defmodule Mobilizon.GraphQL.Resolvers.User do @moduledoc """ Handles the user-related GraphQL calls. """ import Mobilizon.Users.Guards alias Mobilizon.{Actors, Admin, Config, Events, FollowedGroupActivity, Users} alias Mobilizon.Actors.Actor alias Mobilizon.Federation.ActivityPub.{Actions, Relay} alias Mobilizon.Service.Auth.Authenticator alias Mobilizon.Storage.{Page, Repo} alias Mobilizon.Users.{Setting, User} alias Mobilizon.Web.{Auth, Email} import Mobilizon.Web.Gettext require Logger @doc """ Find an user by its ID """ @spec find_user(any(), map(), Absinthe.Resolution.t()) :: {:ok, User.t()} | {:error, String.t()} def find_user(_parent, %{id: id}, %{context: %{current_user: %User{role: role}}}) when is_moderator(role) do with {:ok, %User{} = user} <- Users.get_user_with_actors(id) do {:ok, user} end end @doc """ Return current logged-in user """ @spec get_current_user(any, map(), Absinthe.Resolution.t()) :: {:error, :unauthenticated} | {:ok, Mobilizon.Users.User.t()} def get_current_user(_parent, _args, %{context: %{current_user: %User{} = user}}) do {:ok, user} end def get_current_user(_parent, _args, _resolution) do {:error, :unauthenticated} end @doc """ List instance users """ @spec list_users(any(), map(), Absinthe.Resolution.t()) :: {:ok, Page.t(User.t())} | {:error, :unauthorized} def list_users( _parent, args, %{context: %{current_user: %User{role: role}}} ) when is_moderator(role) do {:ok, Users.list_users(Keyword.new(args))} end def list_users(_parent, _args, _resolution) do {:error, :unauthorized} end @doc """ Login an user. Returns a token and the user """ @spec login_user(any(), map(), Absinthe.Resolution.t()) :: {:ok, map()} | {:error, :user_not_found | String.t()} def login_user(_parent, %{email: email, password: password}, %{context: context}) do with {:ok, %{ access_token: _access_token, refresh_token: _refresh_token, user: %User{} = user } = user_and_tokens} <- Authenticator.authenticate(email, password), {:ok, %User{} = user} <- update_user_login_information(user, context) do {:ok, %{user_and_tokens | user: user}} else {:error, :user_not_found} -> {:error, :user_not_found} {:error, :disabled_user} -> {:error, dgettext("errors", "This user has been disabled")} {:error, _error} -> {:error, dgettext( "errors", "Impossible to authenticate, either your email or password are invalid." )} end end @doc """ Refresh a token """ @spec refresh_token(any(), map(), Absinthe.Resolution.t()) :: {:ok, map()} | {:error, String.t()} def refresh_token(_parent, %{refresh_token: refresh_token}, _resolution) do with {:ok, user, _claims} <- Auth.Guardian.resource_from_token(refresh_token), {:ok, _old, {exchanged_token, _claims}} <- Auth.Guardian.exchange(refresh_token, "refresh", "access"), {:ok, new_refresh_token} <- Authenticator.generate_refresh_token(user), {:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do {:ok, %{access_token: exchanged_token, refresh_token: new_refresh_token}} else {:error, message} -> Logger.debug("Cannot refresh user token: #{inspect(message)}") {:error, dgettext("errors", "Cannot refresh the token")} end end def refresh_token(_parent, _params, _context) do {:error, dgettext("errors", "You need to have an existing token to get a refresh token")} end @spec logout(any(), map(), Absinthe.Resolution.t()) :: {:ok, String.t()} | {:error, :token_not_found | :unable_to_logout | :unauthenticated | :invalid_argument} def logout(_parent, %{refresh_token: refresh_token}, %{context: %{current_user: %User{}}}) do with {:ok, _claims} <- Auth.Guardian.decode_and_verify(refresh_token, %{"typ" => "refresh"}), {:ok, _claims} <- Auth.Guardian.revoke(refresh_token) do {:ok, refresh_token} else {:error, :token_not_found} -> {:error, :token_not_found} {:error, error} -> Logger.debug("Cannot remove user refresh token: #{inspect(error)}") {:error, :unable_to_logout} end end def logout(_parent, %{refresh_token: _refresh_token}, _context) do {:error, :unauthenticated} end def logout(_parent, _params, _context) do {:error, :invalid_argument} end @doc """ Register an user: - check registrations are enabled - create the user - send a validation email to the user """ @spec create_user(any, %{email: String.t()}, any) :: {:ok, User.t()} | {:error, String.t()} def create_user(_parent, %{email: email} = args, _resolution) do with {:ok, email} <- lowercase_domain(email), :registration_ok <- check_registration_config(email), :not_deny_listed <- check_registration_denylist(email), {:ok, %User{} = user} <- Users.register(%{args | email: email}) do Email.User.send_confirmation_email(user, Map.get(args, :locale, "en")) {:ok, user} else {:error, :invalid_email} -> {:error, dgettext("errors", "Your email seems to be using an invalid format")} :registration_closed -> {:error, dgettext("errors", "Registrations are not open")} :not_allowlisted -> {:error, dgettext("errors", "Your email is not on the allowlist")} :deny_listed -> {:error, dgettext( "errors", "Your e-mail has been denied registration or uses a disallowed e-mail provider" )} {:error, error} -> {:error, error} end end @spec check_registration_config(String.t()) :: :registration_ok | :registration_closed | :not_allowlisted defp check_registration_config(email) do cond do Config.instance_registrations_open?() -> :registration_ok Config.instance_registrations_allowlist?() -> check_allow_listed_email(email) true -> :registration_closed end end @spec check_registration_denylist(String.t()) :: :deny_listed | :not_deny_listed defp check_registration_denylist(email) do # Remove everything behind the + email = String.replace(email, ~r/(\+.*)(?=\@)/, "") if email_in_list?(email, Config.instance_registrations_denylist()), do: :deny_listed, else: :not_deny_listed end @spec check_allow_listed_email(String.t()) :: :registration_ok | :not_allowlisted defp check_allow_listed_email(email) do if email_in_list?(email, Config.instance_registrations_allowlist()), do: :registration_ok, else: :not_allowlisted end @spec email_in_list?(String.t(), list(String.t())) :: boolean() defp email_in_list?(email, list) do [_, domain] = split_email(email) domain in list or email in list end # Domains should always be lower-case, so let's force that @spec lowercase_domain(String.t()) :: {:ok, String.t()} | {:error, :invalid_email} defp lowercase_domain(email) do case split_email(email) do [user_part, domain_part] -> {:ok, "#{user_part}@#{String.downcase(domain_part)}"} _ -> {:error, :invalid_email} end end @spec split_email(String.t()) :: list(String.t()) defp split_email(email), do: String.split(email, "@", parts: 2, trim: true) @doc """ Validate an user, get its actor and a token """ @spec validate_user(map(), %{token: String.t()}, map()) :: {:ok, map()} | {:error, String.t()} def validate_user(_parent, %{token: token}, _resolution) do case Email.User.check_confirmation_token(token) do {:ok, %User{} = user} -> actor = Users.get_actor_for_user(user) {:ok, %{access_token: access_token, refresh_token: refresh_token}} = Authenticator.generate_tokens(user) {:ok, %{ access_token: access_token, refresh_token: refresh_token, user: Map.put(user, :default_actor, actor) }} {:error, :invalid_token} -> Logger.info("Invalid token #{token} to validate user") {:error, dgettext("errors", "Unable to validate user")} {:error, %Ecto.Changeset{} = err} -> Logger.info("Unable to validate user with token #{token}") Logger.debug(inspect(err)) {:error, dgettext("errors", "Unable to validate user")} end end @doc """ Send the confirmation email again. We only do this to accounts not activated """ def resend_confirmation_email(_parent, args, _resolution) do with {:ok, %User{locale: locale} = user} <- Users.get_user_by_email(Map.get(args, :email), activated: false, unconfirmed: false), {:ok, email} <- Email.User.resend_confirmation_email(user, Map.get(args, :locale, locale)) do {:ok, email} else {:error, :user_not_found} -> {:error, dgettext("errors", "No user to validate with this email was found")} {:error, :email_too_soon} -> {:error, dgettext("errors", "You requested again a confirmation email too soon")} end end @doc """ Send an email to reset the password from an user """ def send_reset_password(_parent, args, _resolution) do with email <- Map.get(args, :email), {:ok, %User{locale: locale} = user} <- Users.get_user_by_email(email, activated: true, unconfirmed: false), {:can_reset_password, true} <- {:can_reset_password, Authenticator.can_reset_password?(user)} do Email.User.send_password_reset_email(user, Map.get(args, :locale, locale)) {:ok, email} else {:can_reset_password, false} -> {:error, dgettext("errors", "This user can't reset their password")} {:error, :user_not_found} -> # TODO : implement rate limits for this endpoint {:error, dgettext("errors", "No user with this email was found")} {:error, :email_too_soon} -> {:error, dgettext("errors", "You requested again a confirmation email too soon")} end end @doc """ Reset the password from an user """ @spec reset_password(map(), %{password: String.t(), token: String.t()}, map()) :: {:ok, map()} | {:error, String.t()} def reset_password(_parent, %{password: password, token: token}, _resolution) do case Email.User.check_reset_password_token(password, token) do {:ok, %User{email: email} = user} -> {:ok, tokens} = Authenticator.authenticate(email, password) {:ok, Map.put(tokens, :user, user)} {:error, %Ecto.Changeset{errors: [password: {"registration.error.password_too_short", _}]}} -> {:error, gettext( "The password you have choosen is too short. Please make sure your password contains at least 6 charaters." )} {:error, _err} -> {:error, gettext( "The token you provided is invalid. Make sure that the URL is exactly the one provided inside the email you got." )} end end @doc "Change an user default actor" def change_default_actor( _parent, %{preferred_username: username}, %{context: %{current_user: %User{} = user}} ) do case Actors.get_local_actor_by_name(username) do %Actor{id: actor_id} = actor -> if actor_id in Enum.map(Users.get_actors_for_user(user), & &1.id) do %User{} = user = Users.update_user_default_actor(user, actor) {:ok, user} else {:error, dgettext("errors", "This profile does not belong to you")} end nil -> {:error, dgettext("errors", "Profile with username %{username} not found", %{username: username})} end end def change_default_actor(_parent, _args, _resolution), do: {:error, :unauthenticated} @doc """ Returns the list of events for all of this user's identities are going to """ def user_participations( %User{id: user_id}, args, %{context: %{current_user: %User{id: logged_user_id, role: role}}} ) do with true <- user_id == logged_user_id or is_moderator(role), %Page{} = page <- Events.list_participations_for_user( user_id, Map.get(args, :after_datetime), Map.get(args, :before_datetime), Map.get(args, :page), Map.get(args, :limit) ) do {:ok, page} end end @doc """ Returns the list of groups this user is a member is a member of """ def user_memberships( %User{id: user_id}, %{page: page, limit: limit} = args, %{context: %{current_user: %User{id: logged_user_id}}} ) do with true <- user_id == logged_user_id, memberships <- Actors.list_memberships_for_user( user_id, Map.get(args, :name), page, limit ) do {:ok, memberships} end end @doc """ Returns the list of draft events for the current user """ def user_drafted_events( %User{id: user_id}, args, %{context: %{current_user: %User{id: logged_user_id}}} ) do with {:same_user, true} <- {:same_user, user_id == logged_user_id}, events <- Events.list_drafts_for_user(user_id, Map.get(args, :page), Map.get(args, :limit)) do {:ok, events} end end def change_password( _parent, %{old_password: old_password, new_password: new_password}, %{context: %{current_user: %User{} = user}} ) do with {:can_change_password, true} <- {:can_change_password, Authenticator.can_change_password?(user)}, {:current_password, {:ok, %User{}}} <- {:current_password, Authenticator.login(user.email, old_password)}, {:same_password, false} <- {:same_password, old_password == new_password}, {:ok, %User{} = user} <- user |> User.password_change_changeset(%{"password" => new_password}) |> Repo.update() do {:ok, user} else {:can_change_password, false} -> {:error, dgettext("errors", "You cannot change your password.")} {:current_password, _} -> {:error, dgettext("errors", "The current password is invalid")} {:same_password, true} -> {:error, dgettext("errors", "The new password must be different")} {:error, %Ecto.Changeset{errors: [password: {"registration.error.password_too_short", _}]}} -> {:error, dgettext( "errors", "The password you have chosen is too short. Please make sure your password contains at least 6 characters." )} end end def change_password(_parent, _args, _resolution) do {:error, dgettext("errors", "You need to be logged-in to change your password")} end def change_email(_parent, %{email: new_email, password: password}, %{ context: %{current_user: %User{email: old_email} = user} }) do if Authenticator.can_change_email?(user) do case Authenticator.login(old_email, password) do {:ok, %User{}} -> if new_email != old_email do if Email.Checker.valid?(new_email) do case Users.update_user_email(user, new_email) do {:ok, %User{} = user} -> user |> Email.User.send_email_reset_old_email() |> Email.Mailer.send_email() user |> Email.User.send_email_reset_new_email() |> Email.Mailer.send_email() {:ok, user} {:error, %Ecto.Changeset{} = err} -> Logger.debug(inspect(err)) {:error, dgettext("errors", "Failed to update user email")} end else {:error, dgettext("errors", "The new email doesn't seem to be valid")} end else {:error, dgettext("errors", "The new email must be different")} end {:error, _} -> {:error, dgettext("errors", "The password provided is invalid")} end else {:error, dgettext("errors", "User cannot change email")} end end def change_email(_parent, _args, _resolution) do {:error, dgettext("errors", "You need to be logged-in to change your email")} end @spec validate_email(map(), %{token: String.t()}, map()) :: {:ok, User.t()} | {:error, String.t()} def validate_email(_parent, %{token: token}, _resolution) do case Users.get_user_by_activation_token(token) do %User{} = user -> case Users.validate_email(user) do {:ok, %User{} = user} -> {:ok, user} {:error, %Ecto.Changeset{} = err} -> Logger.debug(inspect(err)) {:error, dgettext("errors", "Failed to validate user email")} end nil -> {:error, dgettext("errors", "Invalid activation token")} end end def delete_account(_parent, %{user_id: user_id}, %{ context: %{ current_user: %User{role: role}, current_actor: %Actor{} = moderator_actor } }) when is_moderator(role) do with %User{disabled: false} = user <- Users.get_user(user_id), {:ok, %User{}} <- do_delete_account(%User{} = user, actor_performing: Relay.get_actor()) do Admin.log_action(moderator_actor, "delete", user) else %User{disabled: true} -> {:error, dgettext("errors", "User already disabled")} end end def delete_account(_parent, args, %{ context: %{current_user: %User{email: email} = user} }) do with {:user_has_password, true} <- {:user_has_password, Authenticator.has_password?(user)}, {:confirmation_password, password} when not is_nil(password) <- {:confirmation_password, Map.get(args, :password)}, {:current_password, {:ok, _}} <- {:current_password, Authenticator.authenticate(email, password)} do do_delete_account(user, reserve_email: false) else # If the user hasn't got any password (3rd-party auth) {:user_has_password, false} -> do_delete_account(user, reserve_email: false) {:confirmation_password, nil} -> {:error, dgettext("errors", "The password provided is invalid")} {:current_password, _} -> {:error, dgettext("errors", "The password provided is invalid")} end end def delete_account(_parent, _args, _resolution) do {:error, dgettext("errors", "You need to be logged-in to delete your account")} end @spec do_delete_account(User.t(), Keyword.t()) :: {:ok, User.t()} defp do_delete_account(%User{} = user, options) do with actors <- Users.get_actors_for_user(user), activated <- not is_nil(user.confirmed_at), # Detach actors from user :ok <- Enum.each(actors, fn actor -> Actors.update_actor(actor, %{user_id: nil}) end), # Launch a background job to delete actors :ok <- Enum.each(actors, fn actor -> actor_performing = Keyword.get(options, :actor_performing, actor) Actions.Delete.delete(actor, actor_performing, true) end) do # Delete user Users.delete_user(user, reserve_email: Keyword.get(options, :reserve_email, activated)) end end @spec user_settings(User.t(), map(), map()) :: {:ok, list(Setting.t())} | {:error, String.t()} def user_settings(%User{} = user, _args, %{ context: %{current_user: %User{role: role}} }) when is_moderator(role) do with {:setting, settings} <- {:setting, Users.get_setting(user)} do {:ok, settings} end end def user_settings(%User{id: user_id} = user, _args, %{ context: %{current_user: %User{id: logged_user_id}} }) do with {:same_user, true} <- {:same_user, user_id == logged_user_id}, {:setting, settings} <- {:setting, Users.get_setting(user)} do {:ok, settings} else {:same_user, _} -> {:error, dgettext("errors", "User requested is not logged-in")} end end @spec set_user_setting(map(), map(), map()) :: {:ok, Setting.t()} | {:error, any()} def set_user_setting(_parent, attrs, %{ context: %{current_user: %User{id: logged_user_id}} }) do attrs = Map.put(attrs, :user_id, logged_user_id) res = case Users.get_setting(logged_user_id) do nil -> Users.create_setting(attrs) %Setting{} = setting -> Users.update_setting(setting, attrs) end case res do {:ok, %Setting{} = setting} -> {:ok, setting} {:error, changeset} -> Logger.debug(inspect(changeset)) {:error, dgettext("errors", "Error while saving user settings")} end end def update_locale(_parent, %{locale: locale}, %{ context: %{current_user: %User{locale: current_locale} = user} }) do if current_locale != locale do case Users.update_user(user, %{locale: locale}) do {:ok, %User{} = updated_user} -> {:ok, updated_user} {:error, %Ecto.Changeset{} = err} -> Logger.debug(err) {:error, dgettext("errors", "Error while updating locale")} end else {:ok, user} end end def user_medias(%User{id: user_id}, %{page: page, limit: limit}, %{ context: %{current_user: %User{id: logged_in_user_id}} }) when user_id == logged_in_user_id do %{elements: elements, total: total} = Mobilizon.Medias.medias_for_user(user_id, page, limit) {:ok, %{ elements: Enum.map(elements, fn element -> %{ name: element.file.name, url: element.file.url, id: element.id, content_type: element.file.content_type, size: element.file.size } end), total: total }} end def user_followed_group_events(%User{id: user_id}, %{page: page, limit: limit} = args, %{ context: %{current_user: %User{id: logged_in_user_id}} }) when user_id == logged_in_user_id do activities = FollowedGroupActivity.user_followed_group_events( user_id, Map.get(args, :after_datetime), page, limit ) activities = %Page{ activities | elements: Enum.map(activities.elements, fn [event, group, profile] -> %{group: group, profile: profile, event: event} end) } {:ok, activities} end @spec update_user_login_information(User.t(), map()) :: {:ok, User.t()} | {:error, Ecto.Changeset.t()} defp update_user_login_information( %User{current_sign_in_at: current_sign_in_at, current_sign_in_ip: current_sign_in_ip} = user, context ) do current_ip = Map.get(context, :ip) now = DateTime.utc_now() Users.update_user(user, %{ last_sign_in_at: current_sign_in_at || now, last_sign_in_ip: current_sign_in_ip || current_ip, current_sign_in_ip: current_ip, current_sign_in_at: now }) end end