yuuza/outline
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove NotificationSettings table (#5036

Browse Source 
* helper

* Add script to move notification settings

* wip, removal of NotificationSettings

* event name

* iteration

* test

* test

* Remove last of NotificationSettings model

* refactor

* More fixes

* snapshots

* Change emails to class instances for type safety

* test

* docs

* Update migration for self-hosted

* tsc
This commit is contained in:
Tom Moor
2023-03-18 09:32:41 -04:00
committed by GitHub
parent 41f97b0563
commit 45831e9469
58 changed files with 972 additions and 711 deletions
Download Patch File Download Diff File Expand all files Collapse all files

307
server/routes/api/users/__snapshots__/users.test.ts.snap Normal file
View File

@@ -0,0 +1,307 @@
// Jest Snapshot v1, https://goo.gl/fbAQLP
exports[`#users.activate should activate a suspended user 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"isSuspended": false,
"isViewer": false,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": true,
"promote": true,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.activate should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#users.delete should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;
exports[`#users.demote should demote an admin 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"isSuspended": false,
"isViewer": false,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": true,
"promote": true,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.demote should demote an admin to member 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"isSuspended": false,
"isViewer": false,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": true,
"promote": true,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.demote should demote an admin to viewer 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"isSuspended": false,
"isViewer": true,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": true,
"promote": true,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.demote should not allow demoting self 1`] = `
{
"error": "validation_error",
"message": "Unable to demote the current user",
"ok": false,
"status": 400,
}
`;
exports[`#users.demote should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#users.promote should promote a new admin 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": true,
"isSuspended": false,
"isViewer": false,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": true,
"promote": false,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.promote should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#users.suspend should not allow suspending the user themselves 1`] = `
{
"error": "validation_error",
"message": "Unable to suspend the current user",
"ok": false,
"status": 400,
}
`;
exports[`#users.suspend should require admin 1`] = `
{
"error": "admin_required",
"message": "An admin role is required to access this resource",
"ok": false,
"status": 403,
}
`;
exports[`#users.suspend should suspend an user 1`] = `
{
"data": {
"avatarUrl": null,
"color": "#e600e0",
"createdAt": "2018-01-02T00:00:00.000Z",
"email": "user1@example.com",
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
"isAdmin": false,
"isSuspended": true,
"isViewer": false,
"language": "en_US",
"lastActiveAt": null,
"name": "User 1",
"notificationSettings": {},
"preferences": null,
"updatedAt": "2018-01-02T00:00:00.000Z",
},
"ok": true,
"policies": [
{
"abilities": {
"activate": true,
"delete": true,
"demote": false,
"promote": false,
"read": true,
"readDetails": true,
"resendInvite": true,
"suspend": true,
"update": false,
},
"id": "46fde1d4-0050-428f-9f0b-0bf77f4bdf61",
},
],
"status": 200,
}
`;
exports[`#users.update should require authentication 1`] = `
{
"error": "authentication_required",
"message": "Authentication required",
"ok": false,
"status": 401,
}
`;

1
server/routes/api/users/index.ts Normal file
View File

@@ -0,0 +1 @@
export { default } from "./users";

22
server/routes/api/users/schema.ts Normal file
View File

@@ -0,0 +1,22 @@
import { z } from "zod";
import { NotificationEventType } from "@shared/types";
export const UsersNotificationsSubscribeSchema = z.object({
body: z.object({
eventType: z.nativeEnum(NotificationEventType),
}),
});
export type UsersNotificationsSubscribeReq = z.infer<
typeof UsersNotificationsSubscribeSchema
>;
export const UsersNotificationsUnsubscribeSchema = z.object({
body: z.object({
eventType: z.nativeEnum(NotificationEventType),
}),
});
export type UsersNotificationsUnsubscribeReq = z.infer<
typeof UsersNotificationsUnsubscribeSchema
>;

735
server/routes/api/users/users.test.ts Normal file
View File

@@ -0,0 +1,735 @@
import {
buildTeam,
buildAdmin,
buildUser,
buildInvite,
} from "@server/test/factories";
import { seed, getTestServer } from "@server/test/support";
const server = getTestServer();
beforeAll(() => {
jest.useFakeTimers().setSystemTime(new Date("2018-01-02T00:00:00.000Z"));
});
afterAll(() => {
jest.useRealTimers();
});
describe("#users.list", () => {
it("should allow filtering by user name", async () => {
const user = await buildUser({
name: "Tester",
});
// suspended user should not be returned
await buildUser({
name: "Tester",
teamId: user.teamId,
suspendedAt: new Date(),
});
const res = await server.post("/api/users.list", {
body: {
query: "test",
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
expect(body.data[0].id).toEqual(user.id);
});
it("should allow filtering to suspended users", async () => {
const admin = await buildAdmin();
await buildUser({
name: "Tester",
teamId: admin.teamId,
suspendedAt: new Date(),
});
const res = await server.post("/api/users.list", {
body: {
query: "test",
filter: "suspended",
token: admin.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
});
it("should not allow members to view suspended users", async () => {
const user = await buildUser();
await buildUser({
name: "Tester",
teamId: user.teamId,
suspendedAt: new Date(),
});
const res = await server.post("/api/users.list", {
body: {
query: "test",
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(0);
});
it("should allow filtering to active", async () => {
const user = await buildUser({
name: "Tester",
});
await buildInvite({
name: "Tester",
teamId: user.teamId,
});
const res = await server.post("/api/users.list", {
body: {
query: "test",
filter: "active",
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
});
it("should allow filtering to invited", async () => {
const user = await buildUser({
name: "Tester",
});
await buildUser({
name: "Tester",
teamId: user.teamId,
lastActiveAt: null,
});
const res = await server.post("/api/users.list", {
body: {
query: "test",
filter: "invited",
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
});
it("should return teams paginated user list", async () => {
const { admin, user } = await seed();
const res = await server.post("/api/users.list", {
body: {
token: admin.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(2);
expect(body.data[0].id).toEqual(user.id);
expect(body.data[1].id).toEqual(admin.id);
});
it("should allow filtering by id", async () => {
const { admin, user } = await seed();
const res = await server.post("/api/users.list", {
body: {
token: admin.getJwtToken(),
ids: [user.id],
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(1);
expect(body.data[0].id).toEqual(user.id);
});
it("should require admin for detailed info", async () => {
const { user, admin } = await seed();
const res = await server.post("/api/users.list", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.length).toEqual(2);
expect(body.data[0].email).toEqual(undefined);
expect(body.data[1].email).toEqual(undefined);
expect(body.data[0].id).toEqual(user.id);
expect(body.data[1].id).toEqual(admin.id);
});
});
describe("#users.info", () => {
it("should return current user with no id", async () => {
const user = await buildUser();
const res = await server.post("/api/users.info", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(user.id);
expect(body.data.name).toEqual(user.name);
expect(body.data.email).toEqual(user.email);
});
it("should return user with permission", async () => {
const user = await buildUser();
const another = await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/users.info", {
body: {
token: user.getJwtToken(),
id: another.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.id).toEqual(another.id);
expect(body.data.name).toEqual(another.name);
// no emails of other users
expect(body.data.email).toEqual(undefined);
});
it("should now return user without permission", async () => {
const user = await buildUser();
const another = await buildUser();
const res = await server.post("/api/users.info", {
body: {
token: user.getJwtToken(),
id: another.id,
},
});
expect(res.status).toEqual(403);
});
it("should require authentication", async () => {
const res = await server.post("/api/users.info");
expect(res.status).toEqual(401);
});
});
describe("#users.invite", () => {
it("should return sent invites", async () => {
const user = await buildAdmin();
const res = await server.post("/api/users.invite", {
body: {
token: user.getJwtToken(),
invites: [
{
email: "test@example.com",
name: "Test",
role: "member",
},
],
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.sent.length).toEqual(1);
});
it("should require invites to be an array", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.invite", {
body: {
token: admin.getJwtToken(),
invites: {
email: "test@example.com",
name: "Test",
role: "member",
},
},
});
expect(res.status).toEqual(400);
});
it("should require admin", async () => {
const admin = await buildUser();
const res = await server.post("/api/users.invite", {
body: {
token: admin.getJwtToken(),
invites: [
{
email: "test@example.com",
name: "Test",
role: "member",
},
],
},
});
expect(res.status).toEqual(403);
});
it("should invite user as an admin", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.invite", {
body: {
token: admin.getJwtToken(),
invites: [
{
email: "test@example.com",
name: "Test",
role: "admin",
},
],
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.sent.length).toEqual(1);
expect(body.data.users[0].isAdmin).toBeTruthy();
expect(body.data.users[0].isViewer).toBeFalsy();
});
it("should invite user as a viewer", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.invite", {
body: {
token: admin.getJwtToken(),
invites: [
{
email: "test@example.com",
name: "Test",
role: "viewer",
},
],
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.sent.length).toEqual(1);
expect(body.data.users[0].isViewer).toBeTruthy();
expect(body.data.users[0].isAdmin).toBeFalsy();
});
it("should invite user as a member if role is any arbitary value", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.invite", {
body: {
token: admin.getJwtToken(),
invites: [
{
email: "test@example.com",
name: "Test",
role: "arbitary",
},
],
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.sent.length).toEqual(1);
expect(body.data.users[0].isViewer).toBeFalsy();
expect(body.data.users[0].isAdmin).toBeFalsy();
});
it("should require authentication", async () => {
const res = await server.post("/api/users.invite");
expect(res.status).toEqual(401);
});
});
describe("#users.delete", () => {
it("should not allow deleting last admin if many users", async () => {
const user = await buildAdmin();
await buildUser({
teamId: user.teamId,
isAdmin: false,
});
const res = await server.post("/api/users.delete", {
body: {
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(400);
});
it("should require correct code when no id passed", async () => {
const user = await buildAdmin();
await buildUser({
teamId: user.teamId,
isAdmin: false,
});
const res = await server.post("/api/users.delete", {
body: {
code: "123",
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(400);
});
it("should allow deleting user account with correct code", async () => {
const user = await buildUser();
await buildUser({
teamId: user.teamId,
});
const res = await server.post("/api/users.delete", {
body: {
code: user.deleteConfirmationCode,
token: user.getJwtToken(),
},
});
expect(res.status).toEqual(200);
});
it("should allow deleting user account as admin", async () => {
const admin = await buildAdmin();
const user = await buildUser({
teamId: admin.teamId,
});
const res = await server.post("/api/users.delete", {
body: {
id: user.id,
token: admin.getJwtToken(),
},
});
expect(res.status).toEqual(200);
});
it("should require authentication", async () => {
const res = await server.post("/api/users.delete");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
});
describe("#users.update", () => {
it("should update user profile information", async () => {
const { user } = await seed();
const res = await server.post("/api/users.update", {
body: {
token: user.getJwtToken(),
name: "New name",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.name).toEqual("New name");
});
it("should fail upon sending invalid user preference", async () => {
const { user } = await seed();
const res = await server.post("/api/users.update", {
body: {
token: user.getJwtToken(),
name: "New name",
preferences: { invalidPreference: "invalidValue" },
},
});
expect(res.status).toEqual(400);
});
it("should fail upon sending invalid user preference value", async () => {
const { user } = await seed();
const res = await server.post("/api/users.update", {
body: {
token: user.getJwtToken(),
name: "New name",
preferences: { rememberLastPath: "invalidValue" },
},
});
expect(res.status).toEqual(400);
});
it("should update rememberLastPath user preference", async () => {
const { user } = await seed();
const res = await server.post("/api/users.update", {
body: {
token: user.getJwtToken(),
name: "New name",
preferences: {
rememberLastPath: true,
},
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.preferences.rememberLastPath).toBe(true);
});
it("should require authentication", async () => {
const res = await server.post("/api/users.update");
const body = await res.json();
expect(res.status).toEqual(401);
expect(body).toMatchSnapshot();
});
});
describe("#users.promote", () => {
it("should promote a new admin", async () => {
const { admin, user } = await seed();
const res = await server.post("/api/users.promote", {
body: {
token: admin.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const res = await server.post("/api/users.promote", {
body: {
token: user.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#users.demote", () => {
it("should demote an admin", async () => {
const { admin, user } = await seed();
await user.update({
isAdmin: true,
}); // Make another admin
const res = await server.post("/api/users.demote", {
body: {
token: admin.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should demote an admin to viewer", async () => {
const { admin, user } = await seed();
await user.update({
isAdmin: true,
}); // Make another admin
const res = await server.post("/api/users.demote", {
body: {
token: admin.getJwtToken(),
id: user.id,
to: "viewer",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should demote an admin to member", async () => {
const { admin, user } = await seed();
await user.update({
isAdmin: true,
}); // Make another admin
const res = await server.post("/api/users.demote", {
body: {
token: admin.getJwtToken(),
id: user.id,
to: "member",
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should not allow demoting self", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.demote", {
body: {
token: admin.getJwtToken(),
id: admin.id,
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const res = await server.post("/api/users.promote", {
body: {
token: user.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#users.suspend", () => {
it("should suspend an user", async () => {
const { admin, user } = await seed();
const res = await server.post("/api/users.suspend", {
body: {
token: admin.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should not allow suspending the user themselves", async () => {
const admin = await buildAdmin();
const res = await server.post("/api/users.suspend", {
body: {
token: admin.getJwtToken(),
id: admin.id,
},
});
const body = await res.json();
expect(res.status).toEqual(400);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const res = await server.post("/api/users.suspend", {
body: {
token: user.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#users.activate", () => {
it("should activate a suspended user", async () => {
const { admin, user } = await seed();
await user.update({
suspendedById: admin.id,
suspendedAt: new Date(),
});
expect(user.isSuspended).toBe(true);
const res = await server.post("/api/users.activate", {
body: {
token: admin.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body).toMatchSnapshot();
});
it("should require admin", async () => {
const user = await buildUser();
const res = await server.post("/api/users.activate", {
body: {
token: user.getJwtToken(),
id: user.id,
},
});
const body = await res.json();
expect(res.status).toEqual(403);
expect(body).toMatchSnapshot();
});
});
describe("#users.count", () => {
it("should count active users", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
});
const res = await server.post("/api/users.count", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.counts.all).toEqual(1);
expect(body.data.counts.admins).toEqual(0);
expect(body.data.counts.invited).toEqual(0);
expect(body.data.counts.suspended).toEqual(0);
expect(body.data.counts.active).toEqual(1);
});
it("should count admin users", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
isAdmin: true,
});
const res = await server.post("/api/users.count", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.counts.all).toEqual(1);
expect(body.data.counts.admins).toEqual(1);
expect(body.data.counts.invited).toEqual(0);
expect(body.data.counts.suspended).toEqual(0);
expect(body.data.counts.active).toEqual(1);
});
it("should count suspended users", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
});
await buildUser({
teamId: team.id,
suspendedAt: new Date(),
});
const res = await server.post("/api/users.count", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.counts.all).toEqual(2);
expect(body.data.counts.admins).toEqual(0);
expect(body.data.counts.invited).toEqual(0);
expect(body.data.counts.suspended).toEqual(1);
expect(body.data.counts.active).toEqual(1);
});
it("should count invited users", async () => {
const team = await buildTeam();
const user = await buildUser({
teamId: team.id,
lastActiveAt: null,
});
const res = await server.post("/api/users.count", {
body: {
token: user.getJwtToken(),
},
});
const body = await res.json();
expect(res.status).toEqual(200);
expect(body.data.counts.all).toEqual(1);
expect(body.data.counts.admins).toEqual(0);
expect(body.data.counts.invited).toEqual(1);
expect(body.data.counts.suspended).toEqual(0);
expect(body.data.counts.active).toEqual(0);
});
it("should require authentication", async () => {
const res = await server.post("/api/users.count");
expect(res.status).toEqual(401);
});
});

528
server/routes/api/users/users.ts Normal file
View File

@@ -0,0 +1,528 @@
import crypto from "crypto";
import Router from "koa-router";
import { has } from "lodash";
import { Op, WhereOptions } from "sequelize";
import { UserPreference } from "@shared/types";
import { UserValidation } from "@shared/validations";
import userDemoter from "@server/commands/userDemoter";
import userDestroyer from "@server/commands/userDestroyer";
import userInviter from "@server/commands/userInviter";
import userSuspender from "@server/commands/userSuspender";
import userUnsuspender from "@server/commands/userUnsuspender";
import ConfirmUserDeleteEmail from "@server/emails/templates/ConfirmUserDeleteEmail";
import InviteEmail from "@server/emails/templates/InviteEmail";
import env from "@server/env";
import { ValidationError } from "@server/errors";
import logger from "@server/logging/Logger";
import auth from "@server/middlewares/authentication";
import { rateLimiter } from "@server/middlewares/rateLimiter";
import { transaction } from "@server/middlewares/transaction";
import validate from "@server/middlewares/validate";
import { Event, User, Team } from "@server/models";
import { UserFlag, UserRole } from "@server/models/User";
import { can, authorize } from "@server/policies";
import { presentUser, presentPolicies } from "@server/presenters";
import { APIContext } from "@server/types";
import { RateLimiterStrategy } from "@server/utils/RateLimiter";
import {
assertIn,
assertSort,
assertPresent,
assertArray,
assertUuid,
assertKeysIn,
assertBoolean,
} from "@server/validation";
import pagination from "../middlewares/pagination";
import * as T from "./schema";
const router = new Router();
const emailEnabled = !!(env.SMTP_HOST || env.ENVIRONMENT === "development");
router.post("users.list", auth(), pagination(), async (ctx: APIContext) => {
let { direction } = ctx.request.body;
const { sort = "createdAt", query, filter, ids } = ctx.request.body;
if (direction !== "ASC") {
direction = "DESC";
}
assertSort(sort, User);
if (filter) {
assertIn(
filter,
["invited", "viewers", "admins", "members", "active", "all", "suspended"],
"Invalid filter"
);
}
const actor = ctx.state.auth.user;
let where: WhereOptions<User> = {
teamId: actor.teamId,
};
// Filter out suspended users if we're not an admin
if (!actor.isAdmin) {
where = {
...where,
suspendedAt: {
[Op.eq]: null,
},
};
}
switch (filter) {
case "invited": {
where = { ...where, lastActiveAt: null };
break;
}
case "viewers": {
where = { ...where, isViewer: true };
break;
}
case "admins": {
where = { ...where, isAdmin: true };
break;
}
case "members": {
where = { ...where, isAdmin: false, isViewer: false };
break;
}
case "suspended": {
if (actor.isAdmin) {
where = {
...where,
suspendedAt: {
[Op.ne]: null,
},
};
}
break;
}
case "active": {
where = {
...where,
lastActiveAt: {
[Op.ne]: null,
},
suspendedAt: {
[Op.is]: null,
},
};
break;
}
case "all": {
break;
}
default: {
where = {
...where,
suspendedAt: {
[Op.is]: null,
},
};
break;
}
}
if (query) {
where = {
...where,
name: {
[Op.iLike]: `%${query}%`,
},
};
}
if (ids) {
assertArray(ids, "ids must be an array of UUIDs");
where = {
...where,
id: ids,
};
}
const [users, total] = await Promise.all([
User.findAll({
where,
order: [[sort, direction]],
offset: ctx.state.pagination.offset,
limit: ctx.state.pagination.limit,
}),
User.count({
where,
}),
]);
ctx.body = {
pagination: { ...ctx.state.pagination, total },
data: users.map((user) =>
presentUser(user, {
includeDetails: can(actor, "readDetails", user),
})
),
policies: presentPolicies(actor, users),
};
});
router.post("users.count", auth(), async (ctx: APIContext) => {
const { user } = ctx.state.auth;
const counts = await User.getCounts(user.teamId);
ctx.body = {
data: {
counts,
},
};
});
router.post("users.info", auth(), async (ctx: APIContext) => {
const { id } = ctx.request.body;
const actor = ctx.state.auth.user;
const user = id ? await User.findByPk(id) : actor;
authorize(actor, "read", user);
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
});
router.post("users.update", auth(), transaction(), async (ctx: APIContext) => {
const { auth, transaction } = ctx.state;
const { user } = auth;
const { name, avatarUrl, language, preferences } = ctx.request.body;
if (name) {
user.name = name;
}
if (avatarUrl) {
user.avatarUrl = avatarUrl;
}
if (language) {
user.language = language;
}
if (preferences) {
assertKeysIn(preferences, UserPreference);
for (const value of Object.values(UserPreference)) {
if (has(preferences, value)) {
assertBoolean(preferences[value]);
user.setPreference(value, preferences[value]);
}
}
}
await user.save({ transaction });
await Event.create(
{
name: "users.update",
actorId: user.id,
userId: user.id,
teamId: user.teamId,
ip: ctx.request.ip,
},
{ transaction }
);
ctx.body = {
data: presentUser(user, {
includeDetails: true,
}),
};
});
// Admin specific
router.post("users.promote", auth(), async (ctx: APIContext) => {
const userId = ctx.request.body.id;
const actor = ctx.state.auth.user;
const teamId = actor.teamId;
assertPresent(userId, "id is required");
const user = await User.findByPk(userId);
authorize(actor, "promote", user);
await user.promote();
await Event.create({
name: "users.promote",
actorId: actor.id,
userId,
teamId,
data: {
name: user.name,
},
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
});
router.post("users.demote", auth(), async (ctx: APIContext) => {
const userId = ctx.request.body.id;
let { to } = ctx.request.body;
const actor = ctx.state.auth.user;
assertPresent(userId, "id is required");
to = (to === "viewer" ? "viewer" : "member") as UserRole;
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
});
authorize(actor, "demote", user);
await userDemoter({
to,
user,
actorId: actor.id,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
});
router.post("users.suspend", auth(), async (ctx: APIContext) => {
const userId = ctx.request.body.id;
const actor = ctx.state.auth.user;
assertPresent(userId, "id is required");
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
});
authorize(actor, "suspend", user);
await userSuspender({
user,
actorId: actor.id,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
});
router.post("users.activate", auth(), async (ctx: APIContext) => {
const userId = ctx.request.body.id;
const actor = ctx.state.auth.user;
assertPresent(userId, "id is required");
const user = await User.findByPk(userId, {
rejectOnEmpty: true,
});
authorize(actor, "activate", user);
await userUnsuspender({
user,
actorId: actor.id,
ip: ctx.request.ip,
});
const includeDetails = can(actor, "readDetails", user);
ctx.body = {
data: presentUser(user, {
includeDetails,
}),
policies: presentPolicies(actor, [user]),
};
});
router.post(
"users.invite",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
async (ctx: APIContext) => {
const { invites } = ctx.request.body;
assertArray(invites, "invites must be an array");
const { user } = ctx.state.auth;
const team = await Team.findByPk(user.teamId);
authorize(user, "inviteUser", team);
const response = await userInviter({
user,
invites: invites.slice(0, UserValidation.maxInvitesPerRequest),
ip: ctx.request.ip,
});
ctx.body = {
data: {
sent: response.sent,
users: response.users.map((user) => presentUser(user)),
},
};
}
);
router.post(
"users.resendInvite",
auth(),
transaction(),
async (ctx: APIContext) => {
const { id } = ctx.request.body;
const { auth, transaction } = ctx.state;
const actor = auth.user;
const user = await User.findByPk(id, {
lock: transaction.LOCK.UPDATE,
transaction,
});
authorize(actor, "resendInvite", user);
if (user.getFlag(UserFlag.InviteSent) > 2) {
throw ValidationError("This invite has been sent too many times");
}
await new InviteEmail({
to: user.email,
name: user.name,
actorName: actor.name,
actorEmail: actor.email,
teamName: actor.team.name,
teamUrl: actor.team.url,
}).schedule();
user.incrementFlag(UserFlag.InviteSent);
await user.save({ transaction });
if (env.ENVIRONMENT === "development") {
logger.info(
"email",
`Sign in immediately: ${
env.URL
}/auth/email.callback?token=${user.getEmailSigninToken()}`
);
}
ctx.body = {
success: true,
};
}
);
router.post(
"users.requestDelete",
auth(),
rateLimiter(RateLimiterStrategy.FivePerHour),
async (ctx: APIContext) => {
const { user } = ctx.state.auth;
authorize(user, "delete", user);
if (emailEnabled) {
await new ConfirmUserDeleteEmail({
to: user.email,
deleteConfirmationCode: user.deleteConfirmationCode,
}).schedule();
}
ctx.body = {
success: true,
};
}
);
router.post(
"users.delete",
auth(),
rateLimiter(RateLimiterStrategy.TenPerHour),
async (ctx: APIContext) => {
const { id, code = "" } = ctx.request.body;
const actor = ctx.state.auth.user;
let user: User;
if (id) {
assertUuid(id, "id must be a UUID");
user = await User.findByPk(id, {
rejectOnEmpty: true,
});
} else {
user = actor;
}
authorize(actor, "delete", user);
// If we're attempting to delete our own account then a confirmation code
// is required. This acts as CSRF protection.
if ((!id || id === actor.id) && emailEnabled) {
const deleteConfirmationCode = user.deleteConfirmationCode;
if (
!code ||
code.length !== deleteConfirmationCode.length ||
!crypto.timingSafeEqual(
Buffer.from(code),
Buffer.from(deleteConfirmationCode)
)
) {
throw ValidationError("The confirmation code was incorrect");
}
}
await userDestroyer({
user,
actor,
ip: ctx.request.ip,
});
ctx.body = {
success: true,
};
}
);
router.post(
"users.notificationsSubscribe",
auth(),
validate(T.UsersNotificationsSubscribeSchema),
transaction(),
async (ctx: APIContext<T.UsersNotificationsSubscribeReq>) => {
const { eventType } = ctx.input.body;
const { transaction } = ctx.state;
const { user } = ctx.state.auth;
user.setNotificationEventType(eventType, true);
await user.save({ transaction });
ctx.body = {
data: presentUser(user, { includeDetails: true }),
};
}
);
router.post(
"users.notificationsUnsubscribe",
auth(),
validate(T.UsersNotificationsUnsubscribeSchema),
transaction(),
async (ctx: APIContext<T.UsersNotificationsUnsubscribeReq>) => {
const { eventType } = ctx.input.body;
const { transaction } = ctx.state;
const { user } = ctx.state.auth;
user.setNotificationEventType(eventType, false);
await user.save({ transaction });
ctx.body = {
data: presentUser(user, { includeDetails: true }),
};
}
);
export default router;