wildduck/lib/user-handler.js
2017-07-16 14:37:33 +03:00

630 lines
21 KiB
JavaScript

'use strict';
const config = require('wild-config');
const log = require('npmlog');
const bcrypt = require('bcryptjs');
const speakeasy = require('speakeasy');
const QRCode = require('qrcode');
const tools = require('./tools');
const ObjectID = require('mongodb').ObjectID;
const generatePassword = require('generate-password');
const base32 = require('base32.js');
const os = require('os');
const MAX_STORAGE = 1 * (1024 * 1024 * 1024);
const MAX_RECIPIENTS = 2000;
const MAX_FORWARDS = 2000;
const JUNK_RETENTION = 30 * 24 * 3600 * 1000;
const mailboxTranslations = {
en: {
'\\Sent': 'Sent Mail',
'\\Trash': 'Trash',
'\\Junk': 'Junk',
'\\Drafts': 'Drafts',
'\\Archive': 'Archive'
},
et: {
'\\Sent': 'Saadetud kirjad',
'\\Trash': 'Prügikast',
'\\Junk': 'Rämpspost',
'\\Drafts': 'Mustandid',
'\\Archive': 'Arhiiv'
}
};
class UserHandler {
constructor(options) {
this.database = options.database;
this.users = options.users || options.database;
this.redis = options.redis;
}
/**
* Authenticate user
*
* @param {String} username Either username or email address
*/
authenticate(username, password, meta, callback) {
if (!callback && typeof meta === 'function') {
callback = meta;
meta = {};
}
if (!password) {
// do not allow signing in without a password
return callback(null, false);
}
let checkAddress = next => {
if (username.indexOf('@') < 0) {
// assume regular username
return next(null, {
username
});
}
// try to find existing email address
let address = tools.normalizeAddress(username);
this.users.collection('addresses').findOne({
address
}, {
fields: {
user: true
}
}, (err, addressData) => {
if (err) {
return callback(err);
}
if (!addressData) {
return callback(null, false);
}
return next(null, {
_id: addressData.user
});
});
};
checkAddress((err, query) => {
if (err) {
return callback(err);
}
this.users.collection('users').findOne(query, {
fields: {
username: true,
password: true,
enabled2fa: true,
asp: true
}
}, (err, userData) => {
if (err) {
return callback(err);
}
if (!userData) {
return callback(null, false);
}
// try master password
if (bcrypt.compareSync(password, userData.password || '')) {
meta.scope = 'master';
this.redis
.multi()
.zadd('wl:' + userData._id.toString(), Date.now(), JSON.stringify(meta))
.zremrangebyscore('wl:' + userData._id.toString(), '-INF', Date.now() - 10 * 24 * 3600 * 1000)
.expire('wl:' + userData._id.toString(), 10 * 24 * 3600)
.exec(() => false);
return callback(null, {
user: userData._id,
username: userData.username,
scope: 'master',
enabled2fa: userData.enabled2fa
});
}
// try application specific passwords
password = password.replace(/\s+/g, '').toLowerCase();
if (!userData.asp || !userData.asp.length || !/^[a-z]{16}$/.test(password)) {
// does not look like an application specific password
return callback(null, false);
}
for (let i = 0; i < userData.asp.length; i++) {
let asp = userData.asp[i];
if (bcrypt.compareSync(password, asp.password || '')) {
meta.scope = asp.id.toString();
this.redis
.multi()
.zadd('wl:' + userData._id.toString(), Date.now(), JSON.stringify(meta))
.zremrangebyscore('wl:' + userData._id.toString(), '-INF', Date.now() - 10 * 24 * 3600 * 1000)
.expire('wl:' + userData._id.toString(), 10 * 24 * 3600)
.exec(() => false);
return callback(null, {
user: userData._id,
username: userData.username,
scope: 'application',
enabled2fa: false // application scope never requires 2FA
});
}
}
return callback(null, false);
});
});
}
generateASP(data, callback) {
let password = generatePassword.generate({
length: 16,
uppercase: false,
numbers: false,
symbols: false
});
let passwordEntry = {
id: new ObjectID(),
description: data.description,
created: new Date(),
password: bcrypt.hashSync(password, 11)
};
// register this address as the default address for that user
return this.users.collection('users').findOneAndUpdate({
username: data.username
}, {
$push: {
asp: passwordEntry
}
}, {}, (err, result) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!result || !result.value) {
return callback(new Error('User not found'));
}
passwordEntry.password = password;
return callback(null, passwordEntry);
});
}
create(data, callback) {
this.users.collection('users').findOne({
username: data.username
}, {
fields: {
username: true
}
}, (err, userData) => {
if (err) {
log.error('DB', 'CREATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to create user'));
}
if (userData) {
let err = new Error('This username already exists');
err.fields = {
username: err.message
};
return callback(err);
}
let retention = Number(data.retention) || 0;
let junkRetention = JUNK_RETENTION;
if (retention < 0) {
retention = 0;
}
// Insert
let hash = data.password ? bcrypt.hashSync(data.password, 11) : '';
this.users.collection('users').insertOne({
username: data.username,
name: data.name,
// security
password: '', // set this later. having no password prevents login
asp: [], // list of application specific passwords
enabled2fa: false,
seed: '', // 2fa seed value
// default email address
address: '', // set this later
// quota
storageUsed: 0,
quota: data.maxStorage || MAX_STORAGE,
recipients: data.maxRecipients || MAX_RECIPIENTS,
forwards: data.maxForwards || MAX_FORWARDS,
filters: [],
// default retention for user mailboxes
retention,
created: new Date(),
// until setup value is not true, this account is not usable
setup: false
}, (err, result) => {
if (err) {
log.error('DB', 'CREATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to create user'));
}
let user = result.insertedId;
let mailboxes = this.getMailboxes(data.language).map(mailbox => {
mailbox.user = user;
if (['\\Trash', '\\Junk'].includes(mailbox.specialUse)) {
mailbox.retention = retention ? Math.min(retention, junkRetention) : junkRetention;
} else {
mailbox.retention = retention;
}
return mailbox;
});
this.database.collection('mailboxes').insertMany(mailboxes, {
w: 1,
ordered: false
}, err => {
if (err) {
log.error('DB', 'CREATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to create user'));
}
let address = data.address ? data.address : data.username + '@' + (config.emailDomain || os.hostname()).toLowerCase();
// insert alias address to email address registry
this.users.collection('addresses').insertOne({
user,
address,
created: new Date()
}, err => {
if (err) {
log.error('DB', 'CREATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to create user'));
}
// register this address as the default address for that user
return this.users.collection('users').findOneAndUpdate({
_id: user
}, {
$set: {
password: hash,
address,
setup: true
}
}, {}, err => {
if (err) {
log.error('DB', 'CREATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to create user'));
}
return callback(null, user);
});
});
});
});
});
}
reset(username, callback) {
let password = generatePassword.generate({
length: 12,
uppercase: true,
numbers: true,
symbols: false
});
return this.users.collection('users').findOneAndUpdate({
username
}, {
$set: {
enabled2fa: false,
seed: '',
requirePasswordChange: true,
password: bcrypt.hashSync(password, 11)
}
}, {}, (err, result) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to reset user credentials'));
}
if (!result || !result.value) {
return callback(new Error('Could not update user'));
}
return callback(null, password);
});
}
setup2fa(username, issuer, callback) {
return this.users.collection('users').findOne({
username
}, {
fields: {
enabled2fa: true,
seed: true
}
}, (err, entry) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to check user'));
}
if (!entry) {
return callback(new Error('Could not find user data'));
}
if (entry.enabled2fa) {
return callback(new Error('2FA is already enabled for this user'));
}
if (entry.seed) {
let otpauth_url = speakeasy.otpauthURL({
secret: base32.decode(entry.seed),
label: username,
issuer
});
return QRCode.toDataURL(otpauth_url, (err, data_url) => {
if (err) {
log.error('DB', 'QRFAIL username=%s error=%s', username, err.message);
return callback(new Error('Failed to generate QR code'));
}
return callback(null, data_url);
});
}
let secret = speakeasy.generateSecret({
length: 20,
name: username
});
return this.users.collection('users').findOneAndUpdate({
username,
enabled2fa: false
}, {
$set: {
seed: secret.base32
}
}, {}, (err, result) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!result || !result.value) {
return callback(new Error('Could not update user, check if 2FA is not already enabled'));
}
let otpauth_url = speakeasy.otpauthURL({
secret: secret.ascii,
label: username,
issuer
});
QRCode.toDataURL(otpauth_url, (err, data_url) => {
if (err) {
log.error('DB', 'QRFAIL username=%s error=%s', username, err.message);
return callback(new Error('Failed to generate QR code'));
}
return callback(null, data_url);
});
});
});
}
enable2fa(username, userToken, callback) {
this.check2fa(username, userToken, (err, verified) => {
if (err) {
return callback(err);
}
if (!verified) {
return callback(null, false);
}
// token was valid, update user settings
return this.users.collection('users').findOneAndUpdate({
username
}, {
$set: {
enabled2fa: true
}
}, {}, (err, result) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!result || !result.value) {
return callback(new Error('Could not update user, check if 2FA is not already enabled'));
}
return callback(null, true);
});
});
}
disable2fa(username, callback) {
return this.users.collection('users').findOneAndUpdate({
username
}, {
$set: {
enabled2fa: false,
seed: ''
}
}, {}, (err, result) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!result || !result.value) {
return callback(new Error('Could not update user, check if 2FA is not already disabled'));
}
return callback(null, true);
});
}
check2fa(username, userToken, callback) {
this.users.collection('users').findOne({
username
}, {
fields: {
username: true,
seed: true
}
}, (err, userData) => {
if (err) {
log.error('DB', 'LOADFAIL username=%s error=%s', username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!userData) {
let err = new Error('This username does not exist');
err.fields = {
username: err.message
};
return callback(err);
}
if (!userData.seed) {
// 2fa not set up
return callback(null, true);
}
let verified = speakeasy.totp.verify({
secret: userData.seed,
encoding: 'base32',
token: userToken,
window: 6
});
return callback(null, verified);
});
}
update(data, callback) {
let query = {
username: data.username
};
if (data.resetPassword) {
query.requirePasswordChange = true;
}
this.users.collection('users').findOne(query, {
fields: {
username: true,
password: true
}
}, (err, userData) => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
if (!userData) {
let err = new Error('This username does not exist');
err.fields = {
username: err.message
};
return callback(err);
}
if (!data.resetPassword && data.oldpassword && !bcrypt.compareSync(data.oldpassword, userData.password || '')) {
let err = new Error('Password does not match');
err.fields = {
oldpassword: err.message
};
return callback(err);
}
let update = {};
if (data.hasOwnProperty('name')) {
update.name = data.name || '';
}
if (data.hasOwnProperty('forward')) {
update.forward = data.forward || '';
}
if (data.hasOwnProperty('targetUrl')) {
update.targetUrl = data.targetUrl || '';
}
if (data.hasOwnProperty('autoreply')) {
update.autoreply = data.autoreply || '';
}
if (data.password) {
update.password = bcrypt.hashSync(data.password, 11);
}
if (data.resetPassword) {
update.requirePasswordChange = false;
}
return this.users.collection('users').findOneAndUpdate({
_id: userData._id
}, {
$set: update
}, {}, err => {
if (err) {
log.error('DB', 'UPDATEFAIL username=%s error=%s', data.username, err.message);
return callback(new Error('Database Error, failed to update user'));
}
return callback(null, userData._id);
});
});
}
getMailboxes(language) {
let translation = mailboxTranslations.hasOwnProperty(language) ? mailboxTranslations[language] : mailboxTranslations.en;
let defaultMailboxes = [
{
path: 'INBOX'
},
{
specialUse: '\\Sent'
},
{
specialUse: '\\Trash'
},
{
specialUse: '\\Drafts'
},
{
specialUse: '\\Junk'
},
{
specialUse: '\\Archive'
}
];
let uidValidity = Math.floor(Date.now() / 1000);
return defaultMailboxes.map(mailbox => ({
path: translation[mailbox.specialUse || mailbox.path] || mailbox.path,
specialUse: mailbox.specialUse,
uidValidity,
uidNext: 1,
modifyIndex: 0,
subscribed: true,
flags: []
}));
}
}
module.exports = UserHandler;