Ghost/core/server/api/authentication.js

var dataProvider     = require('../models'),
    settings         = require('./settings'),
    mail             = require('./mail'),
    utils            = require('./utils'),
    when             = require('when'),
    errors           = require('../errors'),
    config           = require('../config'),
    ONE_DAY          = 60 * 60 * 24 * 1000,
    authentication;

/**
 * ## Authentication API Methods
 *
 * **See:** [API Methods](index.js.html#api%20methods)
 */
authentication = {

    /**
     * ## Generate Reset Token
     * generate a reset token for a given email address
     * @param {{passwordreset}}
     * @returns {Promise(passwordreset)} message
     */
    generateResetToken: function generateResetToken(object) {
        var expires = Date.now() + ONE_DAY,
            email;

        return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) {
            if (checkedPasswordReset.passwordreset[0].email) {
                email = checkedPasswordReset.passwordreset[0].email;
            } else {
                return when.reject(new errors.BadRequestError('No email provided.'));
            }

            return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
                var dbHash = response.settings[0].value;
                return dataProvider.User.generateResetToken(email, expires, dbHash);
            }).then(function (resetToken) {
                var baseUrl = config().forceAdminSSL ? (config().urlSSL || config().url) : config().url,
                    siteLink = '<a href="' + baseUrl + '">' + baseUrl + '</a>',
                    resetUrl = baseUrl.replace(/\/$/, '') +  '/ghost/reset/' + resetToken + '/',
                    resetLink = '<a href="' + resetUrl + '">' + resetUrl + '</a>',
                    payload = {
                        mail: [{
                            message: {
                                to: email,
                                subject: 'Reset Password',
                                html: '<p><strong>Hello!</strong></p>' +
                                    '<p>A request has been made to reset the password on the site ' + siteLink + '.</p>' +
                                    '<p>Please follow the link below to reset your password:<br><br>' + resetLink + '</p>' +
                                    '<p>Ghost</p>'
                            },
                            options: {}
                        }]
                    };

                return mail.send(payload);
            }).then(function () {
                return when.resolve({passwordreset: [{message: 'Check your email for further instructions.'}]});
            }).otherwise(function (error) {
                // TODO: This is kind of sketchy, depends on magic string error.message from Bookshelf.
                if (error && error.message === 'NotFound') {
                    error = new errors.UnauthorizedError('Invalid email address');
                }
                return when.reject(error);
            });
        });
    },

    /**
     * ## Reset Password
     * reset password if a valid token and password (2x) is passed
     * @param {{passwordreset}}
     * @returns {Promise(passwordreset)} message
     */
    resetPassword: function resetPassword(object) {
        var resetToken,
            newPassword,
            ne2Password;
        return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) {
            resetToken = checkedPasswordReset.passwordreset[0].token;
            newPassword = checkedPasswordReset.passwordreset[0].newPassword;
            ne2Password = checkedPasswordReset.passwordreset[0].ne2Password;

            return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
                var dbHash = response.settings[0].value;
                return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);
            }).then(function () {
                return when.resolve({passwordreset: [{message: 'Password changed successfully.'}]});
            }).otherwise(function (error) {
                return when.reject(new errors.UnauthorizedError(error.message));
            });
        });
    },

    /**
     * ### Accept Invitation
     * @param {User} object the user to create
     * @returns {Promise(User}} Newly created user
     */
    acceptInvitation: function acceptInvitation(object) {
        var resetToken,
            newPassword,
            ne2Password,
            name,
            email;

        return utils.checkObject(object, 'invitation').then(function (checkedInvitation) {
            resetToken = checkedInvitation.invitation[0].token;
            newPassword = checkedInvitation.invitation[0].password;
            ne2Password = checkedInvitation.invitation[0].password;
            email = checkedInvitation.invitation[0].email;
            name = checkedInvitation.invitation[0].name;

            return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {
                var dbHash = response.settings[0].value;
                return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);
            }).then(function (user) {
                return dataProvider.User.edit({name: name, email: email}, {id: user.id});
            }).then(function () {
                return when.resolve({invitation: [{message: 'Invitation accepted.'}]});
            }).otherwise(function (error) {
                return when.reject(new errors.UnauthorizedError(error.message));
            });
        });
    }
};

module.exports = authentication;
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`var dataProvider = require('../models'),`
			`settings = require('./settings'),`
			`mail = require('./mail'),`
			`utils = require('./utils'),`
			`when = require('when'),`
			`errors = require('../errors'),`
			`config = require('../config'),`
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘ 2014-07-02 16:22:18 +02:00			`ONE_DAY = 60 * 60 * 24 * 1000,`
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`authentication;`

			`/**`
			`* ## Authentication API Methods`
			`*`
			`* See: [API Methods](index.js.html#api%20methods)`
			`*/`
			`authentication = {`

			`/**`
			`* ## Generate Reset Token`
			`* generate a reset token for a given email address`
			`* @param {{passwordreset}}`
			`* @returns {Promise(passwordreset)} message`
			`*/`
			`generateResetToken: function generateResetToken(object) {`
			`var expires = Date.now() + ONE_DAY,`
			`email;`
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘ 2014-07-02 16:22:18 +02:00
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) {`
			`if (checkedPasswordReset.passwordreset[0].email) {`
			`email = checkedPasswordReset.passwordreset[0].email;`
			`} else {`
			`return when.reject(new errors.BadRequestError('No email provided.'));`
			`}`
Made ember version of reset password work Closes #2843 * Implemnted the ember validator correctly for both reset request and actual reset (with the token) * added reset validator * changed the request route addresses to be `/authentication/passwordreset` * changed the format of data to be `{ thing: [ {data } ] }` Missing: * notifications * tests for these use cases 2014-06-27 21:08:16 +02:00
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {`
			`var dbHash = response.settings[0].value;`
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘ 2014-07-02 16:22:18 +02:00			`return dataProvider.User.generateResetToken(email, expires, dbHash);`
			`}).then(function (resetToken) {`
			`var baseUrl = config().forceAdminSSL ? (config().urlSSL \|\| config().url) : config().url,`
			`siteLink = '<a href="' + baseUrl + '">' + baseUrl + '</a>',`
			`resetUrl = baseUrl.replace(/\/$/, '') + '/ghost/reset/' + resetToken + '/',`
			`resetLink = '<a href="' + resetUrl + '">' + resetUrl + '</a>',`
			`payload = {`
			`mail: [{`
			`message: {`
			`to: email,`
			`subject: 'Reset Password',`
			`html: '<p><strong>Hello!</strong></p>' +`
			`'<p>A request has been made to reset the password on the site ' + siteLink + '.</p>' +`
			`'<p>Please follow the link below to reset your password:<br><br>' + resetLink + '</p>' +`
			`'<p>Ghost</p>'`
			`},`
			`options: {}`
			`}]`
			`};`
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00
Invite user API closes #3080 - added users.invite() to add user from email with random password - added `GET /ghost/api/v0.1/users/` to invite users and resend invitations - removed one user limit - added global utils for uid generation - changed some „“ to ‚‘ 2014-07-02 16:22:18 +02:00			`return mail.send(payload);`
			`}).then(function () {`
			`return when.resolve({passwordreset: [{message: 'Check your email for further instructions.'}]});`
			`}).otherwise(function (error) {`
			`// TODO: This is kind of sketchy, depends on magic string error.message from Bookshelf.`
			`if (error && error.message === 'NotFound') {`
			`error = new errors.UnauthorizedError('Invalid email address');`
			`}`
			`return when.reject(error);`
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`});`
			`});`
			`},`

			`/**`
			`* ## Reset Password`
			`* reset password if a valid token and password (2x) is passed`
			`* @param {{passwordreset}}`
			`* @returns {Promise(passwordreset)} message`
			`*/`
			`resetPassword: function resetPassword(object) {`
			`var resetToken,`
			`newPassword,`
			`ne2Password;`
			`return utils.checkObject(object, 'passwordreset').then(function (checkedPasswordReset) {`
			`resetToken = checkedPasswordReset.passwordreset[0].token;`
			`newPassword = checkedPasswordReset.passwordreset[0].newPassword;`
			`ne2Password = checkedPasswordReset.passwordreset[0].ne2Password;`

			`return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {`
			`var dbHash = response.settings[0].value;`
			`return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);`
			`}).then(function () {`
			`return when.resolve({passwordreset: [{message: 'Password changed successfully.'}]});`
			`}).otherwise(function (error) {`
			`return when.reject(new errors.UnauthorizedError(error.message));`
			`});`
			`});`
Allow user to accept invitation closes #3081 - added route `/ghost/api/v0.1/authentication/invitation` - added accept invitation - added signup with token - removed check() from users api - fixed promise in resetPassword() 2014-07-03 17:06:07 +02:00			`},`

			`/**`
			`* ### Accept Invitation`
			`* @param {User} object the user to create`
			`* @returns {Promise(User}} Newly created user`
			`*/`
			`acceptInvitation: function acceptInvitation(object) {`
			`var resetToken,`
			`newPassword,`
			`ne2Password,`
			`name,`
			`email;`

			`return utils.checkObject(object, 'invitation').then(function (checkedInvitation) {`
			`resetToken = checkedInvitation.invitation[0].token;`
			`newPassword = checkedInvitation.invitation[0].password;`
			`ne2Password = checkedInvitation.invitation[0].password;`
			`email = checkedInvitation.invitation[0].email;`
			`name = checkedInvitation.invitation[0].name;`

			`return settings.read({context: {internal: true}, key: 'dbHash'}).then(function (response) {`
			`var dbHash = response.settings[0].value;`
			`return dataProvider.User.resetPassword(resetToken, newPassword, ne2Password, dbHash);`
			`}).then(function (user) {`
			`return dataProvider.User.edit({name: name, email: email}, {id: user.id});`
			`}).then(function () {`
			`return when.resolve({invitation: [{message: 'Invitation accepted.'}]});`
			`}).otherwise(function (error) {`
			`return when.reject(new errors.UnauthorizedError(error.message));`
			`});`
			`});`
User API changes closes #2822 - added destroy user method - added remove user permission - added API end point for get reset token - added API end point for reset password - added API end point for change password 2014-06-20 11:15:01 +02:00			`}`
			`};`

			`module.exports = authentication;`