import qs from 'querystring' import oauth from 'oauth-libre' import { v1 as uuidV1 } from 'uuid' import crypto from 'crypto' import config from '../../scripts/load-config' import http from '../../scripts/http' import models from './models' import Image from './image' import UAPI from './index' const userFields = ['username', 'email', 'avatar_file', 'display_name', 'ip_address'] let twitterApp let discordApp const API = { Common: { // Generate a hash based on the current session stateGenerator: (req) => { const sessionCrypto = req.session.id + ':' + config.server.session_secret return crypto.createHash('sha256').update(sessionCrypto).digest('hex') }, // Find an user with an external ID getExternal: async (service, identifier) => { let extr = await models.External.query().where('service', service).andWhere('identifier', identifier) if (!extr || !extr.length) return null extr = extr[0] extr.user = null if (extr.user_id !== null) { const user = await UAPI.User.get(extr.user_id) if (user) { extr.user = user } } return extr }, // Get user ban status getBan: async (user, ipAddress) => { const banList = await UAPI.User.getBanStatus(ipAddress || user.id, ipAddress != null) return banList }, // Create a new `external` instance for a user new: async (service, identifier, user) => { const data = { user_id: user.id, service: service, identifier: identifier, created_at: new Date() } await await models.External.query().insert(data) return true }, // Create a new user newUser: async (service, identifier, data) => { if (config.external.registrations !== true) throw new Error('Registrations from third-party websites are not allowed.') const udataLimited = Object.assign({ activated: 1, created_at: new Date(), updated_at: new Date(), uuid: uuidV1() }, data) // Some data cleanups // Limit display name length udataLimited.display_name = udataLimited.display_name.substring(0, 32) // Remove illegal characters from the username udataLimited.username = udataLimited.username.replace(/\W+/gi, '') // Limit user name length udataLimited.username = udataLimited.username.substring(0, 26) // Check if the username is already taken if (await UAPI.User.get(udataLimited.username) != null || udataLimited.username.length < 4) { udataLimited.username = udataLimited.username + UAPI.Hash(4) } // Check if the email given to us is already registered, if so, // tell them to log in first. if (udataLimited.email && udataLimited.email !== '') { const getByEmail = await UAPI.User.get(udataLimited.email) if (getByEmail) { throw new Error('An user with this email address is already registered, but this external account is are not linked. If you wish to link the account, please log in first.') } } // Create a new user based on the information we got from an external service const newUser = await models.User.query().insert(udataLimited) await API.Common.new(service, identifier, newUser) return newUser }, // Remove an `external` object (thus unlinking from a service) remove: async (user, service) => { user = await UAPI.User.ensureObject(user, ['password']) const userExterns = await models.External.query().orderBy('created_at', 'asc').where('user_id', user.id) if (!userExterns.length) { return false } // Do not remove the service the user signed up with if (userExterns[0] && (user.password === '' || user.password === null) && userExterns[0].service === service) { return false } return models.External.query().delete().where('user_id', user.id).andWhere('service', service) }, // Common code for all auth callbacks callback: async (identifier, uid, user, ipAddress, remoteData, avatarFunc) => { const exists = await API.Common.getExternal(identifier, uid) if (user) { // Get bans for user const bans = await API.Common.getBan(user) if (bans.length) return { banned: bans, ip: false } if (exists) return { error: null, user: user } await API.Common.new(identifier, uid, user) return { error: null, user: user } } // Callback succeeded with user id and the external table exists, we log in the user if (exists) { // Get bans for user const bans = await API.Common.getBan(exists.user) if (bans.length) return { banned: bans, ip: false } return { error: null, user: exists.user } } // Get bans for IP address const bans = await API.Common.getBan(null, ipAddress) if (bans.length) return { banned: bans, ip: true } // Run the function for avatar fetching let avatar = null if (avatarFunc) { avatar = await avatarFunc(remoteData) } // Assign the data const newUData = Object.assign({ email: remoteData.email || '', avatar_file: avatar, ip_address: ipAddress }, remoteData) // Remove unnecessary fields for (const i in newUData) { if (userFields.indexOf(i) === -1) { delete newUData[i] } } let newUser try { newUser = await API.Common.newUser(identifier, uid, newUData) } catch (e) { return { error: e.message } } return { error: null, user: newUser } } }, Facebook: { getAvatar: async (rawData) => { let profilepic = null if (rawData.picture) { if (rawData.picture.is_silhouette === false && rawData.picture.url) { const imgdata = await Image.downloadImage(rawData.picture.url) if (imgdata && imgdata.fileName) { profilepic = imgdata.fileName } } } return profilepic }, callback: async (user, authResponse, ipAddress) => { if (!authResponse) { return { error: 'No Authorization' } } const uid = authResponse.userID if (!uid) { return { error: 'No Authorization' } } // Get facebook user information in order to create a new user or verify let fbdata const intel = { access_token: authResponse.accessToken, fields: 'name,email,picture,short_name' } try { fbdata = await http.GET('https://graph.facebook.com/v2.10/' + uid + '?' + qs.stringify(intel)) fbdata = JSON.parse(fbdata) } catch (e) { return { error: 'Could not get user information', errorObject: e } } if (fbdata.error) { return { error: fbdata.error.message } } const cleanedData = Object.assign(fbdata, { username: fbdata.short_name || 'FB' + UAPI.Hash(4), display_name: fbdata.name, email: fbdata.email || '' }) return API.Common.callback('facebook', uid, user, ipAddress, cleanedData, API.Facebook.getAvatar) } }, Twitter: { getAvatar: async function (rawData) { let profilepic = null if (rawData.profile_image_url_https) { const imgdata = await Image.downloadImage(rawData.profile_image_url_https) if (imgdata && imgdata.fileName) { profilepic = imgdata.fileName } } return profilepic }, oauthApp: function () { if (!twitterApp) { const redirectUri = config.server.domain + '/api/external/twitter/callback' twitterApp = new oauth.PromiseOAuth( 'https://api.twitter.com/oauth/request_token', 'https://api.twitter.com/oauth/access_token', config.external.twitter.api, config.external.twitter.api_secret, '1.0A', redirectUri, 'HMAC-SHA1' ) } }, getRequestToken: async function () { if (!twitterApp) API.Twitter.oauthApp() let tokens try { tokens = await twitterApp.getOAuthRequestToken() } catch (e) { console.error(e) return { error: 'No tokens returned' } } if (tokens[2].oauth_callback_confirmed !== 'true') return { error: 'No tokens returned.' } return { error: null, token: tokens[0], token_secret: tokens[1] } }, getAccessTokens: async function (token, secret, verifier) { if (!twitterApp) API.Twitter.oauthApp() let tokens try { tokens = await twitterApp.getOAuthAccessToken(token, secret, verifier) } catch (e) { console.error(e) return { error: 'No tokens returned' } } if (!tokens || !tokens.length) return { error: 'No tokens returned' } return { error: null, access_token: tokens[0], access_token_secret: tokens[1] } }, callback: async function (user, accessTokens, ipAddress) { if (!twitterApp) API.Twitter.oauthApp() let twdata try { const resp = await twitterApp.get('https://api.twitter.com/1.1/account/verify_credentials.json?include_email=true', accessTokens.access_token, accessTokens.access_token_secret) twdata = JSON.parse(resp[0]) } catch (e) { console.error(e) return { error: 'Failed to verify user credentials.' } } const uid = twdata.id_str const cleanedData = Object.assign(twdata, { username: twdata.screen_name, display_name: twdata.name, email: twdata.email || '' }) return API.Common.callback('twitter', uid, user, ipAddress, cleanedData, API.Twitter.getAvatar) } }, Google: { getAvatar: async (rawData) => { let profilepic = null if (rawData.image) { const imgdata = await Image.downloadImage(rawData.image) if (imgdata && imgdata.fileName) { profilepic = imgdata.fileName } } return profilepic }, callback: async (user, data, ipAddress) => { let uid try { const test = await http.GET('https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=' + data.id_token) if (!test) throw new Error('No response!') const jsondata = JSON.parse(test) if (!jsondata || !jsondata.email || !jsondata.name) throw new Error('Please allow Basic Profile and Email.') if (jsondata.email !== data.email || jsondata.name !== data.name) throw new Error('Conflicting data. Please try again!') if (new Date(parseInt(jsondata.exp) * 1000) < Date.now()) throw new Error('Expired token! Please try again!') uid = jsondata.sub } catch (e) { return { error: e.message } } const cleanedData = Object.assign(data, { username: data.name, display_name: data.name, email: data.email || '' }) return API.Common.callback('google', uid, user, ipAddress, cleanedData, API.Google.getAvatar) } }, Discord: { getAvatar: async (rawData) => { let profilepic = null const aviSnowflake = rawData.avatar if (aviSnowflake) { try { const avpt = await Image.downloadImage('https://cdn.discordapp.com/avatars/' + rawData.id + '/' + aviSnowflake + '.png') if (avpt && avpt.fileName) { profilepic = avpt.fileName } } catch (e) { profilepic = null } } return profilepic }, oauth2App: function () { if (discordApp) return discordApp = new oauth.PromiseOAuth2( config.external.discord.api, config.external.discord.api_secret, 'https://discordapp.com/api/', 'oauth2/authorize', 'oauth2/token' ) discordApp.useAuthorizationHeaderforGET(true) }, getAuthorizeURL: function (req) { if (!discordApp) API.Discord.oauth2App() const state = API.Common.stateGenerator(req) const redirectUri = config.server.domain + '/api/external/discord/callback' const params = { client_id: config.external.discord.api, redirect_uri: redirectUri, scope: 'identify email', response_type: 'code', state: state } const url = discordApp.getAuthorizeUrl(params) return { error: null, state: state, url: url } }, getAccessToken: async function (code) { if (!discordApp) API.Discord.oauth2App() const redirectUri = config.server.domain + '/api/external/discord/callback' let tokens try { tokens = await discordApp.getOAuthAccessToken(code, { grant_type: 'authorization_code', redirect_uri: redirectUri }) } catch (e) { console.error(e) return { error: 'No Authorization' } } if (!tokens.length) return { error: 'No Tokens' } tokens = tokens[2] return { error: null, accessToken: tokens.access_token } }, callback: async function (user, accessToken, ipAddress) { if (!discordApp) API.Discord.oauth2App() let ddata try { const resp = await discordApp.get('https://discordapp.com/api/users/@me', accessToken) ddata = JSON.parse(resp) } catch (e) { console.error(e) return { error: 'Could not get user information' } } const uid = ddata.id // Create a new user const cleanedData = Object.assign(ddata, { display_name: ddata.username, email: ddata.email || '' }) return API.Common.callback('discord', uid, user, ipAddress, cleanedData, API.Discord.getAvatar) } } } module.exports = API