// These methods handle the User-related routes. import Parse from 'parse/node'; import Config from '../Config'; import AccountLockout from '../AccountLockout'; import ClassesRouter from './ClassesRouter'; import rest from '../rest'; import Auth from '../Auth'; import passwordCrypto from '../password'; export class UsersRouter extends ClassesRouter { className() { return '_User'; } /** * Removes all "_" prefixed properties from an object, except "__type" * @param {Object} obj An object. */ static removeHiddenProperties (obj) { for (var key in obj) { if (obj.hasOwnProperty(key)) { // Regexp comes from Parse.Object.prototype.validate if (key !== "__type" && !(/^[A-Za-z][0-9A-Za-z_]*$/).test(key)) { delete obj[key]; } } } } handleMe(req) { if (!req.info || !req.info.sessionToken) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token'); } const sessionToken = req.info.sessionToken; return rest.find(req.config, Auth.master(req.config), '_Session', { sessionToken }, { include: 'user' }, req.info.clientSDK) .then((response) => { if (!response.results || response.results.length == 0 || !response.results[0].user) { throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'invalid session token'); } else { const user = response.results[0].user; // Send token back on the login, because SDKs expect that. user.sessionToken = sessionToken; // Remove hidden properties. UsersRouter.removeHiddenProperties(user); return { response: user }; } }); } handleLogIn(req) { // Use query parameters instead if provided in url let payload = req.body; if (!payload.username && req.query.username || !payload.email && req.query.email) { payload = req.query; } const { username, email, password, } = payload; // TODO: use the right error codes / descriptions. if (!username && !email) { throw new Parse.Error(Parse.Error.USERNAME_MISSING, 'username/email is required.'); } if (!password) { throw new Parse.Error(Parse.Error.PASSWORD_MISSING, 'password is required.'); } if (typeof password !== 'string' || email && typeof email !== 'string' || username && typeof username !== 'string') { throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.'); } let user; let isValidPassword = false; let query; if (email && username) { query = { email, username }; } else if (email) { query = { email }; } else { query = { $or: [{ username } , { email: username }] }; } return req.config.database.find('_User', query) .then((results) => { if (!results.length) { throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.'); } if (results.length > 1) { // corner case where user1 has username == user2 email req.config.loggerController.warn('There is a user which email is the same as another user\'s username, logging in based on username'); user = results.filter((user) => user.username === username)[0]; } else { user = results[0]; } if (req.config.verifyUserEmails && req.config.preventLoginWithUnverifiedEmail && !user.emailVerified) { throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, 'User email is not verified.'); } return passwordCrypto.compare(password, user.password); }) .then((correct) => { isValidPassword = correct; const accountLockoutPolicy = new AccountLockout(user, req.config); return accountLockoutPolicy.handleLoginAttempt(isValidPassword); }) .then(() => { if (!isValidPassword) { throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Invalid username/password.'); } // handle password expiry policy if (req.config.passwordPolicy && req.config.passwordPolicy.maxPasswordAge) { let changedAt = user._password_changed_at; if (!changedAt) { // password was created before expiry policy was enabled. // simply update _User object so that it will start enforcing from now changedAt = new Date(); req.config.database.update('_User', {username: user.username}, {_password_changed_at: Parse._encode(changedAt)}); } else { // check whether the password has expired if (changedAt.__type == 'Date') { changedAt = new Date(changedAt.iso); } // Calculate the expiry time. const expiresAt = new Date(changedAt.getTime() + 86400000 * req.config.passwordPolicy.maxPasswordAge); if (expiresAt < new Date()) // fail of current time is past password expiry time throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'Your password has expired. Please reset your password.'); } } delete user.password; // Remove hidden properties. UsersRouter.removeHiddenProperties(user); // Sometimes the authData still has null on that keys // https://github.com/parse-community/parse-server/issues/935 if (user.authData) { Object.keys(user.authData).forEach((provider) => { if (user.authData[provider] === null) { delete user.authData[provider]; } }); if (Object.keys(user.authData).length == 0) { delete user.authData; } } const { sessionData, createSession } = Auth.createSession(req.config, { userId: user.objectId, createdWith: { 'action': 'login', 'authProvider': 'password' }, installationId: req.info.installationId }); user.sessionToken = sessionData.sessionToken; req.config.filesController.expandFilesInObject(req.config, user); return createSession(); }).then(() => { return { response: user }; }); } handleLogOut(req) { const success = {response: {}}; if (req.info && req.info.sessionToken) { return rest.find(req.config, Auth.master(req.config), '_Session', { sessionToken: req.info.sessionToken }, undefined, req.info.clientSDK ).then((records) => { if (records.results && records.results.length) { return rest.del(req.config, Auth.master(req.config), '_Session', records.results[0].objectId ).then(() => { return Promise.resolve(success); }); } return Promise.resolve(success); }); } return Promise.resolve(success); } _throwOnBadEmailConfig(req) { try { Config.validateEmailConfiguration({ emailAdapter: req.config.userController.adapter, appName: req.config.appName, publicServerURL: req.config.publicServerURL, emailVerifyTokenValidityDuration: req.config.emailVerifyTokenValidityDuration }); } catch (e) { if (typeof e === 'string') { // Maybe we need a Bad Configuration error, but the SDKs won't understand it. For now, Internal Server Error. throw new Parse.Error(Parse.Error.INTERNAL_SERVER_ERROR, 'An appName, publicServerURL, and emailAdapter are required for password reset and email verification functionality.'); } else { throw e; } } } handleResetRequest(req) { this._throwOnBadEmailConfig(req); const { email } = req.body; if (!email) { throw new Parse.Error(Parse.Error.EMAIL_MISSING, "you must provide an email"); } if (typeof email !== 'string') { throw new Parse.Error(Parse.Error.INVALID_EMAIL_ADDRESS, 'you must provide a valid email string'); } const userController = req.config.userController; return userController.sendPasswordResetEmail(email).then(() => { return Promise.resolve({ response: {} }); }, err => { if (err.code === Parse.Error.OBJECT_NOT_FOUND) { throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, `No user found with email ${email}.`); } else { throw err; } }); } handleVerificationEmailRequest(req) { this._throwOnBadEmailConfig(req); const { email } = req.body; if (!email) { throw new Parse.Error(Parse.Error.EMAIL_MISSING, 'you must provide an email'); } if (typeof email !== 'string') { throw new Parse.Error(Parse.Error.INVALID_EMAIL_ADDRESS, 'you must provide a valid email string'); } return req.config.database.find('_User', { email: email }).then((results) => { if (!results.length || results.length < 1) { throw new Parse.Error(Parse.Error.EMAIL_NOT_FOUND, `No user found with email ${email}`); } const user = results[0]; // remove password field, messes with saving on postgres delete user.password; if (user.emailVerified) { throw new Parse.Error(Parse.Error.OTHER_CAUSE, `Email ${email} is already verified.`); } const userController = req.config.userController; return userController.regenerateEmailVerifyToken(user).then(() => { userController.sendVerificationEmail(user); return { response: {} }; }); }); } mountRoutes() { this.route('GET', '/users', req => { return this.handleFind(req); }); this.route('POST', '/users', req => { return this.handleCreate(req); }); this.route('GET', '/users/me', req => { return this.handleMe(req); }); this.route('GET', '/users/:objectId', req => { return this.handleGet(req); }); this.route('PUT', '/users/:objectId', req => { return this.handleUpdate(req); }); this.route('DELETE', '/users/:objectId', req => { return this.handleDelete(req); }); this.route('GET', '/login', req => { return this.handleLogIn(req); }); this.route('POST', '/login', req => { return this.handleLogIn(req); }); this.route('POST', '/logout', req => { return this.handleLogOut(req); }); this.route('POST', '/requestPasswordReset', req => { return this.handleResetRequest(req); }); this.route('POST', '/verificationEmailRequest', req => { return this.handleVerificationEmailRequest(req); }); } } export default UsersRouter;