@stamhoofd/models 2.1.1

package/src/models/EmailVerificationCode.ts

@@ -0,0 +1,352 @@
+import { column, Model } from "@simonbackx/simple-database";
+import { SimpleError } from "@simonbackx/simple-errors";
+import { I18n } from "@stamhoofd/backend-i18n";
+import { Email } from "@stamhoofd/email";
+import basex from "base-x";
+import crypto from "crypto";
+import { v4 as uuidv4 } from "uuid";
+
+const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
+const bs58 = basex(ALPHABET)
+
+async function randomBytes(size: number): Promise<Buffer> {
+    return new Promise((resolve, reject) => {
+        crypto.randomBytes(size, (err: Error | null, buf: Buffer) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(buf);
+        });
+    });
+}
+
+async function randomInt(max: number): Promise<number> {
+    return new Promise((resolve, reject) => {
+        crypto.randomInt(max, (err: Error | null, n: number) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            resolve(n)
+        })
+    })
+}
+
+
+/**
+ * Holds the verificationCodes for a given email (not a user, since a user can switch email addresses and might avoid verification that way)
+ */
+export class EmailVerificationCode extends Model {
+    static table = "email_verification_codes";
+
+     @column({
+        primary: true, type: "string", beforeSave(value) {
+            return value ?? uuidv4();
+        }
+    })
+    id!: string;
+
+    @column({ type: "string", nullable: true })
+    organizationId: string|null = null;
+
+    @column({ type: "string" })
+    userId: string;
+
+    /**
+     * The e-mail that will get verified. If on verification, the user e-mail differs from this one,
+     * we'll set the user email to this email address
+     */
+    @column({ type: "string" })
+    email: string;
+
+    /**
+     * This one is send to the sender. Allows for polling + extra length + sender authentication
+     */
+    @column({ type: "string" })
+    token = "";
+
+    @column({ type: "string" })
+    code = "";
+
+    /**
+     * The amount of times this code has been generated for the same e-mail address
+     */
+    @column({ type: "integer" })
+    generatedCount = 0;
+
+    /**
+     * The amount of times this unique code has been tried.
+     */
+    @column({ type: "integer" })
+    tries = 0;
+
+    @column({ type: "datetime" })
+    expiresAt: Date;
+
+    /**
+     * createdAt behaves more like createdAt for verificationCode. Since every save is considered to have a new verificationCode
+     */
+    @column({
+        type: "datetime", beforeSave() {
+            const date = new Date()
+            date.setMilliseconds(0)
+            return date
+        }
+    })
+    createdAt: Date
+
+    static CODE_LENGTH = 6
+    static MAX_TRIES = 9 // minus 0..MAX_TRIES_VARY
+
+    async generateCode() {
+        this.code = ((await randomInt(Math.pow(10, EmailVerificationCode.CODE_LENGTH)))+"").padStart(EmailVerificationCode.CODE_LENGTH, "0")
+        this.token = bs58.encode(await randomBytes(100)).toLowerCase();
+
+        // Increase generatedCount if we changed the code
+        if (this.tries > 0) {
+            // For statistics (how many did they try and had to resend the email)
+            this.generatedCount++;
+        }
+
+        // Reset the real tries
+        this.tries = 0
+
+        // Expire in 12 hours
+        this.expiresAt = new Date(new Date().getTime() + 1000 * 60 * 60 * 12)
+    }
+
+    getEmailVerificationUrl(user: import('./User').User, organization: import('./Organization').Organization|null, i18n: I18n) {
+        let host: string;
+        if (user.permissions || !organization || STAMHOOFD.userMode === 'platform') {
+            host = "https://"+(STAMHOOFD.domains.dashboard ?? "stamhoofd.app")+"/"+i18n.locale
+        } else {
+            // Add language if different than default
+            host = "https://"+organization.getHost()
+
+            if (i18n.language != organization.i18n.language) {
+                host += "/"+i18n.language
+            }
+        }
+
+        return host+"/verify-email"+(user.organizationPermissions && this.organizationId ? "/"+encodeURIComponent(this.organizationId) : "")+"?code="+encodeURIComponent(this.code)+"&token="+encodeURIComponent(this.token);
+    }
+
+    /**
+     * Return true if this token is still valid (used for automatic polling in code view)
+     */
+    static async poll(organizationId: string|null, token: string): Promise<boolean> {
+        const verificationCodes = await this.where({ 
+            token, 
+            organizationId: {
+                sign: 'IN',
+                value: [organizationId, null]
+            } 
+        }, { limit: 1 })
+
+        if (verificationCodes.length == 0) {
+            return false // = expired or invalid
+        }
+
+        const verificationCode = verificationCodes[0]
+
+        if (verificationCode.token !== token) {
+            // Safety check, is not possible
+            console.error("Security check failed for verify: check MySQL optimization")
+            return false;
+        }
+
+        if (verificationCode.expiresAt < new Date()) {
+            // Expired. 
+            // Can't expose this because that would expose a user enumeration attack
+            // -> we'll include this expiry date in e-mails
+            return false
+        }
+
+        if (verificationCode.tries >= EmailVerificationCode.MAX_TRIES) {
+            return false
+        }
+
+        return true
+    }
+
+    /**
+     * We don't throw errors here, because we don't want to expose any information about the existance of the code.
+     * We just expose if it is valid or not, nothing else
+     * False = expired or invalid
+     * Error => token okay, but too many attempts checking the code
+     * 
+     */
+    static async verify(organizationId: string|null, token: string, code: string): Promise<EmailVerificationCode | undefined> {
+        if (code.length != EmailVerificationCode.CODE_LENGTH) {
+            return
+        }
+        
+        const verificationCodes = await this.where({ 
+            token, 
+            organizationId: {
+                sign: 'IN',
+                value: [organizationId, null]
+            }
+        }, { limit: 1 })
+
+        if (verificationCodes.length == 0) {
+            return // = expired or invalid
+        }
+
+        const verificationCode = verificationCodes[0]
+
+        if (verificationCode.token !== token) {
+            // Safety check, is not possible
+            console.error("Security check failed for verify: check MySQL optimization")
+            return;
+        }
+
+        if (verificationCode.expiresAt < new Date()) {
+            // Expired. 
+            // Can't expose this because that would expose a user enumeration attack
+            // -> we'll include this expiry date in e-mails
+            return
+        }
+
+        if (verificationCode.tries >= EmailVerificationCode.MAX_TRIES) {
+            // We can saferly inform the user, because he is authenticated with the token
+            throw new SimpleError({
+                code: "too_many_attempts",
+                message: "Too many attempts",
+                human: "Je hebt de code te veel foutief ingegeven. Verstuur eerst een nieuwe code voor je opnieuw probeert.",
+                statusCode: 429
+            })
+        }
+
+        if (verificationCode.code === code || (code === "111111" && STAMHOOFD.environment === "development")) {
+            // Delete all remaining information!
+            // To avoid leaving information about the existince of this user (tries)
+            await verificationCode.delete()
+
+            return verificationCode
+        }
+
+        verificationCode.tries++
+        await verificationCode.save()
+
+        if (verificationCode.tries >= EmailVerificationCode.MAX_TRIES) {
+            // We can saferly inform the user, because he is authenticated with the token
+            throw new SimpleError({
+                code: "too_many_attempts",
+                message: "Too many attempts",
+                human: "Je hebt de code te veel foutief ingegeven. Verstuur eerst een nieuwe code voor je opnieuw probeert.",
+                statusCode: 429
+            })
+        }
+    }
+
+    send(user: import('./User').User, organization: import('./Organization').Organization|null, i18n: I18n, withCode = true) {
+        const { from, replyTo } = {
+            from: (user.organizationPermissions || !organization ? Email.getInternalEmailFor(i18n) : organization.getStrongEmail(i18n)),
+            replyTo: undefined // Don't use replyTo because it affects deliverability rates due to spam filters
+        }
+
+        const url = this.getEmailVerificationUrl(user, organization, i18n)
+
+        const footer = (!user.organizationPermissions && organization ? "\n\n—\n\nOnze ledenadministratie werkt via het Stamhoofd platform, op maat van verenigingen. Probeer het ook via https://"+i18n.$t("shared.domains.marketing")+"/ledenadministratie\n\n" : '')
+        const footerHTML = (!user.organizationPermissions && organization ? "<br><br>—<br><br>Onze ledenadministratie werkt via het Stamhoofd platform, op maat van verenigingen. Probeer het ook via <a href=\"https://"+i18n.$t("shared.domains.marketing")+"/ledenadministratie\">Stamhoofd</a><br><br>" : '')
+
+        const name = organization?.name ?? 'Stamhoofd'
+
+        if (withCode) {
+            const formattedCode = this.code.substr(0, 3)+" "+this.code.substr(3)
+            Email.send({
+                from,
+                replyTo,
+                to: this.email,
+                subject: `[${user.organizationPermissions ? "Stamhoofd" : name}] Verifieer jouw e-mailadres`,
+                type: "transactional",
+                text: `Hallo${user.firstName ? (" "+user.firstName) : ""}!\n\nVerifieer jouw e-mailadres om te kunnen inloggen bij ${name}. Vul de code "${formattedCode}" in op de website of klik op de onderstaande link om jouw e-mailadres te bevestigen.\n${url}\n\nDit is een automatische e-mail. Gelieve niet op dit e-mailadres te reageren.\n\n${user.organizationPermissions ? "Stamhoofd" : name}`+footer,
+                html: `Hallo${user.firstName ? (" "+user.firstName) : ""}!<br><br>Verifieer jouw e-mailadres om te kunnen inloggen bij ${name}. Vul de onderstaande code in op de website<br><br><strong style="font-size: 30px; font-weight: bold;">${formattedCode}</strong><br><br>Of klik op de onderstaande link om jouw e-mailadres te bevestigen:<br>${url}<br><br>Dit is een automatische e-mail. Gelieve niet op dit e-mailadres te reageren.<br><br>${user.organizationPermissions ? "Stamhoofd" : name}`+footerHTML
+            })
+        } else {
+            Email.send({
+                from,
+                replyTo,
+                to: this.email,
+                type: "transactional",
+                subject: `[${user.organizationPermissions ? "Stamhoofd" : name}] Verifieer jouw e-mailadres`,
+                text: `Hallo${user.firstName ? (" "+user.firstName) : ""}!\n\nVerifieer jouw e-mailadres om te kunnen inloggen bij ${name}. Klik op de onderstaande link om jouw e-mailadres te bevestigen.\n${url}\n\nDit is een automatische e-mail. Gelieve niet op dit e-mailadres te reageren.\n\n${user.organizationPermissions ? "Stamhoofd" : name}`+footer
+            })
+        }
+    }
+
+    static async resend(organization: import('./Organization').Organization|null, token: string, i18n: I18n) {
+        const verificationCodes = await this.where({ 
+            token, 
+            organizationId: organization ? {
+                sign: 'IN',
+                value: [organization.id, null]
+            } : null
+        }, { limit: 1 })
+
+        if (verificationCodes.length == 0) {
+            console.log("Can't resend code, no coded found for token", token)
+            // TODO: maybe send a note via email
+            return
+        }
+
+        const verificationCode = verificationCodes[0]
+
+        if (verificationCode.expiresAt < new Date()) {
+            // Don't report error, could be brute forced
+            console.log("Can't resend code, token is expired", token)
+            return 
+        }
+
+        const {User} = await import('./User')
+        const user = await User.getByID(verificationCode.userId)
+        if (!user) {
+            return
+        }
+        verificationCode.send(user, organization, i18n)
+    }
+
+    /**
+     * Create or reuse a verification code for a given email address
+     * If needed, it will update the code. 
+     * Use this method for sending only, not for verification!
+     */
+    static async createFor(user: import('./User').User, email: string): Promise<EmailVerificationCode> {
+        // TODO: make this constant time to avoid complex timing attacks (especially when under load)
+        // Do we already have a verificationCode for this email?
+
+        // Only user <-> organization binding is unique
+        // Since, when changing email, we don't throw an error if it is use (user enumeration)
+        // So multiple users should be able to request changing to a password, but only on validation should they fail
+        // (or this should be noted in the verification email and accounts could be merged)
+        const verificationCodes = await this.where({ userId: user.id }, { limit: 1 })
+
+        let verificationCode: EmailVerificationCode
+        if (verificationCodes.length == 0) {
+            verificationCode = new EmailVerificationCode()
+            verificationCode.organizationId = user.organizationId
+            await verificationCode.generateCode()
+
+            // Reset the real tries
+            verificationCode.tries = 0
+
+            // Expire in 3 hours
+            verificationCode.expiresAt = new Date(new Date().getTime() + 1000 * 60 * 60 * 3)
+        } else {
+            verificationCode = verificationCodes[0]
+
+            if (verificationCode.expiresAt < new Date(new Date().getTime() - 15 * 60 * 1000) || verificationCode.tries >= EmailVerificationCode.MAX_TRIES) {
+                // Expired: also update the token
+                await verificationCode.generateCode()
+            }
+        }
+        
+        verificationCode.email = email
+        verificationCode.userId = user.id
+
+        await verificationCode.save()
+        return verificationCode
+    }
+}

package/src/models/Group.ts

@@ -0,0 +1,293 @@
+import { column, Database, ManyToOneRelation, Model, OneToManyRelation } from '@simonbackx/simple-database';
+import { CycleInformation, Group as GroupStruct, GroupCategory, GroupPrivateSettings, GroupSettings, GroupStatus } from '@stamhoofd/structures';
+import { v4 as uuidv4 } from "uuid";
+
+import { Member, MemberWithRegistrations, OrganizationRegistrationPeriod, Payment, Registration, User } from './';
+import { Formatter } from '@stamhoofd/utility';
+
+if (Member === undefined) {
+    throw new Error("Import Member is undefined")
+}
+if (User === undefined) {
+    throw new Error("Import User is undefined")
+}
+if (Payment === undefined) {
+    throw new Error("Import Payment is undefined")
+}
+if (Registration === undefined) {
+    throw new Error("Import Registration is undefined")
+}
+
+export class Group extends Model {
+    static table = "groups";
+
+    @column({
+        primary: true, type: "string", beforeSave(value) {
+            return value ?? uuidv4();
+        }
+    })
+    id!: string;
+
+    @column({ type: "json", decoder: GroupSettings })
+    settings: GroupSettings;
+
+    @column({ 
+        type: "json", decoder: GroupPrivateSettings
+    })
+    privateSettings = GroupPrivateSettings.create({})
+
+    @column({ type: "string" })
+    organizationId: string;
+
+    @column({ type: "string" })
+    periodId: string;
+
+    /**
+     * Every time a new registration period starts, this number increases. This is used to mark all older registrations as 'out of date' automatically
+     */
+    @column({ type: "integer" })
+    cycle = 0;
+
+    @column({
+        type: "datetime", beforeSave(old?: any) {
+            if (old !== undefined) {
+                return old;
+            }
+            const date = new Date()
+            date.setMilliseconds(0)
+            return date
+        }
+    })
+    createdAt: Date
+
+    @column({
+        type: "datetime", beforeSave() {
+            const date = new Date()
+            date.setMilliseconds(0)
+            return date
+        },
+        skipUpdate: true
+    })
+    updatedAt: Date
+
+    @column({
+        type: "datetime",
+        nullable: true
+    })
+    deletedAt: Date | null = null
+
+    /**
+     * Every time a new registration period starts, this number increases. This is used to mark all older registrations as 'out of date' automatically
+     */
+    @column({ type: "string" })
+    status = GroupStatus.Open;
+
+    static async getAll(organizationId: string, periodId: string|null, active = true) {
+        const w: any = periodId ? {periodId} : {}
+        if (active) {
+            // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+            return await Group.where({ organizationId, deletedAt: null, ...w, status: {sign: '!=', value: GroupStatus.Archived} })
+        }
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+        return await Group.where({ organizationId, ...w })
+    }
+
+    /**
+     * Returns all parent and grandparents of this group
+     */
+    getParentCategories(all: GroupCategory[], recursive = true): GroupCategory[] {
+        const map = new Map<string, GroupCategory>()
+        
+        const parents = all.filter(g => g.groupIds.includes(this.id))
+        for (const parent of parents) {
+            map.set(parent.id, parent)
+
+            if (recursive) {
+                const hisParents = parent.getParentCategories(all)
+                for (const pp of hisParents) {
+                    map.set(pp.id, pp)
+                }
+            }
+        }
+
+        return [...map.values()]
+    }
+
+    /**
+     * Fetch all members with their corresponding (valid) registrations, users
+     */
+    async getMembersWithRegistration(waitingList = false, cycleOffset = 0): Promise<MemberWithRegistrations[]> {
+        let query = `SELECT ${Member.getDefaultSelect()}, ${Registration.getDefaultSelect()}, ${User.getDefaultSelect()} from \`${Member.table}\`\n`;
+        
+        query += `JOIN \`${Registration.table}\` ON \`${Registration.table}\`.\`${Member.registrations.foreignKey}\` = \`${Member.table}\`.\`${Member.primary.name}\` AND (\`${Registration.table}\`.\`registeredAt\` is not null OR \`${Registration.table}\`.\`waitingList\` = 1)\n`
+
+        if (waitingList) {
+            query += `JOIN \`${Registration.table}\` as reg_filter ON reg_filter.\`${Member.registrations.foreignKey}\` = \`${Member.table}\`.\`${Member.primary.name}\` AND reg_filter.\`waitingList\` = 1\n`
+        } else {
+            query += `JOIN \`${Registration.table}\` as reg_filter ON reg_filter.\`${Member.registrations.foreignKey}\` = \`${Member.table}\`.\`${Member.primary.name}\` AND reg_filter.\`waitingList\` = 0 AND reg_filter.\`registeredAt\` is not null\n`
+        }
+
+        query += Member.users.joinQuery(Member.table, User.table)+"\n"
+
+        // We do an extra join because we also need to get the other registrations of each member (only one regitration has to match the query)
+        query += `where reg_filter.\`groupId\` = ? AND reg_filter.\`cycle\` = ?`
+
+        const [results] = await Database.select(query, [this.id, this.cycle - cycleOffset])
+        const members: MemberWithRegistrations[] = []
+
+        const groupIds = results.map(r => r[Registration.table]?.groupId).filter(id => id) as string[]
+        const groups = await Group.getByIDs(...Formatter.uniqueArray(groupIds))
+
+        for (const row of results) {
+            const foundMember = Member.fromRow(row[Member.table])
+            if (!foundMember) {
+                throw new Error("Expected member in every row")
+            }
+            const _f = foundMember.setManyRelation(Member.registrations as unknown as OneToManyRelation<"registrations", Member, Registration & {group: Group}>, []).setManyRelation(Member.users, [])
+
+            // Seach if we already got this member?
+            const existingMember = members.find(m => m.id == _f.id)
+
+            const member: MemberWithRegistrations = (existingMember ?? _f)
+            if (!existingMember) {
+                members.push(member)
+            }
+
+            // Check if we have a registration with a payment
+            const registration = Registration.fromRow(row[Registration.table])
+            if (registration) {
+                // Check if we already have this registration
+                if (!member.registrations.find(r => r.id == registration.id)) {
+                    const group = groups.find(g => g.id == registration.groupId)
+                    if (!group) {
+                        throw new Error("Expected group")
+                    }
+                    member.registrations.push(registration.setRelation(Registration.group, group))
+                }
+            }
+
+            // Check if we have a user
+            const user = User.fromRow(row[User.table])
+            if (user) {
+                // Check if we already have this registration
+                if (!member.users.find(r => r.id == user.id)) {
+                    member.users.push(user)
+                }
+            }
+        }
+
+        return members
+
+    }
+
+    getStructure() {
+        return GroupStruct.create({ ...this, privateSettings: null })
+    }
+
+    getPrivateStructure() {
+        return GroupStruct.create(this)
+    }
+
+    private static async getCount(where: string, params: any[]) {
+        const query = `select count(*) as c from \`${Registration.table}\` where ${where}`
+        
+        const [results] = await Database.select(query, params)
+        const count = results[0]['']['c'];
+        if (Number.isInteger(count)) {
+            return count as number
+        }
+        return null
+    }
+
+    async updateOccupancy() {
+        this.settings.registeredMembers = await Group.getCount(
+            "groupId = ? and cycle = ? and waitingList = 0 and registeredAt is not null",
+            [this.id, this.cycle]
+        )
+        //const query = `select count(*) as c from \`${Registration.table}\` where groupId = ? and cycle = ? and (((registeredAt is not null or reservedUntil >= ?) and waitingList = 0) OR (waitingList = 1 AND canRegister = 1))`
+
+        this.settings.reservedMembers = await Group.getCount(
+            "groupId = ? and cycle = ? and ((waitingList = 0 and registeredAt is null AND reservedUntil >= ?) OR (waitingList = 1 and canRegister = 1))",
+            [this.id, this.cycle, new Date()]
+        )
+
+        this.settings.waitingListSize = await Group.getCount(
+            "groupId = ? and cycle = ? and waitingList = 1",
+            [this.id, this.cycle, new Date()]
+        )
+
+        // Loop cycle -1 until current (excluding current)
+        for (let cycle = -1; cycle < this.cycle; cycle++) {
+            if (!this.settings.cycleSettings.has(cycle)) {
+                this.settings.cycleSettings.set(cycle, CycleInformation.create({
+                    registeredMembers: 0,
+                    reservedMembers: 0,
+                    waitingListSize: 0
+                }))
+            }
+        }
+
+        // Older cycles
+        // todo: optimize this a bit
+        for (const [cycle, info] of this.settings.cycleSettings) {
+
+            info.registeredMembers = await Group.getCount(
+                "groupId = ? and cycle = ? and waitingList = 0 and registeredAt is not null",
+                [this.id, cycle]
+            )
+
+            info.reservedMembers = await Group.getCount(
+                "groupId = ? and cycle = ? and ((waitingList = 0 and registeredAt is null AND reservedUntil >= ?) OR (waitingList = 1 and canRegister = 1))",
+                [this.id, cycle, new Date()]
+            )
+
+            info.waitingListSize = await Group.getCount(
+                "groupId = ? and cycle = ? and waitingList = 1",
+                [this.id, cycle, new Date()]
+            )
+        }
+    }
+
+    static async deleteUnreachable(organizationId: string, period: OrganizationRegistrationPeriod, allGroups: Group[]) {
+        const reachable = new Map<string, boolean>()
+
+        const visited = new Map<string, boolean>()
+        const queue = [period.settings.rootCategoryId]
+        visited.set(period.settings.rootCategoryId, true)
+
+        while (queue.length > 0) {
+            const id = queue.shift()
+            if (!id) {
+                break
+            }
+
+            const category = period.settings.categories.find(c => c.id === id)
+            if (!category) {
+                continue
+            }
+
+            for (const i of category.categoryIds) {
+                if (!visited.get(i)) {
+                    queue.push(i)
+                    visited.set(i, true)
+                }
+            }
+
+            for (const g of category.groupIds) {
+                reachable.set(g, true)
+            }
+        }
+
+        for (const group of allGroups) {
+            if (!reachable.get(group.id) && group.status !== GroupStatus.Archived) {
+                console.log("Archiving unreachable group "+group.id+" from organization "+organizationId + " org period "+period.id)
+                group.status = GroupStatus.Archived
+                await group.save()
+            }
+        }
+    }
+
+}
+
+Registration.group = new ManyToOneRelation(Group, "group")
+Registration.group.foreignKey = "groupId"