import { Router } from 'express'; import { getRepository } from 'typeorm'; import { canMakePermissionsChange } from '.'; import { User } from '../../entity/User'; import { getSettings } from '../../lib/settings'; import { UserSettings } from '../../entity/UserSettings'; import { UserSettingsGeneralResponse, UserSettingsNotificationsResponse, } from '../../interfaces/api/userSettingsInterfaces'; import { Permission } from '../../lib/permissions'; import logger from '../../logger'; import { isAuthenticated } from '../../middleware/auth'; const isOwnProfileOrAdmin = (): Middleware => { const authMiddleware: Middleware = (req, res, next) => { if ( !req.user?.hasPermission(Permission.MANAGE_USERS) && req.user?.id !== Number(req.params.id) ) { return next({ status: 403, message: "You do not have permission to view this user's settings.", }); } next(); }; return authMiddleware; }; const userSettingsRoutes = Router({ mergeParams: true }); userSettingsRoutes.get<{ id: string }, UserSettingsGeneralResponse>( '/main', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } return res.status(200).json({ username: user.username, region: user.settings?.region, originalLanguage: user.settings?.originalLanguage, }); } catch (e) { next({ status: 500, message: e.message }); } } ); userSettingsRoutes.post< { id: string }, UserSettingsGeneralResponse, UserSettingsGeneralResponse >('/main', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } // "Owner" user settings cannot be modified by other users if (user.id === 1 && req.user?.id !== 1) { return next({ status: 403, message: "You do not have permission to modify this user's settings.", }); } user.username = req.body.username; if (!user.settings) { user.settings = new UserSettings({ user: req.user, region: req.body.region, originalLanguage: req.body.originalLanguage, }); } else { user.settings.region = req.body.region; user.settings.originalLanguage = req.body.originalLanguage; } await userRepository.save(user); return res.status(200).json({ username: user.username }); } catch (e) { next({ status: 500, message: e.message }); } }); userSettingsRoutes.get<{ id: string }, { hasPassword: boolean }>( '/password', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, select: ['id', 'password'], }); if (!user) { return next({ status: 404, message: 'User not found.' }); } return res.status(200).json({ hasPassword: !!user.password }); } catch (e) { next({ status: 500, message: e.message }); } } ); userSettingsRoutes.post< { id: string }, null, { currentPassword?: string; newPassword: string } >('/password', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); const userWithPassword = await userRepository.findOne({ select: ['id', 'password'], where: { id: Number(req.params.id) }, }); if (!user || !userWithPassword) { return next({ status: 404, message: 'User not found.' }); } if (req.body.newPassword.length < 8) { return next({ status: 400, message: 'Password must be at least 8 characters.', }); } if ( (user.id === 1 && req.user?.id !== 1) || (user.hasPermission(Permission.ADMIN) && user.id !== req.user?.id && req.user?.id !== 1) ) { return next({ status: 403, message: "You do not have permission to modify this user's password.", }); } // If the user has the permission to manage users and they are not // editing themselves, we will just set the new password if ( req.user?.hasPermission(Permission.MANAGE_USERS) && req.user?.id !== user.id ) { await user.setPassword(req.body.newPassword); await userRepository.save(user); logger.debug('Password overriden by user.', { label: 'User Settings', userEmail: user.email, changingUser: req.user.email, }); return res.status(204).send(); } // If the user has a password, we need to check the currentPassword is correct if ( user.password && (!req.body.currentPassword || !(await userWithPassword.passwordMatch(req.body.currentPassword))) ) { logger.debug( 'Attempt to change password for user failed. Invalid current password provided.', { label: 'User Settings', userEmail: user.email } ); return next({ status: 403, message: 'Current password is invalid.' }); } await user.setPassword(req.body.newPassword); await userRepository.save(user); return res.status(204).send(); } catch (e) { next({ status: 500, message: e.message }); } }); userSettingsRoutes.get<{ id: string }, UserSettingsNotificationsResponse>( '/notifications', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); const settings = getSettings(); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } return res.status(200).json({ enableNotifications: user.settings?.enableNotifications ?? true, telegramBotUsername: settings?.notifications.agents.telegram.options.botUsername, discordId: user.settings?.discordId, telegramChatId: user.settings?.telegramChatId, telegramSendSilently: user?.settings?.telegramSendSilently, pgpKey: user?.settings?.pgpKey, }); } catch (e) { next({ status: 500, message: e.message }); } } ); userSettingsRoutes.post< { id: string }, UserSettingsNotificationsResponse, UserSettingsNotificationsResponse >('/notifications', isOwnProfileOrAdmin(), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } // "Owner" user settings cannot be modified by other users if (user.id === 1 && req.user?.id !== 1) { return next({ status: 403, message: "You do not have permission to modify this user's settings.", }); } if (!user.settings) { user.settings = new UserSettings({ user: req.user, enableNotifications: req.body.enableNotifications, discordId: req.body.discordId, telegramChatId: req.body.telegramChatId, telegramSendSilently: req.body.telegramSendSilently, pgpKey: req.body.pgpKey, }); } else { user.settings.enableNotifications = req.body.enableNotifications; user.settings.discordId = req.body.discordId; user.settings.telegramChatId = req.body.telegramChatId; user.settings.telegramSendSilently = req.body.telegramSendSilently; user.settings.pgpKey = req.body.pgpKey; } userRepository.save(user); return res.status(200).json({ enableNotifications: user.settings.enableNotifications, discordId: user.settings.discordId, telegramChatId: user.settings.telegramChatId, telegramSendSilently: user.settings.telegramSendSilently, pgpKey: user.settings.pgpKey, }); } catch (e) { next({ status: 500, message: e.message }); } }); userSettingsRoutes.get<{ id: string }, { permissions?: number }>( '/permissions', isAuthenticated(Permission.MANAGE_USERS), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } return res.status(200).json({ permissions: user.permissions }); } catch (e) { next({ status: 500, message: e.message }); } } ); userSettingsRoutes.post< { id: string }, { permissions?: number }, { permissions: number } >( '/permissions', isAuthenticated(Permission.MANAGE_USERS), async (req, res, next) => { const userRepository = getRepository(User); try { const user = await userRepository.findOne({ where: { id: Number(req.params.id) }, }); if (!user) { return next({ status: 404, message: 'User not found.' }); } // "Owner" user permissions cannot be modified, and users cannot set their own permissions if (user.id === 1 || req.user?.id === user.id) { return next({ status: 403, message: 'You do not have permission to modify this user', }); } if (!canMakePermissionsChange(req.body.permissions, req.user)) { return next({ status: 403, message: 'You do not have permission to grant this level of access', }); } user.permissions = req.body.permissions; await userRepository.save(user); return res.status(200).json({ permissions: user.permissions }); } catch (e) { next({ status: 500, message: e.message }); } } ); export default userSettingsRoutes;