hostr/web/lib/auth.js

import crypto from 'crypto';
import passwords from 'passwords';
import uuid from 'node-uuid';
import views from 'co-views';
const render = views(__dirname + '/../views', { default: 'ejs'});
import debugname from 'debug';
const debug = debugname('hostr-web:auth');
import { Mandrill } from 'mandrill-api/mandrill';
const mandrill = new Mandrill(process.env.MANDRILL_KEY);

export function* authenticate(email, password) {
  const Users = this.db.Users;
  const Logins = this.db.Logins;
  const remoteIp = this.headers['x-real-ip'] || this.ip;

  if (!password || password.length < 6) {
    debug('No password, or password too short');
    return new Error('Invalid login details');
  }
  const count = yield Logins.count({ip: remoteIp, successful: false, at: { '$gt': Math.ceil(Date.now() / 1000) - 600}});
  if (count > 25) {
    debug('Throttling brute force');
    return new Error('Invalid login details');
  }
  const login = {ip: remoteIp, at: Math.ceil(Date.now() / 1000), successful: null};
  yield Logins.save(login);
  const user = yield Users.findOne({email: email.toLowerCase(), banned: {'$exists': false}, status: {'$ne': 'deleted'}});
  if (user) {
    const verified = yield passwords.verify(password, user.salted_password);
    if (verified) {
      debug('Password verified');
      login.successful = true;
      yield Logins.updateOne({_id: login._id}, login);
      return user;
    }
    debug('Password invalid');
    login.successful = false;
    yield Logins.updateOne({_id: login._id}, login);
  } else {
    debug('Email invalid');
    login.successful = false;
    yield Logins.updateOne({_id: login._id}, login);
  }
}


export function* setupSession(user) {
  debug('Setting up session');
  const token = uuid.v4();
  yield this.redis.set(token, user._id, 'EX', 604800);

  const sessionUser = {
    'id': user._id,
    'email': user.email,
    'dailyUploadAllowance': 15,
    'maxFileSize': 20971520,
    'joined': user.joined,
    'plan': user.type || 'Free',
    'uploadsToday': yield this.db.Files.count({owner: user._id, 'time_added': {'$gt': Math.ceil(Date.now() / 1000) - 86400}}),
    'token': token,
    'md5': crypto.createHash('md5').update(user.email).digest('hex'),
  };

  if (sessionUser.plan === 'Pro') {
    sessionUser.maxFileSize = 524288000;
    sessionUser.dailyUploadAllowance = 'unlimited';
  }

  this.session.user = sessionUser;
  if (this.request.body.remember && this.request.body.remember === 'on') {
    const Remember = this.db.Remember;
    const rememberToken = uuid();
    Remember.save({_id: rememberToken, 'user_id': user.id, created: new Date().getTime()});
    this.cookies.set('r', rememberToken, { maxAge: 1209600000, httpOnly: true});
  }
  debug('Session set up');
}


export function* signup(email, password, ip) {
  const Users = this.db.Users;
  const existingUser = yield Users.findOne({email: email, status: {'$ne': 'deleted'}});
  if (existingUser) {
    debug('Email already in use.');
    throw new Error('Email already in use.');
  }
  const cryptedPassword = yield passwords.crypt(password);
  const user = {
    email: email,
    'salted_password': cryptedPassword,
    joined: Math.round(new Date().getTime() / 1000),
    'signup_ip': ip,
    activationCode: uuid(),
  };
  Users.insertOne(user);

  const html = yield render('email/inlined/activate', {activationUrl: process.env.WEB_BASE_URL + '/activate/' + user.activationCode});
  const text = `Thanks for signing up to Hostr!
Please confirm your email address by clicking the link below.

${process.env.WEB_BASE_URL + '/activate/' + user.activationCode}

— Jonathan Cremin, Hostr Founder
`;
  mandrill.messages.send({message: {
    html: html,
    text: text,
    subject: 'Welcome to Hostr',
    'from_email': 'jonathan@hostr.co',
    'from_name': 'Jonathan from Hostr',
    to: [{
      email: user.email,
      type: 'to',
    }],
    'tags': [
      'user-activation',
    ],
  }});
}


export function* sendResetToken(email) {
  const Users = this.db.Users;
  const Reset = this.db.Reset;
  const user = yield Users.findOne({email: email});
  if (user) {
    const token = uuid.v4();
    Reset.save({
      '_id': user._id,
      'token': token,
      'created': Math.round(new Date().getTime() / 1000),
    });
    const html = yield render('email/inlined/forgot', {forgotUrl: process.env.WEB_BASE_URL + '/forgot/' + token});
    const text = `It seems you've forgotten your password :(
Visit  ${process.env.WEB_BASE_URL + '/forgot/' + token} to set a new one.
`;
    mandrill.messages.send({message: {
      html: html,
      text: text,
      subject: 'Hostr Password Reset',
      'from_email': 'jonathan@hostr.co',
      'from_name': 'Jonathan from Hostr',
      to: [{
        email: user.email,
        type: 'to',
      }],
      'tags': [
        'password-reset',
      ],
    }});
  } else {
    throw new Error('There was an error looking up your email address.');
  }
}


export function* fromToken(token) {
  const Users = this.db.Users;
  const reply = yield this.redis.get(token);
  return yield Users.findOne({_id: reply});
}


export function* fromCookie(cookie) {
  const Remember = this.db.Remember;
  const Users = this.db.Users;
  const remember = yield Remember.findOne({_id: cookie});
  return yield Users.findOne({_id: remember.user_id});
}


export function* validateResetToken() {
  const Reset = this.db.Reset;
  return yield Reset.findOne({token: this.params.id});
}


export function* updatePassword(userId, password) {
  const Users = this.db.Users;
  const cryptedPassword = yield passwords.crypt(password);
  yield Users.updateOne({_id: userId}, {'$set': {'salted_password': cryptedPassword}});
}


export function* activateUser(code) {
  const Users = this.db.Users;
  const user = yield Users.findOne({activationCode: code});
  if (user) {
    Users.updateOne({_id: user._id}, {'$unset': {activationCode: ''}});
    yield setupSession.call(this, user);
    return true;
  }
  return false;
}