router.post('/login_account', koaBody, function *() { if (rateLimitReq(this, this.req)) return; const params = this.request.body; const {csrf, account} = typeof(params) === 'string' ? JSON.parse(params) : params; if (!checkCSRF(this, csrf)) return; console.log('-- /login_account -->', this.session.uid, account); try { this.session.a = account; const db_account = yield models.Account.findOne( {attributes: ['user_id'], where: {name: esc(account)}} ); if (db_account) this.session.user = db_account.user_id; this.body = JSON.stringify({status: 'ok'}); } catch (error) { console.error('Error in /login_account api call', this.session.uid, error); this.body = JSON.stringify({error: error.message}); this.status = 500; } recordWebEvent(this, 'api/login_account', account); });
router.post('/accounts', koaBody, function *() { if (rateLimitReq(this, this.req)) return; const params = this.request.body; const account = typeof(params) === 'string' ? JSON.parse(params) : params; if (!checkCSRF(this, account.csrf)) return; console.log('-- /accounts -->', this.session.uid, this.session.user, account); if ($STM_Config.disable_signups) { this.body = JSON.stringify({error: 'New signups are temporary disabled.'}); this.status = 401; return; } const remote_ip = getRemoteIp(this.req); const user_id = this.session.user; if (!user_id) { // require user to sign in with identity provider this.body = JSON.stringify({error: 'Unauthorized'}); this.status = 401; return; } try { const user = yield models.User.findOne( {attributes: ['verified', 'waiting_list'], where: {id: user_id}} ); if (!user) { this.body = JSON.stringify({error: 'Unauthorized'}); this.status = 401; return; } // if (!user.verified) throw new Error('Verified Facebook account is required'); const existing_account = yield models.Account.findOne({ attributes: ['id', 'created_at'], where: {user_id, id: {$gt: 13152}}, order: 'id DESC' }); if (existing_account) { const days_ago = (Date.now() - existing_account.created_at) / 60000 / 60 / 24; if (days_ago < 7) throw new Error("Only one Steem account per user is allowed in order to prevent abuse (Steemit, Inc. funds each new account with 3 STEEM)"); } const same_ip_account = yield models.Account.findOne( {attributes: ['created_at'], where: {remote_ip: esc(remote_ip)}, order: 'id DESC'} ); if (same_ip_account) { const minutes = (Date.now() - same_ip_account.created_at) / 60000; if (minutes < 10) { console.log(`api /accounts: IP rate limit for user ${this.session.uid} #${user_id}, IP ${remote_ip}`); throw new Error('Only one Steem account allowed per IP address every 10 minutes'); } } if (user.waiting_list) { console.log(`api /accounts: waiting_list user ${this.session.uid} #${user_id}`); throw new Error('You are on the waiting list. We will get back to you at the earliest possible opportunity.'); } yield createAccount({ signingKey: config.registrar.signing_key, fee: config.registrar.fee, creator: config.registrar.account, new_account_name: account.name, owner: account.owner_key, active: account.active_key, posting: account.posting_key, memo: account.memo_key, broadcast: true }); console.log('-- create_account_with_keys created -->', this.session.uid, account.name, user.id, account.owner_key); this.body = JSON.stringify({status: 'ok'}); models.Account.create(escAttrs({ user_id, name: account.name, owner_key: account.owner_key, active_key: account.active_key, posting_key: account.posting_key, memo_key: account.memo_key, remote_ip, referrer: this.session.r })).catch(error => { console.error('!!! Can\'t create account model in /accounts api', this.session.uid, error); }); } catch (error) { console.error('Error in /accounts api call', this.session.uid, error.toString()); this.body = JSON.stringify({error: error.message}); this.status = 500; } recordWebEvent(this, 'api/accounts', account ? account.name : 'n/a'); });
function* handleFacebookCallback() { console.log('-- /handle_facebook_callback -->', this.session.uid, this.query); let verified_email = false; try { if (this.query['error[error][message]']) { return logErrorAndRedirect(this, 'facebook:1', this.query['error[error][message]']); } const u = yield retrieveFacebookUserData(this.query.access_token); verified_email = false; // verified_email = !!(u.verified && u.email); const attrs = { uid: this.session.uid, name: u.name, email: u.email, first_name: u.first_name, last_name: u.last_name, birthday: u.birthday ? new Date(u.birthday) : null, gender: u.gender, picture_small: u.picture ? u.picture.data.url : null, location_id: u.location ? u.location.id : null, location_name: u.location ? u.location.name : null, locale: u.locale, timezone: u.timezone, remote_ip: getRemoteIp(this.request.req), verified: u.verified, waiting_list: false, facebook_id: u.id }; const i_attrs = { provider: 'facebook', uid: u.id, name: u.name, email: u.email, verified: u.verified, provider_user_id: u.id }; const i_attrs_email = { provider: 'email', email: u.email, verified: verified_email }; let user = yield findUser({email: u.email, provider_user_id: u.id}); console.log('-- /handle_facebook_callback user id -->', this.session.uid, user ? user.id : 'not found'); let account_recovery_record = null; const provider = 'facebook'; if (this.session.arec) { const arec = yield models.AccountRecoveryRequest.findOne({ attributes: ['id', 'created_at', 'account_name', 'owner_key'], where: {id: this.session.arec} }); if (arec) { const seconds_ago = (Date.now() - arec.created_at) / 1000; console.log('-- /handle_facebook_callback arec -->', this.session.uid, seconds_ago, arec.created_at); if (seconds_ago < 600) account_recovery_record = arec; } } if (account_recovery_record) { if (user) { const existing_account = yield models.Account.findOne({ attributes: ['id'], where: {user_id: user.id, name: account_recovery_record.account_name}, order: 'id DESC' }); if (existing_account) { console.log('-- arec: confirmed user for account -->', this.session.uid, provider, account_recovery_record.id, existing_account.name, this.session.uid, account_recovery_record.owner_key); account_recovery_record.update({user_id: user.id, status: 'confirmed'}); this.redirect('/recover_account_step_2'); } else { console.log('-- arec: failed to confirm user for account (no account) -->', this.session.uid, provider, account_recovery_record.id, user.id, this.session.uid, account_recovery_record.owner_key); account_recovery_record.update({user_id: user.id, status: 'account not found'}); this.body = 'We cannot verify the user account. Please contact support@steemit.com'; } } else { console.log('-- arec: failed to confirm user for account (no user) -->', this.session.uid, provider, this.session.uid, this.session.email); account_recovery_record.update({status: 'user not found'}); this.body = 'We cannot verify the user account. Please contact support@steemit.com'; } return null; } if (!u.email) { console.log('-- /handle_facebook_callback no email -->', this.session.uid, u); this.flash = {alert: 'Facebook login didn\'t provide any email addresses. Please make sure your Facebook account has a primary email address and try again.'}; this.redirect('/'); return; } if (user) { i_attrs_email.user_id = attrs.id = user.id; yield models.User.update(attrs, {where: {id: user.id}}); yield models.Identity.update(i_attrs, {where: {user_id: user.id, provider: 'facebook'}}); if (verified_email) { const eid = yield models.Identity.findOne( {attributes: ['id', 'verified'], where: {user_id: user.id, provider: 'email'}, order: 'id DESC'} ); if (eid) { if (!eid.verified) yield eid.update({email: u.email, verified: true}); } else { yield models.Identity.create(i_attrs_email); } } console.log('-- fb updated user -->', this.session.uid, user.id, u.name, u.email); } else { user = yield models.User.create(attrs); i_attrs_email.user_id = i_attrs.user_id = user.id; console.log('-- fb created user -->', user.id, u.name, u.email); const identity = yield models.Identity.create(i_attrs); console.log('-- fb created identity -->', this.session.uid, identity.id); if (i_attrs_email.email) { const email_identity = yield models.Identity.create(i_attrs_email); console.log('-- fb created email identity -->', this.session.uid, email_identity.id); } } this.session.user = user.id; } catch (error) { return logErrorAndRedirect(this, 'facebook:2', error); } this.flash = {success: 'Successfully authenticated with Facebook'}; if (verified_email) { this.redirect('/create_account'); } else { this.redirect('/enter_email'); } return null; }
function* handleRedditCallback() { try { const u = yield retrieveRedditUserData(this.query.access_token); console.log('-- /handle_reddit_callback -->', this.session.uid, u); let user = yield findUser({provider_user_id: u.id}); console.log('-- /handle_reddit_callback user id -->', this.session.uid, user ? user.id : 'not found'); let account_recovery_record = null; const provider = 'reddit'; if (this.session.arec) { const arec = yield models.AccountRecoveryRequest.findOne({ attributes: ['id', 'created_at', 'account_name', 'owner_key'], where: {id: this.session.arec} }); if (arec) { const seconds_ago = (Date.now() - arec.created_at) / 1000; if (seconds_ago < 600) account_recovery_record = arec; } } if (account_recovery_record) { if (user) { const existing_account = yield models.Account.findOne({ attributes: ['id'], where: {user_id: user.id, name: account_recovery_record.account_name}, order: 'id DESC' }); if (existing_account) { console.log('-- arec: confirmed user for account -->', this.session.uid, provider, account_recovery_record.id, existing_account.name, this.session.uid, account_recovery_record.owner_key); account_recovery_record.update({user_id: user.id, status: 'confirmed'}); this.redirect('/recover_account_step_2'); } else { console.log('-- arec: failed to confirm user for account (no account) -->', this.session.uid, provider, account_recovery_record.id, user.id, this.session.uid, account_recovery_record.owner_key); account_recovery_record.update({user_id: user.id, status: 'account not found'}); this.body = 'We cannot verify the user account. Please contact support@steemit.com'; } } else { console.log('-- arec: failed to confirm user for account (no user) -->', this.session.uid, provider, this.session.arec, this.session.email); account_recovery_record.update({status: 'user not found'}); this.body = 'We cannot verify the user account. Please contact support@steemit.com'; } return null; } const waiting_list = !u.comment_karma || u.comment_karma < 5; const i_attrs = { provider: 'reddit', provider_user_id: u.id, name: u.name, score: u.comment_karma }; const attrs = { id: user ? user.id : null, uid: this.session.uid, name: u.name, remote_ip: getRemoteIp(this.req), verified: false }; if (user) { if (!waiting_list) attrs.waiting_list = false; yield models.User.update(attrs, {where: {id: user.id}}); yield models.Identity.update(i_attrs, {where: {user_id: user.id}}); console.log('-- reddit updated user -->', this.session.uid, user.id, u.name); } else { attrs.waiting_list = waiting_list; user = yield models.User.create(attrs); console.log('-- reddit created user -->', this.session.uid, user.id, u.name); i_attrs.user_id = user.id; const identity = yield models.Identity.create(i_attrs); console.log('-- reddit created identity -->', this.session.uid, identity.id); } this.session.user = user.id; if (waiting_list) { this.redirect('/waiting_list.html'); return null; } } catch (error) { return logErrorAndRedirect(this, 'reddit', error); } this.redirect('/enter_email'); return null; }