github/directus
1
0
Fork 0
mirror of https://github.com/directus/directus.git synced 2026-01-29 21:28:02 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
cc076494ff9ddefec97741fda281ef55922451fe
directus/api/src/services/users.ts
Rijk van Zanten dbf35a1736 Add ability to share items with people outside the platform (#10663) 
* Add directus_shares

* Don't check for usage limit on refresh

* Add all endpoints to the shares controller

* Move route `/auth/shared` to `/shared/auth`

* Add password protection

* Add `share` action in permissions

* Add `shares/:pk/info`

* Start on shared-view

* Add basic styling for full shared view

* Fixed migrations

* Add inline style for shared view

* Allow title override

* Finish /info endpoint for shares

* Add basic UUID validation to share/info endpont

* Add UUID validation to other routes

* Add not found state

* Cleanup /extract/finish share login endpoint

* Cleanup auth

* Added `share_start` and `share_end`

* Add share sidebar details.

* Allow share permissions configuration

* Hide the `new_share` button for unauthorized users

* Fix uses_left displayed value

* Show expired / upcoming shares

* Improved expired/upcoming styling

* Fixed share login query

* Fix check-ip and get-permissions middlewares behaviour when role is null

* Simplify cache key

* Fix typescript linting issues

* Handle app auth flow for shared page

* Fixed /users/me response

* Show when user is authenticated

* Try showing item drawer in shared page

* Improved shared card styling

* Add shares permissions and change share card styling

* Pull in schema/permissions on share

* Create getPermissionForShare file

* Change getPermissionsForShare signature

* Render form + item on share after auth

* Finalize public front end

* Handle fake o2m field in applyQuery

* [WIP]

* New translations en-US.yaml (Bulgarian) (#10585)

* smaller label height (#10587)

* Update to the latest Material Icons (#10573)

The icons are based on https://fonts.google.com/icons

* New translations en-US.yaml (Arabic) (#10593)

* New translations en-US.yaml (Arabic) (#10594)

* New translations en-US.yaml (Portuguese, Brazilian) (#10604)

* New translations en-US.yaml (French) (#10605)

* New translations en-US.yaml (Italian) (#10613)

* fix M2A list not updating (#10617)

* Fix filters

* Add admin filter on m2o role selection

* Add admin filter on m2o role selection

* Add o2m permissions traversing

* Finish relational tree permissions generation

* Handle implicit a2o relation

* Update implicit relation regex

* Fix regex

* Fix implicitRelation unnesting for new regex

* Fix implicitRelation length check

* Rename m2a to a2o internally

* Add auto-gen permissions for a2o

* [WIP] Improve share UX

* Add ctx menu options

* Add share dialog

* Add email notifications

* Tweak endpoint

* Tweak file interface disabled state

* Add nicer invalid state to password input

* Dont return info for expired/upcoming shares

* Tweak disabled state for relational interfaces

* Fix share button for non admin roles

* Show/hide edit/delete based on permissions to shares

* Fix imports of mutationtype

* Resolve (my own) suggestions

* Fix migration for ms sql

* Resolve last suggestion

Co-authored-by: Oreilles <oreilles.github@nitoref.io>
Co-authored-by: Oreilles <33065839+oreilles@users.noreply.github.com>
Co-authored-by: Ben Haynes <ben@rngr.org>
Co-authored-by: Thien Nguyen <72242664+tatthien@users.noreply.github.com>
Co-authored-by: Azri Kahar <42867097+azrikahar@users.noreply.github.com>
2021-12-23 18:51:59 -05:00

372 lines
11 KiB
TypeScript
Raw Blame History

import jwt from 'jsonwebtoken';
import { Knex } from 'knex';
import { cloneDeep } from 'lodash';
import getDatabase from '../database';
import env from '../env';
import { FailedValidationException } from '@directus/shared/exceptions';
import { ForbiddenException, InvalidPayloadException, UnprocessableEntityException } from '../exceptions';
import { RecordNotUniqueException } from '../exceptions/database/record-not-unique';
import { AbstractServiceOptions, Item, PrimaryKey, SchemaOverview, MutationOptions } from '../types';
import { Query } from '@directus/shared/types';
import { Accountability } from '@directus/shared/types';
import isUrlAllowed from '../utils/is-url-allowed';
import { toArray } from '@directus/shared/utils';
import { Url } from '../utils/url';
import { ItemsService } from './items';
import { MailService } from './mail';
import { SettingsService } from './settings';
import { stall } from '../utils/stall';
import { performance } from 'perf_hooks';
import { getSimpleHash } from '@directus/shared/utils';
export class UsersService extends ItemsService {
knex: Knex;
accountability: Accountability | null;
schema: SchemaOverview;
constructor(options: AbstractServiceOptions) {
super('directus_users', options);
this.knex = options.knex || getDatabase();
this.accountability = options.accountability || null;
this.schema = options.schema;
}
/**
* User email has to be unique case-insensitive. This is an additional check to make sure that
* the email is unique regardless of casing
*/
private async checkUniqueEmails(emails: string[], excludeKey?: PrimaryKey): Promise<void> {
emails = emails.map((email) => email.toLowerCase());
const duplicates = emails.filter((value, index, array) => array.indexOf(value) !== index);
if (duplicates.length) {
throw new RecordNotUniqueException('email', {
collection: 'directus_users',
field: 'email',
invalid: duplicates[0],
});
}
const query = this.knex
.select('email')
.from('directus_users')
.whereRaw(`LOWER(??) IN (${emails.map(() => '?')})`, ['email', ...emails]);
if (excludeKey) {
query.whereNot('id', excludeKey);
}
const results = await query;
if (results.length) {
throw new RecordNotUniqueException('email', {
collection: 'directus_users',
field: 'email',
invalid: results[0].email,
});
}
}
/**
* Check if the provided password matches the strictness as configured in
* directus_settings.auth_password_policy
*/
private async checkPasswordPolicy(passwords: string[]): Promise<void> {
const settingsService = new SettingsService({
schema: this.schema,
knex: this.knex,
});
const { auth_password_policy: policyRegExString } = await settingsService.readSingleton({
fields: ['auth_password_policy'],
});
if (!policyRegExString) {
return;
}
const wrapped = policyRegExString.startsWith('/') && policyRegExString.endsWith('/');
const regex = new RegExp(wrapped ? policyRegExString.slice(1, -1) : policyRegExString);
for (const password of passwords) {
if (!regex.test(password)) {
throw new FailedValidationException({
message: `Provided password doesn't match password policy`,
path: ['password'],
type: 'custom.pattern.base',
context: {
value: password,
},
});
}
}
}
private async checkRemainingAdminExistence(excludeKeys: PrimaryKey[]) {
// Make sure there's at least one admin user left after this deletion is done
const otherAdminUsers = await this.knex
.count('*', { as: 'count' })
.from('directus_users')
.whereNotIn('directus_users.id', excludeKeys)
.andWhere({ 'directus_roles.admin_access': true })
.leftJoin('directus_roles', 'directus_users.role', 'directus_roles.id')
.first();
const otherAdminUsersCount = +(otherAdminUsers?.count || 0);
if (otherAdminUsersCount === 0) {
throw new UnprocessableEntityException(`You can't remove the last admin user from the role.`);
}
}
/**
* Create a new user
*/
async createOne(data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey> {
const result = await this.createMany([data], opts);
return result[0];
}
/**
* Create multiple new users
*/
async createMany(data: Partial<Item>[], opts?: MutationOptions): Promise<PrimaryKey[]> {
const emails = data.map((payload) => payload.email).filter((email) => email);
const passwords = data.map((payload) => payload.password).filter((password) => password);
if (emails.length) {
await this.checkUniqueEmails(emails);
}
if (passwords.length) {
await this.checkPasswordPolicy(passwords);
}
return await super.createMany(data, opts);
}
/**
* Update many users by query
*/
async updateByQuery(query: Query, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]> {
const keys = await this.getKeysByQuery(query);
return keys.length ? await this.updateMany(keys, data, opts) : [];
}
/**
* Update a single user by primary key
*/
async updateOne(key: PrimaryKey, data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey> {
await this.updateMany([key], data, opts);
return key;
}
/**
* Update many users by primary key
*/
async updateMany(keys: PrimaryKey[], data: Partial<Item>, opts?: MutationOptions): Promise<PrimaryKey[]> {
if (data.role) {
const newRole = await this.knex.select('admin_access').from('directus_roles').where('id', data.role).first();
if (!newRole?.admin_access) {
await this.checkRemainingAdminExistence(keys);
}
}
if (data.email) {
if (keys.length > 1) {
throw new RecordNotUniqueException('email', {
collection: 'directus_users',
field: 'email',
invalid: data.email,
});
}
await this.checkUniqueEmails([data.email], keys[0]);
}
if (data.password) {
await this.checkPasswordPolicy([data.password]);
}
if (data.tfa_secret !== undefined) {
throw new InvalidPayloadException(`You can't change the "tfa_secret" value manually.`);
}
if (data.provider !== undefined) {
throw new InvalidPayloadException(`You can't change the "provider" value manually.`);
}
if (data.external_identifier !== undefined) {
throw new InvalidPayloadException(`You can't change the "external_identifier" value manually.`);
}
return await super.updateMany(keys, data, opts);
}
/**
* Delete a single user by primary key
*/
async deleteOne(key: PrimaryKey, opts?: MutationOptions): Promise<PrimaryKey> {
await this.deleteMany([key], opts);
return key;
}
/**
* Delete multiple users by primary key
*/
async deleteMany(keys: PrimaryKey[], opts?: MutationOptions): Promise<PrimaryKey[]> {
await this.checkRemainingAdminExistence(keys);
await this.knex('directus_notifications').update({ sender: null }).whereIn('sender', keys);
await super.deleteMany(keys, opts);
return keys;
}
async deleteByQuery(query: Query, opts?: MutationOptions): Promise<PrimaryKey[]> {
const primaryKeyField = this.schema.collections[this.collection].primary;
const readQuery = cloneDeep(query);
readQuery.fields = [primaryKeyField];
// Not authenticated:
const itemsService = new ItemsService(this.collection, {
knex: this.knex,
schema: this.schema,
});
const itemsToDelete = await itemsService.readByQuery(readQuery);
const keys: PrimaryKey[] = itemsToDelete.map((item: Item) => item[primaryKeyField]);
if (keys.length === 0) return [];
return await this.deleteMany(keys, opts);
}
async inviteUser(email: string | string[], role: string, url: string | null, subject?: string | null): Promise<void> {
if (url && isUrlAllowed(url, env.USER_INVITE_URL_ALLOW_LIST) === false) {
throw new InvalidPayloadException(`Url "${url}" can't be used to invite users.`);
}
const emails = toArray(email);
const mailService = new MailService({
schema: this.schema,
accountability: this.accountability,
});
for (const email of emails) {
const payload = { email, scope: 'invite' };
const token = jwt.sign(payload, env.SECRET as string, { expiresIn: '7d', issuer: 'directus' });
const subjectLine = subject ?? "You've been invited";
const inviteURL = url ? new Url(url) : new Url(env.PUBLIC_URL).addPath('admin', 'accept-invite');
inviteURL.setQuery('token', token);
// Create user first to verify uniqueness
await this.createOne({ email, role, status: 'invited' });
await mailService.send({
to: email,
subject: subjectLine,
template: {
name: 'user-invitation',
data: {
url: inviteURL.toString(),
email,
},
},
});
}
}
async acceptInvite(token: string, password: string): Promise<void> {
const { email, scope } = jwt.verify(token, env.SECRET as string, { issuer: 'directus' }) as {
email: string;
scope: string;
};
if (scope !== 'invite') throw new ForbiddenException();
const user = await this.knex.select('id', 'status').from('directus_users').where({ email }).first();
if (user?.status !== 'invited') {
throw new InvalidPayloadException(`Email address ${email} hasn't been invited.`);
}
// Allow unauthenticated update
const service = new UsersService({
knex: this.knex,
schema: this.schema,
});
await service.updateOne(user.id, { password, status: 'active' });
}
async requestPasswordReset(email: string, url: string | null, subject?: string | null): Promise<void> {
if (url && isUrlAllowed(url, env.PASSWORD_RESET_URL_ALLOW_LIST) === false) {
throw new InvalidPayloadException(`Url "${url}" can't be used to reset passwords.`);
}
const STALL_TIME = 500;
const timeStart = performance.now();
const user = await this.knex.select('status', 'password').from('directus_users').where({ email }).first();
if (user?.status !== 'active') {
await stall(STALL_TIME, timeStart);
throw new ForbiddenException();
}
const mailService = new MailService({
schema: this.schema,
knex: this.knex,
accountability: this.accountability,
});
const payload = { email, scope: 'password-reset', hash: getSimpleHash('' + user.password) };
const token = jwt.sign(payload, env.SECRET as string, { expiresIn: '1d', issuer: 'directus' });
const acceptURL = url ? `${url}?token=${token}` : `${env.PUBLIC_URL}/admin/reset-password?token=${token}`;
const subjectLine = subject ? subject : 'Password Reset Request';
await mailService.send({
to: email,
subject: subjectLine,
template: {
name: 'password-reset',
data: {
url: acceptURL,
email,
},
},
});
await stall(STALL_TIME, timeStart);
}
async resetPassword(token: string, password: string): Promise<void> {
const { email, scope, hash } = jwt.verify(token, env.SECRET as string, { issuer: 'directus' }) as {
email: string;
scope: string;
hash: string;
};
if (scope !== 'password-reset' || !hash) throw new ForbiddenException();
await this.checkPasswordPolicy([password]);
const user = await this.knex.select('id', 'status', 'password').from('directus_users').where({ email }).first();
if (user?.status !== 'active' || hash !== getSimpleHash('' + user.password)) {
throw new ForbiddenException();
}
// Allow unauthenticated update
const service = new UsersService({
knex: this.knex,
schema: this.schema,
});
await service.updateOne(user.id, { password, status: 'active' });
}
}
Reference in New Issue View Git Blame Copy Permalink