vikunja/pkg/models/user.go

//  Vikunja is a todo-list application to facilitate your life.
//  Copyright 2018 Vikunja and contributors. All rights reserved.
//
//  This program is free software: you can redistribute it and/or modify
//  it under the terms of the GNU General Public License as published by
//  the Free Software Foundation, either version 3 of the License, or
//  (at your option) any later version.
//
//  This program is distributed in the hope that it will be useful,
//  but WITHOUT ANY WARRANTY; without even the implied warranty of
//  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//  GNU General Public License for more details.
//
//  You should have received a copy of the GNU General Public License
//  along with this program.  If not, see <https://www.gnu.org/licenses/>.

package models

import (
	"code.vikunja.io/api/pkg/metrics"
	"code.vikunja.io/api/pkg/utils"
	"code.vikunja.io/web"
	"fmt"
	"github.com/dgrijalva/jwt-go"
	"github.com/labstack/echo/v4"
	"golang.org/x/crypto/bcrypt"
	"reflect"
	"time"
)

// UserLogin Object to recive user credentials in JSON format
type UserLogin struct {
	// The username used to log in.
	Username string `json:"username"`
	// The password for the user.
	Password string `json:"password"`
}

// User holds information about an user
type User struct {
	// The unique, numeric id of this user.
	ID int64 `xorm:"int(11) autoincr not null unique pk" json:"id"`
	// The username of the user. Is always unique.
	Username string `xorm:"varchar(250) not null unique" json:"username" valid:"length(3|250)" minLength:"3" maxLength:"250"`
	Password string `xorm:"varchar(250) not null" json:"-"`
	// The user's email address.
	Email    string `xorm:"varchar(250) null" json:"email,omitempty" valid:"email,length(0|250)" maxLength:"250"`
	IsActive bool   `xorm:"null" json:"-"`
	// The users md5-hashed email address, used to get the avatar from gravatar and the likes.
	AvatarURL string `xorm:"-" json:"avatarUrl"`

	PasswordResetToken string `xorm:"varchar(450) null" json:"-"`
	EmailConfirmToken  string `xorm:"varchar(450) null" json:"-"`

	// A unix timestamp when this task was created. You cannot change this value.
	Created int64 `xorm:"created not null" json:"created"`
	// A unix timestamp when this task was last updated. You cannot change this value.
	Updated int64 `xorm:"updated not null" json:"updated"`

	web.Auth `xorm:"-" json:"-"`
}

// AfterLoad is used to delete all emails to not have them leaked to the user
func (u *User) AfterLoad() {
	u.AvatarURL = utils.Md5String(u.Email)
	u.Email = ""
}

// GetID implements the Auth interface
func (u *User) GetID() int64 {
	return u.ID
}

// TableName returns the table name for users
func (User) TableName() string {
	return "users"
}

func getUserWithError(a web.Auth) (*User, error) {
	u, is := a.(*User)
	if !is {
		return &User{}, fmt.Errorf("user is not user element, is %s", reflect.TypeOf(a))
	}
	return u, nil
}

// APIUserPassword represents a user object without timestamps and a json password field.
type APIUserPassword struct {
	// The unique, numeric id of this user.
	ID int64 `json:"id"`
	// The username of the username. Is always unique.
	Username string `json:"username" valid:"length(3|250)" minLength:"3" maxLength:"250"`
	// The user's password in clear text. Only used when registering the user.
	Password string `json:"password" valid:"length(8|250)" minLength:"8" maxLength:"250"`
	// The user's email address
	Email string `json:"email" valid:"email,length(0|250)" maxLength:"250"`
}

// APIFormat formats an API User into a normal user struct
func (apiUser *APIUserPassword) APIFormat() User {
	return User{
		ID:       apiUser.ID,
		Username: apiUser.Username,
		Password: apiUser.Password,
		Email:    apiUser.Email,
	}
}

// GetUserByID gets informations about a user by its ID
func GetUserByID(id int64) (user User, err error) {
	// Apparently xorm does otherwise look for all users but return only one, which leads to returing one even if the ID is 0
	if id < 1 {
		return User{}, ErrUserDoesNotExist{}
	}

	return GetUser(User{ID: id})
}

// GetUserByUsername gets a user from its user name. This is an extra function to be able to add an extra error check.
func GetUserByUsername(username string) (user User, err error) {
	if username == "" {
		return User{}, ErrUserDoesNotExist{}
	}

	return GetUser(User{Username: username})
}

// GetUser gets a user object
func GetUser(user User) (userOut User, err error) {
	userOut = user
	exists, err := x.Get(&userOut)

	if !exists {
		return User{}, ErrUserDoesNotExist{UserID: user.ID}
	}

	return userOut, err
}

// CheckUserCredentials checks user credentials
func CheckUserCredentials(u *UserLogin) (User, error) {
	// Check if we have any credentials
	if u.Password == "" || u.Username == "" {
		return User{}, ErrNoUsernamePassword{}
	}

	// Check if the user exists
	user, err := GetUserByUsername(u.Username)
	if err != nil {
		// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong
		bcrypt.GenerateFromPassword([]byte(u.Username), 14)
		return User{}, ErrWrongUsernameOrPassword{}
	}

	// User is invalid if it needs to verify its email address
	if !user.IsActive {
		return User{}, ErrEmailNotConfirmed{UserID: user.ID}
	}

	// Check the users password
	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))
	if err != nil {
		if err == bcrypt.ErrMismatchedHashAndPassword {
			return User{}, ErrWrongUsernameOrPassword{}
		}
		return User{}, err
	}

	return user, nil
}

// GetCurrentUser returns the current user based on its jwt token
func GetCurrentUser(c echo.Context) (user *User, err error) {
	jwtinf := c.Get("user").(*jwt.Token)
	claims := jwtinf.Claims.(jwt.MapClaims)
	userID, ok := claims["id"].(float64)
	if !ok {
		return user, ErrCouldNotGetUserID{}
	}
	user = &User{
		ID:       int64(userID),
		Email:    claims["email"].(string),
		Username: claims["username"].(string),
	}

	return
}

// UpdateActiveUsersFromContext updates the currently active users in redis
func UpdateActiveUsersFromContext(c echo.Context) (err error) {
	user, err := GetCurrentUser(c)
	if err != nil {
		return err
	}

	allActiveUsers, err := metrics.GetActiveUsers()
	if err != nil {
		return
	}

	var uupdated bool
	for in, u := range allActiveUsers {
		if u.UserID == user.ID {
			allActiveUsers[in].LastSeen = time.Now()
			uupdated = true
		}
	}

	if !uupdated {
		allActiveUsers = append(allActiveUsers, &metrics.ActiveUser{UserID: user.ID, LastSeen: time.Now()})
	}

	return metrics.SetActiveUsers(allActiveUsers)
}
Change License to GPLv3 (#26) 2018-11-26 20:17:33 +00:00			`// Vikunja is a todo-list application to facilitate your life.`
			`// Copyright 2018 Vikunja and contributors. All rights reserved.`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU General Public License`
			`// along with this program. If not, see <https://www.gnu.org/licenses/>.`

initial commit 2018-06-10 09:11:41 +00:00			`package models`

			`import (`
Add prometheus endpoint for getting metrics (#33) 2018-12-12 22:50:35 +00:00			`"code.vikunja.io/api/pkg/metrics"`
Add the md5-hashed user email to user objects for use with gravatar (#78) 2019-05-31 07:24:59 +00:00			`"code.vikunja.io/api/pkg/utils"`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00			`"code.vikunja.io/web"`
			`"fmt"`
initial commit 2018-06-10 09:11:41 +00:00			`"github.com/dgrijalva/jwt-go"`
Updated libraries 2019-05-07 19:42:24 +00:00			`"github.com/labstack/echo/v4"`
initial commit 2018-06-10 09:11:41 +00:00			`"golang.org/x/crypto/bcrypt"`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00			`"reflect"`
Add prometheus endpoint for getting metrics (#33) 2018-12-12 22:50:35 +00:00			`"time"`
initial commit 2018-06-10 09:11:41 +00:00			`)`

			`// UserLogin Object to recive user credentials in JSON format`
			`type UserLogin struct {`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// The username used to log in.`
Refactor {List\|Namespace}{User\|Team} to not expose unneded values via json (#52) 2019-01-14 22:32:56 +00:00			Username string `json:"username"`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// The password for the user.`
Refactor {List\|Namespace}{User\|Team} to not expose unneded values via json (#52) 2019-01-14 22:32:56 +00:00			Password string `json:"password"`
initial commit 2018-06-10 09:11:41 +00:00			`}`

			`// User holds information about an user`
			`type User struct {`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// The unique, numeric id of this user.`
			ID int64 `xorm:"int(11) autoincr not null unique pk" json:"id"`
Refactor {List\|Namespace}{User\|Team} to not expose unneded values via json (#52) 2019-01-14 22:32:56 +00:00			`// The username of the user. Is always unique.`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			Username string `xorm:"varchar(250) not null unique" json:"username" valid:"length(3\|250)" minLength:"3" maxLength:"250"`
Fixed returning of user infos when updating a todo item 2018-06-13 10:18:55 +00:00			Password string `xorm:"varchar(250) not null" json:"-"`
Refactor {List\|Namespace}{User\|Team} to not expose unneded values via json (#52) 2019-01-14 22:32:56 +00:00			`// The user's email address.`
Updated and re-enabled statickcheck 2019-04-23 08:34:06 +00:00			Email string `xorm:"varchar(250) null" json:"email,omitempty" valid:"email,length(0\|250)" maxLength:"250"`
DB Migrations (#67) 2019-03-29 17:54:35 +00:00			IsActive bool `xorm:"null" json:"-"`
Add the md5-hashed user email to user objects for use with gravatar (#78) 2019-05-31 07:24:59 +00:00			`// The users md5-hashed email address, used to get the avatar from gravatar and the likes.`
			AvatarURL string `xorm:"-" json:"avatarUrl"`
Add password reset (#3) 2018-10-27 09:33:28 +00:00
DB Migrations (#67) 2019-03-29 17:54:35 +00:00			PasswordResetToken string `xorm:"varchar(450) null" json:"-"`
			EmailConfirmToken string `xorm:"varchar(450) null" json:"-"`
Add password reset (#3) 2018-10-27 09:33:28 +00:00
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// A unix timestamp when this task was created. You cannot change this value.`
DB Migrations (#67) 2019-03-29 17:54:35 +00:00			Created int64 `xorm:"created not null" json:"created"`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// A unix timestamp when this task was last updated. You cannot change this value.`
DB Migrations (#67) 2019-03-29 17:54:35 +00:00			Updated int64 `xorm:"updated not null" json:"updated"`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00
			web.Auth `xorm:"-" json:"-"`
initial commit 2018-06-10 09:11:41 +00:00			`}`

Hide a users email everywhere (#69) 2019-04-01 18:19:55 +00:00			`// AfterLoad is used to delete all emails to not have them leaked to the user`
			`func (u *User) AfterLoad() {`
Add the md5-hashed user email to user objects for use with gravatar (#78) 2019-05-31 07:24:59 +00:00			`u.AvatarURL = utils.Md5String(u.Email)`
Hide a users email everywhere (#69) 2019-04-01 18:19:55 +00:00			`u.Email = ""`
			`}`

Use the auth methods to get IDs to avoid unneeded casts 2019-06-28 08:21:48 +00:00			`// GetID implements the Auth interface`
			`func (u *User) GetID() int64 {`
			`return u.ID`
			`}`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00
initial commit 2018-06-10 09:11:41 +00:00			`// TableName returns the table name for users`
			`func (User) TableName() string {`
			`return "users"`
			`}`

Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00			`func getUserWithError(a web.Auth) (*User, error) {`
			`u, is := a.(*User)`
			`if !is {`
			`return &User{}, fmt.Errorf("user is not user element, is %s", reflect.TypeOf(a))`
			`}`
			`return u, nil`
			`}`

Fixed lint + fmt 2018-07-10 12:02:23 +00:00			`// APIUserPassword represents a user object without timestamps and a json password field.`
			`type APIUserPassword struct {`
API Docs improvements (#46) 2019-01-03 22:22:06 +00:00			`// The unique, numeric id of this user.`
			ID int64 `json:"id"`
			`// The username of the username. Is always unique.`
			Username string `json:"username" valid:"length(3\|250)" minLength:"3" maxLength:"250"`
			`// The user's password in clear text. Only used when registering the user.`
			Password string `json:"password" valid:"length(8\|250)" minLength:"8" maxLength:"250"`
			`// The user's email address`
			Email string `json:"email" valid:"email,length(0\|250)" maxLength:"250"`
Added docs via swagger 2018-06-13 11:45:22 +00:00			`}`

Fixed lint + fmt 2018-07-10 12:02:23 +00:00			`// APIFormat formats an API User into a normal user struct`
			`func (apiUser *APIUserPassword) APIFormat() User {`
Added docs via swagger 2018-06-13 11:45:22 +00:00			`return User{`
			`ID: apiUser.ID,`
			`Username: apiUser.Username,`
			`Password: apiUser.Password,`
			`Email: apiUser.Email,`
			`}`
			`}`

initial commit 2018-06-10 09:11:41 +00:00			`// GetUserByID gets informations about a user by its ID`
Refactor GetUser & GetUserByID 2018-08-30 17:14:02 +00:00			`func GetUserByID(id int64) (user User, err error) {`
initial commit 2018-06-10 09:11:41 +00:00			`// Apparently xorm does otherwise look for all users but return only one, which leads to returing one even if the ID is 0`
when ID = 0 is passed to a 'GetSthByID'-function, it now returns a 'not exist' error 2018-09-13 18:07:11 +00:00			`if id < 1 {`
			`return User{}, ErrUserDoesNotExist{}`
initial commit 2018-06-10 09:11:41 +00:00			`}`

			`return GetUser(User{ID: id})`
			`}`

Use the username instead of a user when adding a user to a team or giving it rights (#76) 2019-05-25 09:47:16 +00:00			`// GetUserByUsername gets a user from its user name. This is an extra function to be able to add an extra error check.`
			`func GetUserByUsername(username string) (user User, err error) {`
			`if username == "" {`
			`return User{}, ErrUserDoesNotExist{}`
			`}`

			`return GetUser(User{Username: username})`
			`}`

initial commit 2018-06-10 09:11:41 +00:00			`// GetUser gets a user object`
Refactor GetUser & GetUserByID 2018-08-30 17:14:02 +00:00			`func GetUser(user User) (userOut User, err error) {`
initial commit 2018-06-10 09:11:41 +00:00			`userOut = user`
Refactor GetUser & GetUserByID 2018-08-30 17:14:02 +00:00			`exists, err := x.Get(&userOut)`
initial commit 2018-06-10 09:11:41 +00:00
			`if !exists {`
Add password reset (#3) 2018-10-27 09:33:28 +00:00			`return User{}, ErrUserDoesNotExist{UserID: user.ID}`
initial commit 2018-06-10 09:11:41 +00:00			`}`

Refactor GetUser & GetUserByID 2018-08-30 17:14:02 +00:00			`return userOut, err`
initial commit 2018-06-10 09:11:41 +00:00			`}`

			`// CheckUserCredentials checks user credentials`
			`func CheckUserCredentials(u *UserLogin) (User, error) {`
Fix not checking for user credentials upon login (#9) 2018-11-01 22:51:05 +00:00			`// Check if we have any credentials`
			`if u.Password == "" \|\| u.Username == "" {`
			`return User{}, ErrNoUsernamePassword{}`
			`}`

initial commit 2018-06-10 09:11:41 +00:00			`// Check if the user exists`
Use the username instead of a user when adding a user to a team or giving it rights (#76) 2019-05-25 09:47:16 +00:00			`user, err := GetUserByUsername(u.Username)`
initial commit 2018-06-10 09:11:41 +00:00			`if err != nil {`
Various user fixes (#38) 2018-12-19 21:05:25 +00:00			`// hashing the password takes a long time, so we hash something to not make it clear if the username was wrong`
			`bcrypt.GenerateFromPassword([]byte(u.Username), 14)`
			`return User{}, ErrWrongUsernameOrPassword{}`
initial commit 2018-06-10 09:11:41 +00:00			`}`

Prevent login from inactive (aka non-verified) users (#8) 2018-11-01 22:47:41 +00:00			`// User is invalid if it needs to verify its email address`
			`if !user.IsActive {`
			`return User{}, ErrEmailNotConfirmed{UserID: user.ID}`
			`}`

initial commit 2018-06-10 09:11:41 +00:00			`// Check the users password`
			`err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password))`
			`if err != nil {`
Prevent login from inactive (aka non-verified) users (#8) 2018-11-01 22:47:41 +00:00			`if err == bcrypt.ErrMismatchedHashAndPassword {`
			`return User{}, ErrWrongUsernameOrPassword{}`
			`}`
initial commit 2018-06-10 09:11:41 +00:00			`return User{}, err`
			`}`

			`return user, nil`
			`}`

			`// GetCurrentUser returns the current user based on its jwt token`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00			`func GetCurrentUser(c echo.Context) (user *User, err error) {`
initial commit 2018-06-10 09:11:41 +00:00			`jwtinf := c.Get("user").(*jwt.Token)`
			`claims := jwtinf.Claims.(jwt.MapClaims)`
			`userID, ok := claims["id"].(float64)`
			`if !ok {`
			`return user, ErrCouldNotGetUserID{}`
			`}`
Move the crudhandler to own repo (#27) 2018-11-30 23:26:56 +00:00			`user = &User{`
initial commit 2018-06-10 09:11:41 +00:00			`ID: int64(userID),`
			`Email: claims["email"].(string),`
			`Username: claims["username"].(string),`
			`}`

			`return`
			`}`
Add prometheus endpoint for getting metrics (#33) 2018-12-12 22:50:35 +00:00
			`// UpdateActiveUsersFromContext updates the currently active users in redis`
			`func UpdateActiveUsersFromContext(c echo.Context) (err error) {`
			`user, err := GetCurrentUser(c)`
			`if err != nil {`
			`return err`
			`}`

			`allActiveUsers, err := metrics.GetActiveUsers()`
			`if err != nil {`
			`return`
			`}`

			`var uupdated bool`
			`for in, u := range allActiveUsers {`
			`if u.UserID == user.ID {`
			`allActiveUsers[in].LastSeen = time.Now()`
			`uupdated = true`
			`}`
			`}`

			`if !uupdated {`
			`allActiveUsers = append(allActiveUsers, &metrics.ActiveUser{UserID: user.ID, LastSeen: time.Now()})`
			`}`

			`return metrics.SetActiveUsers(allActiveUsers)`
			`}`