misskey/src/server/api/private/signin.ts

92 lines
1.9 KiB
TypeScript
Raw Normal View History

2016-12-28 22:49:51 +00:00
import * as express from 'express';
2017-01-18 05:19:50 +00:00
import * as bcrypt from 'bcryptjs';
2017-12-08 13:57:58 +00:00
import * as speakeasy from 'speakeasy';
2018-04-01 19:01:34 +00:00
import User, { ILocalUser } from '../../../models/user';
2018-03-29 11:32:18 +00:00
import Signin, { pack } from '../../../models/signin';
2018-03-31 10:55:00 +00:00
import event from '../../../common/event';
2017-11-23 04:25:33 +00:00
import signin from '../common/signin';
2018-03-28 16:20:40 +00:00
import config from '../../../conf';
2016-12-28 22:49:51 +00:00
export default async (req: express.Request, res: express.Response) => {
2017-12-11 07:43:35 +00:00
res.header('Access-Control-Allow-Origin', config.url);
2016-12-28 22:49:51 +00:00
res.header('Access-Control-Allow-Credentials', 'true');
const username = req.body['username'];
const password = req.body['password'];
2017-12-08 13:57:58 +00:00
const token = req.body['token'];
2016-12-28 22:49:51 +00:00
2017-02-22 10:39:34 +00:00
if (typeof username != 'string') {
res.sendStatus(400);
return;
}
if (typeof password != 'string') {
res.sendStatus(400);
return;
}
2017-12-08 13:57:58 +00:00
if (token != null && typeof token != 'string') {
res.sendStatus(400);
return;
}
2016-12-28 22:49:51 +00:00
// Fetch user
2018-04-01 19:01:34 +00:00
const user = await User.findOne({
2018-03-29 05:48:47 +00:00
usernameLower: username.toLowerCase(),
2018-03-27 07:51:12 +00:00
host: null
2017-02-22 04:08:33 +00:00
}, {
fields: {
data: false,
'account.profile': false
2017-02-22 04:08:33 +00:00
}
2018-04-01 19:01:34 +00:00
}) as ILocalUser;
2016-12-28 22:49:51 +00:00
if (user === null) {
2017-03-09 21:42:57 +00:00
res.status(404).send({
error: 'user not found'
});
2016-12-28 22:49:51 +00:00
return;
}
2018-04-01 19:01:34 +00:00
const account = user.account;
2018-03-27 07:51:12 +00:00
2016-12-28 22:49:51 +00:00
// Compare password
2018-03-27 07:51:12 +00:00
const same = await bcrypt.compare(password, account.password);
2016-12-28 22:49:51 +00:00
if (same) {
2018-03-29 05:48:47 +00:00
if (account.twoFactorEnabled) {
2017-12-08 13:57:58 +00:00
const verified = (speakeasy as any).totp.verify({
2018-03-29 05:48:47 +00:00
secret: account.twoFactorSecret,
2017-12-08 13:57:58 +00:00
encoding: 'base32',
token: token
});
if (verified) {
signin(res, user, false);
} else {
res.status(400).send({
error: 'invalid token'
});
}
} else {
signin(res, user, false);
}
2016-12-28 22:49:51 +00:00
} else {
2017-03-09 21:42:57 +00:00
res.status(400).send({
error: 'incorrect password'
});
2016-12-28 22:49:51 +00:00
}
// Append signin history
2017-01-17 01:49:27 +00:00
const record = await Signin.insert({
2018-03-29 05:48:47 +00:00
createdAt: new Date(),
userId: user._id,
2016-12-28 22:49:51 +00:00
ip: req.ip,
headers: req.headers,
success: same
});
// Publish signin event
2018-02-01 23:21:30 +00:00
event(user._id, 'signin', await pack(record));
2016-12-28 22:49:51 +00:00
};