
989 lines
32 KiB
Raw Normal View History

2016-05-04 00:10:46 +00:00
// Copyright IBM Corp. 2014,2016. All Rights Reserved.
// Node module: loopback
// This file is licensed under the MIT License.
// License text available at https://opensource.org/licenses/MIT
2014-04-14 21:49:29 +00:00
2013-07-01 23:50:03 +00:00
* Module Dependencies.
2016-06-07 14:48:28 +00:00
var g = require('strong-globalize')();
var isEmail = require('isemail');
2014-11-04 12:52:49 +00:00
var loopback = require('../../lib/loopback');
2015-07-01 11:43:25 +00:00
var utils = require('../../lib/utils');
2014-11-04 12:52:49 +00:00
var path = require('path');
var qs = require('querystring');
2014-11-04 12:52:49 +00:00
var crypto = require('crypto');
var bcrypt;
try {
// Try the native module first
bcrypt = require('bcrypt');
2014-12-08 22:59:21 +00:00
// Browserify returns an empty object
if (bcrypt && typeof bcrypt.compare !== 'function') {
bcrypt = require('bcryptjs');
} catch (err) {
// Fall back to pure JS impl
bcrypt = require('bcryptjs');
2014-11-04 12:52:49 +00:00
var DEFAULT_TTL = 1209600; // 2 weeks in seconds
var DEFAULT_RESET_PW_TTL = 15 * 60; // 15 mins in seconds
var DEFAULT_MAX_TTL = 31556926; // 1 year in seconds
var assert = require('assert');
2013-07-01 23:50:03 +00:00
2014-01-27 22:31:38 +00:00
var debug = require('debug')('loopback:user');
2014-04-14 21:49:29 +00:00
2013-07-01 23:50:03 +00:00
* Built-in User model.
* Extends LoopBack [PersistedModel](#persistedmodel-new-persistedmodel).
* Default `User` ACLs.
2014-04-10 03:01:58 +00:00
* - ALLOW EVERYONE `create`
2014-07-16 16:09:07 +00:00
* - ALLOW OWNER `deleteById`
* - ALLOW EVERYONE `login`
* - ALLOW EVERYONE `logout`
* - ALLOW OWNER `findById`
* - ALLOW OWNER `updateAttributes`
* @property {String} username Must be unique.
* @property {String} password Hidden from remote clients.
* @property {String} email Must be valid email.
* @property {Boolean} emailVerified Set when a user's email has been verified via `confirm()`.
* @property {String} verificationToken Set when `verify()` is called.
* @property {String} realm The namespace the user belongs to. See [Partitioning users with realms](https://docs.strongloop.com/display/public/LB/Partitioning+users+with+realms) for details.
* @property {Date} created The property is not used by LoopBack, you are free to use it for your own purposes.
* @property {Date} lastUpdated The property is not used by LoopBack, you are free to use it for your own purposes.
* @property {String} status The property is not used by LoopBack, you are free to use it for your own purposes.
2015-02-04 22:09:01 +00:00
* @property {Object} settings Extends the `Model.settings` object.
* @property {Boolean} settings.emailVerificationRequired Require the email verification
* process before allowing a login.
* @property {Number} settings.ttl Default time to live (in seconds) for the `AccessToken` created by `User.login() / user.createAccessToken()`.
* Default is `1209600` (2 weeks)
* @property {Number} settings.maxTTL The max value a user can request a token to be alive / valid for.
* Default is `31556926` (1 year)
2015-02-23 21:13:52 +00:00
* @property {Boolean} settings.realmRequired Require a realm when logging in a user.
* @property {String} settings.realmDelimiter When set a realm is required.
* @property {Number} settings.resetPasswordTokenTTL Time to live for password reset `AccessToken`. Default is `900` (15 minutes).
2015-02-04 22:09:01 +00:00
* @property {Number} settings.saltWorkFactor The `bcrypt` salt work factor. Default is `10`.
* @property {Boolean} settings.caseSensitiveEmail Enable case sensitive email.
2014-10-01 17:33:36 +00:00
* @class User
* @inherits {PersistedModel}
2013-07-01 23:50:03 +00:00
module.exports = function(User) {
2013-07-01 23:50:03 +00:00
2014-11-04 12:52:49 +00:00
* Create access token for the logged in user. This method can be overridden to
* customize how access tokens are generated
* @param {Number} ttl The requested ttl
* @param {Object} [options] The options for access token, such as scope, appId
* @callback {Function} cb The callback function
2014-11-04 12:52:49 +00:00
* @param {String|Error} err The error string or object
* @param {AccessToken} token The generated access token object
User.prototype.createAccessToken = function(ttl, options, cb) {
if (cb === undefined && typeof options === 'function') {
// createAccessToken(ttl, cb)
cb = options;
options = undefined;
2015-07-01 11:43:25 +00:00
cb = cb || utils.createPromiseCallback();
if (typeof ttl === 'object' && !options) {
// createAccessToken(options, cb)
options = ttl;
ttl = options.ttl;
options = options || {};
2014-11-04 12:52:49 +00:00
var userModel = this.constructor;
ttl = Math.min(ttl || userModel.settings.ttl, userModel.settings.maxTTL);
ttl: ttl
}, cb);
2015-07-01 11:43:25 +00:00
return cb.promise;
2014-11-04 12:52:49 +00:00
function splitPrincipal(name, realmDelimiter) {
var parts = [null, name];
if (!realmDelimiter) {
return parts;
var index = name.indexOf(realmDelimiter);
if (index !== -1) {
parts[0] = name.substring(0, index);
parts[1] = name.substring(index + realmDelimiter.length);
2014-10-23 18:10:39 +00:00
return parts;
2014-11-04 12:52:49 +00:00
* Normalize the credentials
* @param {Object} credentials The credential object
* @param {Boolean} realmRequired
* @param {String} realmDelimiter The realm delimiter, if not set, no realm is needed
* @returns {Object} The normalized credential object
User.normalizeCredentials = function(credentials, realmRequired, realmDelimiter) {
var query = {};
credentials = credentials || {};
if (!realmRequired) {
if (credentials.email) {
query.email = credentials.email;
} else if (credentials.username) {
query.username = credentials.username;
2014-10-23 18:10:39 +00:00
2014-11-04 12:52:49 +00:00
} else {
if (credentials.realm) {
query.realm = credentials.realm;
2014-10-23 18:10:39 +00:00
2014-11-04 12:52:49 +00:00
var parts;
if (credentials.email) {
parts = splitPrincipal(credentials.email, realmDelimiter);
query.email = parts[1];
if (parts[0]) {
query.realm = parts[0];
2014-11-04 12:52:49 +00:00
} else if (credentials.username) {
parts = splitPrincipal(credentials.username, realmDelimiter);
query.username = parts[1];
if (parts[0]) {
query.realm = parts[0];
2013-07-02 23:51:38 +00:00
2014-11-04 12:52:49 +00:00
return query;
* Login a user by with the given `credentials`.
* ```js
* User.login({username: 'foo', password: 'bar'}, function (err, token) {
* console.log(token.id);
* });
* ```
* @param {Object} credentials username/password or email/password
* @param {String[]|String} [include] Optionally set it to "user" to include
* the user info
* @callback {Function} callback Callback function
* @param {Error} err Error object
* @param {AccessToken} token Access token if login is successful
User.login = function(credentials, include, fn) {
var self = this;
if (typeof include === 'function') {
fn = include;
include = undefined;
2013-07-02 23:51:38 +00:00
2013-07-03 05:37:31 +00:00
2015-07-01 11:43:25 +00:00
fn = fn || utils.createPromiseCallback();
2014-11-04 12:52:49 +00:00
include = (include || '');
if (Array.isArray(include)) {
include = include.map(function(val) {
return val.toLowerCase();
2013-07-03 05:37:31 +00:00
} else {
2014-11-04 12:52:49 +00:00
include = include.toLowerCase();
2013-07-03 05:37:31 +00:00
2014-11-04 12:52:49 +00:00
var realmDelimiter;
// Check if realm is required
var realmRequired = !!(self.settings.realmRequired ||
if (realmRequired) {
realmDelimiter = self.settings.realmDelimiter;
var query = self.normalizeCredentials(credentials, realmRequired,
2013-07-02 23:51:38 +00:00
if (realmRequired) {
if (!query.realm) {
var err1 = new Error(g.f('{{realm}} is required'));
err1.statusCode = 400;
err1.code = 'REALM_REQUIRED';
return fn.promise;
} else if (typeof query.realm !== 'string') {
var err5 = new Error(g.f('Invalid realm'));
err5.statusCode = 400;
err5.code = 'INVALID_REALM';
return fn.promise;
2014-11-04 12:52:49 +00:00
if (!query.email && !query.username) {
2016-06-07 14:48:28 +00:00
var err2 = new Error(g.f('{{username}} or {{email}} is required'));
2014-11-04 12:52:49 +00:00
err2.statusCode = 400;
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
if (query.username && typeof query.username !== 'string') {
var err3 = new Error(g.f('Invalid username'));
err3.statusCode = 400;
err3.code = 'INVALID_USERNAME';
return fn.promise;
} else if (query.email && typeof query.email !== 'string') {
var err4 = new Error(g.f('Invalid email'));
err4.statusCode = 400;
err4.code = 'INVALID_EMAIL';
return fn.promise;
2013-07-02 23:51:38 +00:00
2014-11-04 12:52:49 +00:00
self.findOne({where: query}, function(err, user) {
2016-06-07 14:48:28 +00:00
var defaultError = new Error(g.f('login failed'));
2014-11-04 12:52:49 +00:00
defaultError.statusCode = 401;
defaultError.code = 'LOGIN_FAILED';
2013-07-02 23:51:38 +00:00
function tokenHandler(err, token) {
if (err) return fn(err);
if (Array.isArray(include) ? include.indexOf('user') !== -1 : include === 'user') {
// NOTE(bajtos) We can't set token.user here:
// 1. token.user already exists, it's a function injected by
// "AccessToken belongsTo User" relation
// 2. ModelBaseClass.toJSON() ignores own properties, thus
// the value won't be included in the HTTP response
// See also loopback#161 and loopback#162
token.__data.user = user;
fn(err, token);
2014-11-04 12:52:49 +00:00
if (err) {
debug('An error is reported from User.findOne: %j', err);
} else if (user) {
user.hasPassword(credentials.password, function(err, isMatch) {
if (err) {
debug('An error is reported from User.hasPassword: %j', err);
} else if (isMatch) {
if (self.settings.emailVerificationRequired && !user.emailVerified) {
// Fail to log in if email verification is not done yet
debug('User email has not been verified');
2016-06-07 14:48:28 +00:00
err = new Error(g.f('login failed as the email has not been verified'));
err.statusCode = 401;
2015-07-01 11:43:25 +00:00
} else {
if (user.createAccessToken.length === 2) {
user.createAccessToken(credentials.ttl, tokenHandler);
} else {
user.createAccessToken(credentials.ttl, credentials, tokenHandler);
2014-11-04 12:52:49 +00:00
} else {
debug('The password is invalid for user %s', query.email || query.username);
} else {
debug('No matching record is found for user %s', query.email || query.username);
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
* Logout a user with the given accessToken id.
* ```js
* User.logout('asd0a9f8dsj9s0s3223mk', function (err) {
* console.log(err || 'Logged out');
* });
* ```
* @param {String} accessTokenID
* @callback {Function} callback
* @param {Error} err
User.logout = function(tokenId, fn) {
2015-07-01 11:43:25 +00:00
fn = fn || utils.createPromiseCallback();
if (!tokenId) {
var err = new Error(g.f('{{accessToken}} is required to logout'));
err.status = 401;
process.nextTick(function() { fn(err); });
return fn.promise;
this.relations.accessTokens.modelTo.destroyById(tokenId, function(err, info) {
2014-11-04 12:52:49 +00:00
if (err) {
2013-07-03 05:37:31 +00:00
} else if ('count' in info && info.count === 0) {
err = new Error(g.f('Could not find {{accessToken}}'));
err.status = 401;
2013-07-03 05:37:31 +00:00
} else {
2013-07-03 05:37:31 +00:00
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
2016-07-07 15:30:57 +00:00
User.observe('before delete', function(ctx, next) {
var AccessToken = ctx.Model.relations.accessTokens.modelTo;
var pkName = ctx.Model.definition.idName() || 'id';
ctx.Model.find({ where: ctx.where, fields: [pkName] }, function(err, list) {
if (err) return next(err);
var ids = list.map(function(u) { return u[pkName]; });
ctx.where = {};
ctx.where[pkName] = { inq: ids };
AccessToken.destroyAll({ userId: { inq: ids }}, next);
2014-11-04 12:52:49 +00:00
* Compare the given `password` with the users hashed password.
* @param {String} password The plain text password
* @callback {Function} callback Callback function
* @param {Error} err Error object
* @param {Boolean} isMatch Returns true if the given `password` matches record
2014-11-04 12:52:49 +00:00
User.prototype.hasPassword = function(plain, fn) {
2015-07-01 11:43:25 +00:00
fn = fn || utils.createPromiseCallback();
2014-11-04 12:52:49 +00:00
if (this.password && plain) {
bcrypt.compare(plain, this.password, function(err, isMatch) {
if (err) return fn(err);
fn(null, isMatch);
2013-07-03 05:37:31 +00:00
} else {
2014-11-04 12:52:49 +00:00
fn(null, false);
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
* Verify a user's identity by sending them a confirmation email.
* ```js
* var options = {
* type: 'email',
* to: user.email,
* template: 'verify.ejs',
* redirect: '/',
* tokenGenerator: function (user, cb) { cb("random-token"); }
* };
2014-11-04 12:52:49 +00:00
* user.verify(options, next);
* ```
* @options {Object} options
* @property {String} type Must be 'email'.
* @property {String} to Email address to which verification email is sent.
* @property {String} from Sender email addresss, for example
* `'noreply@myapp.com'`.
* @property {String} subject Subject line text.
* @property {String} text Text of email.
* @property {String} template Name of template that displays verification
* page, for example, `'verify.ejs'.
2016-11-11 13:28:49 +00:00
* @property {Function} templateFn A function generating the email HTML body
* from `verify()` options object and generated attributes like `options.verifyHref`.
* It must accept the option object and a callback function with `(err, html)`
* as parameters
2014-11-04 12:52:49 +00:00
* @property {String} redirect Page to which user will be redirected after
* they verify their email, for example `'/'` for root URI.
* @property {Function} generateVerificationToken A function to be used to
* generate the verification token. It must accept the user object and a
* callback function. This function should NOT add the token to the user
* object, instead simply execute the callback with the token! User saving
* and email sending will be handled in the `verify()` method.
2014-11-04 12:52:49 +00:00
User.prototype.verify = function(options, fn) {
2015-07-01 11:43:25 +00:00
fn = fn || utils.createPromiseCallback();
2014-11-04 12:52:49 +00:00
var user = this;
var userModel = this.constructor;
var registry = userModel.registry;
var pkName = userModel.definition.idName() || 'id';
2014-11-04 12:52:49 +00:00
assert(typeof options === 'object', 'options required when calling user.verify()');
assert(options.type, 'You must supply a verification type (options.type)');
assert(options.type === 'email', 'Unsupported verification type');
assert(options.to || this.email, 'Must include options.to when calling user.verify() or the user must have an email property');
assert(options.from, 'Must include options.from when calling user.verify()');
2014-11-04 12:52:49 +00:00
options.redirect = options.redirect || '/';
options.template = path.resolve(options.template || path.join(__dirname, '..', '..', 'templates', 'verify.ejs'));
options.user = this;
options.protocol = options.protocol || 'http';
var app = userModel.app;
options.host = options.host || (app && app.get('host')) || 'localhost';
options.port = options.port || (app && app.get('port')) || 3000;
options.restApiRoot = options.restApiRoot || (app && app.get('restApiRoot')) || '/api';
var displayPort = (
(options.protocol === 'http' && options.port == '80') ||
(options.protocol === 'https' && options.port == '443')
) ? '' : ':' + options.port;
var urlPath = joinUrlPath(
userModel.sharedClass.find('confirm', true).http.path
2014-11-04 12:52:49 +00:00
options.verifyHref = options.verifyHref ||
options.protocol +
'://' +
options.host +
displayPort +
urlPath +
'?' + qs.stringify({
uid: '' + options.user[pkName],
redirect: options.redirect,
2014-11-04 12:52:49 +00:00
2016-11-11 13:28:49 +00:00
options.templateFn = options.templateFn || createVerificationEmailBody;
2014-11-04 12:52:49 +00:00
// Email model
var Email = options.mailer || this.constructor.email || registry.getModelByType(loopback.Email);
2014-11-04 12:52:49 +00:00
// Set a default token generation function if one is not provided
var tokenGenerator = options.generateVerificationToken || User.generateVerificationToken;
tokenGenerator(user, function(err, token) {
if (err) { return fn(err); }
user.verificationToken = token;
user.save(function(err) {
if (err) {
} else {
2014-11-04 12:52:49 +00:00
2013-11-20 18:59:29 +00:00
2014-11-04 12:52:49 +00:00
// TODO - support more verification types
function sendEmail(user) {
options.verifyHref += '&token=' + user.verificationToken;
options.text = options.text || g.f('Please verify your email by opening ' +
'this link in a web browser:\n\t%s', options.verifyHref);
options.text = options.text.replace(/\{href\}/g, options.verifyHref);
2013-11-20 18:59:29 +00:00
options.to = options.to || user.email;
options.subject = options.subject || g.f('Thanks for Registering');
2016-06-07 14:48:28 +00:00
options.headers = options.headers || {};
2016-11-11 13:28:49 +00:00
options.templateFn(options, function(err, html) {
2014-11-04 12:52:49 +00:00
if (err) {
} else {
2016-11-11 13:28:49 +00:00
2014-11-04 12:52:49 +00:00
2016-11-11 13:28:49 +00:00
function setHtmlContentAndSend(html) {
options.html = html;
// Remove options.template to prevent rejection by certain
// nodemailer transport plugins.
delete options.template;
2016-11-11 13:28:49 +00:00
Email.send(options, function(err, email) {
if (err) {
} else {
fn(null, {email: email, token: user.verificationToken, uid: user[pkName]});
2016-11-11 13:28:49 +00:00
2014-11-04 12:52:49 +00:00
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
2016-11-11 13:28:49 +00:00
function createVerificationEmailBody(options, cb) {
var template = loopback.template(options.template);
var body = template(options);
cb(null, body);
* A default verification token generator which accepts the user the token is
* being generated for and a callback function to indicate completion.
* This one uses the crypto library and 64 random bytes (converted to hex)
* for the token. When used in combination with the user.verify() method this
* function will be called with the `user` object as it's context (`this`).
* @param {object} user The User this token is being generated for.
* @param {Function} cb The generator must pass back the new token with this function call
User.generateVerificationToken = function(user, cb) {
crypto.randomBytes(64, function(err, buf) {
cb(err, buf && buf.toString('hex'));
2014-11-04 12:52:49 +00:00
* Confirm the user's identity.
* @param {Any} userId
* @param {String} token The validation token
* @param {String} redirect URL to redirect the user to once confirmed
* @callback {Function} callback
* @param {Error} err
User.confirm = function(uid, token, redirect, fn) {
2015-07-01 11:43:25 +00:00
fn = fn || utils.createPromiseCallback();
2014-11-04 12:52:49 +00:00
this.findById(uid, function(err, user) {
if (err) {
2014-11-04 12:52:49 +00:00
} else {
if (user && user.verificationToken === token) {
2016-06-16 06:20:33 +00:00
user.verificationToken = null;
2014-11-04 12:52:49 +00:00
user.emailVerified = true;
user.save(function(err) {
if (err) {
} else {
} else {
if (user) {
2016-06-07 14:48:28 +00:00
err = new Error(g.f('Invalid token: %s', token));
2014-11-04 12:52:49 +00:00
err.statusCode = 400;
err.code = 'INVALID_TOKEN';
2013-11-20 18:59:29 +00:00
} else {
2016-06-07 14:48:28 +00:00
err = new Error(g.f('User not found: %s', uid));
2014-11-04 12:52:49 +00:00
err.statusCode = 404;
err.code = 'USER_NOT_FOUND';
2013-11-20 18:59:29 +00:00
2014-11-04 12:52:49 +00:00
2013-11-20 18:59:29 +00:00
2015-07-01 11:43:25 +00:00
return fn.promise;
2014-11-04 12:52:49 +00:00
* Create a short lived access token for temporary login. Allows users
2014-11-04 12:52:49 +00:00
* to change passwords if forgotten.
* @options {Object} options
* @property {String} email The user's email address
* @property {String} realm The user's realm (optional)
2014-11-04 12:52:49 +00:00
* @callback {Function} callback
* @param {Error} err
User.resetPassword = function(options, cb) {
2015-07-01 11:43:25 +00:00
cb = cb || utils.createPromiseCallback();
2014-11-04 12:52:49 +00:00
var UserModel = this;
var ttl = UserModel.settings.resetPasswordTokenTTL || DEFAULT_RESET_PW_TTL;
options = options || {};
if (typeof options.email !== 'string') {
2016-06-07 14:48:28 +00:00
var err = new Error(g.f('Email is required'));
2014-11-04 12:52:49 +00:00
err.statusCode = 400;
err.code = 'EMAIL_REQUIRED';
2014-11-04 12:52:49 +00:00
return cb.promise;
2014-11-04 12:52:49 +00:00
try {
if (options.password) {
} catch (err) {
return cb(err);
var where = {
email: options.email
if (options.realm) {
where.realm = options.realm;
UserModel.findOne({ where: where }, function(err, user) {
if (err) {
return cb(err);
if (!user) {
2016-06-07 14:48:28 +00:00
err = new Error(g.f('Email not found'));
err.statusCode = 404;
err.code = 'EMAIL_NOT_FOUND';
return cb(err);
// create a short lived access token for temp login to change password
// TODO(ritch) - eventually this should only allow password change
if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
err = new Error(g.f('Email has not been verified'));
err.statusCode = 401;
return cb(err);
user.createAccessToken(ttl, function(err, accessToken) {
if (err) {
return cb(err);
UserModel.emit('resetPasswordRequest', {
email: options.email,
accessToken: accessToken,
user: user,
options: options,
2015-07-01 11:43:25 +00:00
return cb.promise;
2014-11-04 12:52:49 +00:00
* Hash the plain password
User.hashPassword = function(plain) {
var salt = bcrypt.genSaltSync(this.settings.saltWorkFactor || SALT_WORK_FACTOR);
return bcrypt.hashSync(plain, salt);
User.validatePassword = function(plain) {
var err;
if (plain && typeof plain === 'string' && plain.length <= MAX_PASSWORD_LENGTH) {
return true;
if (plain.length > MAX_PASSWORD_LENGTH) {
err = new Error(g.f('Password too long: %s', plain));
err.code = 'PASSWORD_TOO_LONG';
} else {
err = new Error(g.f('Invalid password: %s', plain));
err.code = 'INVALID_PASSWORD';
err.statusCode = 422;
throw err;
User._invalidateAccessTokensOfUsers = function(userIds, options, cb) {
if (typeof options === 'function' && cb === undefined) {
cb = options;
options = {};
if (!Array.isArray(userIds) || !userIds.length)
return process.nextTick(cb);
var accessTokenRelation = this.relations.accessTokens;
if (!accessTokenRelation)
return process.nextTick(cb);
var AccessToken = accessTokenRelation.modelTo;
var query = {userId: {inq: userIds}};
var tokenPK = AccessToken.definition.idName() || 'id';
if (options.accessToken && tokenPK in options.accessToken) {
query[tokenPK] = {neq: options.accessToken[tokenPK]};
AccessToken.deleteAll(query, options, cb);
2014-11-04 12:52:49 +00:00
* Setup an extended user model.
User.setup = function() {
// We need to call the base class's setup method
var UserModel = this;
// max ttl
this.settings.maxTTL = this.settings.maxTTL || DEFAULT_MAX_TTL;
this.settings.ttl = this.settings.ttl || DEFAULT_TTL;
2014-11-04 12:52:49 +00:00
UserModel.setter.email = function(value) {
if (!UserModel.settings.caseSensitiveEmail) {
this.$email = value.toLowerCase();
} else {
this.$email = value;
2014-11-04 12:52:49 +00:00
UserModel.setter.password = function(plain) {
if (typeof plain !== 'string') {
if (plain.indexOf('$2a$') === 0 && plain.length === 60) {
// The password is already hashed. It can be the case
// when the instance is loaded from DB
this.$password = plain;
} else {
this.$password = this.constructor.hashPassword(plain);
2014-11-04 12:52:49 +00:00
// Make sure emailVerified is not set by creation
UserModel.beforeRemote('create', function(ctx, user, next) {
var body = ctx.req.body;
if (body && body.emailVerified) {
body.emailVerified = false;
2013-07-03 05:37:31 +00:00
2014-11-04 12:52:49 +00:00
2013-07-03 05:37:31 +00:00
2014-04-10 03:01:58 +00:00
2014-11-04 12:52:49 +00:00
description: 'Login a user with username/email and password.',
2014-11-04 12:52:49 +00:00
accepts: [
{arg: 'credentials', type: 'object', required: true, http: {source: 'body'}},
2016-06-07 14:48:28 +00:00
{arg: 'include', type: ['string'], http: {source: 'query'},
description: 'Related objects to include in the response. ' +
'See the description of return value for more details.' },
2014-11-04 12:52:49 +00:00
returns: {
arg: 'accessToken', type: 'object', root: true,
2016-06-07 14:48:28 +00:00
g.f('The response body contains properties of the {{AccessToken}} created on login.\n' +
2014-11-04 12:52:49 +00:00
'Depending on the value of `include` parameter, the body may contain ' +
'additional properties:\n\n' +
2016-06-07 14:48:28 +00:00
' - `user` - `U+007BUserU+007D` - Data of the currently logged in user. ' +
2014-11-04 12:52:49 +00:00
http: {verb: 'post'}
2014-11-04 12:52:49 +00:00
description: 'Logout a user with access token.',
2014-11-04 12:52:49 +00:00
accepts: [
{arg: 'access_token', type: 'string', http: function(ctx) {
2016-06-07 14:48:28 +00:00
var req = ctx && ctx.req;
var accessToken = req && req.accessToken;
var tokenID = accessToken ? accessToken.id : undefined;
2016-06-07 14:48:28 +00:00
return tokenID;
}, description: 'Do not supply this argument, it is automatically extracted ' +
'from request headers.',
2016-06-07 14:48:28 +00:00
2014-11-04 12:52:49 +00:00
http: {verb: 'all'}
2014-11-04 12:52:49 +00:00
description: 'Confirm a user registration with email verification token.',
2014-11-04 12:52:49 +00:00
accepts: [
{arg: 'uid', type: 'string', required: true},
{arg: 'token', type: 'string', required: true},
{arg: 'redirect', type: 'string'}
2014-11-04 12:52:49 +00:00
http: {verb: 'get', path: '/confirm'}
2014-11-04 12:52:49 +00:00
description: 'Reset password for a user with email.',
2014-11-04 12:52:49 +00:00
accepts: [
{arg: 'options', type: 'object', required: true, http: {source: 'body'}}
http: {verb: 'post', path: '/reset'}
UserModel.afterRemote('confirm', function(ctx, inst, next) {
if (ctx.args.redirect !== undefined) {
if (!ctx.res) {
2016-06-07 14:48:28 +00:00
return next(new Error(g.f('The transport does not support HTTP redirects.')));
2014-11-04 12:52:49 +00:00
2014-11-04 12:52:49 +00:00
2014-04-10 03:01:58 +00:00
2014-11-04 12:52:49 +00:00
// default models
assert(loopback.Email, 'Email model must be defined before User model');
UserModel.email = loopback.Email;
2014-04-10 03:01:58 +00:00
2014-11-04 12:52:49 +00:00
assert(loopback.AccessToken, 'AccessToken model must be defined before User model');
UserModel.accessToken = loopback.AccessToken;
2014-10-23 18:10:39 +00:00
UserModel.validate('email', emailValidator, {
message: g.f('Must provide a valid email')
2014-04-10 03:01:58 +00:00
2014-11-04 12:52:49 +00:00
// FIXME: We need to add support for uniqueness of composite keys in juggler
if (!(UserModel.settings.realmRequired || UserModel.settings.realmDelimiter)) {
UserModel.validatesUniquenessOf('email', {message: 'Email already exists'});
UserModel.validatesUniquenessOf('username', {message: 'User already exists'});
2013-07-02 23:51:38 +00:00
UserModel.once('attached', function() {
if (UserModel.app.get('logoutSessionsOnSensitiveChanges') !== undefined)
'The user model %j is attached to an application that does not specify',
'whether other sessions should be invalidated when a password or',
'an email has changed. Session invalidation is important for security',
'reasons as it allows users to recover from various account breach',
'We recommend turning this feature on by setting',
'"{{logoutSessionsOnSensitiveChanges}}" to {{true}} in',
'{{server/config.json}} (unless you have implemented your own solution',
'for token invalidation).',
'We also recommend enabling "{{injectOptionsFromRemoteContext}}" in',
'%s\'s settings (typically via common/models/*.json file).',
'This setting is required for the invalidation algorithm to keep ',
'the current session valid.',
'Learn more in our documentation at',
].join('\n'), UserModel.modelName, UserModel.modelName);
2014-11-04 12:52:49 +00:00
return UserModel;
* Setup the base user.
2013-07-03 05:37:31 +00:00
2014-11-04 12:52:49 +00:00
// Important: Operation hooks are inherited by subclassed models,
// therefore they must be registered outside of setup() function
// Access token to normalize email credentials
User.observe('access', function normalizeEmailCase(ctx, next) {
if (!ctx.Model.settings.caseSensitiveEmail && ctx.query.where &&
ctx.query.where.email && typeof(ctx.query.where.email) === 'string') {
ctx.query.where.email = ctx.query.where.email.toLowerCase();
User.observe('before save', function prepareForTokenInvalidation(ctx, next) {
var invalidationEnabled = ctx.Model.app &&
if (!invalidationEnabled) return next();
if (ctx.isNewInstance) return next();
if (!ctx.where && !ctx.instance) return next();
var pkName = ctx.Model.definition.idName() || 'id';
var where = ctx.where;
if (!where) {
where = {};
where[pkName] = ctx.instance[pkName];
ctx.Model.find({where: where}, ctx.options, function(err, userInstances) {
if (err) return next(err);
ctx.hookState.originalUserData = userInstances.map(function(u) {
var user = {};
user[pkName] = u[pkName];
user.email = u.email;
user.password = u.password;
return user;
var emailChanged;
if (ctx.instance) {
// Check if map does not return an empty array
// Fix server crashes when try to PUT a non existent id
if (ctx.hookState.originalUserData.length > 0) {
emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
} else {
emailChanged = true;
if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
ctx.instance.emailVerified = false;
} else if (ctx.data.email) {
emailChanged = ctx.hookState.originalUserData.some(function(data) {
return data.email != ctx.data.email;
if (emailChanged && ctx.Model.settings.emailVerificationRequired) {
ctx.data.emailVerified = false;
User.observe('after save', function invalidateOtherTokens(ctx, next) {
var invalidationEnabled = ctx.Model.app &&
if (!invalidationEnabled) return next();
if (!ctx.instance && !ctx.data) return next();
if (!ctx.hookState.originalUserData) return next();
var pkName = ctx.Model.definition.idName() || 'id';
var newEmail = (ctx.instance || ctx.data).email;
var newPassword = (ctx.instance || ctx.data).password;
if (!newEmail && !newPassword) return next();
var userIdsToExpire = ctx.hookState.originalUserData.filter(function(u) {
return (newEmail && u.email !== newEmail) ||
(newPassword && u.password !== newPassword);
}).map(function(u) {
return u[pkName];
ctx.Model._invalidateAccessTokensOfUsers(userIdsToExpire, ctx.options, next);
function emailValidator(err, done) {
var value = this.email;
if (value == null)
if (typeof value !== 'string')
return err('string');
if (value === '') return;
if (!isEmail(value))
return err('email');
function joinUrlPath(args) {
var result = arguments[0];
for (var ix = 1; ix < arguments.length; ix++) {
var next = arguments[ix];
result += result[result.length - 1] === '/' && next[0] === '/' ?
next.slice(1) : next;
return result;