2020-01-26 18:08:06 +01:00
|
|
|
// Copyright2018-2020 Vikunja and contriubtors. All rights reserved.
|
2018-11-26 21:17:33 +01:00
|
|
|
//
|
2020-01-26 18:08:06 +01:00
|
|
|
// This file is part of Vikunja.
|
|
|
|
//
|
|
|
|
// Vikunja is free software: you can redistribute it and/or modify
|
2019-12-04 20:39:56 +01:00
|
|
|
// it under the terms of the GNU General Public License as published by
|
|
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
|
|
// (at your option) any later version.
|
2018-11-26 21:17:33 +01:00
|
|
|
//
|
2020-01-26 18:08:06 +01:00
|
|
|
// Vikunja is distributed in the hope that it will be useful,
|
2019-12-04 20:39:56 +01:00
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU General Public License for more details.
|
2018-11-26 21:17:33 +01:00
|
|
|
//
|
2019-12-04 20:39:56 +01:00
|
|
|
// You should have received a copy of the GNU General Public License
|
2020-01-26 18:08:06 +01:00
|
|
|
// along with Vikunja. If not, see <https://www.gnu.org/licenses/>.
|
2018-11-26 21:17:33 +01:00
|
|
|
|
2020-01-26 18:08:06 +01:00
|
|
|
package user
|
2018-06-10 11:11:41 +02:00
|
|
|
|
|
|
|
import (
|
2019-07-16 16:15:40 +02:00
|
|
|
"code.vikunja.io/api/pkg/config"
|
|
|
|
"code.vikunja.io/api/pkg/mail"
|
2018-12-12 23:50:35 +01:00
|
|
|
"code.vikunja.io/api/pkg/metrics"
|
2020-02-08 13:48:49 +01:00
|
|
|
"code.vikunja.io/api/pkg/timeutil"
|
2019-05-31 09:24:59 +02:00
|
|
|
"code.vikunja.io/api/pkg/utils"
|
2018-12-01 00:26:56 +01:00
|
|
|
"code.vikunja.io/web"
|
|
|
|
"fmt"
|
2018-06-10 11:11:41 +02:00
|
|
|
"github.com/dgrijalva/jwt-go"
|
2019-05-07 21:42:24 +02:00
|
|
|
"github.com/labstack/echo/v4"
|
2018-06-10 11:11:41 +02:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
2018-12-01 00:26:56 +01:00
|
|
|
"reflect"
|
2018-06-10 11:11:41 +02:00
|
|
|
)
|
|
|
|
|
2020-01-26 18:08:06 +01:00
|
|
|
// Login Object to recive user credentials in JSON format
|
|
|
|
type Login struct {
|
2019-01-03 23:22:06 +01:00
|
|
|
// The username used to log in.
|
2019-01-14 23:32:56 +01:00
|
|
|
Username string `json:"username"`
|
2019-01-03 23:22:06 +01:00
|
|
|
// The password for the user.
|
2019-01-14 23:32:56 +01:00
|
|
|
Password string `json:"password"`
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// User holds information about an user
|
|
|
|
type User struct {
|
2019-01-03 23:22:06 +01:00
|
|
|
// The unique, numeric id of this user.
|
|
|
|
ID int64 `xorm:"int(11) autoincr not null unique pk" json:"id"`
|
2019-01-14 23:32:56 +01:00
|
|
|
// The username of the user. Is always unique.
|
2019-01-03 23:22:06 +01:00
|
|
|
Username string `xorm:"varchar(250) not null unique" json:"username" valid:"length(3|250)" minLength:"3" maxLength:"250"`
|
2018-06-13 12:18:55 +02:00
|
|
|
Password string `xorm:"varchar(250) not null" json:"-"`
|
2019-01-14 23:32:56 +01:00
|
|
|
// The user's email address.
|
2019-04-23 10:34:06 +02:00
|
|
|
Email string `xorm:"varchar(250) null" json:"email,omitempty" valid:"email,length(0|250)" maxLength:"250"`
|
2019-03-29 18:54:35 +01:00
|
|
|
IsActive bool `xorm:"null" json:"-"`
|
2019-05-31 09:24:59 +02:00
|
|
|
// The users md5-hashed email address, used to get the avatar from gravatar and the likes.
|
|
|
|
AvatarURL string `xorm:"-" json:"avatarUrl"`
|
2018-10-27 11:33:28 +02:00
|
|
|
|
2019-03-29 18:54:35 +01:00
|
|
|
PasswordResetToken string `xorm:"varchar(450) null" json:"-"`
|
|
|
|
EmailConfirmToken string `xorm:"varchar(450) null" json:"-"`
|
2018-10-27 11:33:28 +02:00
|
|
|
|
2020-02-08 13:48:49 +01:00
|
|
|
// A timestamp when this task was created. You cannot change this value.
|
|
|
|
Created timeutil.TimeStamp `xorm:"created not null" json:"created"`
|
|
|
|
// A timestamp when this task was last updated. You cannot change this value.
|
|
|
|
Updated timeutil.TimeStamp `xorm:"updated not null" json:"updated"`
|
2018-12-01 00:26:56 +01:00
|
|
|
|
|
|
|
web.Auth `xorm:"-" json:"-"`
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
2019-04-01 20:19:55 +02:00
|
|
|
// AfterLoad is used to delete all emails to not have them leaked to the user
|
|
|
|
func (u *User) AfterLoad() {
|
2019-05-31 09:24:59 +02:00
|
|
|
u.AvatarURL = utils.Md5String(u.Email)
|
2019-04-01 20:19:55 +02:00
|
|
|
}
|
|
|
|
|
2019-06-28 10:21:48 +02:00
|
|
|
// GetID implements the Auth interface
|
|
|
|
func (u *User) GetID() int64 {
|
|
|
|
return u.ID
|
|
|
|
}
|
2018-12-01 00:26:56 +01:00
|
|
|
|
2018-06-10 11:11:41 +02:00
|
|
|
// TableName returns the table name for users
|
|
|
|
func (User) TableName() string {
|
|
|
|
return "users"
|
|
|
|
}
|
|
|
|
|
2020-01-26 18:08:06 +01:00
|
|
|
// GetFromAuth returns a user object from a web.Auth object and returns an error if the underlying type
|
|
|
|
// is not a user object
|
|
|
|
func GetFromAuth(a web.Auth) (*User, error) {
|
2018-12-01 00:26:56 +01:00
|
|
|
u, is := a.(*User)
|
|
|
|
if !is {
|
|
|
|
return &User{}, fmt.Errorf("user is not user element, is %s", reflect.TypeOf(a))
|
|
|
|
}
|
|
|
|
return u, nil
|
|
|
|
}
|
|
|
|
|
2018-07-10 14:02:23 +02:00
|
|
|
// APIUserPassword represents a user object without timestamps and a json password field.
|
|
|
|
type APIUserPassword struct {
|
2019-01-03 23:22:06 +01:00
|
|
|
// The unique, numeric id of this user.
|
|
|
|
ID int64 `json:"id"`
|
|
|
|
// The username of the username. Is always unique.
|
|
|
|
Username string `json:"username" valid:"length(3|250)" minLength:"3" maxLength:"250"`
|
|
|
|
// The user's password in clear text. Only used when registering the user.
|
|
|
|
Password string `json:"password" valid:"length(8|250)" minLength:"8" maxLength:"250"`
|
|
|
|
// The user's email address
|
|
|
|
Email string `json:"email" valid:"email,length(0|250)" maxLength:"250"`
|
2018-06-13 13:45:22 +02:00
|
|
|
}
|
|
|
|
|
2018-07-10 14:02:23 +02:00
|
|
|
// APIFormat formats an API User into a normal user struct
|
2019-08-14 21:59:31 +02:00
|
|
|
func (apiUser *APIUserPassword) APIFormat() *User {
|
|
|
|
return &User{
|
2018-06-13 13:45:22 +02:00
|
|
|
ID: apiUser.ID,
|
|
|
|
Username: apiUser.Username,
|
|
|
|
Password: apiUser.Password,
|
|
|
|
Email: apiUser.Email,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-06-10 11:11:41 +02:00
|
|
|
// GetUserByID gets informations about a user by its ID
|
2019-08-14 21:59:31 +02:00
|
|
|
func GetUserByID(id int64) (user *User, err error) {
|
2018-06-10 11:11:41 +02:00
|
|
|
// Apparently xorm does otherwise look for all users but return only one, which leads to returing one even if the ID is 0
|
2018-09-13 20:07:11 +02:00
|
|
|
if id < 1 {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrUserDoesNotExist{}
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
2019-08-14 21:59:31 +02:00
|
|
|
return GetUser(&User{ID: id})
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
2019-05-25 11:47:16 +02:00
|
|
|
// GetUserByUsername gets a user from its user name. This is an extra function to be able to add an extra error check.
|
2019-08-14 21:59:31 +02:00
|
|
|
func GetUserByUsername(username string) (user *User, err error) {
|
2019-05-25 11:47:16 +02:00
|
|
|
if username == "" {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrUserDoesNotExist{}
|
2019-05-25 11:47:16 +02:00
|
|
|
}
|
|
|
|
|
2019-08-14 21:59:31 +02:00
|
|
|
return GetUser(&User{Username: username})
|
2019-05-25 11:47:16 +02:00
|
|
|
}
|
|
|
|
|
2018-06-10 11:11:41 +02:00
|
|
|
// GetUser gets a user object
|
2019-08-14 21:59:31 +02:00
|
|
|
func GetUser(user *User) (userOut *User, err error) {
|
|
|
|
return getUser(user, false)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetUserWithEmail returns a user object with email
|
|
|
|
func GetUserWithEmail(user *User) (userOut *User, err error) {
|
|
|
|
return getUser(user, true)
|
|
|
|
}
|
|
|
|
|
|
|
|
// getUser is a small helper function to avoid having duplicated code for almost the same use case
|
|
|
|
func getUser(user *User, withEmail bool) (userOut *User, err error) {
|
|
|
|
userOut = &User{} // To prevent a panic if user is nil
|
|
|
|
*userOut = *user
|
|
|
|
exists, err := x.Get(userOut)
|
2018-06-10 11:11:41 +02:00
|
|
|
|
|
|
|
if !exists {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrUserDoesNotExist{UserID: user.ID}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !withEmail {
|
|
|
|
userOut.Email = ""
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
2018-08-30 19:14:02 +02:00
|
|
|
return userOut, err
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// CheckUserCredentials checks user credentials
|
2020-01-26 18:08:06 +01:00
|
|
|
func CheckUserCredentials(u *Login) (*User, error) {
|
2018-11-01 23:51:05 +01:00
|
|
|
// Check if we have any credentials
|
|
|
|
if u.Password == "" || u.Username == "" {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrNoUsernamePassword{}
|
2018-11-01 23:51:05 +01:00
|
|
|
}
|
|
|
|
|
2018-06-10 11:11:41 +02:00
|
|
|
// Check if the user exists
|
2019-05-25 11:47:16 +02:00
|
|
|
user, err := GetUserByUsername(u.Username)
|
2018-06-10 11:11:41 +02:00
|
|
|
if err != nil {
|
2018-12-19 22:05:25 +01:00
|
|
|
// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
|
|
|
|
bcrypt.GenerateFromPassword([]byte(u.Username), 14)
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrWrongUsernameOrPassword{}
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
2018-11-01 23:47:41 +01:00
|
|
|
// User is invalid if it needs to verify its email address
|
|
|
|
if !user.IsActive {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrEmailNotConfirmed{UserID: user.ID}
|
2018-11-01 23:47:41 +01:00
|
|
|
}
|
|
|
|
|
2018-06-10 11:11:41 +02:00
|
|
|
// Check the users password
|
|
|
|
err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
|
|
|
|
if err != nil {
|
2018-11-01 23:47:41 +01:00
|
|
|
if err == bcrypt.ErrMismatchedHashAndPassword {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrWrongUsernameOrPassword{}
|
2018-11-01 23:47:41 +01:00
|
|
|
}
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2018-06-10 11:11:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return user, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetCurrentUser returns the current user based on its jwt token
|
2018-12-01 00:26:56 +01:00
|
|
|
func GetCurrentUser(c echo.Context) (user *User, err error) {
|
2018-06-10 11:11:41 +02:00
|
|
|
jwtinf := c.Get("user").(*jwt.Token)
|
|
|
|
claims := jwtinf.Claims.(jwt.MapClaims)
|
2019-08-31 22:56:41 +02:00
|
|
|
return GetUserFromClaims(claims)
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetUserFromClaims Returns a new user from jwt claims
|
|
|
|
func GetUserFromClaims(claims jwt.MapClaims) (user *User, err error) {
|
2018-06-10 11:11:41 +02:00
|
|
|
userID, ok := claims["id"].(float64)
|
|
|
|
if !ok {
|
|
|
|
return user, ErrCouldNotGetUserID{}
|
|
|
|
}
|
2018-12-01 00:26:56 +01:00
|
|
|
user = &User{
|
2018-06-10 11:11:41 +02:00
|
|
|
ID: int64(userID),
|
|
|
|
Email: claims["email"].(string),
|
|
|
|
Username: claims["username"].(string),
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
2018-12-12 23:50:35 +01:00
|
|
|
|
2019-07-16 16:15:40 +02:00
|
|
|
// CreateUser creates a new user and inserts it into the database
|
2019-08-14 21:59:31 +02:00
|
|
|
func CreateUser(user *User) (newUser *User, err error) {
|
2019-07-16 16:15:40 +02:00
|
|
|
|
|
|
|
newUser = user
|
|
|
|
|
|
|
|
// Check if we have all needed informations
|
|
|
|
if newUser.Password == "" || newUser.Username == "" || newUser.Email == "" {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrNoUsernamePassword{}
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the user already existst with that username
|
|
|
|
exists := true
|
2019-08-14 21:59:31 +02:00
|
|
|
_, err = GetUserByUsername(newUser.Username)
|
2019-07-16 16:15:40 +02:00
|
|
|
if err != nil {
|
|
|
|
if IsErrUserDoesNotExist(err) {
|
|
|
|
exists = false
|
|
|
|
} else {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if exists {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrUsernameExists{newUser.ID, newUser.Username}
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the user already existst with that email
|
|
|
|
exists = true
|
2019-08-14 21:59:31 +02:00
|
|
|
_, err = GetUser(&User{Email: newUser.Email})
|
2019-07-16 16:15:40 +02:00
|
|
|
if err != nil {
|
|
|
|
if IsErrUserDoesNotExist(err) {
|
|
|
|
exists = false
|
|
|
|
} else {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if exists {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, ErrUserEmailExists{newUser.ID, newUser.Email}
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Hash the password
|
|
|
|
newUser.Password, err = hashPassword(user.Password)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
newUser.IsActive = true
|
|
|
|
if config.MailerEnabled.GetBool() {
|
|
|
|
// The new user should not be activated until it confirms his mail address
|
|
|
|
newUser.IsActive = false
|
|
|
|
// Generate a confirm token
|
|
|
|
newUser.EmailConfirmToken = utils.MakeRandomString(400)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Insert it
|
|
|
|
_, err = x.Insert(newUser)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Update the metrics
|
|
|
|
metrics.UpdateCount(1, metrics.ActiveUsersKey)
|
|
|
|
|
|
|
|
// Get the full new User
|
|
|
|
newUserOut, err := GetUser(newUser)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Dont send a mail if we're testing
|
|
|
|
if !config.MailerEnabled.GetBool() {
|
|
|
|
return newUserOut, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Send the user a mail with a link to confirm the mail
|
|
|
|
data := map[string]interface{}{
|
|
|
|
"User": newUserOut,
|
|
|
|
}
|
|
|
|
|
|
|
|
mail.SendMailWithTemplate(user.Email, newUserOut.Username+" + Vikunja = <3", "confirm-email", data)
|
|
|
|
|
|
|
|
return newUserOut, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// HashPassword hashes a password
|
|
|
|
func hashPassword(password string) (string, error) {
|
|
|
|
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 11)
|
|
|
|
return string(bytes), err
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateUser updates a user
|
2019-08-14 21:59:31 +02:00
|
|
|
func UpdateUser(user *User) (updatedUser *User, err error) {
|
2019-07-16 16:15:40 +02:00
|
|
|
|
|
|
|
// Check if it exists
|
|
|
|
theUser, err := GetUserByID(user.ID)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check if we have at least a username
|
|
|
|
if user.Username == "" {
|
|
|
|
//return User{}, ErrNoUsername{user.ID}
|
|
|
|
user.Username = theUser.Username // Dont change the username if we dont have one
|
|
|
|
}
|
|
|
|
|
|
|
|
user.Password = theUser.Password // set the password to the one in the database to not accedently resetting it
|
|
|
|
|
|
|
|
// Update it
|
|
|
|
_, err = x.Id(user.ID).Update(user)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// Get the newly updated user
|
|
|
|
updatedUser, err = GetUserByID(user.ID)
|
|
|
|
if err != nil {
|
2019-08-14 21:59:31 +02:00
|
|
|
return &User{}, err
|
2019-07-16 16:15:40 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return updatedUser, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// UpdateUserPassword updates the password of a user
|
|
|
|
func UpdateUserPassword(user *User, newPassword string) (err error) {
|
|
|
|
|
|
|
|
if newPassword == "" {
|
|
|
|
return ErrEmptyNewPassword{}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get all user details
|
|
|
|
theUser, err := GetUserByID(user.ID)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Hash the new password and set it
|
|
|
|
hashed, err := hashPassword(newPassword)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
theUser.Password = hashed
|
|
|
|
|
|
|
|
// Update it
|
|
|
|
_, err = x.Id(user.ID).Update(theUser)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|