codecombat/server/routes/auth.coffee

authentication = require 'passport'
LocalStrategy = require('passport-local').Strategy
User = require '../users/User'
UserHandler = require '../users/user_handler'
LevelSession = require '../levels/sessions/LevelSession'
config = require '../../server_config'
errors = require '../commons/errors'
mail = require '../commons/mail'
languages = require '../routes/languages'

module.exports.setup = (app) ->
  authentication.serializeUser((user, done) -> done(null, user._id))
  authentication.deserializeUser((id, done) ->
    User.findById(id, (err, user) -> done(err, user)))

  authentication.use(new LocalStrategy(
    (username, password, done) ->
      User.findOne({emailLower: username.toLowerCase()}).exec((err, user) ->
        return done(err) if err
        return done(null, false, {message: 'not found', property: 'email'}) if not user
        passwordReset = (user.get('passwordReset') or '').toLowerCase()
        if passwordReset and password.toLowerCase() is passwordReset
          User.update {_id: user.get('_id')}, {passwordReset: ''}, {}, ->
          return done(null, user)

        hash = User.hashPassword(password)
        unless user.get('passwordHash') is hash
          return done(null, false, {message: 'is wrong.', property: 'password'})
        return done(null, user)
      )
  ))

  app.post '/auth/spy', (req, res, next) ->
    if req?.user?.isAdmin()

      username = req.body.usernameLower
      emailLower = req.body.emailLower
      if emailLower
        query = {'emailLower': emailLower}
      else if username
        query = {'nameLower': username}
      else
        return errors.badInput res, 'You need to supply one of emailLower or username'

      User.findOne query, (err, user) ->
        if err? then return errors.serverError res, 'There was an error finding the specified user'

        unless user then return errors.badInput res, 'The specified user couldn\'t be found'

        req.logIn user, (err) ->
          if err? then return errors.serverError res, 'There was an error logging in with the specified'
          res.send(UserHandler.formatEntity(req, user))
          return res.end()
    else
      return errors.unauthorized res, 'You must be an admin to enter espionage mode'

  app.post('/auth/login', (req, res, next) ->
    authentication.authenticate('local', (err, user, info) ->
      return next(err) if err
      if not user
        return errors.unauthorized(res, [{message: info.message, property: info.property}])

      req.logIn(user, (err) ->
        return next(err) if (err)
        activity = req.user.trackActivity 'login', 1
        user.update {activity: activity}, (err) ->
          return next(err) if (err)
          res.send(UserHandler.formatEntity(req, req.user))
          return res.end()
      )
    )(req, res, next)
  )

  app.get('/auth/whoami', (req, res) ->
    if req.user
      sendSelf(req, res)
    else
      user = makeNewUser(req)
      makeNext = (req, res) -> -> sendSelf(req, res)
      next = makeNext(req, res)
      loginUser(req, res, user, false, next)
  )

  sendSelf = (req, res) ->
    res.setHeader('Content-Type', 'text/json')
    res.send(UserHandler.formatEntity(req, req.user))
    res.end()

  app.post('/auth/logout', (req, res) ->
    req.logout()
    res.end()
  )

  app.post('/auth/reset', (req, res) ->
    unless req.body.email
      return errors.badInput(res, [{message: 'Need an email specified.', property: 'email'}])

    User.findOne({emailLower: req.body.email.toLowerCase()}).exec((err, user) ->
      if not user
        return errors.notFound(res, [{message: 'not found.', property: 'email'}])

      user.set('passwordReset', Math.random().toString(36).slice(2, 7).toUpperCase())
      user.save (err) =>
        return errors.serverError(res) if err
        if config.isProduction
          options = createMailOptions req.body.email, user.get('passwordReset')
          mail.transport.sendMail options, (error, response) ->
            if error
              console.error "Error sending mail: #{error.message or error}"
              return errors.serverError(res) if err
            else
              return res.end()
        else
          console.log 'password is', user.get('passwordReset')
          res.send user.get('passwordReset')
          return res.end()
    )
  )

  app.get '/auth/unsubscribe', (req, res) ->
    email = req.query.email
    unless req.query.email
      return errors.badInput res, 'No email provided to unsubscribe.'

    if req.query.session
      # Unsubscribe from just one session's notifications instead.
      return LevelSession.findOne({_id: req.query.session}).exec (err, session) ->
        return errors.serverError res, 'Could not unsubscribe: #{req.query.session}, #{req.query.email}: #{err}' if err
        session.set 'unsubscribed', true
        session.save (err) ->
          return errors.serverError res, 'Database failure.' if err
          res.send "Unsubscribed #{req.query.email} from CodeCombat emails for #{session.levelName} #{session.team} ladder updates. Sorry to see you go! <p><a href='/play/ladder/#{session.levelID}#my-matches'>Ladder preferences</a></p>"
          res.end()

    User.findOne({emailLower: req.query.email.toLowerCase()}).exec (err, user) ->
      if not user
        return errors.notFound res, "No user found with email '#{req.query.email}'"

      emails = _.clone(user.get('emails')) or {}
      msg = ''

      if req.query.recruitNotes
        emails.recruitNotes ?= {}
        emails.recruitNotes.enabled = false
        msg = "Unsubscribed #{req.query.email} from recruiting emails."

      else
        msg = "Unsubscribed #{req.query.email} from all CodeCombat emails. Sorry to see you go!"
        emailSettings.enabled = false for emailSettings in _.values(emails)
        emails.generalNews ?= {}
        emails.generalNews.enabled = false
        emails.anyNotes ?= {}
        emails.anyNotes.enabled = false

      user.update {$set: {emails: emails}}, {}, =>
        return errors.serverError res, 'Database failure.' if err
        res.send msg + '<p><a href="/account/settings">Account settings</a></p>'
        res.end()

module.exports.loginUser = loginUser = (req, res, user, send=true, next=null) ->
  user.save((err) ->
    return errors.serverError res, err if err?

    req.logIn(user, (err) ->
      return errors.serverError res, err if err?
      return res.send user if send
      next() if next
    )
  )

module.exports.makeNewUser = makeNewUser = (req) ->
  user = new User({anonymous: true})
  user.set 'testGroupNumber', Math.floor(Math.random() * 256)  # also in app/lib/auth
  user.set 'preferredLanguage', languages.languageCodeFromAcceptedLanguages req.acceptedLanguages

createMailOptions = (receiver, password) ->
  # TODO: use email templates here
  options =
    from: config.mail.username
    to: receiver
    replyTo: config.mail.username
    subject: '[CodeCombat] Password Reset'
    text: "You can log into your account with: #{password}"
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`authentication = require 'passport'`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`LocalStrategy = require('passport-local').Strategy`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`User = require '../users/User'`
			`UserHandler = require '../users/user_handler'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00			`LevelSession = require '../levels/sessions/LevelSession'`
server : move routes files (HTTP endpoint) in a new "routes" folder 2014-01-22 15:46:44 -05:00			`config = require '../../server_config'`
server reorganize files and folder by features - move and rename files - use associative arrays which store handlers for 'dynamically' load module from de db route - store models_path in test/server/common, a global model variable has the same name that the filename of the model 2014-01-22 17:57:41 -05:00			`errors = require '../commons/errors'`
Refactored some mail functions and constants to a new common module. 2014-01-24 14:47:14 -05:00			`mail = require '../commons/mail'`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`languages = require '../routes/languages'`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
use a mapping for handlers, schemas, and routes 2014-02-04 16:29:13 -05:00			`module.exports.setup = (app) ->`
rename some variables 2014-02-04 17:08:20 -05:00			`authentication.serializeUser((user, done) -> done(null, user._id))`
			`authentication.deserializeUser((id, done) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`User.findById(id, (err, user) -> done(err, user)))`

rename some variables 2014-02-04 17:08:20 -05:00			`authentication.use(new LocalStrategy(`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`(username, password, done) ->`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`User.findOne({emailLower: username.toLowerCase()}).exec((err, user) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`return done(err) if err`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return done(null, false, {message: 'not found', property: 'email'}) if not user`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`passwordReset = (user.get('passwordReset') or '').toLowerCase()`
			`if passwordReset and password.toLowerCase() is passwordReset`
			`User.update {_id: user.get('_id')}, {passwordReset: ''}, {}, ->`
			`return done(null, user)`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`hash = User.hashPassword(password)`
			`unless user.get('passwordHash') is hash`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return done(null, false, {message: 'is wrong.', property: 'password'})`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`return done(null, user)`
			`)`
			`))`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`app.post '/auth/spy', (req, res, next) ->`
			`if req?.user?.isAdmin()`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`username = req.body.usernameLower`
			`emailLower = req.body.emailLower`
			`if emailLower`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`query = {'emailLower': emailLower}`
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`else if username`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`query = {'nameLower': username}`
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`else`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return errors.badInput res, 'You need to supply one of emailLower or username'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`User.findOne query, (err, user) ->`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`if err? then return errors.serverError res, 'There was an error finding the specified user'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`unless user then return errors.badInput res, 'The specified user couldn\'t be found'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`req.logIn user, (err) ->`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`if err? then return errors.serverError res, 'There was an error logging in with the specified'`
Implemented espionage mode 2014-02-26 17:14:43 -05:00			`res.send(UserHandler.formatEntity(req, user))`
			`return res.end()`
			`else`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return errors.unauthorized res, 'You must be an admin to enter espionage mode'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/login', (req, res, next) ->`
rename some variables 2014-02-04 17:08:20 -05:00			`authentication.authenticate('local', (err, user, info) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`return next(err) if err`
			`if not user`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return errors.unauthorized(res, [{message: info.message, property: info.property}])`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
			`req.logIn(user, (err) ->`
			`return next(err) if (err)`
Added employer_list and activity tracking. 2014-06-10 19:30:07 -04:00			`activity = req.user.trackActivity 'login', 1`
			`user.update {activity: activity}, (err) ->`
			`return next(err) if (err)`
			`res.send(UserHandler.formatEntity(req, req.user))`
			`return res.end()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`)`
			`)(req, res, next)`
			`)`

			`app.get('/auth/whoami', (req, res) ->`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`if req.user`
			`sendSelf(req, res)`
			`else`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`user = makeNewUser(req)`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00			`makeNext = (req, res) -> -> sendSelf(req, res)`
			`next = makeNext(req, res)`
			`loginUser(req, res, user, false, next)`
			`)`

			`sendSelf = (req, res) ->`
			`res.setHeader('Content-Type', 'text/json')`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`res.send(UserHandler.formatEntity(req, req.user))`
			`res.end()`
Refactored user creation to /auth/whoami, and made the app call that first, so only one user is created. Fixed #318. Think this also fixes #406. 2014-02-24 14:12:52 -05:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/logout', (req, res) ->`
			`req.logout()`
			`res.end()`
			`)`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`app.post('/auth/reset', (req, res) ->`
			`unless req.body.email`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return errors.badInput(res, [{message: 'Need an email specified.', property: 'email'}])`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`User.findOne({emailLower: req.body.email.toLowerCase()}).exec((err, user) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`if not user`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`return errors.notFound(res, [{message: 'not found.', property: 'email'}])`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`user.set('passwordReset', Math.random().toString(36).slice(2, 7).toUpperCase())`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`user.save (err) =>`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.serverError(res) if err`
Turned off sending mail on the dev environment. 2014-01-03 17:28:26 -05:00			`if config.isProduction`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`options = createMailOptions req.body.email, user.get('passwordReset')`
Refactored some mail functions and constants to a new common module. 2014-01-24 14:47:14 -05:00			`mail.transport.sendMail options, (error, response) ->`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`if error`
			`console.error "Error sending mail: #{error.message or error}"`
refactor server http errors - error.coffee centralize all http errors response - unauthorized = 401 and forbiden = 403 2014-01-14 17:13:47 -05:00			`return errors.serverError(res) if err`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`else`
			`return res.end()`
Fixed account recovery on dev server. 2014-01-06 15:14:12 -05:00			`else`
Server console outputs recovery password if in development. 2014-05-09 19:33:06 -04:00			`console.log 'password is', user.get('passwordReset')`
add server auth test (reset password) 2014-02-02 18:02:47 -05:00			`res.send user.get('passwordReset')`
Fixed account recovery on dev server. 2014-01-06 15:14:12 -05:00			`return res.end()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`)`
			`)`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`app.get '/auth/unsubscribe', (req, res) ->`
			`email = req.query.email`
			`unless req.query.email`
			`return errors.badInput res, 'No email provided to unsubscribe.'`
Improved my-matches rank history and name fetching, ladder update emails, ladder update unsubscribes. 2014-03-11 00:30:46 -04:00
			`if req.query.session`
			`# Unsubscribe from just one session's notifications instead.`
			`return LevelSession.findOne({_id: req.query.session}).exec (err, session) ->`
			`return errors.serverError res, 'Could not unsubscribe: #{req.query.session}, #{req.query.email}: #{err}' if err`
			`session.set 'unsubscribed', true`
			`session.save (err) ->`
			`return errors.serverError res, 'Database failure.' if err`
			`res.send "Unsubscribed #{req.query.email} from CodeCombat emails for #{session.levelName} #{session.team} ladder updates. Sorry to see you go! <p><a href='/play/ladder/#{session.levelID}#my-matches'>Ladder preferences</a></p>"`
			`res.end()`

Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`User.findOne({emailLower: req.query.email.toLowerCase()}).exec (err, user) ->`
Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`if not user`
			`return errors.notFound res, "No user found with email '#{req.query.email}'"`

Migrated to the new email system, along with a setting for recruit notifications. 2014-04-21 19:15:23 -04:00			`emails = _.clone(user.get('emails')) or {}`
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`msg = ''`
Added employer_list and activity tracking. 2014-06-10 19:30:07 -04:00
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`if req.query.recruitNotes`
			`emails.recruitNotes ?= {}`
			`emails.recruitNotes.enabled = false`
			`msg = "Unsubscribed #{req.query.email} from recruiting emails."`
Added employer_list and activity tracking. 2014-06-10 19:30:07 -04:00
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`else`
			`msg = "Unsubscribed #{req.query.email} from all CodeCombat emails. Sorry to see you go!"`
			`emailSettings.enabled = false for emailSettings in _.values(emails)`
			`emails.generalNews ?= {}`
			`emails.generalNews.enabled = false`
			`emails.anyNotes ?= {}`
			`emails.anyNotes.enabled = false`
Added employer_list and activity tracking. 2014-06-10 19:30:07 -04:00
Added an unsubscribe url for recruit notifications. 2014-04-22 22:27:39 -04:00			`user.update {$set: {emails: emails}}, {}, =>`
Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`return errors.serverError res, 'Database failure.' if err`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`res.send msg + '<p><a href="/account/settings">Account settings</a></p>'`
Added unsubscribe view. 2014-01-17 13:47:42 -05:00			`res.end()`
Ready for action, sir! 2014-01-03 13:32:13 -05:00
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`module.exports.loginUser = loginUser = (req, res, user, send=true, next=null) ->`
			`user.save((err) ->`
Corrected sending errors in auth 2014-07-10 04:07:36 -04:00			`return errors.serverError res, err if err?`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00
			`req.logIn(user, (err) ->`
Corrected sending errors in auth 2014-07-10 04:07:36 -04:00			`return errors.serverError res, err if err?`
			`return res.send user if send`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`next() if next`
			`)`
			`)`

			`module.exports.makeNewUser = makeNewUser = (req) ->`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`user = new User({anonymous: true})`
Refactored user authentication again. Now the user object is inserted into main.html, which was renamed from index.html so the express static middleware wouldn't serve it. 2014-04-02 16:12:24 -04:00			`user.set 'testGroupNumber', Math.floor(Math.random() * 256) # also in app/lib/auth`
			`user.set 'preferredLanguage', languages.languageCodeFromAcceptedLanguages req.acceptedLanguages`
Added employer_list and activity tracking. 2014-06-10 19:30:07 -04:00
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`createMailOptions = (receiver, password) ->`
			`# TODO: use email templates here`
			`options =`
			`from: config.mail.username`
			`to: receiver`
			`replyTo: config.mail.username`
Clean up mixed quotes 2014-06-30 22:16:26 -04:00			`subject: '[CodeCombat] Password Reset'`
Ready for action, sir! 2014-01-03 13:32:13 -05:00			`text: "You can log into your account with: #{password}"`