hostr/web/routes/user.js

import debugname from 'debug';
import {
  authenticate, setupSession, signup as signupUser, activateUser, sendResetToken,
  validateResetToken, updatePassword,
} from '../lib/auth';

import models from '../../models';

const debug = debugname('hostr-web:user');

export async function signin(ctx) {
  if (!ctx.request.body.email) {
    await ctx.render('signin', { csrf: ctx.csrf, async: true });
    return;
  }

  ctx.statsd.incr('auth.attempt', 1);

  const user = await authenticate.call(ctx, ctx.request.body.email, ctx.request.body.password);

  if (!user || !user.id) {
    ctx.statsd.incr('auth.failure', 1);
    await ctx.render('signin', { error: 'Invalid login details', csrf: ctx.csrf, async: true });
    return;
  } else if (user.activationCode) {
    await ctx.render('signin', {
      error: 'Your account hasn\'t been activated yet. Check for an activation email.',
      csrf: ctx.csrf,
      async: true, 
    });
    return;
  }
  ctx.statsd.incr('auth.success', 1);
  await setupSession.call(ctx, user);
  ctx.redirect('/');
}


export async function signup(ctx) {

  await ctx.render('signup', { error: 'Signups are disabled.', csrf: ctx.csrf, async: true });
  return;

  if (!ctx.request.body.email) {
    await ctx.render('signup', { csrf: ctx.csrf, async: true });
    return;
  }

  if (ctx.request.body.email !== ctx.request.body.confirm_email) {
    await ctx.render('signup', { error: 'Emails do not match.', csrf: ctx.csrf, async: true });
    return;
  } else if (ctx.request.body.email && !ctx.request.body.terms) {
    await ctx.render('signup', {
      error: 'You must agree to the terms of service.',
      csrf: ctx.csrf,
      async: true,
    });
    return;
  } else if (ctx.request.body.password && ctx.request.body.password.length < 7) {
    await ctx.render('signup', {
      error: 'Password must be at least 7 characters long.',
      csrf: ctx.csrf,
      async: true, 
    });
    return;
  }
  const ip = ctx.headers['x-forwarded-for'] || ctx.ip;
  const { email, password } = ctx.request.body;
  try {
    await signupUser.call(ctx, email, password, ip);
  } catch (e) {
    await ctx.render('signup', { error: e.message, csrf: ctx.csrf, async: true  });
    return;
  }
  ctx.statsd.incr('auth.signup', 1);
  await ctx.render('signup', {
    message: 'Thanks for signing up, we\'ve sent you an email to activate your account.',
    csrf: ctx.csrf,
    async: true,
  });
}


export async function forgot(ctx) {
  const { token } = ctx.params;

  if (ctx.request.body.password) {
    if (ctx.request.body.password.length < 7) {
      await ctx.render('forgot', {
        error: 'Password needs to be at least 7 characters long.',
        csrf: ctx.csrf,
        token,
        async: true,
      });
      return;
    }

    const user = await validateResetToken(token);
    if (user) {
      await updatePassword(user.userId, ctx.request.body.password);
      const reset = await models.reset.findByPk(token);
      reset.destroy();
      await setupSession.call(ctx, user);
      ctx.statsd.incr('auth.reset.success', 1);
      ctx.redirect('/');
    }
  } else if (token) {
    const tokenUser = await validateResetToken(token);
    if (!tokenUser) {
      ctx.statsd.incr('auth.reset.fail', 1);
      await ctx.render('forgot', {
        error: 'Invalid password reset token. It might be expired, or has already been used.',
        csrf: ctx.csrf,
        token: null,
        async: true,
      });
      return;
    }
    await ctx.render('forgot', { csrf: ctx.csrf, token, async: true });
  } else if (ctx.request.body.email) {

    try {
      const { email } = ctx.request.body;
      await sendResetToken.call(ctx, email);
      ctx.statsd.incr('auth.reset.request', 1);
      await ctx.render('forgot', {
        message: `We've sent an email with a link to reset your password.
        Be sure to check your spam folder if you it doesn't appear within a few minutes`,
        csrf: ctx.csrf,
        token: null,
        async: true,
      });
      return;
    } catch (error) {
      debug(error);
    }
  } else {
    await ctx.render('forgot', { csrf: ctx.csrf, token: null, async: true });
  }
}


export async function logout(ctx) {
  ctx.statsd.incr('auth.logout', 1);
  ctx.cookies.set('r', { expires: new Date(1), path: '/' });
  ctx.session = null;
  ctx.redirect('/');
}


export async function activate(ctx) {
  const { code } = ctx.params;
  if (await activateUser.call(ctx, code)) {
    ctx.statsd.incr('auth.activation', 1);
    ctx.redirect('/');
  } else {
    ctx.throw(400);
  }
}
Fix linting 2018-06-02 18:07:00 +00:00			`import debugname from 'debug';`
Get linting passing again 2016-06-06 15:37:00 +01:00			`import {`
			`authenticate, setupSession, signup as signupUser, activateUser, sendResetToken,`
			`validateResetToken, updatePassword,`
			`} from '../lib/auth';`
Fix linting 2018-06-02 18:07:00 +00:00
Postgres. 2016-06-19 10:14:47 -07:00			`import models from '../../models';`
Fix linting 2018-06-02 18:07:00 +00:00
Fix password reset 2015-08-23 16:50:40 +01:00			`const debug = debugname('hostr-web:user');`
Initial commit. 2015-07-09 23:01:43 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`export async function signin(ctx) {`
			`if (!ctx.request.body.email) {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('signin', { csrf: ctx.csrf, async: true });`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Add csrf checking for cookie posts, fix file hotlinking 2015-08-10 11:44:47 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('auth.attempt', 1);`

			`const user = await authenticate.call(ctx, ctx.request.body.email, ctx.request.body.password);`
More changes for db migration 2016-08-07 14:38:05 +01:00
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`if (!user \|\| !user.id) {`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('auth.failure', 1);`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('signin', { error: 'Invalid login details', csrf: ctx.csrf, async: true });`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`} else if (user.activationCode) {`
Update stuff 2018-06-02 15:50:39 +00:00			`await ctx.render('signin', {`
More changes for db migration 2016-08-07 14:38:05 +01:00			`error: 'Your account hasn\'t been activated yet. Check for an activation email.',`
Update stuff 2018-06-02 15:50:39 +00:00			`csrf: ctx.csrf,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('auth.success', 1);`
			`await setupSession.call(ctx, user);`
			`ctx.redirect('/');`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`


Update stuff 2018-06-02 15:50:39 +00:00			`export async function signup(ctx) {`
Disable signups, minor fixes 2025-05-30 09:03:26 +01:00
			`await ctx.render('signup', { error: 'Signups are disabled.', csrf: ctx.csrf, async: true });`
			`return;`

Update stuff 2018-06-02 15:50:39 +00:00			`if (!ctx.request.body.email) {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('signup', { csrf: ctx.csrf, async: true });`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`

Update stuff 2018-06-02 15:50:39 +00:00			`if (ctx.request.body.email !== ctx.request.body.confirm_email) {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('signup', { error: 'Emails do not match.', csrf: ctx.csrf, async: true });`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Update stuff 2018-06-02 15:50:39 +00:00			`} else if (ctx.request.body.email && !ctx.request.body.terms) {`
Fix linting 2018-06-02 18:07:00 +00:00			`await ctx.render('signup', {`
			`error: 'You must agree to the terms of service.',`
			`csrf: ctx.csrf,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Fix linting 2018-06-02 18:07:00 +00:00			`});`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Update stuff 2018-06-02 15:50:39 +00:00			`} else if (ctx.request.body.password && ctx.request.body.password.length < 7) {`
Fix linting 2018-06-02 18:07:00 +00:00			`await ctx.render('signup', {`
			`error: 'Password must be at least 7 characters long.',`
			`csrf: ctx.csrf,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Fix linting 2018-06-02 18:07:00 +00:00			`});`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Update stuff 2018-06-02 15:50:39 +00:00			`const ip = ctx.headers['x-forwarded-for'] \|\| ctx.ip;`
Fix linting 2018-06-02 18:07:00 +00:00			`const { email, password } = ctx.request.body;`
Initial commit. 2015-07-09 23:01:43 +01:00			`try {`
Update stuff 2018-06-02 15:50:39 +00:00			`await signupUser.call(ctx, email, password, ip);`
Initial commit. 2015-07-09 23:01:43 +01:00			`} catch (e) {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('signup', { error: e.message, csrf: ctx.csrf, async: true });`
Get linting passing again 2016-06-06 15:37:00 +01:00			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('auth.signup', 1);`
			`await ctx.render('signup', {`
Get linting passing again 2016-06-06 15:37:00 +01:00			`message: 'Thanks for signing up, we\'ve sent you an email to activate your account.',`
Fix emails and csrf 2018-08-11 12:08:16 +01:00			`csrf: ctx.csrf,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`


Update stuff 2018-06-02 15:50:39 +00:00			`export async function forgot(ctx) {`
Fix linting 2018-06-02 18:07:00 +00:00			`const { token } = ctx.params;`
Add CSRF protection. 2015-08-22 23:07:34 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`if (ctx.request.body.password) {`
			`if (ctx.request.body.password.length < 7) {`
			`await ctx.render('forgot', {`
Get linting passing again 2016-06-06 15:37:00 +01:00			`error: 'Password needs to be at least 7 characters long.',`
Update stuff 2018-06-02 15:50:39 +00:00			`csrf: ctx.csrf,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`token,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Fix emails and csrf 2018-08-11 12:08:16 +01:00
Update stuff 2018-06-02 15:50:39 +00:00			`const user = await validateResetToken(token);`
More changes for db migration 2016-08-07 14:38:05 +01:00			`if (user) {`
Update stuff 2018-06-02 15:50:39 +00:00			`await updatePassword(user.userId, ctx.request.body.password);`
Update dependencies 2019-06-08 07:52:57 -07:00			`const reset = await models.reset.findByPk(token);`
Fix linting 2018-06-02 18:07:00 +00:00			`reset.destroy();`
Update stuff 2018-06-02 15:50:39 +00:00			`await setupSession.call(ctx, user);`
			`ctx.statsd.incr('auth.reset.success', 1);`
			`ctx.redirect('/');`
More changes for db migration 2016-08-07 14:38:05 +01:00			`}`
Fix password reset 2015-08-23 16:50:40 +01:00			`} else if (token) {`
Update stuff 2018-06-02 15:50:39 +00:00			`const tokenUser = await validateResetToken(token);`
Initial commit. 2015-07-09 23:01:43 +01:00			`if (!tokenUser) {`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.statsd.incr('auth.reset.fail', 1);`
			`await ctx.render('forgot', {`
Get linting passing again 2016-06-06 15:37:00 +01:00			`error: 'Invalid password reset token. It might be expired, or has already been used.',`
Update stuff 2018-06-02 15:50:39 +00:00			`csrf: ctx.csrf,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`token: null,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
			`return;`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('forgot', { csrf: ctx.csrf, token, async: true });`
Update stuff 2018-06-02 15:50:39 +00:00			`} else if (ctx.request.body.email) {`
Fix emails and csrf 2018-08-11 12:08:16 +01:00
Fix password reset 2015-08-23 16:50:40 +01:00			`try {`
Fix linting 2018-06-02 18:07:00 +00:00			`const { email } = ctx.request.body;`
Update stuff 2018-06-02 15:50:39 +00:00			`await sendResetToken.call(ctx, email);`
			`ctx.statsd.incr('auth.reset.request', 1);`
			`await ctx.render('forgot', {`
Get linting passing again 2016-06-06 15:37:00 +01:00			message: `We've sent an email with a link to reset your password.
			Be sure to check your spam folder if you it doesn't appear within a few minutes`,
Update stuff 2018-06-02 15:50:39 +00:00			`csrf: ctx.csrf,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`token: null,`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`async: true,`
Get linting passing again 2016-06-06 15:37:00 +01:00			`});`
			`return;`
Fix password reset 2015-08-23 16:50:40 +01:00			`} catch (error) {`
			`debug(error);`
			`}`
Initial commit. 2015-07-09 23:01:43 +01:00			`} else {`
Fix broken shit after dep updates 2020-06-14 22:29:04 +01:00			`await ctx.render('forgot', { csrf: ctx.csrf, token: null, async: true });`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`
			`}`


Update stuff 2018-06-02 15:50:39 +00:00			`export async function logout(ctx) {`
			`ctx.statsd.incr('auth.logout', 1);`
			`ctx.cookies.set('r', { expires: new Date(1), path: '/' });`
			`ctx.session = null;`
			`ctx.redirect('/');`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`


Update stuff 2018-06-02 15:50:39 +00:00			`export async function activate(ctx) {`
Fix linting 2018-06-02 18:07:00 +00:00			`const { code } = ctx.params;`
Update stuff 2018-06-02 15:50:39 +00:00			`if (await activateUser.call(ctx, code)) {`
			`ctx.statsd.incr('auth.activation', 1);`
			`ctx.redirect('/');`
Add CSRF protection. 2015-08-22 23:07:34 +01:00			`} else {`
Update stuff 2018-06-02 15:50:39 +00:00			`ctx.throw(400);`
Add more stat collection 2015-08-09 17:21:39 +01:00			`}`
Initial commit. 2015-07-09 23:01:43 +01:00			`}`