verdaccio/packages/api/src/user.ts

import _ from 'lodash';
import { Response, Router } from 'express';
import buildDebug from 'debug';

import {
  createRemoteUser,
  getAuthenticatedMessage,
  validatePassword,
  ErrorCode,
} from '@verdaccio/utils';
import { getApiToken } from '@verdaccio/auth';
import { logger } from '@verdaccio/logger';

import { Config, RemoteUser } from '@verdaccio/types';
import { IAuth } from '@verdaccio/auth';
import { API_ERROR, API_MESSAGE, HTTP_STATUS } from '@verdaccio/dev-commons';
import { $RequestExtend, $NextFunctionVer } from '../types/custom';

const debug = buildDebug('verdaccio:api:user');

export default function (route: Router, auth: IAuth, config: Config): void {
  route.get('/-/user/:org_couchdb_user', function (
    req: $RequestExtend,
    res: Response,
    next: $NextFunctionVer
  ): void {
    debug('verifying user');
    const message = getAuthenticatedMessage(req.remote_user.name);
    debug('user authenticated message %o', message);
    res.status(HTTP_STATUS.OK);
    next({
      ok: message,
    });
  });

  route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function (
    req: $RequestExtend,
    res: Response,
    next: $NextFunctionVer
  ): void {
    const { name, password } = req.body;
    debug('login or adduser');
    const remoteName = req.remote_user.name;

    if (_.isNil(remoteName) === false && _.isNil(name) === false && remoteName === name) {
      debug('login: no remote user detected');
      auth.authenticate(name, password, async function callbackAuthenticate(
        err,
        user
      ): Promise<void> {
        if (err) {
          logger.trace(
            { name, err },
            'authenticating for user @{username} failed. Error: @{err.message}'
          );
          return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.BAD_USERNAME_PASSWORD));
        }

        const restoredRemoteUser: RemoteUser = createRemoteUser(name, user.groups || []);
        const token = await getApiToken(auth, config, restoredRemoteUser, password);
        debug('login: new token');
        if (!token) {
          return next(ErrorCode.getUnauthorized());
        }

        res.status(HTTP_STATUS.CREATED);

        const message = getAuthenticatedMessage(req.remote_user.name);
        debug('login: created user message %o', message);

        return next({
          ok: message,
          token,
        });
      });
    } else {
      if (validatePassword(password) === false) {
        debug('adduser: invalid password');
        // eslint-disable-next-line new-cap
        return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, API_ERROR.PASSWORD_SHORT()));
      }

      auth.add_user(name, password, async function (err, user): Promise<void> {
        if (err) {
          if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {
            debug('adduser: error on create user');
            // With npm registering is the same as logging in,
            // and npm accepts only an 409 error.
            // So, changing status code here.
            return next(
              ErrorCode.getCode(err.status, err.message) || ErrorCode.getConflict(err.message)
            );
          }
          return next(err);
        }

        const token =
          name && password ? await getApiToken(auth, config, user, password) : undefined;
        debug('adduser: new token %o', token);
        if (!token) {
          return next(ErrorCode.getUnauthorized());
        }

        req.remote_user = user;
        res.status(HTTP_STATUS.CREATED);
        debug('adduser: user has been created');
        return next({
          ok: `user '${req.body.name}' created`,
          token,
        });
      });
    }
  });

  route.delete('/-/user/token/*', function (
    req: $RequestExtend,
    res: Response,
    next: $NextFunctionVer
  ): void {
    res.status(HTTP_STATUS.OK);
    next({
      ok: API_MESSAGE.LOGGED_OUT,
    });
  });
}
chore: update some endpoints with flow 2018-03-02 23:19:08 +01:00			`import _ from 'lodash';`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`import { Response, Router } from 'express';`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`import buildDebug from 'debug';`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`import {`
			`createRemoteUser,`
			`getAuthenticatedMessage,`
			`validatePassword,`
			`ErrorCode,`
			`} from '@verdaccio/utils';`
refactor: fix imports 2020-03-08 10:13:56 +01:00			`import { getApiToken } from '@verdaccio/auth';`
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`import { logger } from '@verdaccio/logger';`

			`import { Config, RemoteUser } from '@verdaccio/types';`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`import { IAuth } from '@verdaccio/auth';`
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`import { API_ERROR, API_MESSAGE, HTTP_STATUS } from '@verdaccio/dev-commons';`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`import { $RequestExtend, $NextFunctionVer } from '../types/custom';`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`const debug = buildDebug('verdaccio:api:user');`

chore: lint prettier update (#1904) * chore: update prettier@2.x * chore: prettier auto fix * chore: fake circleci we don't need it but I want make dissapear the error 2020-08-13 23:27:00 +02:00			`export default function (route: Router, auth: IAuth, config: Config): void {`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`route.get('/-/user/:org_couchdb_user', function (`
			`req: $RequestExtend,`
			`res: Response,`
			`next: $NextFunctionVer`
			`): void {`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('verifying user');`
			`const message = getAuthenticatedMessage(req.remote_user.name);`
			`debug('user authenticated message %o', message);`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.OK);`
			`next({`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`ok: message,`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`});`
			`});`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function (`
			`req: $RequestExtend,`
			`res: Response,`
			`next: $NextFunctionVer`
			`): void {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const { name, password } = req.body;`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('login or adduser');`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const remoteName = req.remote_user.name;`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`if (_.isNil(remoteName) === false && _.isNil(name) === false && remoteName === name) {`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('login: no remote user detected');`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`auth.authenticate(name, password, async function callbackAuthenticate(`
			`err,`
			`user`
			`): Promise<void> {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`if (err) {`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`logger.trace(`
			`{ name, err },`
			`'authenticating for user @{username} failed. Error: @{err.message}'`
			`);`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.BAD_USERNAME_PASSWORD));`
			`}`
fix(api): force authenticate on login (#1347) When a user has a valid token and tries to login with other credentials the endpoint returns 201. The reason was if another user logged previously and had a valid token stored in the terminal. We must authenticate any user that tries to log in even if the token stored is valid. We must check credentials again and return a new token, if the credentials are wrong we reject the login. Furthermore, the new token will update the list of groups. 2019-06-13 06:58:43 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const restoredRemoteUser: RemoteUser = createRemoteUser(name, user.groups \|\| []);`
			`const token = await getApiToken(auth, config, restoredRemoteUser, password);`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('login: new token');`
			`if (!token) {`
			`return next(ErrorCode.getUnauthorized());`
			`}`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.CREATED);`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`const message = getAuthenticatedMessage(req.remote_user.name);`
			`debug('login: created user message %o', message);`

refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next({`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`ok: message,`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`token,`
			`});`
			`});`
			`} else {`
			`if (validatePassword(password) === false) {`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('adduser: invalid password');`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`// eslint-disable-next-line new-cap`
			`return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, API_ERROR.PASSWORD_SHORT()));`
			`}`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00
chore: lint prettier update (#1904) * chore: update prettier@2.x * chore: prettier auto fix * chore: fake circleci we don't need it but I want make dissapear the error 2020-08-13 23:27:00 +02:00			`auth.add_user(name, password, async function (err, user): Promise<void> {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`if (err) {`
			`if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('adduser: error on create user');`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`// With npm registering is the same as logging in,`
			`// and npm accepts only an 409 error.`
			`// So, changing status code here.`
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`return next(`
			`ErrorCode.getCode(err.status, err.message) \|\| ErrorCode.getConflict(err.message)`
			`);`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`}`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next(err);`
			`}`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00
refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`const token =`
			`name && password ? await getApiToken(auth, config, user, password) : undefined;`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('adduser: new token %o', token);`
			`if (!token) {`
			`return next(ErrorCode.getUnauthorized());`
			`}`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`req.remote_user = user;`
			`res.status(HTTP_STATUS.CREATED);`
feat: improve legacy token signature by removing deprecated crypto.cr… (#1953) * feat: improve legacy token signature by removing deprecated crypto.createDecipher * fix: wrong reference * chore: add debug 2020-10-03 05:47:04 -07:00			`debug('adduser: user has been created');`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next({`
			ok: `user '${req.body.name}' created`,
			`token,`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00			`});`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`});`
			`}`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`});`

refactor: max-len and printWidth to 100 (#1941) * refactor: max-len and printWidth to 100 * chore: ci specific pnpm version * fix: add types peer package literally get rid of types package 2020-09-17 06:48:16 +02:00			`route.delete('/-/user/token/*', function (`
			`req: $RequestExtend,`
			`res: Response,`
			`next: $NextFunctionVer`
			`): void {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.OK);`
			`next({`
			`ok: API_MESSAGE.LOGGED_OUT,`
			`});`
			`});`
refactor: apply flow and imports es6 2018-03-10 21:09:04 +01:00			`}`