verdaccio/packages/api/src/user.ts

import _ from 'lodash';
import Cookies from 'cookies';
import { Response, Router } from 'express';

import { createRemoteUser, createSessionToken, getAuthenticatedMessage, validatePassword, ErrorCode } from '@verdaccio/utils';
import { getApiToken } from '@verdaccio/auth';
import { logger } from '@verdaccio/logger';

import { Config, RemoteUser } from '@verdaccio/types';
import { $RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth } from '@verdaccio/dev-types';
import { API_ERROR, API_MESSAGE, HTTP_STATUS } from '@verdaccio/dev-commons';

export default function(route: Router, auth: IAuth, config: Config): void {
  route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
    res.status(HTTP_STATUS.OK);
    next({
      ok: getAuthenticatedMessage(req.remote_user.name),
    });
  });

  route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
    const { name, password } = req.body;
    const remoteName = req.remote_user.name;

    if (_.isNil(remoteName) === false && _.isNil(name) === false && remoteName === name) {
      auth.authenticate(name, password, async function callbackAuthenticate(err, user): Promise<void> {
        if (err) {
          logger.trace({ name, err }, 'authenticating for user @{username} failed. Error: @{err.message}');
          return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.BAD_USERNAME_PASSWORD));
        }

        const restoredRemoteUser: RemoteUser = createRemoteUser(name, user.groups || []);
        const token = await getApiToken(auth, config, restoredRemoteUser, password);

        res.status(HTTP_STATUS.CREATED);

        return next({
          ok: getAuthenticatedMessage(req.remote_user.name),
          token,
        });
      });
    } else {
      if (validatePassword(password) === false) {
        // eslint-disable-next-line new-cap
        return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, API_ERROR.PASSWORD_SHORT()));
      }

      auth.add_user(name, password, async function(err, user): Promise<void> {
        if (err) {
          if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {
            // With npm registering is the same as logging in,
            // and npm accepts only an 409 error.
            // So, changing status code here.
            return next(ErrorCode.getCode(err.status, err.message) || ErrorCode.getConflict(err.message));
          }
          return next(err);
        }

        const token = name && password ? await getApiToken(auth, config, user, password) : undefined;

        req.remote_user = user;
        res.status(HTTP_STATUS.CREATED);
        return next({
          ok: `user '${req.body.name}' created`,
          token,
        });
      });
    }
  });

  route.delete('/-/user/token/*', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {
    res.status(HTTP_STATUS.OK);
    next({
      ok: API_MESSAGE.LOGGED_OUT,
    });
  });
}
chore: update some endpoints with flow 2018-03-02 23:19:08 +01:00			`import _ from 'lodash';`
			`import Cookies from 'cookies';`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`import { Response, Router } from 'express';`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: fix imports 2020-03-08 10:13:56 +01:00			`import { createRemoteUser, createSessionToken, getAuthenticatedMessage, validatePassword, ErrorCode } from '@verdaccio/utils';`
			`import { getApiToken } from '@verdaccio/auth';`
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`import { logger } from '@verdaccio/logger';`

			`import { Config, RemoteUser } from '@verdaccio/types';`
			`import { $RequestExtend, $ResponseExtend, $NextFunctionVer, IAuth } from '@verdaccio/dev-types';`
			`import { API_ERROR, API_MESSAGE, HTTP_STATUS } from '@verdaccio/dev-commons';`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`export default function(route: Router, auth: IAuth, config: Config): void {`
			`route.get('/-/user/:org_couchdb_user', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.OK);`
			`next({`
			`ok: getAuthenticatedMessage(req.remote_user.name),`
			`});`
			`});`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`route.put('/-/user/:org_couchdb_user/:_rev?/:revision?', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const { name, password } = req.body;`
			`const remoteName = req.remote_user.name;`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`if (_.isNil(remoteName) === false && _.isNil(name) === false && remoteName === name) {`
			`auth.authenticate(name, password, async function callbackAuthenticate(err, user): Promise<void> {`
			`if (err) {`
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`logger.trace({ name, err }, 'authenticating for user @{username} failed. Error: @{err.message}');`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next(ErrorCode.getCode(HTTP_STATUS.UNAUTHORIZED, API_ERROR.BAD_USERNAME_PASSWORD));`
			`}`
fix(api): force authenticate on login (#1347) When a user has a valid token and tries to login with other credentials the endpoint returns 201. The reason was if another user logged previously and had a valid token stored in the terminal. We must authenticate any user that tries to log in even if the token stored is valid. We must check credentials again and return a new token, if the credentials are wrong we reject the login. Furthermore, the new token will update the list of groups. 2019-06-13 06:58:43 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const restoredRemoteUser: RemoteUser = createRemoteUser(name, user.groups \|\| []);`
			`const token = await getApiToken(auth, config, restoredRemoteUser, password);`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.CREATED);`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next({`
			`ok: getAuthenticatedMessage(req.remote_user.name),`
			`token,`
			`});`
			`});`
			`} else {`
			`if (validatePassword(password) === false) {`
			`// eslint-disable-next-line new-cap`
			`return next(ErrorCode.getCode(HTTP_STATUS.BAD_REQUEST, API_ERROR.PASSWORD_SHORT()));`
			`}`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00
feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`auth.add_user(name, password, async function(err, user): Promise<void> {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`if (err) {`
			`if (err.status >= HTTP_STATUS.BAD_REQUEST && err.status < HTTP_STATUS.INTERNAL_ERROR) {`
			`// With npm registering is the same as logging in,`
			`// and npm accepts only an 409 error.`
			`// So, changing status code here.`
			`return next(ErrorCode.getCode(err.status, err.message) \|\| ErrorCode.getConflict(err.message));`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`}`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`return next(err);`
			`}`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`const token = name && password ? await getApiToken(auth, config, user, password) : undefined;`
feat: add support for jwt on api (#896) * feat: add support for jwt on api * test: add unit test for sign token with jwt add multiple scenarios with configuration file * chore: add JWT verification on middleware * chore: restore headless * chore: restore middleware header validation * refactor: fix login whether user exists * refactor: JWT is signed asynchronously * refactor: better structure and new naming convention * test: add unit test for token signature * test: add unit test for creating user with JWT enabled #168 * docs: add security section jwt * refactor: renable web auth middleware * test(auth): add legacy disabled scenario * chore: update gitignore * chore: add some es6 sugar * feat: enable JWT token signature for new installations * chore: add yaml files to git I forgot add this before :mask: * chore: trace log on auth in case we want more output 2018-08-21 08:05:34 +02:00
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`req.remote_user = user;`
			`res.status(HTTP_STATUS.CREATED);`
			`return next({`
			ok: `user '${req.body.name}' created`,
			`token,`
Refactor api, relocate routes and clean up the code 2017-06-15 15:53:55 +02:00			`});`
chore: update eslint dependencies (#2126) * chore: update eslint * chore: update rules and style * chore: aling formatting * chore: update ci rules * chore: aling formatting * chore: aling formatting 2021-03-14 08:42:46 +01:00			`});`
			`}`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`});`

feat: migrate yarn workspaces (#1546) 2020-03-03 23:59:19 +01:00			`route.delete('/-/user/token/*', function(req: $RequestExtend, res: Response, next: $NextFunctionVer): void {`
refactor: improve logging (#2154) * refactor: improve logging * chore: update test * chore: update local-storage.ts * chore: update local-storage.ts 2021-03-31 23:22:32 +02:00			`res.status(HTTP_STATUS.OK);`
			`next({`
			`ok: API_MESSAGE.LOGGED_OUT,`
			`});`
			`});`
refactor: apply flow and imports es6 2018-03-10 21:09:04 +01:00			`}`