feat: Add legal requirements (#1306)

2025-12-21 17:25:39 +03:00 · 2025-08-21 15:10:02 +02:00
parent bb40a22563
commit 2f4bcb0583
122 changed files with 1522 additions and 81 deletions
--- a/server/api/controllers/access-tokens/accept-terms.js
+++ b/server/api/controllers/access-tokens/accept-terms.js
@@ -0,0 +1,133 @@
+/*!
+ * Copyright (c) 2024 PLANKA Software GmbH
+ * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
+ */
+
+const { getRemoteAddress } = require('../../../utils/remote-address');
+
+const { AccessTokenSteps } = require('../../../constants');
+
+const Errors = {
+  INVALID_PENDING_TOKEN: {
+    invalidPendingToken: 'Invalid pending token',
+  },
+  INVALID_SIGNATURE: {
+    invalidSignature: 'Invalid signature',
+  },
+  ADMIN_LOGIN_REQUIRED_TO_INITIALIZE_INSTANCE: {
+    adminLoginRequiredToInitializeInstance: 'Admin login required to initialize instance',
+  },
+};
+
+module.exports = {
+  inputs: {
+    pendingToken: {
+      type: 'string',
+      maxLength: 1024,
+      required: true,
+    },
+    signature: {
+      type: 'string',
+      minLength: 64,
+      maxLength: 64,
+      required: true,
+    },
+  },
+
+  exits: {
+    invalidPendingToken: {
+      responseType: 'unauthorized',
+    },
+    invalidSignature: {
+      responseType: 'forbidden',
+    },
+    adminLoginRequiredToInitializeInstance: {
+      responseType: 'forbidden',
+    },
+  },
+
+  async fn(inputs) {
+    const remoteAddress = getRemoteAddress(this.req);
+    const { httpOnlyToken } = this.req.cookies;
+
+    try {
+      payload = sails.helpers.utils.verifyJwtToken(inputs.pendingToken);
+    } catch (error) {
+      if (error.raw.name === 'TokenExpiredError') {
+        throw Errors.INVALID_PENDING_TOKEN;
+      }
+
+      sails.log.warn(`Invalid pending token! (IP: ${remoteAddress})`);
+      throw Errors.INVALID_PENDING_TOKEN;
+    }
+
+    if (payload.subject !== AccessTokenSteps.ACCEPT_TERMS) {
+      throw Errors.INVALID_PENDING_TOKEN;
+    }
+
+    let session = await Session.qm.getOneUndeletedByPendingToken(inputs.pendingToken);
+
+    if (!session) {
+      sails.log.warn(`Invalid pending token! (IP: ${remoteAddress})`);
+      throw Errors.INVALID_PENDING_TOKEN;
+    }
+
+    if (session.httpOnlyToken && httpOnlyToken !== session.httpOnlyToken) {
+      throw Errors.INVALID_PENDING_TOKEN;
+    }
+
+    let user = await User.qm.getOneById(session.userId, {
+      withDeactivated: false,
+    });
+
+    if (!user) {
+      throw Errors.INVALID_PENDING_TOKEN; // TODO: introduce separate error?
+    }
+
+    if (!user.termsSignature) {
+      const termsSignature = sails.hooks.terms.getSignatureByUserRole(user.role);
+
+      if (inputs.signature !== termsSignature) {
+        throw Errors.INVALID_SIGNATURE;
+      }
+
+      user = await User.qm.updateOne(user.id, {
+        termsSignature,
+        termsAcceptedAt: new Date().toISOString(),
+      });
+    }
+
+    const config = await Config.qm.getOneMain();
+
+    if (!config.isInitialized) {
+      if (user.role === User.Roles.ADMIN) {
+        await Config.qm.updateOneMain({
+          isInitialized: true,
+        });
+      } else {
+        throw Errors.ADMIN_LOGIN_REQUIRED_TO_INITIALIZE_INSTANCE;
+      }
+    }
+
+    const { token: accessToken, payload: accessTokenPayload } = sails.helpers.utils.createJwtToken(
+      user.id,
+    );
+
+    session = await Session.qm.updateOne(session.id, {
+      accessToken,
+      pendingToken: null,
+    });
+
+    if (session.httpOnlyToken && !this.req.isSocket) {
+      sails.helpers.utils.setHttpOnlyTokenCookie(
+        session.httpOnlyToken,
+        accessTokenPayload,
+        this.res,
+      );
+    }
+
+    return {
+      item: accessToken,
+    };
+  },
+};
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@@ -4,7 +4,6 @@
 */

 const bcrypt = require('bcrypt');
-const { v4: uuid } = require('uuid');

 const { isEmailOrUsername } = require('../../../utils/validators');
 const { getRemoteAddress } = require('../../../utils/remote-address');
@@ -22,6 +21,9 @@ const Errors = {
  USE_SINGLE_SIGN_ON: {
    useSingleSignOn: 'Use single sign-on',
  },
+  TERMS_ACCEPTANCE_REQUIRED: {
+    termsAcceptanceRequired: 'Terms acceptance required',
+  },
 };

 module.exports = {
@@ -39,7 +41,6 @@ module.exports = {
    },
    withHttpOnlyToken: {
      type: 'boolean',
-      defaultsTo: false,
    },
  },

@@ -56,6 +57,12 @@ module.exports = {
    useSingleSignOn: {
      responseType: 'forbidden',
    },
+    termsAcceptanceRequired: {
+      responseType: 'forbidden',
+    },
+    adminLoginRequiredToInitializeInstance: {
+      responseType: 'forbidden',
+    },
  },

  async fn(inputs) {
@@ -90,26 +97,19 @@ module.exports = {
        : Errors.INVALID_CREDENTIALS;
    }

-    const { token: accessToken, payload: accessTokenPayload } = sails.helpers.utils.createJwtToken(
-      user.id,
-    );
-
-    const httpOnlyToken = inputs.withHttpOnlyToken ? uuid() : null;
-
-    await Session.qm.createOne({
-      accessToken,
-      httpOnlyToken,
-      remoteAddress,
-      userId: user.id,
-      userAgent: this.req.headers['user-agent'],
-    });
-
-    if (httpOnlyToken && !this.req.isSocket) {
-      sails.helpers.utils.setHttpOnlyTokenCookie(httpOnlyToken, accessTokenPayload, this.res);
-    }
-
-    return {
-      item: accessToken,
-    };
+    return sails.helpers.accessTokens.handleSteps
+      .with({
+        user,
+        remoteAddress,
+        request: this.req,
+        response: this.res,
+        withHttpOnlyToken: inputs.withHttpOnlyToken,
+      })
+      .intercept('adminLoginRequiredToInitializeInstance', (error) => ({
+        adminLoginRequiredToInitializeInstance: error.raw,
+      }))
+      .intercept('termsAcceptanceRequired', (error) => ({
+        termsAcceptanceRequired: error.raw,
+      }));
  },
 };
--- a/server/api/controllers/access-tokens/exchange-with-oidc.js
+++ b/server/api/controllers/access-tokens/exchange-with-oidc.js
@@ -3,8 +3,6 @@
 * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
 */

-const { v4: uuid } = require('uuid');
-
 const { getRemoteAddress } = require('../../../utils/remote-address');

 const Errors = {
@@ -17,6 +15,9 @@ const Errors = {
  INVALID_USERINFO_CONFIGURATION: {
    invalidUserinfoConfiguration: 'Invalid userinfo configuration',
  },
+  TERMS_ACCEPTANCE_REQUIRED: {
+    termsAcceptanceRequired: 'Terms acceptance required',
+  },
  EMAIL_ALREADY_IN_USE: {
    emailAlreadyInUse: 'Email already in use',
  },
@@ -45,7 +46,6 @@ module.exports = {
    },
    withHttpOnlyToken: {
      type: 'boolean',
-      defaultsTo: false,
    },
  },

@@ -59,6 +59,12 @@ module.exports = {
    invalidUserinfoConfiguration: {
      responseType: 'unauthorized',
    },
+    termsAcceptanceRequired: {
+      responseType: 'forbidden',
+    },
+    adminLoginRequiredToInitializeInstance: {
+      responseType: 'forbidden',
+    },
    emailAlreadyInUse: {
      responseType: 'conflict',
    },
@@ -89,26 +95,19 @@ module.exports = {
      .intercept('activeLimitReached', () => Errors.ACTIVE_USERS_LIMIT_REACHED)
      .intercept('missingValues', () => Errors.MISSING_VALUES);

-    const { token: accessToken, payload: accessTokenPayload } = sails.helpers.utils.createJwtToken(
-      user.id,
-    );
-
-    const httpOnlyToken = inputs.withHttpOnlyToken ? uuid() : null;
-
-    await Session.qm.createOne({
-      accessToken,
-      httpOnlyToken,
-      remoteAddress,
-      userId: user.id,
-      userAgent: this.req.headers['user-agent'],
-    });
-
-    if (httpOnlyToken && !this.req.isSocket) {
-      sails.helpers.utils.setHttpOnlyTokenCookie(httpOnlyToken, accessTokenPayload, this.res);
-    }
-
-    return {
-      item: accessToken,
-    };
+    return sails.helpers.accessTokens.handleSteps
+      .with({
+        user,
+        remoteAddress,
+        request: this.req,
+        response: this.res,
+        withHttpOnlyToken: inputs.withHttpOnlyToken,
+      })
+      .intercept('adminLoginRequiredToInitializeInstance', (error) => ({
+        adminLoginRequiredToInitializeInstance: error.raw,
+      }))
+      .intercept('termsAcceptanceRequired', (error) => ({
+        termsAcceptanceRequired: error.raw,
+      }));
  },
 };
--- a/server/api/controllers/access-tokens/revoke-pending-token.js
+++ b/server/api/controllers/access-tokens/revoke-pending-token.js
@@ -0,0 +1,49 @@
+/*!
+ * Copyright (c) 2024 PLANKA Software GmbH
+ * Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
+ */
+
+const Errors = {
+  PENDING_TOKEN_NOT_FOUND: {
+    pendingTokenNotFound: 'Pending token not found',
+  },
+};
+
+module.exports = {
+  inputs: {
+    pendingToken: {
+      type: 'string',
+      maxLength: 1024,
+      required: true,
+    },
+  },
+
+  exits: {
+    pendingTokenNotFound: {
+      responseType: 'notFound',
+    },
+  },
+
+  async fn(inputs) {
+    const { httpOnlyToken } = this.req.cookies;
+    let session = await Session.qm.getOneUndeletedByPendingToken(inputs.pendingToken);
+
+    if (!session) {
+      throw Errors.PENDING_TOKEN_NOT_FOUND;
+    }
+
+    if (session.httpOnlyToken && httpOnlyToken !== session.httpOnlyToken) {
+      throw Errors.PENDING_TOKEN_NOT_FOUND; // Forbidden
+    }
+
+    session = await Session.qm.deleteOneById(session.id);
+
+    if (session.httpOnlyToken && !this.req.isSocket) {
+      sails.helpers.utils.clearHttpOnlyTokenCookie(this.res);
+    }
+
+    return {
+      item: null,
+    };
+  },
+};