-
Notifications
You must be signed in to change notification settings - Fork 305
/
Copy pathcreate-account-request.js
468 lines (419 loc) · 13.3 KB
/
create-account-request.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
'use strict'
const AuthRequest = require('./auth-request')
const WebIdTlsCertificate = require('../models/webid-tls-certificate')
const debug = require('../debug').accounts
const blacklistService = require('../services/blacklist-service')
const { isValidUsername } = require('../common/user-utils')
/**
* Represents a 'create new user account' http request (either a POST to the
* `/accounts/api/new` endpoint, or a GET to `/register`).
*
* Intended just for browser-based requests; to create new user accounts from
* a command line, use the `AccountManager` class directly.
*
* This is an abstract class, subclasses are created (for example
* `CreateOidcAccountRequest`) depending on which Authentication mode the server
* is running in.
*
* @class CreateAccountRequest
*/
class CreateAccountRequest extends AuthRequest {
/**
* @param [options={}] {Object}
* @param [options.accountManager] {AccountManager}
* @param [options.userAccount] {UserAccount}
* @param [options.session] {Session} e.g. req.session
* @param [options.response] {HttpResponse}
* @param [options.returnToUrl] {string} If present, redirect the agent to
* this url on successful account creation
* @param [options.enforceToc] {boolean} Whether or not to enforce the service provider's T&C
* @param [options.tocUri] {string} URI to the service provider's T&C
* @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
*/
constructor (options) {
super(options)
this.username = options.username
this.userAccount = options.userAccount
this.acceptToc = options.acceptToc
this.disablePasswordChecks = options.disablePasswordChecks
}
/**
* Factory method, creates an appropriate CreateAccountRequest subclass from
* an HTTP request (browser form submit), depending on the authn method.
*
* @param req
* @param res
*
* @throws {Error} If required parameters are missing (via
* `userAccountFrom()`), or it encounters an unsupported authentication
* scheme.
*
* @return {CreateOidcAccountRequest|CreateTlsAccountRequest}
*/
static fromParams (req, res) {
const options = AuthRequest.requestOptions(req, res)
const locals = req.app.locals
const authMethod = locals.authMethod
const accountManager = locals.accountManager
const body = req.body || {}
if (body.username) {
options.username = body.username.toLowerCase()
options.userAccount = accountManager.userAccountFrom(body)
}
options.enforceToc = locals.enforceToc
options.tocUri = locals.tocUri
options.disablePasswordChecks = locals.disablePasswordChecks
switch (authMethod) {
case 'oidc':
options.password = body.password
return new CreateOidcAccountRequest(options)
case 'tls':
options.spkac = body.spkac
return new CreateTlsAccountRequest(options)
default:
throw new TypeError('Unsupported authentication scheme')
}
}
static async post (req, res) {
const request = CreateAccountRequest.fromParams(req, res)
try {
request.validate()
await request.createAccount()
} catch (error) {
request.error(error, req.body)
}
}
static get (req, res) {
const request = CreateAccountRequest.fromParams(req, res)
return Promise.resolve()
.then(() => request.renderForm())
.catch(error => request.error(error))
}
/**
* Renders the Register form
*/
renderForm (error, data = {}) {
const authMethod = this.accountManager.authMethod
const params = Object.assign({}, this.authQueryParams, {
enforceToc: this.enforceToc,
loginUrl: this.loginUrl(),
multiuser: this.accountManager.multiuser,
registerDisabled: authMethod === 'tls',
returnToUrl: this.returnToUrl,
tocUri: this.tocUri,
disablePasswordChecks: this.disablePasswordChecks,
username: data.username,
name: data.name,
email: data.email,
acceptToc: data.acceptToc
})
if (error) {
params.error = error.message
this.response.status(error.statusCode)
}
this.response.render('account/register', params)
}
/**
* Creates an account for a given user (from a POST to `/api/accounts/new`)
*
* @throws {Error} If errors were encountering while validating the username.
*
* @return {Promise<UserAccount>} Resolves with newly created account instance
*/
async createAccount () {
const userAccount = this.userAccount
const accountManager = this.accountManager
if (userAccount.externalWebId) {
const error = new Error('Linked users not currently supported, sorry (external WebID without TLS?)')
error.statusCode = 400
throw error
}
this.cancelIfUsernameInvalid(userAccount)
this.cancelIfBlacklistedUsername(userAccount)
await this.cancelIfAccountExists(userAccount)
await this.createAccountStorage(userAccount)
await this.saveCredentialsFor(userAccount)
await this.sendResponse(userAccount)
// 'return' not used deliberately, no need to block and wait for email
if (userAccount && userAccount.email) {
debug('Sending Welcome email')
accountManager.sendWelcomeEmail(userAccount)
}
return userAccount
}
/**
* Rejects with an error if an account already exists, otherwise simply
* resolves with the account.
*
* @param userAccount {UserAccount} Instance of the account to be created
*
* @return {Promise<UserAccount>} Chainable
*/
cancelIfAccountExists (userAccount) {
const accountManager = this.accountManager
return accountManager.accountExists(userAccount.username)
.then(exists => {
if (exists) {
debug(`Canceling account creation, ${userAccount.webId} already exists`)
const error = new Error('Account creation failed')
error.status = 400
throw error
}
// Account does not exist, proceed
return userAccount
})
}
/**
* Creates the root storage folder, initializes default containers and
* resources for the new account.
*
* @param userAccount {UserAccount} Instance of the account to be created
*
* @throws {Error} If errors were encountering while creating new account
* resources.
*
* @return {Promise<UserAccount>} Chainable
*/
createAccountStorage (userAccount) {
return this.accountManager.createAccountFor(userAccount)
.catch(error => {
error.message = 'Error creating account storage: ' + error.message
throw error
})
.then(() => {
debug('Account storage resources created')
return userAccount
})
}
/**
* Check if a username is a valid slug.
*
* @param userAccount {UserAccount} Instance of the account to be created
*
* @throws {Error} If errors were encountering while validating the
* username.
*
* @return {UserAccount} Chainable
*/
cancelIfUsernameInvalid (userAccount) {
if (!userAccount.username || !isValidUsername(userAccount.username)) {
debug('Invalid username ' + userAccount.username)
const error = new Error('Invalid username (contains invalid characters)')
error.status = 400
throw error
}
return userAccount
}
/**
* Check if a username is a valid slug.
*
* @param userAccount {UserAccount} Instance of the account to be created
*
* @throws {Error} If username is blacklisted
*
* @return {UserAccount} Chainable
*/
cancelIfBlacklistedUsername (userAccount) {
const validUsername = blacklistService.validate(userAccount.username)
if (!validUsername) {
debug('Invalid username ' + userAccount.username)
const error = new Error('Invalid username (username is blacklisted)')
error.status = 400
throw error
}
return userAccount
}
}
/**
* Models a Create Account request for a server using WebID-OIDC (OpenID Connect)
* as a primary authentication mode. Handles saving user credentials to the
* `UserStore`, etc.
*
* @class CreateOidcAccountRequest
* @extends CreateAccountRequest
*/
class CreateOidcAccountRequest extends CreateAccountRequest {
/**
* @constructor
*
* @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
* @param [options.password] {string} Password, as entered by the user at signup
* @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
*/
constructor (options) {
super(options)
this.password = options.password
}
/**
* Validates the Login request (makes sure required parameters are present),
* and throws an error if not.
*
* @throws {Error} If missing required params
*/
validate () {
let error
if (!this.username) {
error = new Error('Username required')
error.statusCode = 400
throw error
}
if (!this.password) {
error = new Error('Password required')
error.statusCode = 400
throw error
}
if (this.enforceToc && !this.acceptToc) {
error = new Error('Accepting Terms & Conditions is required for this service')
error.statusCode = 400
throw error
}
}
/**
* Generate salted password hash, etc.
*
* @param userAccount {UserAccount}
*
* @return {Promise<null|Graph>}
*/
saveCredentialsFor (userAccount) {
return this.userStore.createUser(userAccount, this.password)
.then(() => {
debug('User credentials stored')
return userAccount
})
}
/**
* Generate the response for the account creation
*
* @param userAccount {UserAccount}
*
* @return {UserAccount}
*/
sendResponse (userAccount) {
const redirectUrl = this.returnToUrl || userAccount.podUri
this.response.redirect(redirectUrl)
return userAccount
}
}
/**
* Models a Create Account request for a server using WebID-TLS as primary
* authentication mode. Handles generating and saving a TLS certificate, etc.
*
* @class CreateTlsAccountRequest
* @extends CreateAccountRequest
*/
class CreateTlsAccountRequest extends CreateAccountRequest {
/**
* @constructor
*
* @param [options={}] {Object} See `CreateAccountRequest` constructor docstring
* @param [options.spkac] {string}
* @param [options.acceptToc] {boolean} Whether or not user has accepted T&C
*/
constructor (options) {
super(options)
this.spkac = options.spkac
this.certificate = null
}
/**
* Validates the Signup request (makes sure required parameters are present),
* and throws an error if not.
*
* @throws {Error} If missing required params
*/
validate () {
let error
if (!this.username) {
error = new Error('Username required')
error.statusCode = 400
throw error
}
if (this.enforceToc && !this.acceptToc) {
error = new Error('Accepting Terms & Conditions is required for this service')
error.statusCode = 400
throw error
}
}
/**
* Generates a new X.509v3 RSA certificate (if `spkac` was passed in) and
* adds it to the user account. Used for storage in an agent's WebID
* Profile, for WebID-TLS authentication.
*
* @param userAccount {UserAccount}
* @param userAccount.webId {string} An agent's WebID URI
*
* @throws {Error} HTTP 400 error if errors were encountering during
* certificate generation.
*
* @return {Promise<UserAccount>} Chainable
*/
generateTlsCertificate (userAccount) {
if (!this.spkac) {
debug('Missing spkac param, not generating cert during account creation')
return Promise.resolve(userAccount)
}
return Promise.resolve()
.then(() => {
const host = this.accountManager.host
return WebIdTlsCertificate.fromSpkacPost(this.spkac, userAccount, host)
.generateCertificate()
})
.catch(err => {
err.status = 400
err.message = 'Error generating a certificate: ' + err.message
throw err
})
.then(certificate => {
debug('Generated a WebID-TLS certificate as part of account creation')
this.certificate = certificate
return userAccount
})
}
/**
* Generates a WebID-TLS certificate and saves it to the user's profile
* graph.
*
* @param userAccount {UserAccount}
*
* @return {Promise<UserAccount>} Chainable
*/
saveCredentialsFor (userAccount) {
return this.generateTlsCertificate(userAccount)
.then(userAccount => {
if (this.certificate) {
return this.accountManager
.addCertKeyToProfile(this.certificate, userAccount)
.then(() => {
debug('Saved generated WebID-TLS certificate to profile')
})
} else {
debug('No certificate generated, no need to save to profile')
}
})
.then(() => {
return userAccount
})
}
/**
* Writes the generated TLS certificate to the http Response object.
*
* @param userAccount {UserAccount}
*
* @return {UserAccount} Chainable
*/
sendResponse (userAccount) {
const res = this.response
res.set('User', userAccount.webId)
res.status(200)
if (this.certificate) {
res.set('Content-Type', 'application/x-x509-user-cert')
res.send(this.certificate.toDER())
} else {
res.end()
}
return userAccount
}
}
module.exports = CreateAccountRequest
module.exports.CreateAccountRequest = CreateAccountRequest
module.exports.CreateTlsAccountRequest = CreateTlsAccountRequest