hostr/web/lib/auth.js

import crypto from 'crypto';
import { join } from 'path';
import passwords from 'passwords';
import uuid from 'node-uuid';
import views from 'co-views';
import debugname from 'debug';
import sendgridInit from 'sendgrid';
import models from '../../models';

const render = views(join(__dirname, '..', 'views'), { default: 'ejs' });
const debug = debugname('hostr-web:auth');
const sendgrid = sendgridInit(process.env.SENDGRID_KEY);

const from = process.env.EMAIL_FROM;
const fromname = process.env.EMAIL_NAME;

export async function authenticate(email, password) {
  const remoteIp = this.headers['x-forwarded-for'] || this.ip;

  if (!password || password.length < 6) {
    debug('No password, or password too short');
    return new Error('Invalid login details');
  }
  const count = await models.login.count({
    where: {
      ip: remoteIp,
      successful: false,
      createdAt: {
        $gt: Math.ceil(Date.now()) - 600000,
      },
    },
  });

  if (count > 25) {
    debug('Throttling brute force');
    return new Error('Invalid login details');
  }
  const user = await models.user.findOne({
    where: {
      email: email.toLowerCase(),
      activated: true,
    },
  });
  debug(user);
  const login = await models.login.create({
    ip: remoteIp,
    successful: false,
  });

  if (user && user.password) {
    if (await passwords.verify(password, user.password)) {
      debug('Password verified');
      login.successful = true;
      await login.save();
      debug(user);
      return user;
    }
    debug('Password invalid');
    login.userId = user.id;
  }
  await login.save();
  return false;
}


export async function setupSession(user) {
  debug('Setting up session');
  const token = uuid.v4();
  await this.redis.set(token, user.id, 'EX', 604800);

  const sessionUser = {
    id: user.id,
    email: user.email,
    dailyUploadAllowance: 15,
    maxFileSize: 20971520,
    joined: user.createdAt,
    plan: user.plan,
    uploadsToday: await models.file.count({ userId: user.id }),
    md5: crypto.createHash('md5').update(user.email).digest('hex'),
    token,
  };

  if (sessionUser.plan === 'Pro') {
    sessionUser.maxFileSize = 524288000;
    sessionUser.dailyUploadAllowance = 'unlimited';
  }

  this.session.user = sessionUser;
  if (this.request.body.remember && this.request.body.remember === 'on') {
    const remember = await models.remember.create({
      id: uuid(),
      userId: user.id,
    });
    this.cookies.set('r', remember.id, { maxAge: 1209600000, httpOnly: true });
  }
  debug('Session set up');
}


export async function signup(email, password, ip) {
  const existingUser = await models.user.findOne({
    where: {
      email,
      activated: true,
    },
  });
  if (existingUser) {
    debug('Email already in use.');
    throw new Error('Email already in use.');
  }
  const cryptedPassword = await passwords.crypt(password);
  const user = await models.user.create({
    email,
    password: cryptedPassword,
    ip,
    plan: 'Free',
    activation: {
      id: uuid(),
      email,
    },
  }, {
    include: [models.activation],
  });

  await user.save();

  const html = await render('email/inlined/activate', {
    activationUrl: `${process.env.WEB_BASE_URL}/activate/${user.activation.id}`,
  });
  const text = `Thanks for signing up to Hostr!
Please confirm your email address by clicking the link below.

${process.env.WEB_BASE_URL}/activate/${user.activation.id}

— Jonathan Cremin, Hostr Founder
`;
  const mail = new sendgrid.Email({
    to: user.email,
    subject: 'Welcome to Hostr',
    from,
    fromname,
    html,
    text,
  });
  mail.addCategory('activate');
  sendgrid.send(mail);
}


export async function sendResetToken(email) {
  const user = await models.user.findOne({
    where: {
      email,
    },
  });
  if (user) {
    const reset = await models.reset.create({
      id: uuid.v4(),
      userId: user.id,
    });
    const html = await render('email/inlined/forgot', {
      forgotUrl: `${process.env.WEB_BASE_URL}/forgot/${reset.id}`,
    });
    const text = `It seems you've forgotten your password :(
Visit  ${process.env.WEB_BASE_URL}/forgot/${reset.id} to set a new one.
`;
    const mail = new sendgrid.Email({
      to: user.email,
      from: 'jonathan@hostr.co',
      fromname: 'Jonathan from Hostr',
      subject: 'Hostr Password Reset',
      html,
      text,
    });
    mail.addCategory('password-reset');
    sendgrid.send(mail);
  } else {
    throw new Error('There was an error looking up your email address.');
  }
}


export async function fromToken(token) {
  const userId = await this.redis.get(token);
  return await models.user.findById(userId);
}


export async function fromCookie(rememberId) {
  const userId = await models.remember.findById(rememberId);
  return await models.user.findById(userId);
}


export async function validateResetToken(resetId) {
  return await models.reset.findById(resetId);
}


export async function updatePassword(userId, password) {
  const cryptedPassword = await passwords.crypt(password);
  const user = await models.user.findById(userId);
  user.password = cryptedPassword;
  await user.save();
}


export async function activateUser(code) {
  debug(code);
  const activation = await models.activation.findOne({
    where: {
      id: code,
    },
  });
  if (activation.updatedAt.getTime() === activation.createdAt.getTime()) {
    activation.activated = true;
    await activation.save();
    const user = await activation.getUser();
    user.activated = true;
    await user.save();
    await setupSession.call(this, user);
    return true;
  }
  return false;
}