2023-12-27 02:50:43 -08:00
|
|
|
import { Response } from 'express';
|
2024-01-24 04:38:57 -08:00
|
|
|
import validator from 'validator';
|
2023-12-27 02:50:43 -08:00
|
|
|
|
|
|
|
|
import config from '@/config';
|
2023-11-28 03:41:34 -08:00
|
|
|
import { Authorized, NoAuthRequired, Post, RequireGlobalScope, RestController } from '@/decorators';
|
2023-11-16 09:39:43 -08:00
|
|
|
import { issueCookie } from '@/auth/jwt';
|
|
|
|
|
import { RESPONSE_ERROR_MESSAGES } from '@/constants';
|
|
|
|
|
import { UserRequest } from '@/requests';
|
|
|
|
|
import { License } from '@/License';
|
|
|
|
|
import { UserService } from '@/services/user.service';
|
|
|
|
|
import { Logger } from '@/Logger';
|
|
|
|
|
import { isSamlLicensedAndEnabled } from '@/sso/saml/samlHelpers';
|
2023-12-11 09:23:42 -08:00
|
|
|
import { PasswordUtility } from '@/services/password.utility';
|
2023-11-16 09:39:43 -08:00
|
|
|
import { PostHogClient } from '@/posthog';
|
|
|
|
|
import type { User } from '@/databases/entities/User';
|
2024-01-24 04:38:57 -08:00
|
|
|
import { UserRepository } from '@db/repositories/user.repository';
|
2023-11-28 01:19:27 -08:00
|
|
|
import { BadRequestError } from '@/errors/response-errors/bad-request.error';
|
|
|
|
|
import { UnauthorizedError } from '@/errors/response-errors/unauthorized.error';
|
2023-12-27 02:50:43 -08:00
|
|
|
import { InternalHooks } from '@/InternalHooks';
|
|
|
|
|
import { ExternalHooks } from '@/ExternalHooks';
|
2023-11-16 09:39:43 -08:00
|
|
|
|
2023-11-28 03:41:34 -08:00
|
|
|
@Authorized()
|
2023-11-16 09:39:43 -08:00
|
|
|
@RestController('/invitations')
|
|
|
|
|
export class InvitationController {
|
|
|
|
|
constructor(
|
|
|
|
|
private readonly logger: Logger,
|
2023-12-27 02:50:43 -08:00
|
|
|
private readonly internalHooks: InternalHooks,
|
|
|
|
|
private readonly externalHooks: ExternalHooks,
|
2023-11-16 09:39:43 -08:00
|
|
|
private readonly userService: UserService,
|
2023-11-29 04:55:41 -08:00
|
|
|
private readonly license: License,
|
2023-12-11 09:23:42 -08:00
|
|
|
private readonly passwordUtility: PasswordUtility,
|
2023-12-28 00:27:47 -08:00
|
|
|
private readonly userRepository: UserRepository,
|
2023-12-27 02:50:43 -08:00
|
|
|
private readonly postHog: PostHogClient,
|
2023-11-16 09:39:43 -08:00
|
|
|
) {}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Send email invite(s) to one or multiple users and create user shell(s).
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
@Post('/')
|
2023-11-28 03:41:34 -08:00
|
|
|
@RequireGlobalScope('user:create')
|
2023-11-16 09:39:43 -08:00
|
|
|
async inviteUser(req: UserRequest.Invite) {
|
2023-12-27 02:50:43 -08:00
|
|
|
const isWithinUsersLimit = this.license.isWithinUsersLimit();
|
2023-11-16 09:39:43 -08:00
|
|
|
|
|
|
|
|
if (isSamlLicensedAndEnabled()) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError(
|
|
|
|
|
'SAML is enabled, so users are managed by the Identity Provider and cannot be added through invites',
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!isWithinUsersLimit) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to send email invite(s) to user(s) failed because the user limit quota has been reached',
|
|
|
|
|
);
|
|
|
|
|
throw new UnauthorizedError(RESPONSE_ERROR_MESSAGES.USERS_QUOTA_REACHED);
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-27 02:50:43 -08:00
|
|
|
if (!config.getEnv('userManagement.isInstanceOwnerSetUp')) {
|
2023-11-16 09:39:43 -08:00
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to send email invite(s) to user(s) failed because the owner account is not set up',
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError('You must set up your own account before inviting others');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!Array.isArray(req.body)) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to send email invite(s) to user(s) failed because the payload is not an array',
|
|
|
|
|
{
|
|
|
|
|
payload: req.body,
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError('Invalid payload');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!req.body.length) return [];
|
|
|
|
|
|
|
|
|
|
req.body.forEach((invite) => {
|
|
|
|
|
if (typeof invite !== 'object' || !invite.email) {
|
|
|
|
|
throw new BadRequestError(
|
|
|
|
|
'Request to send email invite(s) to user(s) failed because the payload is not an array shaped Array<{ email: string }>',
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!validator.isEmail(invite.email)) {
|
|
|
|
|
this.logger.debug('Invalid email in payload', { invalidEmail: invite.email });
|
|
|
|
|
throw new BadRequestError(
|
|
|
|
|
`Request to send email invite(s) to user(s) failed because of an invalid email address: ${invite.email}`,
|
|
|
|
|
);
|
|
|
|
|
}
|
2023-11-29 04:55:41 -08:00
|
|
|
|
2024-01-24 04:38:57 -08:00
|
|
|
if (invite.role && !['global:member', 'global:admin'].includes(invite.role)) {
|
2023-11-29 04:55:41 -08:00
|
|
|
throw new BadRequestError(
|
2024-01-24 04:38:57 -08:00
|
|
|
`Cannot invite user with invalid role: ${invite.role}. Please ensure all invitees' roles are either 'global:member' or 'global:admin'.`,
|
2023-11-29 04:55:41 -08:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-24 04:38:57 -08:00
|
|
|
if (invite.role === 'global:admin' && !this.license.isAdvancedPermissionsLicensed()) {
|
2023-11-29 04:55:41 -08:00
|
|
|
throw new UnauthorizedError(
|
|
|
|
|
'Cannot invite admin user without advanced permissions. Please upgrade to a license that includes this feature.',
|
|
|
|
|
);
|
|
|
|
|
}
|
2023-11-16 09:39:43 -08:00
|
|
|
});
|
|
|
|
|
|
2023-11-29 04:55:41 -08:00
|
|
|
const attributes = req.body.map(({ email, role }) => ({
|
|
|
|
|
email,
|
2024-01-24 04:38:57 -08:00
|
|
|
role: role ?? 'global:member',
|
2023-11-29 04:55:41 -08:00
|
|
|
}));
|
2023-11-16 09:39:43 -08:00
|
|
|
|
2023-11-29 04:55:41 -08:00
|
|
|
const { usersInvited, usersCreated } = await this.userService.inviteUsers(req.user, attributes);
|
2023-11-16 09:39:43 -08:00
|
|
|
|
|
|
|
|
await this.externalHooks.run('user.invited', [usersCreated]);
|
|
|
|
|
|
|
|
|
|
return usersInvited;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Fill out user shell with first name, last name, and password.
|
|
|
|
|
*/
|
|
|
|
|
@NoAuthRequired()
|
|
|
|
|
@Post('/:id/accept')
|
|
|
|
|
async acceptInvitation(req: UserRequest.Update, res: Response) {
|
|
|
|
|
const { id: inviteeId } = req.params;
|
|
|
|
|
|
|
|
|
|
const { inviterId, firstName, lastName, password } = req.body;
|
|
|
|
|
|
|
|
|
|
if (!inviterId || !inviteeId || !firstName || !lastName || !password) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to fill out a user shell failed because of missing properties in payload',
|
|
|
|
|
{ payload: req.body },
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError('Invalid payload');
|
|
|
|
|
}
|
|
|
|
|
|
2023-12-11 09:23:42 -08:00
|
|
|
const validPassword = this.passwordUtility.validate(password);
|
2023-11-16 09:39:43 -08:00
|
|
|
|
2024-01-22 03:29:28 -08:00
|
|
|
const users = await this.userRepository.findManyByIds([inviterId, inviteeId]);
|
2023-11-16 09:39:43 -08:00
|
|
|
|
|
|
|
|
if (users.length !== 2) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to fill out a user shell failed because the inviter ID and/or invitee ID were not found in database',
|
|
|
|
|
{
|
|
|
|
|
inviterId,
|
|
|
|
|
inviteeId,
|
|
|
|
|
},
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError('Invalid payload or URL');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const invitee = users.find((user) => user.id === inviteeId) as User;
|
|
|
|
|
|
|
|
|
|
if (invitee.password) {
|
|
|
|
|
this.logger.debug(
|
|
|
|
|
'Request to fill out a user shell failed because the invite had already been accepted',
|
|
|
|
|
{ inviteeId },
|
|
|
|
|
);
|
|
|
|
|
throw new BadRequestError('This invite has been accepted already');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
invitee.firstName = firstName;
|
|
|
|
|
invitee.lastName = lastName;
|
2023-12-11 09:23:42 -08:00
|
|
|
invitee.password = await this.passwordUtility.hash(validPassword);
|
2023-11-16 09:39:43 -08:00
|
|
|
|
2024-02-20 07:34:54 -08:00
|
|
|
const updatedUser = await this.userRepository.save(invitee, { transaction: false });
|
2023-11-16 09:39:43 -08:00
|
|
|
|
|
|
|
|
await issueCookie(res, updatedUser);
|
|
|
|
|
|
|
|
|
|
void this.internalHooks.onUserSignup(updatedUser, {
|
|
|
|
|
user_type: 'email',
|
|
|
|
|
was_disabled_ldap_user: false,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const publicInvitee = await this.userService.toPublic(invitee);
|
|
|
|
|
|
|
|
|
|
await this.externalHooks.run('user.profile.update', [invitee.email, publicInvitee]);
|
|
|
|
|
await this.externalHooks.run('user.password.update', [invitee.email, invitee.password]);
|
|
|
|
|
|
2024-01-17 07:08:50 -08:00
|
|
|
return await this.userService.toPublic(updatedUser, {
|
|
|
|
|
posthog: this.postHog,
|
|
|
|
|
withScopes: true,
|
|
|
|
|
});
|
2023-11-16 09:39:43 -08:00
|
|
|
}
|
|
|
|
|
}
|
