Sharkey/src/api/private/signin.ts

import * as express from 'express';
import * as bcrypt from 'bcryptjs';
import * as speakeasy from 'speakeasy';
import { default as User, IUser } from '../models/user';
import Signin from '../models/signin';
import serialize from '../serializers/signin';
import event from '../event';
import signin from '../common/signin';

export default async (req: express.Request, res: express.Response) => {
	res.header('Access-Control-Allow-Credentials', 'true');

	const username = req.body['username'];
	const password = req.body['password'];
	const token = req.body['token'];

	if (typeof username != 'string') {
		res.sendStatus(400);
		return;
	}

	if (typeof password != 'string') {
		res.sendStatus(400);
		return;
	}

	if (token != null && typeof token != 'string') {
		res.sendStatus(400);
		return;
	}

	// Fetch user
	const user: IUser = await User.findOne({
		username_lower: username.toLowerCase()
	}, {
		fields: {
			data: false,
			profile: false
		}
	});

	if (user === null) {
		res.status(404).send({
			error: 'user not found'
		});
		return;
	}

	// Compare password
	const same = await bcrypt.compare(password, user.password);

	if (same) {
		if (user.two_factor_enabled) {
			const verified = (speakeasy as any).totp.verify({
				secret: user.two_factor_secret,
				encoding: 'base32',
				token: token
			});

			if (verified) {
				signin(res, user, false);
			} else {
				res.status(400).send({
					error: 'invalid token'
				});
			}
		} else {
			signin(res, user, false);
		}
	} else {
		res.status(400).send({
			error: 'incorrect password'
		});
	}

	// Append signin history
	const record = await Signin.insert({
		created_at: new Date(),
		user_id: user._id,
		ip: req.ip,
		headers: req.headers,
		success: same
	});

	// Publish signin event
	event(user._id, 'signin', await serialize(record));
};