mirrors
/
wikijs
mirror de https://github.com/Requarks/wiki.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362
							import _ from 'lodash-es'
import { generateError, generateSuccess } from '../../helpers/graph.mjs'
import jwt from 'jsonwebtoken'
import ms from 'ms'
import { DateTime } from 'luxon'

export default {
  Query: {
    /**
     * List of API Keys
     */
    async apiKeys (obj, args, context) {
      const keys = await WIKI.db.apiKeys.query().orderBy(['isRevoked', 'name'])
      return keys.map(k => ({
        id: k.id,
        name: k.name,
        keyShort: '...' + k.key.substring(k.key.length - 20),
        isRevoked: k.isRevoked,
        expiration: k.expiration,
        createdAt: k.createdAt,
        updatedAt: k.updatedAt
      }))
    },
    /**
     * Current API State
     */
    apiState () {
      return WIKI.config.api.isEnabled
    },
    /**
     * Fetch authentication strategies
     */
    async authStrategies () {
      return WIKI.data.authentication.map(stg => ({
        ...stg,
        isAvailable: stg.isAvailable === true
      }))
    },
    /**
     * Fetch active authentication strategies
     */
    async authActiveStrategies (obj, args, context) {
      const strategies = await WIKI.db.authentication.getStrategies({ enabledOnly: args.enabledOnly })
      return strategies.map(a => {
        const str = _.find(WIKI.data.authentication, ['key', a.module]) || {}
        return {
          ...a,
          config: _.transform(str.props, (r, v, k) => {
            r[k] = v.sensitive ? '********' : a.config[k]
          }, {})
        }
      })
    },
    /**
     * Fetch site authentication strategies
     */
    async authSiteStrategies (obj, args, context, info) {
      const site = await WIKI.db.sites.query().findById(args.siteId)
      const activeStrategies = await WIKI.db.authentication.getStrategies({ enabledOnly: true })
      const siteStrategies = _.sortBy(activeStrategies.map(str => {
        const siteAuth = _.find(site.config.authStrategies, ['id', str.id]) || {}
        return {
          id: str.id,
          activeStrategy: str,
          order: siteAuth.order ?? 0,
          isVisible: siteAuth.isVisible ?? false
        }
      }), ['order'])
      return args.visibleOnly ? siteStrategies.filter(s => s.isVisible) : siteStrategies
    }
  },
  Mutation: {
    /**
     * Create New API Key
     */
    async createApiKey (obj, args, context) {
      try {
        const key = await WIKI.db.apiKeys.createNewKey(args)
        await WIKI.auth.reloadApiKeys()
        WIKI.events.outbound.emit('reloadApiKeys')
        return {
          key,
          operation: generateSuccess('API Key created successfully')
        }
      } catch (err) {
        WIKI.logger.warn(err)
        return generateError(err)
      }
    },
    /**
     * Perform Login
     */
    async login (obj, args, context) {
      try {
        const authResult = await WIKI.db.users.login(args, context)
        return {
          ...authResult,
          operation: generateSuccess('Login success')
        }
      } catch (err) {
        // LDAP Debug Flag
        if (args.strategy === 'ldap' && WIKI.config.flags.ldapdebug) {
          WIKI.logger.warn('LDAP LOGIN ERROR (c1): ', err)
        }
        WIKI.logger.debug(err)

        return generateError(err)
      }
    },
    /**
     * Perform 2FA Login
     */
    async loginTFA (obj, args, context) {
      try {
        const authResult = await WIKI.db.users.loginTFA(args, context)
        return {
          ...authResult,
          operation: generateSuccess('TFA success')
        }
      } catch (err) {
        WIKI.logger.debug(err)
        return generateError(err)
      }
    },
    /**
     * Perform Password Change
     */
    async changePassword (obj, args, context) {
      try {
        if (args.continuationToken) {
          const authResult = await WIKI.db.users.loginChangePassword(args, context)
          return {
            ...authResult,
            operation: generateSuccess('Password set successfully')
          }
        } else {
          await WIKI.db.users.changePassword(args, context)
          return {
            operation: generateSuccess('Password changed successfully')
          }
        }
      } catch (err) {
        WIKI.logger.debug(err)
        return generateError(err)
      }
    },
    /**
     * Perform Forget Password
     */
    async forgotPassword (obj, args, context) {
      try {
        await WIKI.db.users.loginForgotPassword(args, context)
        return {
          operation: generateSuccess('Password reset request processed.')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Register a new account
     */
    async register (obj, args, context) {
      try {
        const usr = await WIKI.db.users.createNewUser({ ...args, userInitiated: true })
        const authResult = await WIKI.db.users.afterLoginChecks(usr, WIKI.data.systemIds.localAuthId, context)
        return {
          ...authResult,
          operation: generateSuccess('Registration success')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Refresh Token
     */
    async refreshToken (obj, args, context) {
      try {
        let decoded = {}
        if (!args.token) {
          throw new Error('ERR_MISSING_TOKEN')
        }
        try {
          decoded = jwt.verify(args.token, WIKI.config.auth.certs.public, {
            audience: WIKI.config.auth.audience,
            issuer: 'urn:wiki.js',
            algorithms: ['RS256'],
            ignoreExpiration: true
          })
        } catch (err) {
          throw new Error('ERR_INVALID_TOKEN')
        }
        if (DateTime.utc().minus(ms(WIKI.config.auth.tokenRenewal)) > DateTime.fromSeconds(decoded.exp)) {
          throw new Error('ERR_EXPIRED_TOKEN')
        }
        const newToken = await WIKI.db.users.refreshToken(decoded.id)
        return {
          jwt: newToken.token,
          operation: generateSuccess('Token refreshed successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Set API state
     */
    async setApiState (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        WIKI.config.api.isEnabled = args.enabled
        await WIKI.configSvc.saveToDb(['api'])
        return {
          operation: generateSuccess('API State changed successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Revoke an API key
     */
    async revokeApiKey (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.db.apiKeys.query().findById(args.id).patch({
          isRevoked: true
        })
        await WIKI.auth.reloadApiKeys()
        WIKI.events.outbound.emit('reloadApiKeys')
        return {
          operation: generateSuccess('API Key revoked successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Update Authentication Strategies
     */
    async updateAuthStrategies (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        const previousStrategies = await WIKI.db.authentication.getStrategies()
        for (const str of args.strategies) {
          const newStr = {
            displayName: str.displayName,
            isEnabled: str.isEnabled,
            config: _.reduce(str.config, (result, value, key) => {
              _.set(result, `${value.key}`, _.get(JSON.parse(value.value), 'v', null))
              return result
            }, {}),
            selfRegistration: str.selfRegistration,
            domainWhitelist: { v: str.domainWhitelist },
            autoEnrollGroups: { v: str.autoEnrollGroups }
          }

          if (_.some(previousStrategies, ['key', str.key])) {
            await WIKI.db.authentication.query().patch({
              key: str.key,
              strategyKey: str.strategyKey,
              ...newStr
            }).where('key', str.key)
          } else {
            await WIKI.db.authentication.query().insert({
              key: str.key,
              strategyKey: str.strategyKey,
              ...newStr
            })
          }
        }

        for (const str of _.differenceBy(previousStrategies, args.strategies, 'key')) {
          const hasUsers = await WIKI.db.users.query().count('* as total').where({ providerKey: str.key }).first()
          if (_.toSafeInteger(hasUsers.total) > 0) {
            throw new Error(`Cannot delete ${str.displayName} as 1 or more users are still using it.`)
          } else {
            await WIKI.db.authentication.query().delete().where('key', str.key)
          }
        }

        await WIKI.auth.activateStrategies()
        WIKI.events.outbound.emit('reloadAuthStrategies')
        return {
          responseResult: generateSuccess('Strategies updated successfully')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Generate New Authentication Public / Private Key Certificates
     */
    async regenerateCertificates (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.auth.regenerateCertificates()
        return {
          responseResult: generateSuccess('Certificates have been regenerated successfully.')
        }
      } catch (err) {
        return generateError(err)
      }
    },
    /**
     * Reset Guest User
     */
    async resetGuestUser (obj, args, context) {
      try {
        if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
          throw new Error('ERR_FORBIDDEN')
        }

        await WIKI.auth.resetGuestUser()
        return {
          responseResult: generateSuccess('Guest user has been reset successfully.')
        }
      } catch (err) {
        return generateError(err)
      }
    }
  },
  // ------------------------------------------------------------------
  // TYPE: AuthenticationActiveStrategy
  // ------------------------------------------------------------------
  AuthenticationActiveStrategy: {
    config (obj, args, context) {
      if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
        throw new Error('ERR_FORBIDDEN')
      }
      return obj.config ?? {}
    },
    allowedEmailRegex (obj, args, context) {
      if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
        throw new Error('ERR_FORBIDDEN')
      }
      return obj.allowedEmailRegex ?? ''
    },
    autoEnrollGroups (obj, args, context) {
      if (!WIKI.auth.checkAccess(context.req.user, ['manage:system'])) {
        throw new Error('ERR_FORBIDDEN')
      }
      return obj.autoEnrollGroups ?? []
    },
    strategy (obj, args, context) {
      return _.find(WIKI.data.authentication, ['key', obj.module])
    }
  }
}