diff options
Diffstat (limited to 'lib/Travelynx/Controller/Account.pm')
| -rw-r--r-- | lib/Travelynx/Controller/Account.pm | 1256 |
1 files changed, 986 insertions, 270 deletions
diff --git a/lib/Travelynx/Controller/Account.pm b/lib/Travelynx/Controller/Account.pm index 12a059a..bf1eac2 100644 --- a/lib/Travelynx/Controller/Account.pm +++ b/lib/Travelynx/Controller/Account.pm @@ -1,25 +1,232 @@ package Travelynx::Controller::Account; -# Copyright (C) 2020 Daniel Friesel +# Copyright (C) 2020-2023 Birte Kristina Friesel +# Copyright (C) 2025 networkException <git@nwex.de> # # SPDX-License-Identifier: AGPL-3.0-or-later use Mojo::Base 'Mojolicious::Controller'; -use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64); +use JSON; +use Math::Polygon; +use Mojo::Util qw(xml_escape); +use Text::Markdown; use UUID::Tiny qw(:std); -sub hash_password { - my ($password) = @_; - my @salt_bytes = map { int( rand(255) ) + 1 } ( 1 .. 16 ); - my $salt = en_base64( pack( 'C[16]', @salt_bytes ) ); +my %visibility_itoa = ( + 100 => 'public', + 80 => 'travelynx', + 60 => 'followers', + 30 => 'unlisted', + 10 => 'private', +); - return bcrypt( $password, '$2a$12$' . $salt ); -} +my %visibility_atoi = ( + public => 100, + travelynx => 80, + followers => 60, + unlisted => 30, + private => 10, +); + +# Internal Helpers sub make_token { return create_uuid_as_string(UUID_V4); } +sub send_registration_mail { + my ( $self, %opt ) = @_; + + my $email = $opt{email}; + my $token = $opt{token}; + my $user = $opt{user}; + my $user_id = $opt{user_id}; + my $ip = $opt{ip}; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + my $ua = $self->req->headers->user_agent; + my $reg_url = $self->url_for('reg')->to_abs->scheme('https'); + my $tos_url = $self->url_for('tos')->to_abs->scheme('https'); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo, ${user}!\n\n"; + $body .= "Mit deiner E-Mail-Adresse (${email}) wurde ein Account bei\n"; + $body .= "travelynx angelegt.\n\n"; + $body + .= "Falls die Registrierung von dir ausging, kannst du den Account unter\n"; + $body .= "${reg_url}/${user_id}/${token}\n"; + $body .= "freischalten.\n"; + $body .= "Beachte dabei die Nutzungsbedingungen: ${tos_url}\n\n"; + $body + .= "Falls nicht, ignoriere diese Mail bitte. Nach etwa 48 Stunden wird deine\n"; + $body + .= "Mail-Adresse erneut zur Registrierung freigeschaltet. Falls auch diese fehlschlägt,\n"; + $body + .= "werden wir sie dauerhaft sperren und keine Mails mehr dorthin schicken.\n\n"; + $body .= "Daten zur Registrierung:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + return $self->sendmail->custom( $email, 'Registrierung bei travelynx', + $body ); +} + +sub send_address_confirmation_mail { + my ( $self, $email, $token ) = @_; + + my $name = $self->current_user->{name}; + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $confirm_url = $self->url_for('confirm_mail')->to_abs->scheme('https'); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${name},\n\n"; + $body .= "Bitte bestätige unter <${confirm_url}/${token}>,\n"; + $body .= "dass du mit dieser Adresse E-Mail empfangen kannst.\n\n"; + $body + .= "Du erhältst diese Mail, da eine Änderung der deinem travelynx-Account\n"; + $body .= "zugeordneten Mail-Adresse beantragt wurde.\n\n"; + $body .= "Daten zur Anfrage:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + return $self->sendmail->custom( $email, + 'travelynx: Mail-Adresse bestätigen', $body ); +} + +sub send_name_notification_mail { + my ( $self, $old_name, $new_name ) = @_; + + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $confirm_url = $self->url_for('confirm_mail')->to_abs->scheme('https'); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${new_name},\n\n"; + $body .= "Der Name deines Travelynx-Accounts wurde erfolgreich geändert.\n"; + $body + .= "Bitte beachte, dass du dich ab sofort nur mit dem neuen Namen anmelden kannst.\n\n"; + $body .= "Alter Name: ${old_name}\n\n"; + $body .= "Neue Name: ${new_name}\n\n"; + $body .= "Daten zur Anfrage:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + return $self->sendmail->custom( $self->current_user->{email}, + 'travelynx: Name geändert', $body ); +} + +sub send_password_notification_mail { + my ($self) = @_; + my $user = $self->current_user->{name}; + my $email = $self->current_user->{email}; + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${user},\n\n"; + $body + .= "Das Passwort deines travelynx-Accounts wurde soeben geändert.\n\n"; + $body .= "Daten zur Änderung:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + $self->sendmail->custom( $email, 'travelynx: Passwort geändert', $body ); +} + +sub send_lostpassword_confirmation_mail { + my ( $self, %opt ) = @_; + my $email = $opt{email}; + my $name = $opt{name}; + my $uid = $opt{uid}; + my $token = $opt{token}; + + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $recover_url = $self->url_for('recover')->to_abs->scheme('https'); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${name},\n\n"; + $body .= "Unter ${recover_url}/${uid}/${token}\n"; + $body + .= "kannst du ein neues Passwort für deinen travelynx-Account vergeben.\n\n"; + $body + .= "Du erhältst diese Mail, da mit deinem Accountnamen und deiner Mail-Adresse\n"; + $body + .= "ein Passwort-Reset angefordert wurde. Falls diese Anfrage nicht von dir\n"; + $body .= "ausging, kannst du sie ignorieren.\n\n"; + $body .= "Daten zur Anfrage:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + my $success + = $self->sendmail->custom( $email, 'travelynx: Neues Passwort', $body ); +} + +sub send_lostpassword_notification_mail { + my ( $self, $account ) = @_; + my $user = $account->{name}; + my $email = $account->{email}; + my $ip = $self->req->headers->header('X-Forwarded-For'); + my $ua = $self->req->headers->user_agent; + my $date = DateTime->now( time_zone => 'Europe/Berlin' ) + ->strftime('%d.%m.%Y %H:%M:%S %z'); + + # In case Mojolicious is not running behind a reverse proxy + $ip + //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); + my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); + + my $body = "Hallo ${user},\n\n"; + $body .= "Das Passwort deines travelynx-Accounts wurde soeben über die"; + $body .= " 'Passwort vergessen'-Funktion geändert.\n\n"; + $body .= "Daten zur Änderung:\n"; + $body .= " * Datum: ${date}\n"; + $body .= " * Client: ${ip}\n"; + $body .= " * UserAgent: ${ua}\n\n\n"; + $body .= "Impressum: ${imprint_url}\n"; + + return $self->sendmail->custom( $email, 'travelynx: Passwort geändert', + $body ); +} + +# Controllers + sub login_form { my ($self) = @_; $self->render('login'); @@ -35,8 +242,9 @@ sub do_login { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'login', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); } else { @@ -47,10 +255,18 @@ sub do_login { else { my $data = $self->users->get_login_data( name => $user ); if ( $data and $data->{status} == 0 ) { - $self->render( 'login', invalid => 'confirmation' ); + $self->render( + 'login', + status => 400, + invalid => 'confirmation' + ); } else { - $self->render( 'login', invalid => 'credentials' ); + $self->render( + 'login', + status => 400, + invalid => 'credentials' + ); } } } @@ -69,9 +285,6 @@ sub register { my $password = $self->req->param('password'); my $password2 = $self->req->param('password2'); my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); # In case Mojolicious is not running behind a reverse proxy $ip @@ -79,8 +292,9 @@ sub register { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -88,17 +302,21 @@ sub register { if ( my $registration_denylist = $self->app->config->{registration}->{denylist} ) { - open( my $fh, "<", $registration_denylist ) - or die("cannot open($registration_denylist)"); - while ( my $line = <$fh> ) { - chomp $line; - if ( $ip eq $line ) { - close($fh); - $self->render( 'register', invalid => "denylist" ); - return; + if ( open( my $fh, "<", $registration_denylist ) ) { + while ( my $line = <$fh> ) { + chomp $line; + if ( $ip eq $line ) { + close($fh); + $self->render( 'register', invalid => "denylist" ); + return; + } } + close($fh); + } + else { + $self->log->error("Cannot open($registration_denylist): $!"); + die("Cannot verify registration: $!"); } - close($fh); } if ( my $error = $self->users->is_name_invalid( name => $user ) ) { @@ -132,47 +350,31 @@ sub register { # a human user should take at least five seconds to fill out the form. # Throw a CSRF error at presumed spammers. $self->render( - 'register', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } my $token = make_token(); - my $pw_hash = hash_password($password); my $db = $self->pg->db; my $tx = $db->begin; - my $user_id = $self->users->add_user( - db => $db, - name => $user, - email => $email, - token => $token, - password_hash => $pw_hash + my $user_id = $self->users->add( + db => $db, + name => $user, + email => $email, + token => $token, + password => $password, ); - my $reg_url = $self->url_for('reg')->to_abs->scheme('https'); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - my $body = "Hallo, ${user}!\n\n"; - $body .= "Mit deiner E-Mail-Adresse (${email}) wurde ein Account bei\n"; - $body .= "travelynx angelegt.\n\n"; - $body - .= "Falls die Registrierung von dir ausging, kannst du den Account unter\n"; - $body .= "${reg_url}/${user_id}/${token}\n"; - $body .= "freischalten.\n\n"; - $body - .= "Falls nicht, ignoriere diese Mail bitte. Nach etwa 48 Stunden wird deine\n"; - $body - .= "Mail-Adresse erneut zur Registrierung freigeschaltet. Falls auch diese fehlschlägt,\n"; - $body - .= "werden wir sie dauerhaft sperren und keine Mails mehr dorthin schicken.\n\n"; - $body .= "Daten zur Registrierung:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - my $success - = $self->sendmail->custom( $email, 'Registrierung bei travelynx', $body ); + my $success = $self->send_registration_mail( + email => $email, + token => $token, + ip => $ip, + user => $user, + user_id => $user_id + ); if ($success) { $tx->commit; $self->render( 'login', from => 'register' ); @@ -209,8 +411,13 @@ sub verify { sub delete { my ($self) = @_; + my $uid = $self->current_user->{id}; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'account', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -222,13 +429,14 @@ sub delete { ) ) { - $self->render( 'account', invalid => 'deletion password' ); + $self->flash( invalid => 'deletion password' ); + $self->redirect_to('account'); return; } - $self->users->flag_deletion( uid => $self->current_user->{id} ); + $self->users->flag_deletion( uid => $uid ); } else { - $self->users->unflag_deletion( uid => $self->current_user->{id} ); + $self->users->unflag_deletion( uid => $uid ); } $self->redirect_to('account'); } @@ -236,7 +444,11 @@ sub delete { sub do_logout { my ($self) = @_; if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'login', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } $self->logout; @@ -246,75 +458,346 @@ sub do_logout { sub privacy { my ($self) = @_; - my $user = $self->current_user; - my $public_level = $user->{is_public}; + my $user = $self->current_user; if ( $self->param('action') and $self->param('action') eq 'save' ) { - if ( $self->param('status_level') eq 'intern' ) { - $public_level |= 0x01; - $public_level &= ~0x02; + my %opt; + my $default_visibility + = $visibility_atoi{ $self->param('status_level') }; + if ( defined $default_visibility ) { + $opt{default_visibility} = $default_visibility; } - elsif ( $self->param('status_level') eq 'extern' ) { - $public_level |= 0x02; - $public_level &= ~0x01; + + my $past_visibility = $visibility_atoi{ $self->param('history_level') }; + if ( defined $past_visibility ) { + $opt{past_visibility} = $past_visibility; } - else { - $public_level &= ~0x03; + + $opt{comments_visible} = $self->param('public_comment') ? 1 : 0; + + $opt{past_all} = $self->param('history_age') eq 'infinite' ? 1 : 0; + $opt{past_status} = $self->param('past_status') ? 1 : 0; + + $self->users->set_privacy( + uid => $user->{id}, + %opt + ); + + $self->flash( success => 'privacy' ); + $self->redirect_to('account'); + } + else { + $self->param( + status_level => $visibility_itoa{ $user->{default_visibility} } ); + $self->param( public_comment => $user->{comments_visible} ); + $self->param( + history_level => $visibility_itoa{ $user->{past_visibility} } ); + $self->param( history_age => $user->{past_all} ? 'infinite' : 'month' ); + $self->param( past_status => $user->{past_status} ); + $self->render( 'privacy', name => $user->{name} ); + } +} + +sub social { + my ($self) = @_; + + my $user = $self->current_user; + + if ( $self->param('action') and $self->param('action') eq 'save' ) { + if ( $self->validation->csrf_protect->has_error('csrf_token') ) { + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); + return; } - # public comment with non-public status does not make sense - if ( $self->param('public_comment') - and $self->param('status_level') ne 'private' ) - { - $public_level |= 0x04; + my %opt; + my $accept_follow = $self->param('accept_follow'); + + if ( $accept_follow eq 'yes' ) { + $opt{accept_follows} = 1; } - else { - $public_level &= ~0x04; + elsif ( $accept_follow eq 'request' ) { + $opt{accept_follow_requests} = 1; } - if ( $self->param('history_level') eq 'intern' ) { - $public_level |= 0x10; - $public_level &= ~0x20; + $self->users->set_social( + uid => $user->{id}, + %opt + ); + + $self->flash( success => 'social' ); + $self->redirect_to('account'); + } + else { + if ( $user->{accept_follows} ) { + $self->param( accept_follow => 'yes' ); } - elsif ( $self->param('history_level') eq 'extern' ) { - $public_level |= 0x20; - $public_level &= ~0x10; + elsif ( $user->{accept_follow_requests} ) { + $self->param( accept_follow => 'request' ); } else { - $public_level &= ~0x30; + $self->param( accept_follow => 'no' ); } + $self->render( 'social', name => $user->{name} ); + } +} - if ( $self->param('history_age') eq 'infinite' ) { - $public_level |= 0x40; - } - else { - $public_level &= ~0x40; - } +sub social_list { + my ($self) = @_; - $self->users->set_privacy( - uid => $user->{id}, - level => $public_level - ); + my $kind = $self->stash('kind'); + my $user = $self->current_user; - $self->flash( success => 'privacy' ); - $self->redirect_to('account'); + if ( $kind eq 'follow-requests-received' ) { + my @follow_reqs + = $self->users->get_follow_requests( uid => $user->{id} ); + $self->render( + 'social_list', + type => 'follow-requests-received', + entries => [@follow_reqs], + notifications => $user->{notifications}, + ); + } + elsif ( $kind eq 'follow-requests-sent' ) { + my @follow_reqs = $self->users->get_follow_requests( + uid => $user->{id}, + sent => 1 + ); + $self->render( + 'social_list', + type => 'follow-requests-sent', + entries => [@follow_reqs], + notifications => $user->{notifications}, + ); + } + elsif ( $kind eq 'followers' ) { + my @followers = $self->users->get_followers( uid => $user->{id} ); + $self->render( + 'social_list', + type => 'followers', + entries => [@followers], + notifications => $user->{notifications}, + ); + } + elsif ( $kind eq 'follows' ) { + my @following = $self->users->get_followees( uid => $user->{id} ); + $self->render( + 'social_list', + type => 'follows', + entries => [@following], + notifications => $user->{notifications}, + ); + } + elsif ( $kind eq 'blocks' ) { + my @blocked = $self->users->get_blocked_users( uid => $user->{id} ); + $self->render( + 'social_list', + type => 'blocks', + entries => [@blocked], + notifications => $user->{notifications}, + ); } else { - $self->param( - status_level => $public_level & 0x01 ? 'intern' - : $public_level & 0x02 ? 'extern' - : 'private' + $self->render( 'not_found', status => 404 ); + } +} + +sub social_action { + my ($self) = @_; + + my $user = $self->current_user; + my $action = $self->param('action'); + my $target_ids = $self->param('target'); + my $redirect_to = $self->param('redirect_to'); + + for my $key ( + qw(follow request_follow follow_or_request unfollow remove_follower cancel_follow_request accept_follow_request reject_follow_request block unblock) + ) + { + if ( $self->param($key) ) { + $action = $key; + $target_ids = $self->param($key); + } + } + + if ( $self->validation->csrf_protect->has_error('csrf_token') ) { + $self->redirect_to('/'); + return; + } + + if ( $action and $action eq 'clear_notifications' ) { + $self->users->update_notifications( + db => $self->pg->db, + uid => $user->{id}, + has_follow_requests => 0 ); - $self->param( public_comment => $public_level & 0x04 ? 1 : 0 ); - $self->param( - history_level => $public_level & 0x10 ? 'intern' - : $public_level & 0x20 ? 'extern' - : 'private' + $self->flash( success => 'clear_notifications' ); + $self->redirect_to('account'); + return; + } + + if ( not( $action and $target_ids and $redirect_to ) ) { + $self->redirect_to('/'); + return; + } + + for my $target_id ( split( qr{,}, $target_ids ) ) { + my $target = $self->users->get_privacy_by( uid => $target_id ); + + if ( not $target ) { + next; + } + + if ( $action eq 'follow' and $target->{accept_follows} ) { + $self->users->follow( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $action eq 'request_follow' + and $target->{accept_follow_requests} ) + { + $self->users->request_follow( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $action eq 'follow_or_request' ) { + if ( $target->{accept_follows} ) { + $self->users->follow( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $target->{accept_follow_requests} ) { + $self->users->request_follow( + uid => $user->{id}, + target => $target->{id} + ); + } + } + elsif ( $action eq 'unfollow' ) { + $self->users->unfollow( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $action eq 'remove_follower' ) { + $self->users->remove_follower( + uid => $user->{id}, + follower => $target->{id} + ); + } + elsif ( $action eq 'cancel_follow_request' ) { + $self->users->cancel_follow_request( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $action eq 'accept_follow_request' ) { + $self->users->accept_follow_request( + uid => $user->{id}, + applicant => $target->{id} + ); + } + elsif ( $action eq 'reject_follow_request' ) { + $self->users->reject_follow_request( + uid => $user->{id}, + applicant => $target->{id} + ); + } + elsif ( $action eq 'block' ) { + $self->users->block( + uid => $user->{id}, + target => $target->{id} + ); + } + elsif ( $action eq 'unblock' ) { + $self->users->unblock( + uid => $user->{id}, + target => $target->{id} + ); + } + + if ( $redirect_to eq 'profile' ) { + + # profile links do not perform bulk actions + $self->redirect_to( '/p/' . $target->{name} ); + return; + } + } + + $self->redirect_to($redirect_to); +} + +sub profile { + my ($self) = @_; + my $user = $self->current_user; + + if ( $self->param('action') and $self->param('action') eq 'save' ) { + if ( $self->validation->csrf_protect->has_error('csrf_token') ) { + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); + return; + } + my $md = Text::Markdown->new; + my $bio = $self->param('bio'); + + if ( length($bio) > 2000 ) { + $bio = substr( $bio, 0, 2000 ) . '…'; + } + + my $profile = { + bio => { + markdown => $bio, + html => $md->markdown( xml_escape($bio) ), + }, + metadata => [], + }; + for my $i ( 0 .. 20 ) { + my $key = $self->param("key_$i"); + my $value = $self->param("value_$i"); + if ($key) { + if ( length($value) > 500 ) { + $value = substr( $value, 0, 500 ) . '…'; + } + my $html_value + = ( $value + =~ s{ \[ ([^]]+) \]\( ([^)]+) \) }{'<a href="' . xml_escape($2) . '" rel="me">' . xml_escape($1) .'</a>' }egrx + ); + $profile->{metadata}[$i] = { + key => $key, + value => { + markdown => $value, + html => $html_value, + }, + }; + } + else { + last; + } + } + $self->users->set_profile( + uid => $user->{id}, + profile => $profile ); - $self->param( - history_age => $public_level & 0x40 ? 'infinite' : 'month' ); - $self->render( 'privacy', name => $user->{name} ); + $self->redirect_to( '/p/' . $user->{name} ); + } + + my $profile = $self->users->get_profile( uid => $user->{id} ); + $self->param( bio => $profile->{bio}{markdown} ); + for my $i ( 0 .. $#{ $profile->{metadata} } ) { + $self->param( "key_$i" => $profile->{metadata}[$i]{key} ); + $self->param( "value_$i" => $profile->{metadata}[$i]{value}{markdown} ); } + + $self->render( 'edit_profile', name => $user->{name} ); } sub insight { @@ -355,13 +838,16 @@ sub insight { sub webhook { my ($self) = @_; - my $hook = $self->get_webhook; + my $uid = $self->current_user->{id}; + + my $hook = $self->users->get_webhook( uid => $uid ); if ( $self->param('action') and $self->param('action') eq 'save' ) { $hook->{url} = $self->param('url'); $hook->{token} = $self->param('token'); $hook->{enabled} = $self->param('enabled') // 0; - $self->set_webhook( + $self->users->set_webhook( + uid => $uid, url => $hook->{url}, token => $hook->{token}, enabled => $hook->{enabled} @@ -372,7 +858,7 @@ sub webhook { sub { $self->render( 'webhooks', - hook => $self->get_webhook, + hook => $self->users->get_webhook( uid => $uid ), new_hook => 1 ); } @@ -398,8 +884,9 @@ sub change_mail { if ( $action and $action eq 'update_mail' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_mail', - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -421,7 +908,6 @@ sub change_mail { } my $token = make_token(); - my $name = $self->current_user->{name}; my $db = $self->pg->db; my $tx = $db->begin; @@ -432,34 +918,7 @@ sub change_mail { token => $token ); - my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); - - # In case Mojolicious is not running behind a reverse proxy - $ip - //= sprintf( '%s:%s', $self->tx->remote_address, - $self->tx->remote_port ); - my $confirm_url - = $self->url_for('confirm_mail')->to_abs->scheme('https'); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - - my $body = "Hallo ${name},\n\n"; - $body .= "Bitte bestätige unter <${confirm_url}/${token}>,\n"; - $body .= "dass du mit dieser Adresse E-Mail empfangen kannst.\n\n"; - $body - .= "Du erhältst diese Mail, da eine Änderung der deinem travelynx-Account\n"; - $body .= "zugeordneten Mail-Adresse beantragt wurde.\n\n"; - $body .= "Daten zur Anfrage:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - my $success - = $self->sendmail->custom( $email, - 'travelynx: Mail-Adresse bestätigen', $body ); + my $success = $self->send_address_confirmation_mail( $email, $token ); if ($success) { $tx->commit; @@ -485,9 +944,9 @@ sub change_name { if ( $action and $action eq 'update_name' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { $self->render( - 'change_name', - name => $old_name, - invalid => 'csrf', + 'bad_request', + csrf => 1, + status => 400 ); return; } @@ -510,10 +969,10 @@ sub change_name { return; } - # The users table has a unique constraint on the "name" column, so having - # two users with the same name is not possible. The race condition - # between the user_name_exists check in is_name_invalid and this - # change_name call is harmless. + # The users table has a unique constraint on the "name" column, so having + # two users with the same name is not possible. The race condition + # between the user_name_exists check in is_name_invalid and this + # change_name call is harmless. my $success = $self->users->change_name( uid => $self->current_user->{id}, name => $new_name @@ -531,32 +990,7 @@ sub change_name { $self->flash( success => 'name' ); $self->redirect_to('account'); - my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); - - # In case Mojolicious is not running behind a reverse proxy - $ip - //= sprintf( '%s:%s', $self->tx->remote_address, - $self->tx->remote_port ); - my $confirm_url - = $self->url_for('confirm_mail')->to_abs->scheme('https'); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - - my $body = "Hallo ${new_name},\n\n"; - $body - .= "Der Name deines Travelynx-Accounts wurde erfolgreich geändert.\n"; - $body .= "Alter Name: ${old_name}\n"; - $body .= "Neue Name: ${new_name}\n\n"; - $body .= "Daten zur Anfrage:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - $self->sendmail->custom( $self->current_user->{email}, - 'travelynx: Name geändert', $body ); + $self->send_name_notification_mail( $old_name, $new_name ); } else { $self->render( 'change_name', name => $old_name ); @@ -569,6 +1003,273 @@ sub password_form { $self->render('change_password'); } +sub lonlat_in_polygon { + my ( $self, $polygon, $lonlat ) = @_; + + my $circle = shift( @{$polygon} ); + my @holes = @{$polygon}; + + my $circle_poly = Math::Polygon->new( @{$circle} ); + if ( $circle_poly->contains($lonlat) ) { + for my $hole (@holes) { + my $hole_poly = Math::Polygon->new( @{$hole} ); + if ( $hole_poly->contains($lonlat) ) { + return; + } + } + return 1; + } + return; +} + +sub backend_form { + my ($self) = @_; + my $user = $self->current_user; + + my @backends = $self->stations->get_backends; + my @suggested_backends; + + my %place_map = ( + AT => 'Österreich', + CH => 'Schweiz', + 'CH-BE' => 'Kanton Bern', + 'CH-GE' => 'Kanton Genf', + 'CH-LU' => 'Kanton Luzern', + 'CH-ZH' => 'Kanton Zürich', + DE => 'Deutschland', + 'DE-BB' => 'Brandenburg', + 'DE-BW' => 'Baden-Württemberg', + 'DE-BE' => 'Berlin', + 'DE-BY' => 'Bayern', + 'DE-HB' => 'Bremen', + 'DE-HE' => 'Hessen', + 'DE-MV' => 'Mecklenburg-Vorpommern', + 'DE-NI' => 'Niedersachsen', + 'DE-NW' => 'Nordrhein-Westfalen', + 'DE-RP' => 'Rheinland-Pfalz', + 'DE-SH' => 'Schleswig-Holstein', + 'DE-ST' => 'Sachsen-Anhalt', + 'DE-TH' => 'Thüringen', + DK => 'Dänemark', + 'GB-NIR' => 'Nordirland', + LI => 'Liechtenstein', + LU => 'Luxembourg', + IE => 'Irland', + 'US-CA' => 'California', + 'US-TX' => 'Texas', + ); + + my ( $user_lat, $user_lon ) + = $self->journeys->get_latest_checkout_latlon( uid => $user->{id} ); + + for my $backend (@backends) { + my $type = 'UNKNOWN'; + if ( $backend->{iris} ) { + $type = 'IRIS-TTS'; + $backend->{name} = 'IRIS'; + $backend->{longname} = 'Deutsche Bahn: IRIS-TTS'; + $backend->{homepage} = 'https://www.bahn.de'; + $backend->{legacy} = 1; + } + elsif ( $backend->{dbris} ) { + $type = 'DBRIS'; + $backend->{longname} = 'Deutsche Bahn: bahn.de'; + $backend->{homepage} = 'https://www.bahn.de'; + $backend->{recommended} = 1; + } + elsif ( $backend->{efa} ) { + if ( my $s = $self->efa->get_service( $backend->{name} ) ) { + $type = 'EFA'; + $backend->{longname} = $s->{name}; + $backend->{homepage} = $s->{homepage}; + $backend->{regions} = [ map { $place_map{$_} // $_ } + @{ $s->{coverage}{regions} // [] } ]; + $backend->{has_area} = $s->{coverage}{area} ? 1 : 0; + $backend->{association} = 1; + + if ( + $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'Polygon' + and $self->lonlat_in_polygon( + $s->{coverage}{area}{coordinates}, + [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + } + elsif ( $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'MultiPolygon' ) + { + for my $s_poly ( + @{ $s->{coverage}{area}{coordinates} // [] } ) + { + if ( + $self->lonlat_in_polygon( + $s_poly, [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + last; + } + } + } + } + else { + $type = undef; + } + } + elsif ( $backend->{hafas} ) { + + # These backends lack a journey endpoint or are no longer + # operational and are thus useless for travelynx + if ( $backend->{name} eq 'Resrobot' + or $backend->{name} eq 'TPG' + or $backend->{name} eq 'VRN' + or $backend->{name} eq 'DB' ) + { + $type = undef; + } + + # PKP is behind a GeoIP filter. Only list it if travelynx.conf + # indicates that our IP is allowed or provides a proxy. + elsif ( + $backend->{name} eq 'PKP' + and not( $self->app->config->{hafas}{PKP}{geoip_ok} + or $self->app->config->{hafas}{PKP}{proxy} ) + ) + { + $type = undef; + } + elsif ( my $s = $self->hafas->get_service( $backend->{name} ) ) { + $type = 'HAFAS'; + $backend->{longname} = $s->{name}; + $backend->{homepage} = $s->{homepage}; + $backend->{regions} = [ map { $place_map{$_} // $_ } + @{ $s->{coverage}{regions} // [] } ]; + $backend->{has_area} = $s->{coverage}{area} ? 1 : 0; + + if ( $backend->{name} eq 'ÖBB' ) { + $backend->{recommended} = 1; + } + else { + $backend->{association} = 1; + } + + if ( + $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'Polygon' + and $self->lonlat_in_polygon( + $s->{coverage}{area}{coordinates}, + [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + } + elsif ( $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'MultiPolygon' ) + { + for my $s_poly ( + @{ $s->{coverage}{area}{coordinates} // [] } ) + { + if ( + $self->lonlat_in_polygon( + $s_poly, [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + last; + } + } + } + } + else { + $type = undef; + } + } + elsif ( $backend->{motis} ) { + my $s = $self->motis->get_service( $backend->{name} ); + + $type = 'MOTIS'; + $backend->{longname} = $s->{name}; + $backend->{homepage} = $s->{homepage}; + $backend->{regions} = [ map { $place_map{$_} // $_ } + @{ $s->{coverage}{regions} // [] } ]; + $backend->{has_area} = $s->{coverage}{area} ? 1 : 0; + $backend->{experimental} = 1; + + if ( $backend->{name} eq 'transitous' ) { + $backend->{regions} = ['Weltweit']; + } + if ( $backend->{name} eq 'RNV' ) { + $backend->{homepage} = 'https://rnv-online.de/'; + } + + if ( + $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'Polygon' + and $self->lonlat_in_polygon( + $s->{coverage}{area}{coordinates}, + [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + } + elsif ( $s->{coverage}{area} + and $s->{coverage}{area}{type} eq 'MultiPolygon' ) + { + for my $s_poly ( @{ $s->{coverage}{area}{coordinates} // [] } ) + { + if ( + $self->lonlat_in_polygon( + $s_poly, [ $user_lon, $user_lat ] + ) + ) + { + push( @suggested_backends, $backend ); + last; + } + } + } + } + $backend->{type} = $type; + } + + @backends = map { $_->[1] } + sort { $a->[0] cmp $b->[0] } + map { [ lc( $_->{name} ), $_ ] } grep { $_->{type} } @backends; + + $self->render( + 'select_backend', + suggestions => \@suggested_backends, + backends => \@backends, + user => $user, + redirect_to => $self->req->param('redirect_to') // '/', + ); +} + +sub change_backend { + my ($self) = @_; + + my $backend_id = $self->req->param('backend'); + my $redir = $self->req->param('redirect_to') // '/'; + + if ( $backend_id !~ m{ ^ \d+ $ }x ) { + $self->redirect_to($redir); + } + + $self->users->set_backend( + uid => $self->current_user->{id}, + backend_id => $backend_id, + ); + + $self->redirect_to($redir); +} + sub change_password { my ($self) = @_; my $old_password = $self->req->param('oldpw'); @@ -576,7 +1277,11 @@ sub change_password { my $password2 = $self->req->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'change_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -601,37 +1306,14 @@ sub change_password { return; } - my $pw_hash = hash_password($password); - $self->users->set_password_hash( - uid => $self->current_user->{id}, - password_hash => $pw_hash + $self->users->set_password( + uid => $self->current_user->{id}, + password => $password ); $self->flash( success => 'password' ); $self->redirect_to('account'); - - my $user = $self->current_user->{name}; - my $email = $self->current_user->{email}; - my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); - - # In case Mojolicious is not running behind a reverse proxy - $ip - //= sprintf( '%s:%s', $self->tx->remote_address, $self->tx->remote_port ); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - - my $body = "Hallo ${user},\n\n"; - $body - .= "Das Passwort deines travelynx-Accounts wurde soeben geändert.\n\n"; - $body .= "Daten zur Änderung:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - $self->sendmail->custom( $email, 'travelynx: Passwort geändert', $body ); + $self->send_password_notification_mail(); } sub request_password_reset { @@ -639,7 +1321,11 @@ sub request_password_reset { if ( $self->param('action') and $self->param('action') eq 'initiate' ) { if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'recover_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } @@ -672,36 +1358,12 @@ sub request_password_reset { return; } - my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); - - # In case Mojolicious is not running behind a reverse proxy - $ip - //= sprintf( '%s:%s', $self->tx->remote_address, - $self->tx->remote_port ); - my $recover_url = $self->url_for('recover')->to_abs->scheme('https'); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - - my $body = "Hallo ${name},\n\n"; - $body .= "Unter ${recover_url}/${uid}/${token}\n"; - $body - .= "kannst du ein neues Passwort für deinen travelynx-Account vergeben.\n\n"; - $body - .= "Du erhältst diese Mail, da mit deinem Accountnamen und deiner Mail-Adresse\n"; - $body - .= "ein Passwort-Reset angefordert wurde. Falls diese Anfrage nicht von dir\n"; - $body .= "ausging, kannst du sie ignorieren.\n\n"; - $body .= "Daten zur Anfrage:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - my $success - = $self->sendmail->custom( $email, 'travelynx: Neues Passwort', - $body ); + my $success = $self->send_lostpassword_confirmation_mail( + email => $email, + name => $name, + uid => $uid, + token => $token + ); if ($success) { $tx->commit; @@ -720,7 +1382,11 @@ sub request_password_reset { my $password2 = $self->param('newpw2'); if ( $self->validation->csrf_protect->has_error('csrf_token') ) { - $self->render( 'set_password', invalid => 'csrf' ); + $self->render( + 'bad_request', + csrf => 1, + status => 400 + ); return; } if ( @@ -743,10 +1409,9 @@ sub request_password_reset { return; } - my $pw_hash = hash_password($password); - $self->users->set_password_hash( - uid => $id, - password_hash => $pw_hash + $self->users->set_password( + uid => $id, + password => $password ); my $account = $self->get_user_data($id); @@ -764,31 +1429,7 @@ sub request_password_reset { token => $token ); - my $user = $account->{name}; - my $email = $account->{email}; - my $ip = $self->req->headers->header('X-Forwarded-For'); - my $ua = $self->req->headers->user_agent; - my $date = DateTime->now( time_zone => 'Europe/Berlin' ) - ->strftime('%d.%m.%Y %H:%M:%S %z'); - - # In case Mojolicious is not running behind a reverse proxy - $ip - //= sprintf( '%s:%s', $self->tx->remote_address, - $self->tx->remote_port ); - my $imprint_url = $self->url_for('impressum')->to_abs->scheme('https'); - - my $body = "Hallo ${user},\n\n"; - $body - .= "Das Passwort deines travelynx-Accounts wurde soeben über die"; - $body .= " 'Passwort vergessen'-Funktion geändert.\n\n"; - $body .= "Daten zur Änderung:\n"; - $body .= " * Datum: ${date}\n"; - $body .= " * Client: ${ip}\n"; - $body .= " * UserAgent: ${ua}\n\n\n"; - $body .= "Impressum: ${imprint_url}\n"; - - $self->sendmail->custom( $email, 'travelynx: Passwort geändert', - $body ); + $self->send_lostpassword_notification_mail($account); } else { $self->render('recover_password'); @@ -825,6 +1466,15 @@ sub confirm_mail { my $id = $self->current_user->{id}; my $token = $self->stash('token'); + # Some mail clients include the trailing ">" from the confirmation mail + # when opening/copying the confirmation link. A token will never contain + # this symbol, so remove it just in case. + $token =~ s{>}{}; + + # I did not yet find a mail client that also includes the trailing ",", + # but you never now... + $token =~ s{,}{}; + if ( $self->users->change_mail_with_token( uid => $id, @@ -841,10 +1491,27 @@ sub confirm_mail { } sub account { - my ($self) = @_; + my ($self) = @_; + my $uid = $self->current_user->{id}; + my $rx_follow_requests = $self->users->has_follow_requests( uid => $uid ); + my $tx_follow_requests = $self->users->has_follow_requests( + uid => $uid, + sent => 1 + ); + my $followers = $self->users->has_followers( uid => $uid ); + my $following = $self->users->has_followees( uid => $uid ); + my $blocked = $self->users->has_blocked_users( uid => $uid ); - $self->render('account'); - $self->users->mark_seen( uid => $self->current_user->{id} ); + $self->render( + 'account', + api_token => $self->users->get_api_token( uid => $uid ), + num_rx_follow_requests => $rx_follow_requests, + num_tx_follow_requests => $tx_follow_requests, + num_followers => $followers, + num_following => $following, + num_blocked => $blocked, + ); + $self->users->mark_seen( uid => $uid ); } sub json_export { @@ -868,4 +1535,53 @@ sub json_export { ); } +sub webfinger { + my ($self) = @_; + + my $resource = $self->param('resource'); + + if ( not $resource ) { + $self->render( 'not_found', status => 404 ); + return; + } + + my $root_url = $self->base_url_for('/')->to_abs->host; + + if ( not $root_url + or not $resource + =~ m{ ^ acct: [@]? (?<name> [^@]+ ) [@] $root_url $ }x ) + { + $self->render( 'not_found', status => 404 ); + return; + } + + my $name = $+{name}; + my $user = $self->users->get_privacy_by( name => $name ); + + if ( not $user ) { + $self->render( 'not_found', status => 404 ); + return; + } + + my $profile_url + = $self->base_url_for("/p/${name}")->to_abs->scheme('https')->to_string; + + $self->render( + text => JSON->new->encode( + { + subject => $resource, + aliases => [ $profile_url, ], + links => [ + { + rel => 'http://webfinger.net/rel/profile-page', + type => 'text/html', + href => $profile_url, + }, + ], + } + ), + format => 'json', + ); +} + 1; |