HackMD/lib/web/userRouter.js

'use strict'

const archiver = require('archiver')
const async = require('async')
const Router = require('express').Router

const response = require('../response')
const config = require('../config')
const models = require('../models')
const logger = require('../logger')
const { generateAvatar } = require('../letter-avatars')

const UserRouter = module.exports = Router()

// get me info
UserRouter.get('/me', function (req, res) {
  if (req.isAuthenticated()) {
    models.User.findOne({
      where: {
        id: req.user.id
      }
    }).then(function (user) {
      if (!user) { return response.errorNotFound(res) }
      var profile = models.User.getProfile(user)
      res.send({
        status: 'ok',
        id: req.user.id,
        name: profile.name,
        photo: profile.photo
      })
    }).catch(function (err) {
      logger.error('read me failed: ' + err)
      return response.errorInternalError(res)
    })
  } else {
    res.send({
      status: 'forbidden'
    })
  }
})

// delete the currently authenticated user
UserRouter.get('/me/delete/:token?', function (req, res) {
  if (req.isAuthenticated()) {
    models.User.findOne({
      where: {
        id: req.user.id
      }
    }).then(function (user) {
      if (!user) {
        return response.errorNotFound(res)
      }
      if (user.deleteToken === req.params.token) {
        user.destroy().then(function () {
          res.redirect(config.serverURL + '/')
        })
      } else {
        return response.errorForbidden(res)
      }
    }).catch(function (err) {
      logger.error('delete user failed: ' + err)
      return response.errorInternalError(res)
    })
  } else {
    return response.errorForbidden(res)
  }
})

// export the data of the authenticated user
UserRouter.get('/me/export', function (req, res) {
  if (req.isAuthenticated()) {
    // let output = fs.createWriteStream(__dirname + '/example.zip');
    let archive = archiver('zip', {
      zlib: { level: 3 } // Sets the compression level.
    })
    res.setHeader('Content-Type', 'application/zip')
    res.attachment('archive.zip')
    archive.pipe(res)
    archive.on('error', function (err) {
      logger.error('export user data failed: ' + err)
      return response.errorInternalError(res)
    })
    models.User.findOne({
      where: {
        id: req.user.id
      }
    }).then(function (user) {
      models.Note.findAll({
        where: {
          ownerId: user.id
        }
      }).then(function (notes) {
        let filenames = {}
        async.each(notes, function (note, callback) {
          let basename = note.title.replace(/\//g, '-') // Prevent subdirectories
          let filename
          let suffix = ''
          do {
            let seperator = typeof suffix === 'number' ? '-' : ''
            filename = basename + seperator + suffix + '.md'
            suffix++
          } while (filenames[filename])
          filenames[filename] = true

          logger.debug('Write: ' + filename)
          archive.append(Buffer.from(note.content), { name: filename, date: note.lastchangeAt })
          callback(null, null)
        }, function (err) {
          if (err) {
            return response.errorInternalError(res)
          }

          archive.finalize()
        })
      })
    }).catch(function (err) {
      logger.error('export user data failed: ' + err)
      return response.errorInternalError(res)
    })
  } else {
    return response.errorForbidden(res)
  }
})

UserRouter.get('/user/:username/avatar.svg', function (req, res, next) {
  res.setHeader('Content-Type', 'image/svg+xml')
  res.setHeader('Cache-Control', 'public, max-age=86400')
  res.send(generateAvatar(req.params.username))
})
refactor(app.js): Extract /me page 2017-04-11 21:55:36 +00:00			`'use strict'`

Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00			`const archiver = require('archiver')`
			`const async = require('async')`
refactor(app.js): Extract /me page 2017-04-11 21:55:36 +00:00			`const Router = require('express').Router`

			`const response = require('../response')`
Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 13:20:38 +00:00			`const config = require('../config')`
refactor(app.js): Extract /me page 2017-04-11 21:55:36 +00:00			`const models = require('../models')`
			`const logger = require('../logger')`
Fix eslint warnings Since we are about to release it's time to finally fix our linting. This patch basically runs eslint --fix and does some further manual fixes. Also it sets up eslint to fail on every warning on order to make warnings visable in the CI process. There should no functional change be introduced. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2019-05-30 22:27:56 +00:00			`const { generateAvatar } = require('../letter-avatars')`
refactor(app.js): Extract /me page 2017-04-11 21:55:36 +00:00
			`const UserRouter = module.exports = Router()`

			`// get me info`
			`UserRouter.get('/me', function (req, res) {`
			`if (req.isAuthenticated()) {`
			`models.User.findOne({`
			`where: {`
			`id: req.user.id`
			`}`
			`}).then(function (user) {`
			`if (!user) { return response.errorNotFound(res) }`
			`var profile = models.User.getProfile(user)`
			`res.send({`
			`status: 'ok',`
			`id: req.user.id,`
			`name: profile.name,`
			`photo: profile.photo`
			`})`
			`}).catch(function (err) {`
			`logger.error('read me failed: ' + err)`
			`return response.errorInternalError(res)`
			`})`
			`} else {`
			`res.send({`
			`status: 'forbidden'`
			`})`
			`}`
			`})`
Move letter-avatars into own request To prevent further weakening of our CSP policies, moving the Avatars into a non-inline version is the way to go. This implementation probably needs some beautification. But already fixes the bug. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-04-12 11:14:42 +00:00
Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 13:20:38 +00:00			`// delete the currently authenticated user`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 16:19:31 +00:00			`UserRouter.get('/me/delete/:token?', function (req, res) {`
Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 13:20:38 +00:00			`if (req.isAuthenticated()) {`
			`models.User.findOne({`
			`where: {`
			`id: req.user.id`
			`}`
			`}).then(function (user) {`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 16:19:31 +00:00			`if (!user) {`
			`return response.errorNotFound(res)`
			`}`
			`if (user.deleteToken === req.params.token) {`
			`user.destroy().then(function () {`
			`res.redirect(config.serverURL + '/')`
			`})`
			`} else {`
			`return response.errorForbidden(res)`
			`}`
Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 13:20:38 +00:00			`}).catch(function (err) {`
			`logger.error('delete user failed: ' + err)`
			`return response.errorInternalError(res)`
			`})`
			`} else {`
Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 16:19:31 +00:00			`return response.errorForbidden(res)`
Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-25 13:20:38 +00:00			`}`
			`})`

Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00			`// export the data of the authenticated user`
			`UserRouter.get('/me/export', function (req, res) {`
			`if (req.isAuthenticated()) {`
			`// let output = fs.createWriteStream(__dirname + '/example.zip');`
			`let archive = archiver('zip', {`
			`zlib: { level: 3 } // Sets the compression level.`
			`})`
			`res.setHeader('Content-Type', 'application/zip')`
			`res.attachment('archive.zip')`
			`archive.pipe(res)`
			`archive.on('error', function (err) {`
			`logger.error('export user data failed: ' + err)`
			`return response.errorInternalError(res)`
			`})`
			`models.User.findOne({`
			`where: {`
			`id: req.user.id`
			`}`
			`}).then(function (user) {`
			`models.Note.findAll({`
			`where: {`
			`ownerId: user.id`
			`}`
			`}).then(function (notes) {`
Prevent subdirectories in user export This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com> 2018-11-27 21:56:53 +00:00			`let filenames = {}`
Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00			`async.each(notes, function (note, callback) {`
Prevent subdirectories in user export This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com> 2018-11-27 21:56:53 +00:00			`let basename = note.title.replace(/\//g, '-') // Prevent subdirectories`
			`let filename`
			`let suffix = ''`
Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00			`do {`
Prevent subdirectories in user export This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com> 2018-11-27 21:56:53 +00:00			`let seperator = typeof suffix === 'number' ? '-' : ''`
			`filename = basename + seperator + suffix + '.md'`
			`suffix++`
			`} while (filenames[filename])`
			`filenames[filename] = true`
Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00
Prevent subdirectories in user export This commit also refactors the code a bit, and adds a '-' separator between a filename and its duplicate index. This commit fixes #1079. Signed-off-by: Daan Sprenkels <hello@dsprenkels.com> 2018-11-27 21:56:53 +00:00			`logger.debug('Write: ' + filename)`
			`archive.append(Buffer.from(note.content), { name: filename, date: note.lastchangeAt })`
Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-05-26 00:53:21 +00:00			`callback(null, null)`
			`}, function (err) {`
			`if (err) {`
			`return response.errorInternalError(res)`
			`}`

			`archive.finalize()`
			`})`
			`})`
			`}).catch(function (err) {`
			`logger.error('export user data failed: ' + err)`
			`return response.errorInternalError(res)`
			`})`
			`} else {`
			`return response.errorForbidden(res)`
			`}`
			`})`

Move letter-avatars into own request To prevent further weakening of our CSP policies, moving the Avatars into a non-inline version is the way to go. This implementation probably needs some beautification. But already fixes the bug. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com> 2018-04-12 11:14:42 +00:00			`UserRouter.get('/user/:username/avatar.svg', function (req, res, next) {`
			`res.setHeader('Content-Type', 'image/svg+xml')`
			`res.setHeader('Cache-Control', 'public, max-age=86400')`
			`res.send(generateAvatar(req.params.username))`
			`})`