expressCart/routes/user.js

const express = require('express');
const common = require('../lib/common');
const { restrict } = require('../lib/auth');
const colors = require('colors');
const bcrypt = require('bcryptjs');
const router = express.Router();

router.get('/admin/users', restrict, async (req, res) => {
    const db = req.app.db;
    const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();

    if(req.apiAuthenticated){
        res.status(200).json(users);
        return;
    }

    res.render('users', {
        title: 'Users',
        users: users,
        admin: true,
        config: req.app.config,
        isAdmin: req.session.isAdmin,
        helpers: req.handlebars.helpers,
        session: req.session,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType')
    });
});

// edit user
router.get('/admin/user/edit/:id', restrict, async (req, res) => {
    const db = req.app.db;
    const user = await db.users.findOne({ _id: common.getId(req.params.id) });

    // Check user is found
    if(!user){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'User not found' });
            return;
        }

        req.session.message = 'User not found';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // if the user we want to edit is not the current logged in user and the current user is not
    // an admin we render an access denied message
    if(user.userEmail !== req.session.user && req.session.isAdmin === false){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Access denied' });
            return;
        }

        req.session.message = 'Access denied';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    res.render('user_edit', {
        title: 'User edit',
        user: user,
        admin: true,
        session: req.session,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType'),
        helpers: req.handlebars.helpers,
        config: req.app.config
    });
});

// users new
router.get('/admin/user/new', restrict, (req, res) => {
    res.render('user_new', {
        title: 'User - New',
        admin: true,
        session: req.session,
        helpers: req.handlebars.helpers,
        message: common.clearSessionValue(req.session, 'message'),
        messageType: common.clearSessionValue(req.session, 'messageType'),
        config: req.app.config
    });
});

// delete user
router.get('/admin/user/delete/:id', restrict, async (req, res) => {
    const db = req.app.db;

    // userId
    if(req.session.isAdmin !== true){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Access denied' });
            return;
        }

        req.session.message = 'Access denied.';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // Cannot delete your own account
    if(req.session.userId === req.params.id){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Unable to delete own user account' });
            return;
        }

        req.session.message = 'Unable to delete own user account.';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    const user = await db.users.findOne({ _id: common.getId(req.params.id) });

    // If user is not found
    if(!user){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'User not found.' });
            return;
        }

        req.session.message = 'User not found.';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // Cannot delete the original user/owner
    if(user.isOwner){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Access denied.' });
            return;
        }

        req.session.message = 'Access denied.';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    try{
        await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});
        if(req.apiAuthenticated){
            res.status(200).json({ message: 'User deleted.' });
            return;
        }
        req.session.message = 'User deleted.';
        req.session.messageType = 'success';
        res.redirect('/admin/users');
    }catch(ex){
        console.log('Failed to delete user', ex);
        if(req.apiAuthenticated){
            res.status(200).json({ message: 'Cannot delete user' });
            return;
        }
        req.session.message = 'Cannot delete user';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
    };
});

// update a user
router.post('/admin/user/update', restrict, async (req, res) => {
    const db = req.app.db;

    let isAdmin = req.body.user_admin === 'on';

    // get the user we want to update
    const user = await db.users.findOne({ _id: common.getId(req.body.userId) });

    // If user not found
    if(!user){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'User not found' });
            return;
        }

        req.session.message = 'User not found';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // If the current user changing own account ensure isAdmin retains existing
    if(user.userEmail === req.session.user){
        isAdmin = user.isAdmin;
    }

    // if the user we want to edit is not the current logged in user and the current user is not
    // an admin we render an access denied message
    if(user.userEmail !== req.session.user && req.session.isAdmin === false){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Access denied' });
            return;
        }

        req.session.message = 'Access denied';
        req.session.messageType = 'danger';
        res.redirect('/admin/users');
        return;
    }

    // create the update doc
    const updateDoc = {};
    updateDoc.isAdmin = isAdmin;
    updateDoc.usersName = req.body.usersName;
    if(req.body.userPassword){
        updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);
    }

    try{
        await db.users.updateOne(
            { _id: common.getId(req.body.userId) },
            {
                $set: updateDoc
            }, { multi: false }
        );
        if(req.apiAuthenticated){
            res.status(200).json({ message: 'User account updated.' });
            return;
        }
        // show the view
        req.session.message = 'User account updated.';
        req.session.messageType = 'success';
        res.redirect('/admin/user/edit/' + req.body.userId);
    }catch(ex){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'Failed to update user' });
            return;
        }
        console.error(colors.red('Failed updating user: ' + ex));
        req.session.message = 'Failed to update user';
        req.session.messageType = 'danger';
        res.redirect('/admin/user/edit/' + req.body.userId);
    }
});

// insert a user
router.post('/admin/user/insert', restrict, async (req, res) => {
    const db = req.app.db;

    // set the account to admin if using the setup form. Eg: First user account
    const urlParts = new URL(req.header('Referer'));

    // Check number of users
    const userCount = await db.users.countDocuments({});
    let isAdmin = false;

    // if no users, setup user as admin
    if(userCount === 0){
        isAdmin = true;
    }

    const doc = {
        usersName: req.body.usersName,
        userEmail: req.body.userEmail,
        userPassword: bcrypt.hashSync(req.body.userPassword, 10),
        isAdmin: isAdmin
    };

    // check for existing user
    const user = await db.users.findOne({ userEmail: req.body.userEmail });
    if(user){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'A user with that email address already exists' });
            return;
        }
        // user already exists with that email address
        console.error(colors.red('Failed to insert user, possibly already exists'));
        req.session.message = 'A user with that email address already exists';
        req.session.messageType = 'danger';
        res.redirect('/admin/user/new');
        return;
    }
    // email is ok to be used.
    try{
        await db.users.insertOne(doc);
        // if from setup we add user to session and redirect to login.
        // Otherwise we show users screen
        if(urlParts.path === '/admin/setup'){
            req.session.user = req.body.userEmail;
            res.redirect('/admin/login');
            return;
        }
        if(req.apiAuthenticated){
            res.status(200).json({ message: 'User account inserted' });
            return;
        }

        req.session.message = 'User account inserted';
        req.session.messageType = 'success';
        res.redirect('/admin/users');
    }catch(ex){
        if(req.apiAuthenticated){
            res.status(400).json({ message: 'New user creation failed' });
            return;
        }
        console.error(colors.red('Failed to insert user: ' + ex));
        req.session.message = 'New user creation failed';
        req.session.messageType = 'danger';
        res.redirect('/admin/user/new');
    }
});

module.exports = router;
Route separation 2018-02-05 23:20:44 +10:00			`const express = require('express');`
Moved common helper to more logical location 2018-02-06 04:20:30 +10:00			`const common = require('../lib/common');`
Linting and refactoring 2019-06-15 14:46:08 +10:00			`const { restrict } = require('../lib/auth');`
Route separation 2018-02-05 23:20:44 +10:00			`const colors = require('colors');`
			`const bcrypt = require('bcryptjs');`
			`const router = express.Router();`

Refactor user route 2019-11-09 09:18:32 +10:00			`router.get('/admin/users', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Refactor user route 2019-11-09 09:18:32 +10:00			`const users = await db.users.find({}, { projection: { userPassword: 0 } }).toArray();`

			`if(req.apiAuthenticated){`
			`res.status(200).json(users);`
			`return;`
			`}`

			`res.render('users', {`
			`title: 'Users',`
			`users: users,`
			`admin: true,`
			`config: req.app.config,`
			`isAdmin: req.session.isAdmin,`
			`helpers: req.handlebars.helpers,`
			`session: req.session,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType')`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

			`// edit user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.get('/admin/user/edit/:id', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Refactor user route 2019-11-09 09:18:32 +10:00			`const user = await db.users.findOne({ _id: common.getId(req.params.id) });`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`// Check user is found`
			`if(!user){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'User not found' });`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00			`return;`
Enhancing user management 2019-11-07 16:36:20 +10:00			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'User not found';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`// if the user we want to edit is not the current logged in user and the current user is not`
			`// an admin we render an access denied message`
			`if(user.userEmail !== req.session.user && req.session.isAdmin === false){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Access denied' });`
Route separation 2018-02-05 23:20:44 +10:00			`return;`
			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'Access denied';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`res.render('user_edit', {`
			`title: 'User edit',`
			`user: user,`
			`admin: true,`
			`session: req.session,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType'),`
			`helpers: req.handlebars.helpers,`
			`config: req.app.config`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

			`// users new`
Linting and refactoring 2019-06-15 14:46:08 +10:00			`router.get('/admin/user/new', restrict, (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`res.render('user_new', {`
			`title: 'User - New',`
			`admin: true,`
			`session: req.session,`
			`helpers: req.handlebars.helpers,`
			`message: common.clearSessionValue(req.session, 'message'),`
			`messageType: common.clearSessionValue(req.session, 'messageType'),`
Started adding some tests 2018-02-23 03:41:24 +10:00			`config: req.app.config`
Route separation 2018-02-05 23:20:44 +10:00			`});`
			`});`

			`// delete user`
Enhancing user management 2019-11-07 16:36:20 +10:00			`router.get('/admin/user/delete/:id', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
			`// userId`
Enhancing user management 2019-11-07 16:36:20 +10:00			`if(req.session.isAdmin !== true){`
Refactor user route 2019-11-09 09:18:32 +10:00			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Access denied' });`
			`return;`
			`}`

Enhancing user management 2019-11-07 16:36:20 +10:00			`req.session.message = 'Access denied.';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`
Stopped deleting of own user account 2019-11-06 20:57:00 +10:00
Enhancing user management 2019-11-07 16:36:20 +10:00			`// Cannot delete your own account`
			`if(req.session.userId === req.params.id){`
Refactor user route 2019-11-09 09:18:32 +10:00			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Unable to delete own user account' });`
			`return;`
			`}`

Enhancing user management 2019-11-07 16:36:20 +10:00			`req.session.message = 'Unable to delete own user account.';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`const user = await db.users.findOne({ _id: common.getId(req.params.id) });`

			`// If user is not found`
			`if(!user){`
Refactor user route 2019-11-09 09:18:32 +10:00			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'User not found.' });`
			`return;`
			`}`

Enhancing user management 2019-11-07 16:36:20 +10:00			`req.session.message = 'User not found.';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`// Cannot delete the original user/owner`
			`if(user.isOwner){`
Refactor user route 2019-11-09 09:18:32 +10:00			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Access denied.' });`
			`return;`
			`}`

Route separation 2018-02-05 23:20:44 +10:00			`req.session.message = 'Access denied.';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
Enhancing user management 2019-11-07 16:36:20 +10:00			`return;`
Route separation 2018-02-05 23:20:44 +10:00			`}`
Enhancing user management 2019-11-07 16:36:20 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`try{`
			`await db.users.deleteOne({ _id: common.getId(req.params.id) }, {});`
			`if(req.apiAuthenticated){`
			`res.status(200).json({ message: 'User deleted.' });`
			`return;`
Enhancing user management 2019-11-07 16:36:20 +10:00			`}`
			`req.session.message = 'User deleted.';`
			`req.session.messageType = 'success';`
			`res.redirect('/admin/users');`
Refactor user route 2019-11-09 09:18:32 +10:00			`}catch(ex){`
			`console.log('Failed to delete user', ex);`
			`if(req.apiAuthenticated){`
			`res.status(200).json({ message: 'Cannot delete user' });`
			`return;`
			`}`
			`req.session.message = 'Cannot delete user';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`};`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`// update a user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.post('/admin/user/update', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`

Fixed permissions 2018-02-06 07:28:04 +10:00			`let isAdmin = req.body.user_admin === 'on';`
Route separation 2018-02-05 23:20:44 +10:00
			`// get the user we want to update`
Refactor user route 2019-11-09 09:18:32 +10:00			`const user = await db.users.findOne({ _id: common.getId(req.body.userId) });`
Ensure admin role is retained on update 2018-02-06 07:43:22 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`// If user not found`
			`if(!user){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'User not found' });`
			`return;`
Ensure admin role is retained on update 2018-02-06 07:43:22 +10:00			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'User not found';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`// If the current user changing own account ensure isAdmin retains existing`
			`if(user.userEmail === req.session.user){`
			`isAdmin = user.isAdmin;`
			`}`

			`// if the user we want to edit is not the current logged in user and the current user is not`
			`// an admin we render an access denied message`
			`if(user.userEmail !== req.session.user && req.session.isAdmin === false){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Access denied' });`
Route separation 2018-02-05 23:20:44 +10:00			`return;`
			`}`

Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'Access denied';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/users');`
			`return;`
			`}`

			`// create the update doc`
			`const updateDoc = {};`
			`updateDoc.isAdmin = isAdmin;`
			`updateDoc.usersName = req.body.usersName;`
			`if(req.body.userPassword){`
			`updateDoc.userPassword = bcrypt.hashSync(req.body.userPassword);`
			`}`
Route separation 2018-02-05 23:20:44 +10:00
Refactor user route 2019-11-09 09:18:32 +10:00			`try{`
			`await db.users.updateOne(`
			`{ _id: common.getId(req.body.userId) },`
Route separation 2018-02-05 23:20:44 +10:00			`{`
			`$set: updateDoc`
Refactor user route 2019-11-09 09:18:32 +10:00			`}, { multi: false }`
			`);`
			`if(req.apiAuthenticated){`
			`res.status(200).json({ message: 'User account updated.' });`
			`return;`
			`}`
			`// show the view`
			`req.session.message = 'User account updated.';`
			`req.session.messageType = 'success';`
			`res.redirect('/admin/user/edit/' + req.body.userId);`
			`}catch(ex){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'Failed to update user' });`
			`return;`
			`}`
			`console.error(colors.red('Failed updating user: ' + ex));`
			`req.session.message = 'Failed to update user';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/user/edit/' + req.body.userId);`
			`}`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`// insert a user`
Refactor user route 2019-11-09 09:18:32 +10:00			`router.post('/admin/user/insert', restrict, async (req, res) => {`
Route separation 2018-02-05 23:20:44 +10:00			`const db = req.app.db;`

			`// set the account to admin if using the setup form. Eg: First user account`
Linting 2019-07-12 18:06:34 +10:00			`const urlParts = new URL(req.header('Referer'));`
Route separation 2018-02-05 23:20:44 +10:00
Fix issue with ability to create admin user by setting referrer 2018-05-30 19:05:17 +10:00			`// Check number of users`
Refactor user route 2019-11-09 09:18:32 +10:00			`const userCount = await db.users.countDocuments({});`
			`let isAdmin = false;`

			`// if no users, setup user as admin`
			`if(userCount === 0){`
			`isAdmin = true;`
			`}`

			`const doc = {`
			`usersName: req.body.usersName,`
			`userEmail: req.body.userEmail,`
			`userPassword: bcrypt.hashSync(req.body.userPassword, 10),`
			`isAdmin: isAdmin`
			`};`

			`// check for existing user`
			`const user = await db.users.findOne({ userEmail: req.body.userEmail });`
			`if(user){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'A user with that email address already exists' });`
			`return;`
			`}`
			`// user already exists with that email address`
Fixed error loggging 2019-11-09 10:21:07 +10:00			`console.error(colors.red('Failed to insert user, possibly already exists'));`
Refactor user route 2019-11-09 09:18:32 +10:00			`req.session.message = 'A user with that email address already exists';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/user/new');`
			`return;`
			`}`
			`// email is ok to be used.`
			`try{`
			`await db.users.insertOne(doc);`
			`// if from setup we add user to session and redirect to login.`
			`// Otherwise we show users screen`
			`if(urlParts.path === '/admin/setup'){`
			`req.session.user = req.body.userEmail;`
			`res.redirect('/admin/login');`
			`return;`
			`}`
			`if(req.apiAuthenticated){`
			`res.status(200).json({ message: 'User account inserted' });`
			`return;`
			`}`

			`req.session.message = 'User account inserted';`
			`req.session.messageType = 'success';`
			`res.redirect('/admin/users');`
			`}catch(ex){`
			`if(req.apiAuthenticated){`
			`res.status(400).json({ message: 'New user creation failed' });`
			`return;`
			`}`
			`console.error(colors.red('Failed to insert user: ' + ex));`
			`req.session.message = 'New user creation failed';`
			`req.session.messageType = 'danger';`
			`res.redirect('/admin/user/new');`
			`}`
Route separation 2018-02-05 23:20:44 +10:00			`});`

			`module.exports = router;`