codecombat/server/routes/auth.coffee

authentication = require('passport')
LocalStrategy = require('passport-local').Strategy
User = require('../users/User')
UserHandler = require('../users/user_handler')
LevelSession = require '../levels/sessions/LevelSession'
config = require '../../server_config'
errors = require '../commons/errors'
mail = require '../commons/mail'
languages = require '../routes/languages'

module.exports.setup = (app) ->
  authentication.serializeUser((user, done) -> done(null, user._id))
  authentication.deserializeUser((id, done) ->
    User.findById(id, (err, user) -> done(err, user)))

  authentication.use(new LocalStrategy(
    (username, password, done) ->
      User.findOne({emailLower:username.toLowerCase()}).exec((err, user) ->
        return done(err) if err
        return done(null, false, {message:'not found', property:'email'}) if not user
        passwordReset = (user.get('passwordReset') or '').toLowerCase()
        if passwordReset and password.toLowerCase() is passwordReset
          User.update {_id: user.get('_id')}, {passwordReset: ''}, {}, ->
          return done(null, user)

        hash = User.hashPassword(password)
        unless user.get('passwordHash') is hash
          return done(null, false, {message:'is wrong.', property:'password'})
        return done(null, user)
      )
  ))
  app.post '/auth/spy', (req, res, next) ->
    if req?.user?.isAdmin()

      username = req.body.usernameLower
      emailLower = req.body.emailLower
      if emailLower
        query = {"emailLower":emailLower}
      else if username
        query = {"nameLower":username}
      else
        return errors.badInput res, "You need to supply one of emailLower or username"

      User.findOne query, (err, user) ->
        if err? then return errors.serverError res, "There was an error finding the specified user"

        unless user then return errors.badInput res, "The specified user couldn't be found"

        req.logIn user, (err) ->
          if err? then return errors.serverError res, "There was an error logging in with the specified"
          res.send(UserHandler.formatEntity(req, user))
          return res.end()
    else
      return errors.unauthorized res, "You must be an admin to enter espionage mode"

  app.post('/auth/login', (req, res, next) ->
    authentication.authenticate('local', (err, user, info) ->
      return next(err) if err
      if not user
        return errors.unauthorized(res, [{message:info.message, property:info.property}])

      req.logIn(user, (err) ->
        return next(err) if (err)
        res.send(UserHandler.formatEntity(req, req.user))
        return res.end()
      )
    )(req, res, next)
  )

  app.get('/auth/whoami', (req, res) ->
    if req.user
      sendSelf(req, res)
    else
      user = makeNewUser(req)
      makeNext = (req, res) -> -> sendSelf(req, res)
      next = makeNext(req, res)
      loginUser(req, res, user, false, next)
  )

  sendSelf = (req, res) ->
    res.setHeader('Content-Type', 'text/json')
    res.send(UserHandler.formatEntity(req, req.user))
    res.end()

  app.post('/auth/logout', (req, res) ->
    req.logout()
    res.end()
  )

  app.post('/auth/reset', (req, res) ->
    unless req.body.email
      return errors.badInput(res, [{message:'Need an email specified.', property:'email'}])

    User.findOne({emailLower:req.body.email.toLowerCase()}).exec((err, user) ->
      if not user
        return errors.notFound(res, [{message:'not found.', property:'email'}])

      user.set('passwordReset', Math.random().toString(36).slice(2,7).toUpperCase())
      user.save (err) =>
        return errors.serverError(res) if err
        if config.isProduction
          options = createMailOptions req.body.email, user.get('passwordReset')
          mail.transport.sendMail options, (error, response) ->
            if error
              console.error "Error sending mail: #{error.message or error}"
              return errors.serverError(res) if err
            else
              return res.end()
        else
          res.send user.get('passwordReset')
          return res.end()
    )
  )

  app.get '/auth/unsubscribe', (req, res) ->
    email = req.query.email
    unless req.query.email
      return errors.badInput res, 'No email provided to unsubscribe.'

    if req.query.session
      # Unsubscribe from just one session's notifications instead.
      return LevelSession.findOne({_id: req.query.session}).exec (err, session) ->
        return errors.serverError res, 'Could not unsubscribe: #{req.query.session}, #{req.query.email}: #{err}' if err
        session.set 'unsubscribed', true
        session.save (err) ->
          return errors.serverError res, 'Database failure.' if err
          res.send "Unsubscribed #{req.query.email} from CodeCombat emails for #{session.levelName} #{session.team} ladder updates. Sorry to see you go! <p><a href='/play/ladder/#{session.levelID}#my-matches'>Ladder preferences</a></p>"
          res.end()

    User.findOne({emailLower:req.query.email.toLowerCase()}).exec (err, user) ->
      if not user
        return errors.notFound res, "No user found with email '#{req.query.email}'"

      user.set('emailSubscriptions', [])
      user.save (err) =>
        return errors.serverError res, 'Database failure.' if err

        res.send "Unsubscribed #{req.query.email} from all CodeCombat emails. Sorry to see you go! <p><a href='/account/settings'>Account settings</a></p>"
        res.end()

module.exports.loginUser = loginUser = (req, res, user, send=true, next=null) ->
  user.save((err) ->
    if err
      return @sendDatabaseError(res, err)

    req.logIn(user, (err) ->
      if err
        return @sendDatabaseError(res, err)

      if send
        return @sendSuccess(res, user)
      next() if next
    )
  )

module.exports.makeNewUser = makeNewUser = (req) ->
  user = new User({anonymous:true})
  user.set 'testGroupNumber', Math.floor(Math.random() * 256)  # also in app/lib/auth
  user.set 'preferredLanguage', languages.languageCodeFromAcceptedLanguages req.acceptedLanguages
        
createMailOptions = (receiver, password) ->
  # TODO: use email templates here
  options =
    from: config.mail.username
    to: receiver
    replyTo: config.mail.username
    subject: "[CodeCombat] Password Reset"
    text: "You can log into your account with: #{password}"
rename some variables 2014-02-04 17:08:20 -05:00			`authentication = require('passport')`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`LocalStrategy = require('passport-local').Strategy`
server reorganize files and folder by features - move and rename files - use associative arrays which store handlers for 'dynamically' load module from de db route - store models_path in test/server/common, a global model variable has the same name that the filename of the model 2014-01-22 17:57:41 -05:00			`User = require('../users/User')`
			`UserHandler = require('../users/user_handler')`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00			`LevelSession = require '../levels/sessions/LevelSession'`
server : move routes files (HTTP endpoint) in a new "routes" folder 2014-01-22 15:46:44 -05:00			`config = require '../../server_config'`
server reorganize files and folder by features - move and rename files - use associative arrays which store handlers for 'dynamically' load module from de db route - store models_path in test/server/common, a global model variable has the same name that the filename of the model 2014-01-22 17:57:41 -05:00			`errors = require '../commons/errors'`
Refactored some mail functions and constants to a new common module. 2014-01-24 14:47:14 -05:00			`mail = require '../commons/mail'`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`languages = require '../routes/languages'`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
use a mapping for handlers, schemas, and routes 2014-02-04 16:29:13 -05:00			`module.exports.setup = (app) ->`
rename some variables 2014-02-04 17:08:20 -05:00			`authentication.serializeUser((user, done) -> done(null, user._id))`
			`authentication.deserializeUser((id, done) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`User.findById(id, (err, user) -> done(err, user)))`

rename some variables 2014-02-04 17:08:20 -05:00			`authentication.use(new LocalStrategy(`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`(username, password, done) ->`
			`User.findOne({emailLower:username.toLowerCase()}).exec((err, user) ->`
			`return done(err) if err`
			`return done(null, false, {message:'not found', property:'email'}) if not user`
			`passwordReset = (user.get('passwordReset') or '').toLowerCase()`
			`if passwordReset and password.toLowerCase() is passwordReset`
			`User.update {_id: user.get('_id')}, {passwordReset: ''}, {}, ->`
			`return done(null, user)`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`hash = User.hashPassword(password)`
			`unless user.get('passwordHash') is hash`
Probably too mean to tell users that their password is wrong three times, so just once will do. 2014-03-13 13:27:32 -04:00			`return done(null, false, {message:'is wrong.', property:'password'})`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`return done(null, user)`
			`)`
			`))`
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`app.post '/auth/spy', (req, res, next) ->`
			`if req?.user?.isAdmin()`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`username = req.body.usernameLower`
			`emailLower = req.body.emailLower`
			`if emailLower`
			`query = {"emailLower":emailLower}`
			`else if username`
			`query = {"nameLower":username}`
			`else`
			`return errors.badInput res, "You need to supply one of emailLower or username"`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`User.findOne query, (err, user) ->`
			`if err? then return errors.serverError res, "There was an error finding the specified user"`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`unless user then return errors.badInput res, "The specified user couldn't be found"`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`req.logIn user, (err) ->`
			`if err? then return errors.serverError res, "There was an error logging in with the specified"`
			`res.send(UserHandler.formatEntity(req, user))`
			`return res.end()`
			`else`
			`return errors.unauthorized res, "You must be an admin to enter espionage mode"`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/login', (req, res, next) ->`
rename some variables 2014-02-04 17:08:20 -05:00			`authentication.authenticate('local', (err, user, info) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`return next(err) if err`
			`if not user`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.unauthorized(res, [{message:info.message, property:info.property}])`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
			`req.logIn(user, (err) ->`
			`return next(err) if (err)`
			`res.send(UserHandler.formatEntity(req, req.user))`
			`return res.end()`
			`)`
			`)(req, res, next)`
			`)`

			`app.get('/auth/whoami', (req, res) ->`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`if req.user`
			`sendSelf(req, res)`
			`else`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`user = makeNewUser(req)`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`makeNext = (req, res) -> -> sendSelf(req, res)`
			`next = makeNext(req, res)`
			`loginUser(req, res, user, false, next)`
			`)`

			`sendSelf = (req, res) ->`
			`res.setHeader('Content-Type', 'text/json')`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`res.send(UserHandler.formatEntity(req, req.user))`
			`res.end()`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/logout', (req, res) ->`
			`req.logout()`
			`res.end()`
			`)`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/reset', (req, res) ->`
			`unless req.body.email`
Fix error 500 when resetting password if bad input. 2014-02-02 18:01:40 -05:00			`return errors.badInput(res, [{message:'Need an email specified.', property:'email'}])`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`User.findOne({emailLower:req.body.email.toLowerCase()}).exec((err, user) ->`
			`if not user`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.notFound(res, [{message:'not found.', property:'email'}])`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`user.set('passwordReset', Math.random().toString(36).slice(2,7).toUpperCase())`
			`user.save (err) =>`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.serverError(res) if err`
Turned off sending mail on the dev environment. 2014-01-03 17:28:26 -05:00			`if config.isProduction`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`options = createMailOptions req.body.email, user.get('passwordReset')`
Refactored some mail functions and constants to a new common module. 2014-01-24 14:47:14 -05:00			`mail.transport.sendMail options, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`if error`
			`console.error "Error sending mail: #{error.message or error}"`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.serverError(res) if err`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`else`
			`return res.end()`
Fixed account recovery on dev server. 2014-01-06 15:14:12 -05:00			`else`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`res.send user.get('passwordReset')`
Fixed account recovery on dev server. 2014-01-06 15:14:12 -05:00			`return res.end()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`)`
			`)`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`app.get '/auth/unsubscribe', (req, res) ->`
			`email = req.query.email`
			`unless req.query.email`
			`return errors.badInput res, 'No email provided to unsubscribe.'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
			`if req.query.session`
			`# Unsubscribe from just one session's notifications instead.`
			`return LevelSession.findOne({_id: req.query.session}).exec (err, session) ->`
			`return errors.serverError res, 'Could not unsubscribe: #{req.query.session}, #{req.query.email}: #{err}' if err`
			`session.set 'unsubscribed', true`
			`session.save (err) ->`
			`return errors.serverError res, 'Database failure.' if err`
			`res.send "Unsubscribed #{req.query.email} from CodeCombat emails for #{session.levelName} #{session.team} ladder updates. Sorry to see you go! <p><a href='/play/ladder/#{session.levelID}#my-matches'>Ladder preferences</a></p>"`
			`res.end()`

Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`User.findOne({emailLower:req.query.email.toLowerCase()}).exec (err, user) ->`
			`if not user`
			`return errors.notFound res, "No user found with email '#{req.query.email}'"`

			`user.set('emailSubscriptions', [])`
			`user.save (err) =>`
			`return errors.serverError res, 'Database failure.' if err`

			`res.send "Unsubscribed #{req.query.email} from all CodeCombat emails. Sorry to see you go! <p><a href='/account/settings'>Account settings</a></p>"`
			`res.end()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`module.exports.loginUser = loginUser = (req, res, user, send=true, next=null) ->`
			`user.save((err) ->`
			`if err`
			`return @sendDatabaseError(res, err)`

			`req.logIn(user, (err) ->`
			`if err`
			`return @sendDatabaseError(res, err)`

			`if send`
			`return @sendSuccess(res, user)`
			`next() if next`
			`)`
			`)`

			`module.exports.makeNewUser = makeNewUser = (req) ->`
			`user = new User({anonymous:true})`
			`user.set 'testGroupNumber', Math.floor(Math.random() * 256) # also in app/lib/auth`
			`user.set 'preferredLanguage', languages.languageCodeFromAcceptedLanguages req.acceptedLanguages`

Ready for action, sir! 2014-01-03 13:32:13 -05:00			`createMailOptions = (receiver, password) ->`
			`# TODO: use email templates here`
			`options =`
			`from: config.mail.username`
			`to: receiver`
			`replyTo: config.mail.username`
			`subject: "[CodeCombat] Password Reset"`
			`text: "You can log into your account with: #{password}"`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00