wildduck/lib/api/auth.js

'use strict';

const Joi = require('joi');
const MongoPaging = require('mongo-cursor-pagination');
const ObjectID = require('mongodb').ObjectID;
const tools = require('../tools');
const roles = require('../roles');
const { nextPageCursorSchema, previousPageCursorSchema, pageNrSchema, sessSchema, sessIPSchema, booleanSchema } = require('../schemas');

module.exports = (db, server, userHandler) => {
    server.post(
        '/authenticate',
        tools.asyncifyJson(async (req, res, next) => {
            res.charSet('utf-8');

            const schema = Joi.object().keys({
                username: Joi.alternatives()
                    .try(
                        Joi.string()
                            .lowercase()
                            .regex(/^[a-z0-9][a-z0-9.]+[a-z0-9]$/, 'username')
                            .min(3)
                            .max(30),
                        Joi.string().email({ tlds: false })
                    )
                    .required(),
                password: Joi.string().max(256).required(),

                protocol: Joi.string().default('API'),
                scope: Joi.string()
                    .default('master')
                    // token can be true only if scope is master
                    .when('token', { is: true, then: Joi.valid('master') }),

                appId: Joi.string().empty('').uri(),

                token: booleanSchema.default(false),

                sess: sessSchema,
                ip: sessIPSchema
            });

            const result = schema.validate(req.params, {
                abortEarly: false,
                convert: true
            });

            if (result.error) {
                res.status(400);
                res.json({
                    error: result.error.message,
                    code: 'InputValidationError',
                    details: tools.validationErrors(result)
                });
                return next();
            }

            let permission = roles.can(req.role).createAny('authentication');

            // permissions check
            req.validate(permission);

            // filter out unallowed fields
            result.value = permission.filter(result.value);

            let meta = {
                protocol: result.value.protocol,
                sess: result.value.sess,
                ip: result.value.ip
            };

            if (result.value.appId) {
                meta.appId = result.value.appId;
            }

            let authData, user;

            try {
                [authData, user] = await userHandler.asyncAuthenticate(result.value.username, result.value.password, result.value.scope, meta);
            } catch (err) {
                let response = {
                    error: err.message,
                    code: 'AuthFailed' || err.code
                };
                if (user) {
                    response.id = user.toString();
                }
                res.status(403);
                res.json(response);
                return next();
            }

            if (!authData) {
                let response = {
                    error: 'Authentication failed',
                    code: 'AuthFailed'
                };
                if (user) {
                    response.id = user.toString();
                }
                res.status(403);
                res.json(response);
                return next();
            }

            let authResponse = {
                success: true,
                id: authData.user.toString(),
                username: authData.username,
                scope: authData.scope,
                require2fa: authData.require2fa,
                requirePasswordChange: authData.requirePasswordChange
            };

            if (result.value.token) {
                try {
                    authResponse.token = await userHandler.generateAuthToken(authData.user);
                } catch (err) {
                    let response = {
                        error: err.message,
                        code: err.code || 'AuthFailed',
                        id: user.toString()
                    };
                    res.status(500);
                    res.json(response);
                    return next();
                }
            }

            if (authData.u2fAuthRequest) {
                authResponse.u2fAuthRequest = authData.u2fAuthRequest;
            }

            res.status(200);
            res.json(permission.filter(authResponse));
            return next();
        })
    );

    server.del(
        '/authenticate',
        tools.asyncifyJson(async (req, res, next) => {
            res.charSet('utf-8');

            if (req.accessToken) {
                try {
                    await db.redis
                        .multi()
                        .del('tn:token:' + req.accessToken.hash)
                        .exec();
                } catch (err) {
                    // ignore
                }
            }

            res.json({ success: true });
            return next();
        })
    );

    server.get(
        { name: 'authlog', path: '/users/:user/authlog' },
        tools.asyncifyJson(async (req, res, next) => {
            res.charSet('utf-8');

            const schema = Joi.object().keys({
                user: Joi.string().hex().lowercase().length(24).required(),
                action: Joi.string().trim().lowercase().empty('').max(100),
                limit: Joi.number().default(20).min(1).max(250),
                next: nextPageCursorSchema,
                previous: previousPageCursorSchema,
                page: pageNrSchema,
                filterip: sessIPSchema,

                sess: sessSchema,
                ip: sessIPSchema
            });

            const result = schema.validate(req.params, {
                abortEarly: false,
                convert: true,
                allowUnknown: false
            });

            if (result.error) {
                res.status(400);
                res.json({
                    error: result.error.message,
                    code: 'InputValidationError',
                    details: tools.validationErrors(result)
                });
                return next();
            }

            // permissions check
            if (req.user && req.user === result.value.user) {
                req.validate(roles.can(req.role).readOwn('authentication'));
            } else {
                req.validate(roles.can(req.role).readAny('authentication'));
            }

            let user = new ObjectID(result.value.user);
            let limit = result.value.limit;

            let action = result.value.action;
            let ip = result.value.filterIp;

            let page = result.value.page;
            let pageNext = result.value.next;
            let pagePrevious = result.value.previous;

            let userData;
            try {
                userData = await db.users.collection('users').findOne(
                    {
                        _id: user
                    },
                    {
                        projection: {
                            _id: true
                        }
                    }
                );
            } catch (err) {
                res.json({
                    error: 'MongoDB Error: ' + err.message,
                    code: 'InternalDatabaseError'
                });
                return next();
            }

            if (!userData) {
                res.json({
                    error: 'This user does not exist',
                    code: 'UserNotFound'
                });
                return next();
            }

            let filter = { user };
            if (ip) {
                filter.ip = ip;
            }

            let total = await db.users.collection('authlog').countDocuments(filter);

            let opts = {
                limit,
                query: filter,
                sortAscending: false
            };

            if (pageNext) {
                opts.next = pageNext;
            } else if ((!page || page > 1) && pagePrevious) {
                opts.previous = pagePrevious;
            }

            let listing;
            try {
                listing = await MongoPaging.find(db.users.collection('authlog'), opts);
            } catch (err) {
                res.json({
                    error: 'MongoDB Error: ' + err.message,
                    code: 'InternalDatabaseError'
                });
                return next();
            }

            if (!listing.hasPrevious) {
                page = 1;
            }

            let response = {
                success: true,
                action,
                total,
                page,
                previousCursor: listing.hasPrevious ? listing.previous : false,
                nextCursor: listing.hasNext ? listing.next : false,
                results: (listing.results || []).map(resultData => {
                    let response = {
                        id: (resultData._id || '').toString()
                    };
                    Object.keys(resultData).forEach(key => {
                        if (!['_id', 'user'].includes(key)) {
                            response[key] = resultData[key];
                        }
                    });
                    return response;
                })
            };

            res.json(response);
            return next();
        })
    );

    server.get(
        '/users/:user/authlog/:event',
        tools.asyncifyJson(async (req, res, next) => {
            res.charSet('utf-8');

            const schema = Joi.object().keys({
                user: Joi.string().hex().lowercase().length(24).required(),
                event: Joi.string().hex().lowercase().length(24).required(),
                sess: sessSchema,
                ip: sessIPSchema
            });

            const result = schema.validate(req.params, {
                abortEarly: false,
                convert: true,
                allowUnknown: false
            });

            if (result.error) {
                res.status(400);
                res.json({
                    error: result.error.message,
                    code: 'InputValidationError',
                    details: tools.validationErrors(result)
                });
                return next();
            }

            // permissions check
            if (req.user && req.user === result.value.user) {
                req.validate(roles.can(req.role).readOwn('authentication'));
            } else {
                req.validate(roles.can(req.role).readAny('authentication'));
            }

            let user = new ObjectID(result.value.user);
            let event = new ObjectID(result.value.event);

            let userData;
            try {
                userData = await db.users.collection('users').findOne(
                    {
                        _id: user
                    },
                    {
                        projection: {
                            _id: true
                        }
                    }
                );
            } catch (err) {
                res.json({
                    error: 'MongoDB Error: ' + err.message,
                    code: 'InternalDatabaseError'
                });
                return next();
            }

            if (!userData) {
                res.json({
                    error: 'This user does not exist',
                    code: 'UserNotFound'
                });
                return next();
            }

            let filter = { _id: event, user };
            let eventData;
            try {
                eventData = await db.users.collection('authlog').findOne(filter);
            } catch (err) {
                res.json({
                    error: 'MongoDB Error: ' + err.message,
                    code: 'InternalDatabaseError'
                });
                return next();
            }

            if (!eventData) {
                res.json({
                    error: 'Event was not found',
                    code: 'EventNotFound'
                });
                return next();
            }

            let response = {
                success: true,
                id: eventData._id.toString()
            };
            Object.keys(eventData).forEach(key => {
                if (!['_id', 'user'].includes(key)) {
                    response[key] = eventData[key];
                }
            });

            res.json(response);
            return next();
        })
    );
};
refactor api 2017-07-26 16:52:55 +08:00			`'use strict';`

Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`const Joi = require('joi');`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`const MongoPaging = require('mongo-cursor-pagination');`
refactor api 2017-07-26 16:52:55 +08:00			`const ObjectID = require('mongodb').ObjectID;`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`const tools = require('../tools');`
some access control 2018-08-29 18:15:38 +08:00			`const roles = require('../roles');`
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`const { nextPageCursorSchema, previousPageCursorSchema, pageNrSchema, sessSchema, sessIPSchema, booleanSchema } = require('../schemas');`
refactor api 2017-07-26 16:52:55 +08:00
			`module.exports = (db, server, userHandler) => {`
some access control 2018-08-29 18:15:38 +08:00			`server.post(`
			`'/authenticate',`
			`tools.asyncifyJson(async (req, res, next) => {`
			`res.charSet('utf-8');`
refactor api 2017-07-26 16:52:55 +08:00
some access control 2018-08-29 18:15:38 +08:00			`const schema = Joi.object().keys({`
			`username: Joi.alternatives()`
			`.try(`
			`Joi.string()`
			`.lowercase()`
			`.regex(/^[a-z0-9][a-z0-9.]+[a-z0-9]$/, 'username')`
			`.min(3)`
			`.max(30),`
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`Joi.string().email({ tlds: false })`
some access control 2018-08-29 18:15:38 +08:00			`)`
			`.required(),`
default GET+POST to req.params 2020-07-16 16:15:04 +08:00			`password: Joi.string().max(256).required(),`
some access control 2018-08-29 18:15:38 +08:00
			`protocol: Joi.string().default('API'),`
v1.15.2 2019-03-21 16:30:32 +08:00			`scope: Joi.string()`
			`.default('master')`
			`// token can be true only if scope is master`
			`.when('token', { is: true, then: Joi.valid('master') }),`
refactor api 2017-07-26 16:52:55 +08:00
default GET+POST to req.params 2020-07-16 16:15:04 +08:00			`appId: Joi.string().empty('').uri(),`
some access control 2018-08-29 18:15:38 +08:00
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`token: booleanSchema.default(false),`
experimental user token generation on auth 2019-03-21 05:19:15 +08:00
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`sess: sessSchema,`
			`ip: sessIPSchema`
refactor api 2017-07-26 16:52:55 +08:00			`});`
v1.30.2 2020-10-08 13:55:56 +08:00
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`const result = schema.validate(req.params, {`
some access control 2018-08-29 18:15:38 +08:00			`abortEarly: false,`
			`convert: true`
			`});`

			`if (result.error) {`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(400);`
some access control 2018-08-29 18:15:38 +08:00			`res.json({`
			`error: result.error.message,`
show validation errors in JSON response 2020-07-16 16:31:58 +08:00			`code: 'InputValidationError',`
			`details: tools.validationErrors(result)`
some access control 2018-08-29 18:15:38 +08:00			`});`
			`return next();`
			`}`

experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`let permission = roles.can(req.role).createAny('authentication');`

some access control 2018-08-29 18:15:38 +08:00			`// permissions check`
experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`req.validate(permission);`

			`// filter out unallowed fields`
			`result.value = permission.filter(result.value);`
refactor api 2017-07-26 16:52:55 +08:00
some access control 2018-08-29 18:15:38 +08:00			`let meta = {`
			`protocol: result.value.protocol,`
			`sess: result.value.sess,`
			`ip: result.value.ip`
			`};`
allow setting appId for u2f 2018-06-28 14:12:31 +08:00
some access control 2018-08-29 18:15:38 +08:00			`if (result.value.appId) {`
			`meta.appId = result.value.appId;`
			`}`

			`let authData, user;`

			`try {`
v1.21.0 2019-07-12 15:21:48 +08:00			`[authData, user] = await userHandler.asyncAuthenticate(result.value.username, result.value.password, result.value.scope, meta);`
some access control 2018-08-29 18:15:38 +08:00			`} catch (err) {`
v1.4.2 2018-08-23 16:32:21 +08:00			`let response = {`
v1.12.4 2019-01-13 19:13:22 +08:00			`error: err.message,`
			`code: 'AuthFailed' \|\| err.code`
v1.4.2 2018-08-23 16:32:21 +08:00			`};`
			`if (user) {`
			`response.id = user.toString();`
			`}`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(403);`
v1.4.2 2018-08-23 16:32:21 +08:00			`res.json(response);`
refactor api 2017-07-26 16:52:55 +08:00			`return next();`
			`}`

			`if (!authData) {`
v1.4.2 2018-08-23 16:32:21 +08:00			`let response = {`
			`error: 'Authentication failed',`
			`code: 'AuthFailed'`
			`};`
			`if (user) {`
			`response.id = user.toString();`
			`}`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(403);`
v1.4.2 2018-08-23 16:32:21 +08:00			`res.json(response);`
refactor api 2017-07-26 16:52:55 +08:00			`return next();`
			`}`

Support a single u2f key 2017-10-10 16:19:10 +08:00			`let authResponse = {`
refactor api 2017-07-26 16:52:55 +08:00			`success: true,`
force id to string before filtering 2019-03-21 05:51:35 +08:00			`id: authData.user.toString(),`
refactor api 2017-07-26 16:52:55 +08:00			`username: authData.username,`
			`scope: authData.scope,`
added API endpoint to reset user password 2017-08-05 20:55:29 +08:00			`require2fa: authData.require2fa,`
			`requirePasswordChange: authData.requirePasswordChange`
Support a single u2f key 2017-10-10 16:19:10 +08:00			`};`

experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`if (result.value.token) {`
			`try {`
			`authResponse.token = await userHandler.generateAuthToken(authData.user);`
			`} catch (err) {`
			`let response = {`
			`error: err.message,`
v1.17.0 2019-04-05 20:08:46 +08:00			`code: err.code \|\| 'AuthFailed',`
experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`id: user.toString()`
			`};`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(500);`
experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`res.json(response);`
			`return next();`
			`}`
			`}`

Support a single u2f key 2017-10-10 16:19:10 +08:00			`if (authData.u2fAuthRequest) {`
			`authResponse.u2fAuthRequest = authData.u2fAuthRequest;`
			`}`

migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(200);`
experimental user token generation on auth 2019-03-21 05:19:15 +08:00			`res.json(permission.filter(authResponse));`
refactor api 2017-07-26 16:52:55 +08:00			`return next();`
some access control 2018-08-29 18:15:38 +08:00			`})`
			`);`
refactor api 2017-07-26 16:52:55 +08:00
v1.17.0 2019-04-05 20:08:46 +08:00			`server.del(`
			`'/authenticate',`
			`tools.asyncifyJson(async (req, res, next) => {`
			`res.charSet('utf-8');`

			`if (req.accessToken) {`
			`try {`
			`await db.redis`
			`.multi()`
			`.del('tn:token:' + req.accessToken.hash)`
			`.exec();`
			`} catch (err) {`
			`// ignore`
			`}`
			`}`

			`res.json({ success: true });`
			`return next();`
			`})`
			`);`

Use async mongo paging 2018-08-03 20:44:03 +08:00			`server.get(`
			`{ name: 'authlog', path: '/users/:user/authlog' },`
			`tools.asyncifyJson(async (req, res, next) => {`
			`res.charSet('utf-8');`

			`const schema = Joi.object().keys({`
default GET+POST to req.params 2020-07-16 16:15:04 +08:00			`user: Joi.string().hex().lowercase().length(24).required(),`
			`action: Joi.string().trim().lowercase().empty('').max(100),`
			`limit: Joi.number().default(20).min(1).max(250),`
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`next: nextPageCursorSchema,`
			`previous: previousPageCursorSchema,`
			`page: pageNrSchema,`
			`filterip: sessIPSchema,`

			`sess: sessSchema,`
			`ip: sessIPSchema`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`});`
refactor api 2017-07-26 16:52:55 +08:00
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`const result = schema.validate(req.params, {`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`abortEarly: false,`
			`convert: true,`
			`allowUnknown: false`
refactor api 2017-07-26 16:52:55 +08:00			`});`

Use async mongo paging 2018-08-03 20:44:03 +08:00			`if (result.error) {`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(400);`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`res.json({`
			`error: result.error.message,`
show validation errors in JSON response 2020-07-16 16:31:58 +08:00			`code: 'InputValidationError',`
			`details: tools.validationErrors(result)`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`});`
			`return next();`
			`}`

some access control 2018-08-29 18:15:38 +08:00			`// permissions check`
			`if (req.user && req.user === result.value.user) {`
			`req.validate(roles.can(req.role).readOwn('authentication'));`
			`} else {`
			`req.validate(roles.can(req.role).readAny('authentication'));`
			`}`

Use async mongo paging 2018-08-03 20:44:03 +08:00			`let user = new ObjectID(result.value.user);`
			`let limit = result.value.limit;`
updated indexes 2018-08-15 04:03:12 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`let action = result.value.action;`
filter ip 2018-11-12 20:36:34 +08:00			`let ip = result.value.filterIp;`
updated indexes 2018-08-15 04:03:12 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`let page = result.value.page;`
			`let pageNext = result.value.next;`
			`let pagePrevious = result.value.previous;`

			`let userData;`
			`try {`
			`userData = await db.users.collection('users').findOne(`
			`{`
			`_id: user`
			`},`
			`{`
use projection instead of fields 2018-08-15 04:45:45 +08:00			`projection: {`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`_id: true`
			`}`
refactor api 2017-07-26 16:52:55 +08:00			`}`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`);`
			`} catch (err) {`
			`res.json({`
			`error: 'MongoDB Error: ' + err.message,`
			`code: 'InternalDatabaseError'`
			`});`
			`return next();`
			`}`
refactor api 2017-07-26 16:52:55 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`if (!userData) {`
			`res.json({`
			`error: 'This user does not exist',`
			`code: 'UserNotFound'`
			`});`
			`return next();`
			`}`
v1.0.90 2017-11-23 17:51:37 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`let filter = { user };`
			`if (ip) {`
			`filter.ip = ip;`
			`}`
refactor api 2017-07-26 16:52:55 +08:00
filter ip 2018-11-12 20:39:11 +08:00			`let total = await db.users.collection('authlog').countDocuments(filter);`
v1.0.90 2017-11-23 17:51:37 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`let opts = {`
			`limit,`
			`query: filter,`
			`sortAscending: false`
			`};`
v1.0.90 2017-11-23 17:51:37 +08:00
Use async mongo paging 2018-08-03 20:44:03 +08:00			`if (pageNext) {`
			`opts.next = pageNext;`
do not use fields 2018-09-20 16:28:43 +08:00			`} else if ((!page \|\| page > 1) && pagePrevious) {`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`opts.previous = pagePrevious;`
			`}`

			`let listing;`
			`try {`
			`listing = await MongoPaging.find(db.users.collection('authlog'), opts);`
			`} catch (err) {`
			`res.json({`
			`error: 'MongoDB Error: ' + err.message,`
			`code: 'InternalDatabaseError'`
refactor api 2017-07-26 16:52:55 +08:00			`});`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`return next();`
v1.0.90 2017-11-23 17:51:37 +08:00			`}`
Use async mongo paging 2018-08-03 20:44:03 +08:00
			`if (!listing.hasPrevious) {`
			`page = 1;`
			`}`

			`let response = {`
			`success: true,`
			`action,`
			`total,`
			`page,`
			`previousCursor: listing.hasPrevious ? listing.previous : false,`
			`nextCursor: listing.hasNext ? listing.next : false,`
			`results: (listing.results \|\| []).map(resultData => {`
			`let response = {`
v1.10.10 2018-11-14 19:32:40 +08:00			`id: (resultData._id \|\| '').toString()`
Use async mongo paging 2018-08-03 20:44:03 +08:00			`};`
			`Object.keys(resultData).forEach(key => {`
			`if (!['_id', 'user'].includes(key)) {`
			`response[key] = resultData[key];`
			`}`
			`});`
			`return response;`
			`})`
			`};`

			`res.json(response);`
			`return next();`
			`})`
			`);`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`server.get(`
			`'/users/:user/authlog/:event',`
			`tools.asyncifyJson(async (req, res, next) => {`
			`res.charSet('utf-8');`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`const schema = Joi.object().keys({`
default GET+POST to req.params 2020-07-16 16:15:04 +08:00			`user: Joi.string().hex().lowercase().length(24).required(),`
			`event: Joi.string().hex().lowercase().length(24).required(),`
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`sess: sessSchema,`
			`ip: sessIPSchema`
some access control 2018-08-29 18:15:38 +08:00			`});`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
Upgraded joi to latest 2020-07-20 01:51:06 +08:00			`const result = schema.validate(req.params, {`
some access control 2018-08-29 18:15:38 +08:00			`abortEarly: false,`
			`convert: true,`
			`allowUnknown: false`
allow fetching specific event data 2018-01-12 16:16:16 +08:00			`});`

some access control 2018-08-29 18:15:38 +08:00			`if (result.error) {`
migrated API tests from icedfrisby to supertest 2019-07-31 21:05:59 +08:00			`res.status(400);`
some access control 2018-08-29 18:15:38 +08:00			`res.json({`
			`error: result.error.message,`
show validation errors in JSON response 2020-07-16 16:31:58 +08:00			`code: 'InputValidationError',`
			`details: tools.validationErrors(result)`
some access control 2018-08-29 18:15:38 +08:00			`});`
			`return next();`
			`}`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`// permissions check`
			`if (req.user && req.user === result.value.user) {`
			`req.validate(roles.can(req.role).readOwn('authentication'));`
			`} else {`
			`req.validate(roles.can(req.role).readAny('authentication'));`
			`}`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`let user = new ObjectID(result.value.user);`
			`let event = new ObjectID(result.value.event);`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`let userData;`
			`try {`
			`userData = await db.users.collection('users').findOne(`
			`{`
			`_id: user`
			`},`
			`{`
			`projection: {`
			`_id: true`
allow fetching specific event data 2018-01-12 16:16:16 +08:00			`}`
some access control 2018-08-29 18:15:38 +08:00			`}`
			`);`
			`} catch (err) {`
			`res.json({`
			`error: 'MongoDB Error: ' + err.message,`
			`code: 'InternalDatabaseError'`
			`});`
			`return next();`
			`}`
allow fetching specific event data 2018-01-12 16:16:16 +08:00
some access control 2018-08-29 18:15:38 +08:00			`if (!userData) {`
			`res.json({`
			`error: 'This user does not exist',`
			`code: 'UserNotFound'`
allow fetching specific event data 2018-01-12 16:16:16 +08:00			`});`
some access control 2018-08-29 18:15:38 +08:00			`return next();`
allow fetching specific event data 2018-01-12 16:16:16 +08:00			`}`
some access control 2018-08-29 18:15:38 +08:00
			`let filter = { _id: event, user };`
			`let eventData;`
			`try {`
filter ip 2018-11-12 20:39:11 +08:00			`eventData = await db.users.collection('authlog').findOne(filter);`
some access control 2018-08-29 18:15:38 +08:00			`} catch (err) {`
			`res.json({`
			`error: 'MongoDB Error: ' + err.message,`
			`code: 'InternalDatabaseError'`
			`});`
			`return next();`
			`}`

			`if (!eventData) {`
			`res.json({`
			`error: 'Event was not found',`
			`code: 'EventNotFound'`
			`});`
			`return next();`
			`}`

			`let response = {`
			`success: true,`
Do not use _id in API response 2021-01-07 15:41:48 +08:00			`id: eventData._id.toString()`
some access control 2018-08-29 18:15:38 +08:00			`};`
			`Object.keys(eventData).forEach(key => {`
			`if (!['_id', 'user'].includes(key)) {`
			`response[key] = eventData[key];`
			`}`
			`});`

			`res.json(response);`
			`return next();`
			`})`
			`);`
refactor api 2017-07-26 16:52:55 +08:00			`};`