123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531 |
- package v2
- import (
- "context"
- "fmt"
- "net/http"
- "strings"
- "time"
- "github.com/golang-jwt/jwt/v5"
- "github.com/labstack/echo/v4"
- "github.com/pkg/errors"
- "golang.org/x/crypto/bcrypt"
- "golang.org/x/exp/slices"
- "google.golang.org/grpc/codes"
- "google.golang.org/grpc/status"
- "google.golang.org/protobuf/types/known/timestamppb"
- "github.com/usememos/memos/api/auth"
- "github.com/usememos/memos/internal/util"
- apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
- storepb "github.com/usememos/memos/proto/gen/store"
- "github.com/usememos/memos/store"
- )
- func (s *APIV2Service) ListUsers(ctx context.Context, _ *apiv2pb.ListUsersRequest) (*apiv2pb.ListUsersResponse, error) {
- currentUser, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- users, err := s.Store.ListUsers(ctx, &store.FindUser{})
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to list users: %v", err)
- }
- response := &apiv2pb.ListUsersResponse{
- Users: []*apiv2pb.User{},
- }
- for _, user := range users {
- response.Users = append(response.Users, convertUserFromStore(user))
- }
- return response, nil
- }
- func (s *APIV2Service) GetUser(ctx context.Context, request *apiv2pb.GetUserRequest) (*apiv2pb.GetUserResponse, error) {
- username, err := ExtractUsernameFromName(request.Name)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "name is required")
- }
- user, err := s.Store.GetUser(ctx, &store.FindUser{
- Username: &username,
- })
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if user == nil {
- return nil, status.Errorf(codes.NotFound, "user not found")
- }
- userMessage := convertUserFromStore(user)
- response := &apiv2pb.GetUserResponse{
- User: userMessage,
- }
- return response, nil
- }
- func (s *APIV2Service) CreateUser(ctx context.Context, request *apiv2pb.CreateUserRequest) (*apiv2pb.CreateUserResponse, error) {
- currentUser, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if currentUser.Role != store.RoleHost {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- username, err := ExtractUsernameFromName(request.User.Name)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "name is required")
- }
- if !util.ResourceNameMatcher.MatchString(strings.ToLower(username)) {
- return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", username)
- }
- passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
- if err != nil {
- return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
- }
- user, err := s.Store.CreateUser(ctx, &store.User{
- Username: username,
- Role: convertUserRoleToStore(request.User.Role),
- Email: request.User.Email,
- Nickname: request.User.Nickname,
- PasswordHash: string(passwordHash),
- })
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to create user: %v", err)
- }
- response := &apiv2pb.CreateUserResponse{
- User: convertUserFromStore(user),
- }
- return response, nil
- }
- func (s *APIV2Service) UpdateUser(ctx context.Context, request *apiv2pb.UpdateUserRequest) (*apiv2pb.UpdateUserResponse, error) {
- username, err := ExtractUsernameFromName(request.User.Name)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "name is required")
- }
- currentUser, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
- return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
- }
- user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if user == nil {
- return nil, status.Errorf(codes.NotFound, "user not found")
- }
- currentTs := time.Now().Unix()
- update := &store.UpdateUser{
- ID: user.ID,
- UpdatedTs: ¤tTs,
- }
- for _, field := range request.UpdateMask.Paths {
- if field == "username" {
- if !util.ResourceNameMatcher.MatchString(strings.ToLower(request.User.Username)) {
- return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", request.User.Username)
- }
- update.Username = &request.User.Username
- } else if field == "nickname" {
- update.Nickname = &request.User.Nickname
- } else if field == "email" {
- update.Email = &request.User.Email
- } else if field == "avatar_url" {
- update.AvatarURL = &request.User.AvatarUrl
- } else if field == "role" {
- role := convertUserRoleToStore(request.User.Role)
- update.Role = &role
- } else if field == "password" {
- passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
- if err != nil {
- return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
- }
- passwordHashStr := string(passwordHash)
- update.PasswordHash = &passwordHashStr
- } else if field == "row_status" {
- rowStatus := convertRowStatusToStore(request.User.RowStatus)
- update.RowStatus = &rowStatus
- } else {
- return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
- }
- }
- updatedUser, err := s.Store.UpdateUser(ctx, update)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to update user: %v", err)
- }
- response := &apiv2pb.UpdateUserResponse{
- User: convertUserFromStore(updatedUser),
- }
- return response, nil
- }
- func (s *APIV2Service) DeleteUser(ctx context.Context, request *apiv2pb.DeleteUserRequest) (*apiv2pb.DeleteUserResponse, error) {
- username, err := ExtractUsernameFromName(request.Name)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "name is required")
- }
- currentUser, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
- }
- if user == nil {
- return nil, status.Errorf(codes.NotFound, "user not found")
- }
- if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
- ID: user.ID,
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to delete user: %v", err)
- }
- return &apiv2pb.DeleteUserResponse{}, nil
- }
- func getDefaultUserSetting() *apiv2pb.UserSetting {
- return &apiv2pb.UserSetting{
- Locale: "en",
- Appearance: "system",
- MemoVisibility: "PRIVATE",
- }
- }
- func (s *APIV2Service) GetUserSetting(ctx context.Context, _ *apiv2pb.GetUserSettingRequest) (*apiv2pb.GetUserSettingResponse, error) {
- user, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
- }
- userSettings, err := s.Store.ListUserSettings(ctx, &store.FindUserSetting{
- UserID: &user.ID,
- })
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to list user settings: %v", err)
- }
- userSettingMessage := getDefaultUserSetting()
- for _, setting := range userSettings {
- if setting.Key == storepb.UserSettingKey_USER_SETTING_LOCALE {
- userSettingMessage.Locale = setting.GetLocale()
- } else if setting.Key == storepb.UserSettingKey_USER_SETTING_APPEARANCE {
- userSettingMessage.Appearance = setting.GetAppearance()
- } else if setting.Key == storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY {
- userSettingMessage.MemoVisibility = setting.GetMemoVisibility()
- } else if setting.Key == storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID {
- userSettingMessage.TelegramUserId = setting.GetTelegramUserId()
- }
- }
- return &apiv2pb.GetUserSettingResponse{
- Setting: userSettingMessage,
- }, nil
- }
- func (s *APIV2Service) UpdateUserSetting(ctx context.Context, request *apiv2pb.UpdateUserSettingRequest) (*apiv2pb.UpdateUserSettingResponse, error) {
- user, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
- }
- if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
- return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
- }
- for _, field := range request.UpdateMask.Paths {
- if field == "locale" {
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_LOCALE,
- Value: &storepb.UserSetting_Locale{
- Locale: request.Setting.Locale,
- },
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
- }
- } else if field == "appearance" {
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_APPEARANCE,
- Value: &storepb.UserSetting_Appearance{
- Appearance: request.Setting.Appearance,
- },
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
- }
- } else if field == "memo_visibility" {
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY,
- Value: &storepb.UserSetting_MemoVisibility{
- MemoVisibility: request.Setting.MemoVisibility,
- },
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
- }
- } else if field == "telegram_user_id" {
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID,
- Value: &storepb.UserSetting_TelegramUserId{
- TelegramUserId: request.Setting.TelegramUserId,
- },
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
- }
- } else {
- return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
- }
- }
- userSettingResponse, err := s.GetUserSetting(ctx, &apiv2pb.GetUserSettingRequest{})
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get user setting: %v", err)
- }
- return &apiv2pb.UpdateUserSettingResponse{
- Setting: userSettingResponse.Setting,
- }, nil
- }
- func (s *APIV2Service) ListUserAccessTokens(ctx context.Context, request *apiv2pb.ListUserAccessTokensRequest) (*apiv2pb.ListUserAccessTokensResponse, error) {
- user, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
- }
- if user == nil {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- userID := user.ID
- username, err := ExtractUsernameFromName(request.Name)
- if err != nil {
- return nil, status.Errorf(codes.InvalidArgument, "name is required")
- }
- // List access token for other users need to be verified.
- if user.Username != username {
- // Normal users can only list their access tokens.
- if user.Role == store.RoleUser {
- return nil, status.Errorf(codes.PermissionDenied, "permission denied")
- }
- // The request user must be exist.
- requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
- if requestUser == nil || err != nil {
- return nil, status.Errorf(codes.NotFound, "fail to find user %s", username)
- }
- userID = requestUser.ID
- }
- userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, userID)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
- }
- accessTokens := []*apiv2pb.UserAccessToken{}
- for _, userAccessToken := range userAccessTokens {
- claims := &auth.ClaimsMessage{}
- _, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
- if t.Method.Alg() != jwt.SigningMethodHS256.Name {
- return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
- }
- if kid, ok := t.Header["kid"].(string); ok {
- if kid == "v1" {
- return []byte(s.Secret), nil
- }
- }
- return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
- })
- if err != nil {
- // If the access token is invalid or expired, just ignore it.
- continue
- }
- userAccessToken := &apiv2pb.UserAccessToken{
- AccessToken: userAccessToken.AccessToken,
- Description: userAccessToken.Description,
- IssuedAt: timestamppb.New(claims.IssuedAt.Time),
- }
- if claims.ExpiresAt != nil {
- userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
- }
- accessTokens = append(accessTokens, userAccessToken)
- }
- // Sort by issued time in descending order.
- slices.SortFunc(accessTokens, func(i, j *apiv2pb.UserAccessToken) int {
- return int(i.IssuedAt.Seconds - j.IssuedAt.Seconds)
- })
- response := &apiv2pb.ListUserAccessTokensResponse{
- AccessTokens: accessTokens,
- }
- return response, nil
- }
- func (s *APIV2Service) CreateUserAccessToken(ctx context.Context, request *apiv2pb.CreateUserAccessTokenRequest) (*apiv2pb.CreateUserAccessTokenResponse, error) {
- user, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
- }
- expiresAt := time.Time{}
- if request.ExpiresAt != nil {
- expiresAt = request.ExpiresAt.AsTime()
- }
- accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expiresAt, []byte(s.Secret))
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
- }
- claims := &auth.ClaimsMessage{}
- _, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
- if t.Method.Alg() != jwt.SigningMethodHS256.Name {
- return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
- }
- if kid, ok := t.Header["kid"].(string); ok {
- if kid == "v1" {
- return []byte(s.Secret), nil
- }
- }
- return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
- })
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to parse access token: %v", err)
- }
- // Upsert the access token to user setting store.
- if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, request.Description); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert access token to store: %v", err)
- }
- userAccessToken := &apiv2pb.UserAccessToken{
- AccessToken: accessToken,
- Description: request.Description,
- IssuedAt: timestamppb.New(claims.IssuedAt.Time),
- }
- if claims.ExpiresAt != nil {
- userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
- }
- response := &apiv2pb.CreateUserAccessTokenResponse{
- AccessToken: userAccessToken,
- }
- return response, nil
- }
- func (s *APIV2Service) DeleteUserAccessToken(ctx context.Context, request *apiv2pb.DeleteUserAccessTokenRequest) (*apiv2pb.DeleteUserAccessTokenResponse, error) {
- user, err := getCurrentUser(ctx, s.Store)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
- }
- userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
- if err != nil {
- return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
- }
- updatedUserAccessTokens := []*storepb.AccessTokensUserSetting_AccessToken{}
- for _, userAccessToken := range userAccessTokens {
- if userAccessToken.AccessToken == request.AccessToken {
- continue
- }
- updatedUserAccessTokens = append(updatedUserAccessTokens, userAccessToken)
- }
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
- Value: &storepb.UserSetting_AccessTokens{
- AccessTokens: &storepb.AccessTokensUserSetting{
- AccessTokens: updatedUserAccessTokens,
- },
- },
- }); err != nil {
- return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
- }
- return &apiv2pb.DeleteUserAccessTokenResponse{}, nil
- }
- func (s *APIV2Service) UpsertAccessTokenToStore(ctx context.Context, user *store.User, accessToken, description string) error {
- userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
- if err != nil {
- return errors.Wrap(err, "failed to get user access tokens")
- }
- userAccessToken := storepb.AccessTokensUserSetting_AccessToken{
- AccessToken: accessToken,
- Description: description,
- }
- userAccessTokens = append(userAccessTokens, &userAccessToken)
- if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
- UserId: user.ID,
- Key: storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
- Value: &storepb.UserSetting_AccessTokens{
- AccessTokens: &storepb.AccessTokensUserSetting{
- AccessTokens: userAccessTokens,
- },
- },
- }); err != nil {
- return errors.Wrap(err, "failed to upsert user setting")
- }
- return nil
- }
- func convertUserFromStore(user *store.User) *apiv2pb.User {
- return &apiv2pb.User{
- Name: fmt.Sprintf("%s%s", UserNamePrefix, user.Username),
- Id: user.ID,
- RowStatus: convertRowStatusFromStore(user.RowStatus),
- CreateTime: timestamppb.New(time.Unix(user.CreatedTs, 0)),
- UpdateTime: timestamppb.New(time.Unix(user.UpdatedTs, 0)),
- Role: convertUserRoleFromStore(user.Role),
- Username: user.Username,
- Email: user.Email,
- Nickname: user.Nickname,
- AvatarUrl: user.AvatarURL,
- }
- }
- func convertUserRoleFromStore(role store.Role) apiv2pb.User_Role {
- switch role {
- case store.RoleHost:
- return apiv2pb.User_HOST
- case store.RoleAdmin:
- return apiv2pb.User_ADMIN
- case store.RoleUser:
- return apiv2pb.User_USER
- default:
- return apiv2pb.User_ROLE_UNSPECIFIED
- }
- }
- func convertUserRoleToStore(role apiv2pb.User_Role) store.Role {
- switch role {
- case apiv2pb.User_HOST:
- return store.RoleHost
- case apiv2pb.User_ADMIN:
- return store.RoleAdmin
- case apiv2pb.User_USER:
- return store.RoleUser
- default:
- return store.RoleUser
- }
- }
|