From 4229084c6211db3d22cd9abec99b957725650b9e Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Fri, 25 May 2018 15:20:38 +0200 Subject: Add delete function for authenticated users Allow users to delete themselbes. This is require to be GDPR compliant. See: https://gdpr-info.eu/art-17-gdpr/ Signed-off-by: Sheogorath --- lib/web/userRouter.js | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'lib/web/userRouter.js') diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js index 963961c7..b8bd9154 100644 --- a/lib/web/userRouter.js +++ b/lib/web/userRouter.js @@ -3,6 +3,7 @@ const Router = require('express').Router const response = require('../response') +const config = require('../config') const models = require('../models') const logger = require('../logger') const {generateAvatar} = require('../letter-avatars') @@ -36,6 +37,29 @@ UserRouter.get('/me', function (req, res) { } }) +// delete the currently authenticated user +UserRouter.get('/me/delete', function (req, res) { + if (req.isAuthenticated()) { + models.User.findOne({ + where: { + id: req.user.id + } + }).then(function (user) { + if (!user) { return response.errorNotFound(res) } + user.destroy().then(function () { + res.redirect(config.serverURL + '/') + }) + }).catch(function (err) { + logger.error('delete user failed: ' + err) + return response.errorInternalError(res) + }) + } else { + res.send({ + status: 'forbidden' + }) + } +}) + UserRouter.get('/user/:username/avatar.svg', function (req, res, next) { res.setHeader('Content-Type', 'image/svg+xml') res.setHeader('Cache-Control', 'public, max-age=86400') -- cgit v1.2.3 From 70df29790a83db4abb40ed1e16cb05a3aa760672 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Fri, 25 May 2018 18:19:31 +0200 Subject: Add token based security feature In the current setup users could be tricked into deleting their data by providing a malicious link like `[click me](/me/delete)`. This commit prevents such an easy attack and need the user's deleteToken to get his data deleted. In case someone requests his deletion by email you can also ask him for this token. We can add a GUI that shows it later on. Signed-off-by: Sheogorath --- lib/web/userRouter.js | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) (limited to 'lib/web/userRouter.js') diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js index b8bd9154..6832d901 100644 --- a/lib/web/userRouter.js +++ b/lib/web/userRouter.js @@ -38,25 +38,29 @@ UserRouter.get('/me', function (req, res) { }) // delete the currently authenticated user -UserRouter.get('/me/delete', function (req, res) { +UserRouter.get('/me/delete/:token?', function (req, res) { if (req.isAuthenticated()) { models.User.findOne({ where: { id: req.user.id } }).then(function (user) { - if (!user) { return response.errorNotFound(res) } - user.destroy().then(function () { - res.redirect(config.serverURL + '/') - }) + if (!user) { + return response.errorNotFound(res) + } + if (user.deleteToken === req.params.token) { + user.destroy().then(function () { + res.redirect(config.serverURL + '/') + }) + } else { + return response.errorForbidden(res) + } }).catch(function (err) { logger.error('delete user failed: ' + err) return response.errorInternalError(res) }) } else { - res.send({ - status: 'forbidden' - }) + return response.errorForbidden(res) } }) -- cgit v1.2.3 From bcbb8c67c9f8092643c318140f6613324f306bd2 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Sat, 26 May 2018 02:53:21 +0200 Subject: Add note export function This function is the first step to get out data following GDPR about the transportability of data. Details: https://gdpr-info.eu/art-20-gdpr/ Signed-off-by: Sheogorath --- lib/web/userRouter.js | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) (limited to 'lib/web/userRouter.js') diff --git a/lib/web/userRouter.js b/lib/web/userRouter.js index 6832d901..db786d53 100644 --- a/lib/web/userRouter.js +++ b/lib/web/userRouter.js @@ -1,5 +1,7 @@ 'use strict' +const archiver = require('archiver') +const async = require('async') const Router = require('express').Router const response = require('../response') @@ -64,6 +66,60 @@ UserRouter.get('/me/delete/:token?', function (req, res) { } }) +// export the data of the authenticated user +UserRouter.get('/me/export', function (req, res) { + if (req.isAuthenticated()) { + // let output = fs.createWriteStream(__dirname + '/example.zip'); + let archive = archiver('zip', { + zlib: { level: 3 } // Sets the compression level. + }) + res.setHeader('Content-Type', 'application/zip') + res.attachment('archive.zip') + archive.pipe(res) + archive.on('error', function (err) { + logger.error('export user data failed: ' + err) + return response.errorInternalError(res) + }) + models.User.findOne({ + where: { + id: req.user.id + } + }).then(function (user) { + models.Note.findAll({ + where: { + ownerId: user.id + } + }).then(function (notes) { + let list = [] + async.each(notes, function (note, callback) { + let title + let extension = '' + do { + title = note.title + extension + extension++ + } while (list.indexOf(title) !== -1) + + list.push(title) + logger.debug('Write: ' + title + '.md') + archive.append(Buffer.from(note.content), { name: title + '.md', date: note.lastchangeAt }) + callback(null, null) + }, function (err) { + if (err) { + return response.errorInternalError(res) + } + + archive.finalize() + }) + }) + }).catch(function (err) { + logger.error('export user data failed: ' + err) + return response.errorInternalError(res) + }) + } else { + return response.errorForbidden(res) + } +}) + UserRouter.get('/user/:username/avatar.svg', function (req, res, next) { res.setHeader('Content-Type', 'image/svg+xml') res.setHeader('Cache-Control', 'public, max-age=86400') -- cgit v1.2.3