// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. // See License.txt for license information. package api4 import ( "net/http" l4g "github.com/alecthomas/log4go" "github.com/mattermost/platform/app" "github.com/mattermost/platform/model" "github.com/mattermost/platform/utils" ) func InitUser() { l4g.Debug(utils.T("api.user.init.debug")) BaseRoutes.Users.Handle("", ApiHandler(createUser)).Methods("POST") BaseRoutes.User.Handle("", ApiSessionRequired(getUser)).Methods("GET") BaseRoutes.User.Handle("", ApiSessionRequired(updateUser)).Methods("PUT") BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST") BaseRoutes.Users.Handle("/logout", ApiHandler(logout)).Methods("POST") } func createUser(c *Context, w http.ResponseWriter, r *http.Request) { user := model.UserFromJson(r.Body) if user == nil { c.SetInvalidParam("user") return } hash := r.URL.Query().Get("h") inviteId := r.URL.Query().Get("iid") // No permission check required var ruser *model.User var err *model.AppError if len(hash) > 0 { ruser, err = app.CreateUserWithHash(user, hash, r.URL.Query().Get("d")) } else if len(inviteId) > 0 { ruser, err = app.CreateUserWithInviteId(user, inviteId, c.GetSiteURL()) } else { ruser, err = app.CreateUserFromSignup(user, c.GetSiteURL()) } if err != nil { c.Err = err return } w.WriteHeader(http.StatusCreated) w.Write([]byte(ruser.ToJson())) } func getUser(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireUserId() if c.Err != nil { return } // No permission check required var user *model.User var err *model.AppError if user, err = app.GetUser(c.Params.UserId); err != nil { c.Err = err return } etag := user.Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress) if HandleEtag(etag, "Get User", w, r) { return } else { app.SanitizeProfile(user, c.IsSystemAdmin()) w.Header().Set(model.HEADER_ETAG_SERVER, etag) w.Write([]byte(user.ToJson())) return } } func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireUserId() if c.Err != nil { return } user := model.UserFromJson(r.Body) if user == nil { c.SetInvalidParam("user") return } if !app.SessionHasPermissionToUser(c.Session, user.Id) { c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } if ruser, err := app.UpdateUserAsUser(user, c.GetSiteURL(), c.IsSystemAdmin()); err != nil { c.Err = err return } else { c.LogAudit("") w.Write([]byte(ruser.ToJson())) } } func login(c *Context, w http.ResponseWriter, r *http.Request) { props := model.MapFromJson(r.Body) id := props["id"] loginId := props["login_id"] password := props["password"] mfaToken := props["token"] deviceId := props["device_id"] ldapOnly := props["ldap_only"] == "true" c.LogAuditWithUserId(id, "attempt - login_id="+loginId) user, err := app.AuthenticateUserForLogin(id, loginId, password, mfaToken, deviceId, ldapOnly) if err != nil { c.LogAuditWithUserId(id, "failure - login_id="+loginId) c.Err = err return } c.LogAuditWithUserId(user.Id, "authenticated") var session *model.Session session, err = app.DoLogin(w, r, user, deviceId) if err != nil { c.Err = err return } c.LogAuditWithUserId(user.Id, "success") c.Session = *session user.Sanitize(map[string]bool{}) w.Write([]byte(user.ToJson())) } func logout(c *Context, w http.ResponseWriter, r *http.Request) { data := make(map[string]string) data["user_id"] = c.Session.UserId Logout(c, w, r) if c.Err == nil { w.Write([]byte(model.MapToJson(data))) } } func Logout(c *Context, w http.ResponseWriter, r *http.Request) { c.LogAudit("") c.RemoveSessionCookie(w, r) if c.Session.Id != "" { if err := app.RevokeSessionById(c.Session.Id); err != nil { c.Err = err return } } ReturnStatusOK(w) }