

  1082. 	}

  1083. 

  1084. 	displayOauthSection := enableOauthSlack || enableOauthWriteAs || enableOauthGitLab || enableOauthGeneric || len(oauthAccounts) > 0

  1085. 

  1086. 	obj := struct {

  1087. 		*UserPage

  1088. 		Email                   string

  1089. 		HasPass                 bool

  1090. 		IsLogOut                bool

  1091. 		Silenced                bool

  1092. 		OauthSection            bool

  1093. 		OauthAccounts           []oauthAccountInfo

  1094. 		OauthSlack              bool

  1095. 		OauthWriteAs            bool

  1096. 		OauthGitLab             bool

  1097. 		GitLabDisplayName       string

  1098. 		OauthGeneric            bool

  1099. 		OauthGenericDisplayName string

  1100. 	}{

  1101. 		UserPage:                NewUserPage(app, r, u, "Account Settings", flashes),

  1102. 		Email:                   fullUser.EmailClear(app.keys),

  1103. 		HasPass:                 passIsSet,

  1104. 		IsLogOut:                r.FormValue("logout") == "1",

  1105. 		Silenced:                fullUser.IsSilenced(),

  1106. 		OauthSection:            displayOauthSection,

  1107. 		OauthAccounts:           oauthAccounts,

  1108. 		OauthSlack:              enableOauthSlack,

  1109. 		OauthWriteAs:            enableOauthWriteAs,

  1110. 		OauthGitLab:             enableOauthGitLab,

  1111. 		GitLabDisplayName:       config.OrDefaultString(app.Config().GitlabOauth.DisplayName, gitlabDisplayName),

  1112. 		OauthGeneric:            enableOauthGeneric,

  1113. 		OauthGenericDisplayName: config.OrDefaultString(app.Config().GenericOauth.DisplayName, genericOauthDisplayName),

  1114. 	}

  1115. 

  1116. 	showUserPage(w, "settings", obj)

  1117. 	return nil

  1118. }

  1119. 

  1120. func saveTempInfo(app *App, key, val string, r *http.Request, w http.ResponseWriter) error {

  1121. 	session, err := app.sessionStore.Get(r, "t")

  1122. 	if err != nil {

  1123. 		return ErrInternalCookieSession

  1124. 	}

  1125. 

  1126. 	session.Values[key] = val

  1127. 	err = session.Save(r, w)

  1128. 	if err != nil {

  1129. 		log.Error("Couldn't saveTempInfo for key-val (%s:%s): %v", key, val, err)

  1130. 	}

  1131. 	return err

  1132. }

  1133. 

  1134. func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) string {

  1135. 	session, err := app.sessionStore.Get(r, "t")

  1136. 	if err != nil {

  1137. 		return ""

  1138. 	}

  1139. 

  1140. 	// Get the information

  1141. 	var s = ""

  1142. 	var ok bool

  1143. 	if s, ok = session.Values[key].(string); !ok {

  1144. 		return ""

  1145. 	}

  1146. 

  1147. 	// Delete cookie

  1148. 	session.Options.MaxAge = -1

  1149. 	err = session.Save(r, w)

  1150. 	if err != nil {

  1151. 		log.Error("Couldn't erase temp data for key %s: %v", key, err)

  1152. 	}

  1153. 

  1154. 	// Return value

  1155. 	return s

  1156. }

  1157. 

  1158. func removeOauth(app *App, u *User, w http.ResponseWriter, r *http.Request) error {

  1159. 	provider := r.FormValue("provider")

  1160. 	clientID := r.FormValue("client_id")

  1161. 	remoteUserID := r.FormValue("remote_user_id")

  1162. 

  1163. 	err := app.db.RemoveOauth(r.Context(), u.ID, provider, clientID, remoteUserID)

  1164. 	if err != nil {

  1165. 		return impart.HTTPError{Status: http.StatusInternalServerError, Message: err.Error()}

  1166. 	}

  1167. 

  1168. 	return impart.HTTPError{Status: http.StatusFound, Message: "/me/settings"}

  1169. }

  1170. 

  1171. func prepareUserEmail(input string, emailKey []byte) zero.String {

  1172. 	email := zero.NewString("", input != "")

  1173. 	if len(input) > 0 {

  1174. 		encEmail, err := data.Encrypt(emailKey, input)

  1175. 		if err != nil {

  1176. 			log.Error("Unable to encrypt email: %s\n", err)

  1177. 		} else {

  1178. 			email.String = string(encEmail)

  1179. 		}

  1180. 	}

  1181. 	return email

  1182. }