| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471 |
- import { generateError, generateSuccess } from '../../helpers/graph.mjs'
- import _, { isNil } from 'lodash-es'
- import path from 'node:path'
- import fs from 'fs-extra'
- import { DateTime } from 'luxon'
- import bcrypt from 'bcryptjs'
- export default {
- Query: {
- /**
- * FETCH ALL USERS
- */
- async users (obj, args, context, info) {
- if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- // -> Sanitize limit
- let limit = args.pageSize ?? 20
- if (limit < 1 || limit > 1000) {
- limit = 1000
- }
- // -> Sanitize offset
- let offset = args.page ?? 1
- if (offset < 1) {
- offset = 1
- }
- // -> Fetch Users
- return WIKI.db.users.query()
- .select('id', 'email', 'name', 'isSystem', 'isActive', 'createdAt', 'lastLoginAt')
- .where(builder => {
- if (args.filter) {
- builder.where('email', 'like', `%${args.filter}%`)
- .orWhere('name', 'like', `%${args.filter}%`)
- }
- })
- .orderBy(args.orderBy ?? 'name', args.orderByDirection ?? 'asc')
- .offset((offset - 1) * limit)
- .limit(limit)
- },
- /**
- * FETCH A SINGLE USER
- */
- async userById (obj, args, context, info) {
- if (!context.req.isAuthenticated || context.req.user.id !== args.id) {
- if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- }
- const usr = await WIKI.db.users.query().findById(args.id)
- if (!usr) {
- throw new Error('ERR_INVALID_USER')
- }
- // const str = _.get(WIKI.auth.strategies, usr.providerKey)
- // str.strategy = _.find(WIKI.data.authentication, ['key', str.strategyKey])
- // usr.providerName = str.displayName
- // usr.providerIs2FACapable = _.get(str, 'strategy.useForm', false)
- usr.auth = _.mapValues(usr.auth, (auth, providerKey) => {
- if (auth.password) {
- auth.password = 'redacted'
- }
- if (auth.tfaSecret) {
- auth.tfaSecret = 'redacted'
- }
- return auth
- })
- usr.passkeys = usr.passkeys.authenticators?.map(a => ({
- id: a.id,
- createdAt: DateTime.fromISO(a.createdAt).toJSDate(),
- name: a.name,
- siteHostname: a.rpID
- })) ?? []
- return usr
- },
- async userDefaults (obj, args, context) {
- if (!WIKI.auth.checkAccess(context.req.user, ['read:users', 'write:users', 'manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- return WIKI.config.userDefaults
- },
- async userEditorSettings (obj, args, context) {
- if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
- throw new WIKI.Error.AuthRequired()
- }
- const config = await WIKI.db.knex('userEditorSettings').first('config').where({
- id: context.req.user.id,
- editor: args.editor
- })
- return config ?? {}
- },
- async lastLogins (obj, args, context, info) {
- if (!WIKI.auth.checkAccess(context.req.user, ['read:dashboard', 'read:users', 'write:users', 'manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- return WIKI.db.users.query()
- .select('id', 'name', 'lastLoginAt')
- .whereNotNull('lastLoginAt')
- .orderBy('lastLoginAt', 'desc')
- .limit(10)
- },
- async userPermissions (obj, args, context) {
- if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
- throw new WIKI.Error.AuthRequired()
- }
- const currentUser = await WIKI.db.users.getById(context.req.user.id)
- return currentUser.getPermissions()
- },
- async userPermissionsAtPath (obj, args, context) {
- return []
- }
- },
- Mutation: {
- async createUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['write:users', 'manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.createNewUser({ ...args, isVerified: true })
- return {
- operation: generateSuccess('User created successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async deleteUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- if (args.id <= 2) {
- throw new WIKI.Error.UserDeleteProtected()
- }
- await WIKI.db.users.deleteUser(args.id, args.replaceId)
- WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
- WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })
- return {
- operation: generateSuccess('User deleted successfully')
- }
- } catch (err) {
- if (err.message.indexOf('foreign') >= 0) {
- return generateError(new WIKI.Error.UserDeleteForeignConstraint())
- } else {
- return generateError(err)
- }
- }
- },
- async updateUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.updateUser(args.id, args.patch)
- return {
- operation: generateSuccess('User updated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async verifyUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.query().patch({ isVerified: true }).findById(args.id)
- return {
- operation: generateSuccess('User verified successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async activateUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.query().patch({ isActive: true }).findById(args.id)
- return {
- operation: generateSuccess('User activated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async deactivateUser (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- if (args.id <= 2) {
- throw new Error('Cannot deactivate system accounts.')
- }
- await WIKI.db.users.query().patch({ isActive: false }).findById(args.id)
- WIKI.auth.revokeUserTokens({ id: args.id, kind: 'u' })
- WIKI.events.outbound.emit('addAuthRevoke', { id: args.id, kind: 'u' })
- return {
- operation: generateSuccess('User deactivated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async enableUserTFA (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.query().patch({ tfaIsActive: true, tfaSecret: null }).findById(args.id)
- return {
- operation: generateSuccess('User 2FA enabled successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async disableUserTFA (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- await WIKI.db.users.query().patch({ tfaIsActive: false, tfaSecret: null }).findById(args.id)
- return {
- operation: generateSuccess('User 2FA disabled successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async changeUserPassword (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- if (args.newPassword?.length < 8) {
- throw new Error('ERR_PASSWORD_TOO_SHORT')
- }
- const usr = await WIKI.db.users.query().findById(args.id)
- if (!usr) {
- throw new Error('ERR_INVALID_USER')
- }
- const localAuth = await WIKI.db.authentication.getStrategy('local')
- usr.auth[localAuth.id].password = await bcrypt.hash(args.newPassword, 12)
- if (!isNil(args.mustChangePassword)) {
- usr.auth[localAuth.id].mustChangePwd = args.mustChangePassword
- }
- await WIKI.db.users.query().patch({
- auth: usr.auth
- }).findById(args.id)
- return {
- operation: generateSuccess('User password updated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- async updateProfile (obj, args, context) {
- try {
- if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
- throw new Error('ERR_NOT_AUTHENTICATED')
- }
- const usr = await WIKI.db.users.query().findById(context.req.user.id)
- if (!usr.isActive) {
- throw new Error('ERR_INACTIVE_USER')
- }
- if (!usr.isVerified) {
- throw new Error('ERR_USER_NOT_VERIFIED')
- }
- if (args.dateFormat && !['', 'DD/MM/YYYY', 'DD.MM.YYYY', 'MM/DD/YYYY', 'YYYY-MM-DD', 'YYYY/MM/DD'].includes(args.dateFormat)) {
- throw new Error('ERR_INVALID_INPUT')
- }
- if (args.appearance && !['site', 'light', 'dark'].includes(args.appearance)) {
- throw new Error('ERR_INVALID_INPUT')
- }
- await WIKI.db.users.query().findById(usr.id).patch({
- name: args.name?.trim() ?? usr.name,
- meta: {
- ...usr.meta,
- location: args.location?.trim() ?? usr.meta.location,
- jobTitle: args.jobTitle?.trim() ?? usr.meta.jobTitle,
- pronouns: args.pronouns?.trim() ?? usr.meta.pronouns
- },
- prefs: {
- ...usr.prefs,
- timezone: args.timezone || usr.prefs.timezone,
- dateFormat: args.dateFormat ?? usr.prefs.dateFormat,
- timeFormat: args.timeFormat ?? usr.prefs.timeFormat,
- appearance: args.appearance || usr.prefs.appearance,
- cvd: args.cvd || usr.prefs.cvd
- }
- })
- return {
- operation: generateSuccess('User profile updated successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- },
- /**
- * UPLOAD USER AVATAR
- */
- async uploadUserAvatar (obj, args, context) {
- try {
- if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
- throw new Error('ERR_NOT_AUTHENTICATED')
- }
- const usr = await WIKI.db.users.query().findById(context.req.user.id)
- if (!usr) {
- throw new Error('ERR_INVALID_USER')
- }
- const { filename, mimetype, createReadStream } = await args.image
- const lowercaseFilename = filename.toLowerCase()
- WIKI.logger.debug(`Processing user ${args.id} avatar ${lowercaseFilename} of type ${mimetype}...`)
- if (!WIKI.extensions.ext.sharp.isInstalled) {
- throw new Error('This feature requires the Sharp extension but it is not installed. Contact your wiki administrator.')
- }
- if (!['.png', '.jpg', '.webp', '.gif'].some(s => lowercaseFilename.endsWith(s))) {
- throw new Error('Invalid File Extension. Must be png, jpg, webp or gif.')
- }
- const destFolder = path.resolve(
- process.cwd(),
- WIKI.config.dataPath,
- `assets`
- )
- const destPath = path.join(destFolder, `userav-${args.id}.jpg`)
- await fs.ensureDir(destFolder)
- // -> Resize
- await WIKI.extensions.ext.sharp.resize({
- format: 'jpg',
- inputStream: createReadStream(),
- outputPath: destPath,
- width: 180,
- height: 180
- })
- // -> Set avatar flag for this user in the DB
- usr.$query().patch({ hasAvatar: true })
- // -> Save image data to DB
- const imgBuffer = await fs.readFile(destPath)
- await WIKI.db.knex('userAvatars').insert({
- id: args.id,
- data: imgBuffer
- }).onConflict('id').merge()
- WIKI.logger.debug(`Processed user ${args.id} avatar successfully.`)
- return {
- operation: generateSuccess('User avatar uploaded successfully')
- }
- } catch (err) {
- WIKI.logger.warn(err)
- return generateError(err)
- }
- },
- /**
- * CLEAR USER AVATAR
- */
- async clearUserAvatar (obj, args, context) {
- try {
- if (!context.req.user || context.req.user.id === WIKI.auth.guest.id) {
- throw new Error('ERR_NOT_AUTHENTICATED')
- }
- const usr = await WIKI.db.users.query().findById(context.req.user.id)
- if (!usr) {
- throw new Error('ERR_INVALID_USER')
- }
- WIKI.logger.debug(`Clearing user ${args.id} avatar...`)
- usr.$query.patch({ hasAvatar: false })
- await WIKI.db.knex('userAvatars').where({ id: args.id }).del()
- WIKI.logger.debug(`Cleared user ${args.id} avatar successfully.`)
- return {
- operation: generateSuccess('User avatar cleared successfully')
- }
- } catch (err) {
- WIKI.logger.warn(err)
- return generateError(err)
- }
- },
- /**
- * UPDATE USER DEFAULTS
- */
- async updateUserDefaults (obj, args, context) {
- try {
- if (!WIKI.auth.checkAccess(context.req.user, ['manage:users'])) {
- throw new Error('ERR_FORBIDDEN')
- }
- WIKI.config.userDefaults = {
- timezone: args.timezone,
- dateFormat: args.dateFormat,
- timeFormat: args.timeFormat
- }
- await WIKI.configSvc.saveToDb(['userDefaults'])
- return {
- operation: generateSuccess('User defaults saved successfully')
- }
- } catch (err) {
- return generateError(err)
- }
- }
- },
- User: {
- async auth (usr, args, context) {
- const authStrategies = await WIKI.db.authentication.getStrategies({ enabledOnly: true })
- return _.transform(usr.auth, (result, value, key) => {
- const authStrategy = _.find(authStrategies, ['id', key])
- const authModule = _.find(WIKI.data.authentication, ['key', authStrategy.module])
- if (!authStrategy || !authModule) { return }
- result.push({
- authId: key,
- authName: authStrategy.displayName,
- strategyKey: authStrategy.module,
- strategyIcon: authModule.icon,
- config: authStrategy.module === 'local' ? {
- isPasswordSet: value.password?.length > 0,
- isTfaSetup: value.tfaIsActive && value.tfaSecret?.length > 0,
- isTfaRequired: (value.tfaRequired || authStrategy.config.enforceTfa) ?? false,
- mustChangePwd: value.mustChangePwd ?? false,
- restrictLogin: value.restrictLogin ?? false
- } : value
- })
- }, [])
- },
- groups (usr) {
- return usr.$relatedQuery('groups')
- }
- }
- }
|
