2016-12-28 15:49:51 -07:00
|
|
|
import * as express from 'express';
|
2017-01-17 22:19:50 -07:00
|
|
|
import * as bcrypt from 'bcryptjs';
|
2017-12-08 06:57:58 -07:00
|
|
|
import * as speakeasy from 'speakeasy';
|
2018-03-27 01:51:12 -06:00
|
|
|
import { default as User, ILocalAccount, IUser } from '../models/user';
|
2018-02-01 18:31:17 -07:00
|
|
|
import Signin, { pack } from '../models/signin';
|
2016-12-28 15:49:51 -07:00
|
|
|
import event from '../event';
|
2017-11-22 21:25:33 -07:00
|
|
|
import signin from '../common/signin';
|
2018-03-28 10:20:40 -06:00
|
|
|
import config from '../../../conf';
|
2016-12-28 15:49:51 -07:00
|
|
|
|
|
|
|
export default async (req: express.Request, res: express.Response) => {
|
2017-12-11 00:43:35 -07:00
|
|
|
res.header('Access-Control-Allow-Origin', config.url);
|
2016-12-28 15:49:51 -07:00
|
|
|
res.header('Access-Control-Allow-Credentials', 'true');
|
|
|
|
|
|
|
|
const username = req.body['username'];
|
|
|
|
const password = req.body['password'];
|
2017-12-08 06:57:58 -07:00
|
|
|
const token = req.body['token'];
|
2016-12-28 15:49:51 -07:00
|
|
|
|
2017-02-22 03:39:34 -07:00
|
|
|
if (typeof username != 'string') {
|
|
|
|
res.sendStatus(400);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (typeof password != 'string') {
|
|
|
|
res.sendStatus(400);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2017-12-08 06:57:58 -07:00
|
|
|
if (token != null && typeof token != 'string') {
|
|
|
|
res.sendStatus(400);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-12-28 15:49:51 -07:00
|
|
|
// Fetch user
|
2017-09-16 02:31:37 -06:00
|
|
|
const user: IUser = await User.findOne({
|
2018-03-28 23:48:47 -06:00
|
|
|
usernameLower: username.toLowerCase(),
|
2018-03-27 01:51:12 -06:00
|
|
|
host: null
|
2017-02-21 21:08:33 -07:00
|
|
|
}, {
|
|
|
|
fields: {
|
|
|
|
data: false,
|
2018-03-25 09:19:07 -06:00
|
|
|
'account.profile': false
|
2017-02-21 21:08:33 -07:00
|
|
|
}
|
2016-12-28 15:49:51 -07:00
|
|
|
});
|
|
|
|
|
|
|
|
if (user === null) {
|
2017-03-09 14:42:57 -07:00
|
|
|
res.status(404).send({
|
|
|
|
error: 'user not found'
|
|
|
|
});
|
2016-12-28 15:49:51 -07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2018-03-27 01:51:12 -06:00
|
|
|
const account = user.account as ILocalAccount;
|
|
|
|
|
2016-12-28 15:49:51 -07:00
|
|
|
// Compare password
|
2018-03-27 01:51:12 -06:00
|
|
|
const same = await bcrypt.compare(password, account.password);
|
2016-12-28 15:49:51 -07:00
|
|
|
|
|
|
|
if (same) {
|
2018-03-28 23:48:47 -06:00
|
|
|
if (account.twoFactorEnabled) {
|
2017-12-08 06:57:58 -07:00
|
|
|
const verified = (speakeasy as any).totp.verify({
|
2018-03-28 23:48:47 -06:00
|
|
|
secret: account.twoFactorSecret,
|
2017-12-08 06:57:58 -07:00
|
|
|
encoding: 'base32',
|
|
|
|
token: token
|
|
|
|
});
|
|
|
|
|
|
|
|
if (verified) {
|
|
|
|
signin(res, user, false);
|
|
|
|
} else {
|
|
|
|
res.status(400).send({
|
|
|
|
error: 'invalid token'
|
|
|
|
});
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
signin(res, user, false);
|
|
|
|
}
|
2016-12-28 15:49:51 -07:00
|
|
|
} else {
|
2017-03-09 14:42:57 -07:00
|
|
|
res.status(400).send({
|
|
|
|
error: 'incorrect password'
|
|
|
|
});
|
2016-12-28 15:49:51 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// Append signin history
|
2017-01-16 18:49:27 -07:00
|
|
|
const record = await Signin.insert({
|
2018-03-28 23:48:47 -06:00
|
|
|
createdAt: new Date(),
|
|
|
|
userId: user._id,
|
2016-12-28 15:49:51 -07:00
|
|
|
ip: req.ip,
|
|
|
|
headers: req.headers,
|
|
|
|
success: same
|
|
|
|
});
|
|
|
|
|
|
|
|
// Publish signin event
|
2018-02-01 16:21:30 -07:00
|
|
|
event(user._id, 'signin', await pack(record));
|
2016-12-28 15:49:51 -07:00
|
|
|
};
|