expressCart/routes/user.js

const express = require('express');
const common = require('../lib/common');
const { restrict } = require('../lib/auth');
const colors = require('colors');
const bcrypt = require('bcryptjs');
const { validateJson } = require('../lib/schema');
const router = express.Router();

router.get('/admin/users', restrict, async (req, res) => {
    const db = req.app.db;
    const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();

    if(req.apiAuthenticated){
        res.status(200).json(users);
        return;
    }

    res.render('users', {
        title: 'Users',
        users: users,
        admin: true,
        config: req.app.config,
        isAdmin: req.session.isAdmin,
        helpers: req.handlebars.helpers,
        session: req.session,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType')
    });
});

// edit user
router.get('/admin/user/edit/:id', restrict, async (req, res) => {
    const db = req.app.db;
    const user = await db.users.findOne({ _id: common.getId(req.params.id) });

    // Check user is found
    if(!user){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'User not found' });
            return;
        }

        req.session.message = 'User not found';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // if the user we want to edit is not the current logged in user and the current user is not
    // an admin we render an access denied message
    if(user.userEmail !== req.session.user && req.session.isAdmin === false){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Access denied' });
            return;
        }

        req.session.message = 'Access denied';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    res.render('user-edit', {
        title: 'User edit',
        user: user,
        admin: true,
        session: req.session,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType'),
        helpers: req.handlebars.helpers,
        config: req.app.config
    });
});

// users new
router.get('/admin/user/new', restrict, (req, res) => {
    res.render('user-new', {
        title: 'User - New',
        admin: true,
        session: req.session,
        helpers: req.handlebars.helpers,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType'),
        config: req.app.config
    });
});

// delete a user
router.post('/admin/user/delete', restrict, async (req, res) => {
    const db = req.app.db;

    // userId
    if(req.session.isAdmin !== true){
        res.status(400).json({ message: 'Access denied' });
        return;
    }

    // Cannot delete your own account
    if(req.session.userId === req.body.userId){
        res.status(400).json({ message: 'Unable to delete own user account' });
        return;
    }

    const user = await db.users.findOne({ _id: common.getId(req.body.userId) });

    // If user is not found
    if(!user){
        res.status(400).json({ message: 'User not found.' });
        return;
    }

    // Cannot delete the original user/owner
    if(user.isOwner){
        res.status(400).json({ message: 'Access denied.' });
        return;
    }

    try{
        await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});
        res.status(200).json({ message: 'User deleted.' });
        return;
    }catch(ex){
        console.log('Failed to delete user', ex);
        res.status(200).json({ message: 'Cannot delete user' });
        return;
    };
});

// update a user
router.post('/admin/user/update', restrict, async (req, res) => {
    const db = req.app.db;

    let isAdmin = req.body.userAdmin === 'on';

    // get the user we want to update
    const user = await db.users.findOne({ _id: common.getId(req.body.userId) });

    // If user not found
    if(!user){
        res.status(400).json({ message: 'User not found' });
        return;
    }

    // If the current user changing own account ensure isAdmin retains existing
    if(user.userEmail === req.session.user){
        isAdmin = user.isAdmin;
    }

    // if the user we want to edit is not the current logged in user and the current user is not
    // an admin we render an access denied message
    if(user.userEmail !== req.session.user && req.session.isAdmin === false){
        res.status(400).json({ message: 'Access denied' });
        return;
    }

    // create the update doc
    const updateDoc = {};
    updateDoc.isAdmin = isAdmin;
    if(req.body.usersName){
        updateDoc.usersName = req.body.usersName;
    }
    if(req.body.userEmail){
        updateDoc.userEmail = req.body.userEmail;
    }
    if(req.body.userPassword){
        updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
    }

    // Validate update user
    const schemaResult = validateJson('editUser', updateDoc);
    if(!schemaResult.result){
        res.status(400).json({
            message: 'Failed to create user. Check inputs.',
            error: schemaResult.errors
        });
        return;
    }

    try{
        const updatedUser = await db.users.findOneAndUpdate(
            { _id: common.getId(req.body.userId) },
            {
                $set: updateDoc
            }, { multi: false, returnOriginal: false }
        );

        const returnUser = updatedUser.value;
        delete returnUser.userPassword;
        delete returnUser.apiKey;
        res.status(200).json({ message: 'User account updated', user: updatedUser.value });
        return;
    }catch(ex){
        console.error(colors.red('Failed updating user: ' + ex));
        res.status(400).json({ message: 'Failed to update user' });
    }
});

// insert a user
router.post('/admin/user/insert', restrict, async (req, res) => {
    const db = req.app.db;

    // Check number of users
    const userCount = await db.users.countDocuments({});
    let isAdmin = false;

    // if no users, setup user as admin
    if(userCount === 0){
        isAdmin = true;
    }

    const userObj = {
        usersName: req.body.usersName,
        userEmail: req.body.userEmail,
        userPassword: bcrypt.hashSync(req.body.userPassword, 10),
        isAdmin: isAdmin
    };

    // Validate new user
    const schemaResult = validateJson('newUser', userObj);
    if(!schemaResult.result){
        res.status(400).json({ message: 'Failed to create user. Check inputs.', error: schemaResult.errors });
        return;
    }

    // check for existing user
    const user = await db.users.findOne({ userEmail: req.body.userEmail });
    if(user){
        console.error(colors.red('Failed to insert user, possibly already exists'));
        res.status(400).json({ message: 'A user with that email address already exists' });
        return;
    }
    // email is ok to be used.
    try{
        const newUser = await db.users.insertOne(userObj);
        res.status(200).json({
            message: 'User account inserted',
            userId: newUser.insertedId
        });
    }catch(ex){
        console.error(colors.red('Failed to insert user: ' + ex));
        res.status(400).json({ message: 'New user creation failed' });
    }
});

module.exports = router;
Route separation 2018-02-05 23:20:44 +10:00			`const express = require('express');`
Moved common helper to more logical location 2018-02-06 04:20:30 +10:00			`const common = require('../lib/common');`
Linting and refactoring 2019-06-15 14:46:08 +10:00			`const { restrict } = require('../lib/auth');`
Route separation 2018-02-05 23:20:44 +10:00			`const colors = require('colors');`
			`const bcrypt = require('bcryptjs');`
Validate users routes 2019-11-16 19:37:48 +10:00			`const { validateJson } = require('../lib/schema');`
Route separation 2018-02-05 23:20:44 +10:00			`const router = express.Router();`

Refactor user route 2019-11-09 09:18:32 +10:00			`router.get('/admin/users', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Refactor user route 2019-11-09 09:18:32 +10:00			`const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();`

			`if(req.apiAuthenticated){`
			`res.status(200).json(users);`
			`return;`
			`}`

			`res.render('users', {`
			`title: 'Users',`
			`users: users,`
			`admin: true,`
			`config: req.app.config,`
			`isAdmin: req.session.isAdmin,`
			`helpers: req.handlebars.helpers,`
			`session: req.session,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType')`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

			`// edit user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.get('/admin/user/edit/:id', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Refactor user route 2019-11-09 09:18:32 +10:00			`const user = await db.users.findOne({ _id: common.getId(req.params.id) });`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`// Check user is found`
			`if(!user){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'User not found' });`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00			`return;`
Enhancing user management 2019-11-07 16:36:20 +10:00			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'User not found';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`// if the user we want to edit is not the current logged in user and the current user is not`
			`// an admin we render an access denied message`
			`if(user.userEmail !== req.session.user && req.session.isAdmin === false){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Access denied' });`
Route separation 2018-02-05 23:20:44 +10:00			`return;`
			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'Access denied';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

Normalise file names 2020-01-01 19:26:21 +10:00			`res.render('user-edit', {`
Refactor user route 2019-11-09 09:18:32 +10:00			`title: 'User edit',`
			`user: user,`
			`admin: true,`
			`session: req.session,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType'),`
			`helpers: req.handlebars.helpers,`
			`config: req.app.config`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

			`// users new`
Linting and refactoring 2019-06-15 14:46:08 +10:00			`router.get('/admin/user/new', restrict, (req, res) => {`
Normalise file names 2020-01-01 19:26:21 +10:00			`res.render('user-new', {`
Route separation 2018-02-05 23:20:44 +10:00			`title: 'User - New',`
			`admin: true,`
			`session: req.session,`
			`helpers: req.handlebars.helpers,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType'),`
Started adding some tests 2018-02-23 03:41:24 +10:00			`config: req.app.config`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

Linting 2019-12-30 12:48:45 +10:00			`// delete a user`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`router.post('/admin/user/delete', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
			`// userId`
Enhancing user management 2019-11-07 16:36:20 +10:00			`if(req.session.isAdmin !== true){`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`res.status(400).json({ message: 'Access denied' });`
Enhancing user management 2019-11-07 16:36:20 +10:00			`return;`
			`}`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
Enhancing user management 2019-11-07 16:36:20 +10:00			`// Cannot delete your own account`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`if(req.session.userId === req.body.userId){`
			`res.status(400).json({ message: 'Unable to delete own user account' });`
Enhancing user management 2019-11-07 16:36:20 +10:00			`return;`
			`}`

Fixed delete user account api 2019-12-16 14:45:02 +10:00			`const user = await db.users.findOne({ _id: common.getId(req.body.userId) });`
Enhancing user management 2019-11-07 16:36:20 +10:00
			`// If user is not found`
			`if(!user){`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`res.status(400).json({ message: 'User not found.' });`
Enhancing user management 2019-11-07 16:36:20 +10:00			`return;`
			`}`

			`// Cannot delete the original user/owner`
			`if(user.isOwner){`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`res.status(400).json({ message: 'Access denied.' });`
Enhancing user management 2019-11-07 16:36:20 +10:00			`return;`
Route separation 2018-02-05 23:20:44 +10:00			`}`
Enhancing user management 2019-11-07 16:36:20 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`try{`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`await db.users.deleteOne({ _id: common.getId(req.body.userId) }, {});`
			`res.status(200).json({ message: 'User deleted.' });`
			`return;`
Refactor user route 2019-11-09 09:18:32 +10:00			`}catch(ex){`
			`console.log('Failed to delete user', ex);`
Fixed delete user account api 2019-12-16 14:45:02 +10:00			`res.status(200).json({ message: 'Cannot delete user' });`
			`return;`
Refactor user route 2019-11-09 09:18:32 +10:00			`};`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`// update a user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.post('/admin/user/update', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`

Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`let isAdmin = req.body.userAdmin === 'on';`
Route separation 2018-02-05 23:20:44 +10:00
			`// get the user we want to update`
Refactor user route 2019-11-09 09:18:32 +10:00			`const user = await db.users.findOne({ _id: common.getId(req.body.userId) });`
Ensure admin role is retained on update 2018-02-06 07:43:22 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`// If user not found`
			`if(!user){`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'User not found' });`
Refactor user route 2019-11-09 09:18:32 +10:00			`return;`
			`}`

			`// If the current user changing own account ensure isAdmin retains existing`
			`if(user.userEmail === req.session.user){`
			`isAdmin = user.isAdmin;`
			`}`

			`// if the user we want to edit is not the current logged in user and the current user is not`
			`// an admin we render an access denied message`
			`if(user.userEmail !== req.session.user && req.session.isAdmin === false){`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'Access denied' });`
Refactor user route 2019-11-09 09:18:32 +10:00			`return;`
			`}`

			`// create the update doc`
			`const updateDoc = {};`
			`updateDoc.isAdmin = isAdmin;`
Update tests to update users 2019-11-16 19:57:50 +10:00			`if(req.body.usersName){`
			`updateDoc.usersName = req.body.usersName;`
			`}`
			`if(req.body.userEmail){`
			`updateDoc.userEmail = req.body.userEmail;`
			`}`
Refactor user route 2019-11-09 09:18:32 +10:00			`if(req.body.userPassword){`
			`updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);`
			`}`
Route separation 2018-02-05 23:20:44 +10:00
Validate users routes 2019-11-16 19:37:48 +10:00			`// Validate update user`
			`const schemaResult = validateJson('editUser', updateDoc);`
			`if(!schemaResult.result){`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({`
			`message: 'Failed to create user. Check inputs.',`
			`error: schemaResult.errors`
			`});`
Validate users routes 2019-11-16 19:37:48 +10:00			`return;`
			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`try{`
Update tests to update users 2019-11-16 19:57:50 +10:00			`const updatedUser = await db.users.findOneAndUpdate(`
Refactor user route 2019-11-09 09:18:32 +10:00			`{ _id: common.getId(req.body.userId) },`
Route separation 2018-02-05 23:20:44 +10:00			`{`
			`$set: updateDoc`
Update tests to update users 2019-11-16 19:57:50 +10:00			`}, { multi: false, returnOriginal: false }`
Refactor user route 2019-11-09 09:18:32 +10:00			`);`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00
			`const returnUser = updatedUser.value;`
			`delete returnUser.userPassword;`
			`delete returnUser.apiKey;`
			`res.status(200).json({ message: 'User account updated', user: updatedUser.value });`
			`return;`
Refactor user route 2019-11-09 09:18:32 +10:00			`}catch(ex){`
Update tests to update users 2019-11-16 19:57:50 +10:00			`console.error(colors.red('Failed updating user: ' + ex));`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'Failed to update user' });`
Refactor user route 2019-11-09 09:18:32 +10:00			`}`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`// insert a user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.post('/admin/user/insert', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`

Fix issue with ability to create admin user by setting referrer 2018-05-30 19:05:17 +10:00			`// Check number of users`
Refactor user route 2019-11-09 09:18:32 +10:00			`const userCount = await db.users.countDocuments({});`
			`let isAdmin = false;`

			`// if no users, setup user as admin`
			`if(userCount === 0){`
			`isAdmin = true;`
			`}`

Validate users routes 2019-11-16 19:37:48 +10:00			`const userObj = {`
Refactor user route 2019-11-09 09:18:32 +10:00			`usersName: req.body.usersName,`
			`userEmail: req.body.userEmail,`
			`userPassword: bcrypt.hashSync(req.body.userPassword, 10),`
			`isAdmin: isAdmin`
			`};`

Validate users routes 2019-11-16 19:37:48 +10:00			`// Validate new user`
			`const schemaResult = validateJson('newUser', userObj);`
			`if(!schemaResult.result){`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'Failed to create user. Check inputs.', error: schemaResult.errors });`
Validate users routes 2019-11-16 19:37:48 +10:00			`return;`
			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`// check for existing user`
			`const user = await db.users.findOne({ userEmail: req.body.userEmail });`
			`if(user){`
Fixed error loggging 2019-11-09 10:21:07 +10:00			`console.error(colors.red('Failed to insert user, possibly already exists'));`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'A user with that email address already exists' });`
Refactor user route 2019-11-09 09:18:32 +10:00			`return;`
			`}`
			`// email is ok to be used.`
			`try{`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`const newUser = await db.users.insertOne(userObj);`
			`res.status(200).json({`
			`message: 'User account inserted',`
			`userId: newUser.insertedId`
			`});`
Refactor user route 2019-11-09 09:18:32 +10:00			`}catch(ex){`
Validate users routes 2019-11-16 19:37:48 +10:00			`console.error(colors.red('Failed to insert user: ' + ex));`
Fixed user create and update API endpoints 2019-12-16 14:22:27 +10:00			`res.status(400).json({ message: 'New user creation failed' });`
Refactor user route 2019-11-09 09:18:32 +10:00			`}`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`module.exports = router;`