@vsaas/loopback 10.0.0

package/dist/common/models/user.cjs

@@ -0,0 +1,810 @@
+"use strict";
+const require_runtime$1 = require("../../_virtual/_rolldown/runtime.cjs");
+const require_lib_globalize = require("../../lib/globalize.cjs");
+const require_lib_runtime = require("../../lib/runtime.cjs");
+const require_lib_utils = require("../../lib/utils.cjs");
+//#region src/common/models/user.ts
+var require_user = /* @__PURE__ */ require_runtime$1.__commonJSMin(((exports, module) => {
+	const path = require("path");
+	const g = require_lib_globalize;
+	const runtime = require_lib_runtime;
+	require("ejs");
+	require("fs");
+	const isEmail = require("isemail");
+	const utils = require_lib_utils;
+	const qs = require("querystring");
+	const crypto = require("crypto");
+	const assert = require("assert");
+	const SALT_WORK_FACTOR = 10;
+	const MAX_PASSWORD_LENGTH = 72;
+	let bcrypt;
+	try {
+		bcrypt = require("bcrypt");
+		if (bcrypt && typeof bcrypt.compare !== "function") bcrypt = require("bcryptjs");
+	} catch (err) {
+		bcrypt = require("bcryptjs");
+	}
+	const DEFAULT_TTL = 1209600;
+	const DEFAULT_RESET_PW_TTL = 900;
+	const DEFAULT_MAX_TTL = 31556926;
+	const debug = require("debug")("loopback:user");
+	const hasOwnProperty = Object.prototype.hasOwnProperty;
+	function configureUser(User) {
+		User.prototype.createAccessToken = function(ttl, options, cb) {
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			let tokenData;
+			if (typeof ttl !== "object") tokenData = { ttl };
+			else if (options) tokenData = ttl;
+			else tokenData = {};
+			const userSettings = this.constructor.settings;
+			tokenData.ttl = Math.min(tokenData.ttl || userSettings.ttl, userSettings.maxTTL);
+			this.accessTokens.create(tokenData, options, cb);
+			return cb.promise;
+		};
+		function splitPrincipal(name, realmDelimiter) {
+			const parts = [null, name];
+			if (!realmDelimiter) return parts;
+			const index = name.indexOf(realmDelimiter);
+			if (index !== -1) {
+				parts[0] = name.substring(0, index);
+				parts[1] = name.substring(index + realmDelimiter.length);
+			}
+			return parts;
+		}
+		User.normalizeCredentials = function(credentials, realmRequired, realmDelimiter) {
+			const query = {};
+			credentials = credentials || {};
+			if (!realmRequired) {
+				if (credentials.email) query.email = credentials.email;
+				else if (credentials.username) query.username = credentials.username;
+			} else {
+				if (credentials.realm) query.realm = credentials.realm;
+				let parts;
+				if (credentials.email) {
+					parts = splitPrincipal(credentials.email, realmDelimiter);
+					query.email = parts[1];
+					if (parts[0]) query.realm = parts[0];
+				} else if (credentials.username) {
+					parts = splitPrincipal(credentials.username, realmDelimiter);
+					query.username = parts[1];
+					if (parts[0]) query.realm = parts[0];
+				}
+			}
+			return query;
+		};
+		User.login = function(credentials, include, fn) {
+			const self = this;
+			if (typeof include === "function") {
+				fn = include;
+				include = void 0;
+			}
+			fn = fn || utils.createPromiseCallback();
+			include = include || "";
+			if (Array.isArray(include)) include = include.map(function(val) {
+				return val.toLowerCase();
+			});
+			else include = include.toLowerCase();
+			let realmDelimiter;
+			const realmRequired = !!(self.settings.realmRequired || self.settings.realmDelimiter);
+			if (realmRequired) realmDelimiter = self.settings.realmDelimiter;
+			const query = self.normalizeCredentials(credentials, realmRequired, realmDelimiter);
+			if (realmRequired) {
+				if (!query.realm) {
+					const err1 = new Error(g.f("{{realm}} is required"));
+					err1.statusCode = 400;
+					err1.code = "REALM_REQUIRED";
+					fn(err1);
+					return fn.promise;
+				} else if (typeof query.realm !== "string") {
+					const err5 = new Error(g.f("Invalid realm"));
+					err5.statusCode = 400;
+					err5.code = "INVALID_REALM";
+					fn(err5);
+					return fn.promise;
+				}
+			}
+			if (!query.email && !query.username) {
+				const err2 = new Error(g.f("{{username}} or {{email}} is required"));
+				err2.statusCode = 400;
+				err2.code = "USERNAME_EMAIL_REQUIRED";
+				fn(err2);
+				return fn.promise;
+			}
+			if (query.username && typeof query.username !== "string") {
+				const err3 = new Error(g.f("Invalid username"));
+				err3.statusCode = 400;
+				err3.code = "INVALID_USERNAME";
+				fn(err3);
+				return fn.promise;
+			} else if (query.email && typeof query.email !== "string") {
+				const err4 = new Error(g.f("Invalid email"));
+				err4.statusCode = 400;
+				err4.code = "INVALID_EMAIL";
+				fn(err4);
+				return fn.promise;
+			}
+			self.findOne({ where: query }, function(err, user) {
+				const defaultError = new Error(g.f("login failed"));
+				defaultError.statusCode = 401;
+				defaultError.code = "LOGIN_FAILED";
+				function tokenHandler(err, token) {
+					if (err) return fn(err);
+					if (Array.isArray(include) ? include.indexOf("user") !== -1 : include === "user") token.__data.user = user;
+					fn(err, token);
+				}
+				if (err) {
+					debug("An error is reported from User.findOne: %j", err);
+					fn(defaultError);
+				} else if (user) user.hasPassword(credentials.password, function(err, isMatch) {
+					if (err) {
+						debug("An error is reported from User.hasPassword: %j", err);
+						fn(defaultError);
+					} else if (isMatch) if (self.settings.emailVerificationRequired && !user.emailVerified) {
+						debug("User email has not been verified");
+						err = new Error(g.f("login failed as the email has not been verified"));
+						err.statusCode = 401;
+						err.code = "LOGIN_FAILED_EMAIL_NOT_VERIFIED";
+						err.details = { userId: user.id };
+						fn(err);
+					} else if (user.createAccessToken.length === 2) user.createAccessToken(credentials.ttl, tokenHandler);
+					else user.createAccessToken(credentials.ttl, credentials, tokenHandler);
+					else {
+						debug("The password is invalid for user %s", query.email || query.username);
+						fn(defaultError);
+					}
+				});
+				else {
+					debug("No matching record is found for user %s", query.email || query.username);
+					fn(defaultError);
+				}
+			});
+			return fn.promise;
+		};
+		User.logout = function(tokenId, fn) {
+			fn = fn || utils.createPromiseCallback();
+			let err;
+			if (!tokenId) {
+				err = new Error(g.f("{{accessToken}} is required to logout"));
+				err.statusCode = 401;
+				process.nextTick(fn, err);
+				return fn.promise;
+			}
+			this.relations.accessTokens.modelTo.destroyById(tokenId, function(err, info) {
+				if (err) fn(err);
+				else if ("count" in info && info.count === 0) {
+					err = new Error(g.f("Could not find {{accessToken}}"));
+					err.statusCode = 401;
+					fn(err);
+				} else fn();
+			});
+			return fn.promise;
+		};
+		User.observe("before delete", function(ctx, next) {
+			if (!ctx.Model.relations.accessTokens) return next();
+			const AccessToken = ctx.Model.relations.accessTokens.modelTo;
+			const pkName = ctx.Model.definition.idName() || "id";
+			ctx.Model.find({
+				where: ctx.where,
+				fields: [pkName]
+			}, function(err, list) {
+				if (err) return next(err);
+				const ids = new Array(list.length);
+				for (let i = 0; i < list.length; i++) ids[i] = list[i][pkName];
+				ctx.where = {};
+				ctx.where[pkName] = { inq: ids };
+				AccessToken.destroyAll({ userId: { inq: ids } }, next);
+			});
+		});
+		User.prototype.hasPassword = function(plain, fn) {
+			fn = fn || utils.createPromiseCallback();
+			if (this.password && plain) bcrypt.compare(plain, this.password, function(err, isMatch) {
+				if (err) return fn(err);
+				fn(null, isMatch);
+			});
+			else fn(null, false);
+			return fn.promise;
+		};
+		User.changePassword = function(userId, oldPassword, newPassword, options, cb) {
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			this.findById(userId, options, (err, inst) => {
+				if (err) return cb(err);
+				if (!inst) {
+					const err = /* @__PURE__ */ new Error(`User ${userId} not found`);
+					Object.assign(err, {
+						code: "USER_NOT_FOUND",
+						statusCode: 401
+					});
+					return cb(err);
+				}
+				inst.changePassword(oldPassword, newPassword, options, cb);
+			});
+			return cb.promise;
+		};
+		User.prototype.changePassword = function(oldPassword, newPassword, options, cb) {
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			this.hasPassword(oldPassword, (err, isMatch) => {
+				if (err) return cb(err);
+				if (!isMatch) {
+					const err = /* @__PURE__ */ new Error("Invalid current password");
+					Object.assign(err, {
+						code: "INVALID_PASSWORD",
+						statusCode: 400
+					});
+					return cb(err);
+				}
+				this.setPassword(newPassword, options, cb);
+			});
+			return cb.promise;
+		};
+		User.setPassword = function(userId, newPassword, options, cb) {
+			assert(userId != null && userId !== "", "userId is a required argument");
+			assert(!!newPassword, "newPassword is a required argument");
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			this.findById(userId, options, (err, inst) => {
+				if (err) return cb(err);
+				if (!inst) {
+					const err = /* @__PURE__ */ new Error(`User ${userId} not found`);
+					Object.assign(err, {
+						code: "USER_NOT_FOUND",
+						statusCode: 401
+					});
+					return cb(err);
+				}
+				inst.setPassword(newPassword, options, cb);
+			});
+			return cb.promise;
+		};
+		User.prototype.setPassword = function(newPassword, options, cb) {
+			assert(!!newPassword, "newPassword is a required argument");
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			try {
+				this.constructor.validatePassword(newPassword);
+			} catch (err) {
+				cb(err);
+				return cb.promise;
+			}
+			options = Object.assign({}, options);
+			options.setPassword = true;
+			const delta = { password: newPassword };
+			this.patchAttributes(delta, options, function(err) {
+				cb(err);
+			});
+			return cb.promise;
+		};
+		User.getVerifyOptions = function() {
+			return Object.assign({}, this.settings.verifyOptions || {
+				type: "email",
+				from: "noreply@example.com"
+			});
+		};
+		User.prototype.verify = function(verifyOptions, options, cb) {
+			if (cb === void 0 && typeof options === "function") {
+				cb = options;
+				options = void 0;
+			}
+			cb = cb || utils.createPromiseCallback();
+			const user = this;
+			const userModel = this.constructor;
+			const loopback = runtime.loopback;
+			const registry = userModel.registry;
+			verifyOptions = Object.assign({}, verifyOptions);
+			assert(typeof verifyOptions === "object", "verifyOptions object param required when calling user.verify()");
+			verifyOptions = Object.assign({}, verifyOptions);
+			verifyOptions.templateFn = verifyOptions.templateFn || createVerificationEmailBody;
+			verifyOptions.generateVerificationToken = verifyOptions.generateVerificationToken || User.generateVerificationToken;
+			verifyOptions.mailer = verifyOptions.mailer || userModel.email || registry.getModelByType(loopback.Email);
+			const pkName = userModel.definition.idName() || "id";
+			verifyOptions.redirect = verifyOptions.redirect || "/";
+			const defaultTemplate = path.join(__dirname, "..", "..", "..", "templates", "verify.ejs");
+			verifyOptions.template = path.resolve(verifyOptions.template || defaultTemplate);
+			verifyOptions.user = user;
+			verifyOptions.protocol = verifyOptions.protocol || "http";
+			const app = userModel.app;
+			verifyOptions.host = verifyOptions.host || app && app.get("host") || "localhost";
+			verifyOptions.port = verifyOptions.port || app && app.get("port") || 3e3;
+			verifyOptions.restApiRoot = verifyOptions.restApiRoot || app && app.get("restApiRoot") || "/api";
+			const displayPort = verifyOptions.protocol === "http" && verifyOptions.port == "80" || verifyOptions.protocol === "https" && verifyOptions.port == "443" ? "" : ":" + verifyOptions.port;
+			if (!verifyOptions.verifyHref) {
+				const confirmMethod = userModel.sharedClass.findMethodByName("confirm");
+				if (!confirmMethod) throw new Error("Cannot build user verification URL, the default confirm method is not public. Please provide the URL in verifyOptions.verifyHref.");
+				const urlPath = joinUrlPath(verifyOptions.restApiRoot, userModel.http.path, confirmMethod.http.path);
+				verifyOptions.verifyHref = verifyOptions.protocol + "://" + verifyOptions.host + displayPort + urlPath + "?" + qs.stringify({
+					uid: "" + verifyOptions.user[pkName],
+					redirect: verifyOptions.redirect
+				});
+			}
+			verifyOptions.to = verifyOptions.to || user.email;
+			verifyOptions.subject = verifyOptions.subject || g.f("Thanks for Registering");
+			verifyOptions.headers = verifyOptions.headers || {};
+			assertVerifyOptions(verifyOptions);
+			const tokenGenerator = verifyOptions.generateVerificationToken;
+			if (tokenGenerator.length == 3) tokenGenerator(user, options, addTokenToUserAndSave);
+			else tokenGenerator(user, addTokenToUserAndSave);
+			function addTokenToUserAndSave(err, token) {
+				if (err) return cb(err);
+				user.verificationToken = token;
+				user.save(options, function(err) {
+					if (err) return cb(err);
+					sendEmail(user);
+				});
+			}
+			function sendEmail(user) {
+				verifyOptions.verifyHref += verifyOptions.verifyHref.indexOf("?") === -1 ? "?" : "&";
+				verifyOptions.verifyHref += "token=" + user.verificationToken;
+				verifyOptions.verificationToken = user.verificationToken;
+				verifyOptions.text = verifyOptions.text || g.f("Please verify your email by opening this link in a web browser:\n	%s", verifyOptions.verifyHref);
+				verifyOptions.text = verifyOptions.text.replace(/\{href\}/g, verifyOptions.verifyHref);
+				const templateFn = verifyOptions.templateFn;
+				if (templateFn.length == 3) templateFn(verifyOptions, options, setHtmlContentAndSend);
+				else templateFn(verifyOptions, setHtmlContentAndSend);
+				function setHtmlContentAndSend(err, html) {
+					if (err) return cb(err);
+					verifyOptions.html = html;
+					delete verifyOptions.template;
+					const Email = verifyOptions.mailer;
+					if (Email.send.length == 3) Email.send(verifyOptions, options, handleAfterSend);
+					else Email.send(verifyOptions, handleAfterSend);
+					function handleAfterSend(err, email) {
+						if (err) return cb(err);
+						cb(null, {
+							email,
+							token: user.verificationToken,
+							uid: user[pkName]
+						});
+					}
+				}
+			}
+			return cb.promise;
+		};
+		function assertVerifyOptions(verifyOptions) {
+			assert(verifyOptions.type, "You must supply a verification type (verifyOptions.type)");
+			assert(verifyOptions.type === "email", "Unsupported verification type");
+			assert(verifyOptions.to, "Must include verifyOptions.to when calling user.verify() or the user must have an email property");
+			assert(verifyOptions.from, "Must include verifyOptions.from when calling user.verify()");
+			assert(typeof verifyOptions.templateFn === "function", "templateFn must be a function");
+			assert(typeof verifyOptions.generateVerificationToken === "function", "generateVerificationToken must be a function");
+			assert(verifyOptions.mailer, "A mailer function must be provided");
+			assert(typeof verifyOptions.mailer.send === "function", "mailer.send must be a function ");
+		}
+		function createVerificationEmailBody(verifyOptions, options, cb) {
+			cb(null, runtime.loopback.template(verifyOptions.template)(verifyOptions));
+		}
+		User.generateVerificationToken = function(user, options, cb) {
+			crypto.randomBytes(64, function(err, buf) {
+				cb(err, buf && buf.toString("hex"));
+			});
+		};
+		User.confirm = function(uid, token, redirect, fn) {
+			fn = fn || utils.createPromiseCallback();
+			this.findById(uid, function(err, user) {
+				if (err) fn(err);
+				else if (user && user.verificationToken === token) {
+					user.verificationToken = null;
+					user.emailVerified = true;
+					user.save(function(err) {
+						if (err) fn(err);
+						else fn();
+					});
+				} else {
+					if (user) {
+						err = new Error(g.f("Invalid token: %s", token));
+						err.statusCode = 400;
+						err.code = "INVALID_TOKEN";
+					} else {
+						err = new Error(g.f("User not found: %s", uid));
+						err.statusCode = 404;
+						err.code = "USER_NOT_FOUND";
+					}
+					fn(err);
+				}
+			});
+			return fn.promise;
+		};
+		User.resetPassword = function(options, cb) {
+			cb = cb || utils.createPromiseCallback();
+			const UserModel = this;
+			const ttl = UserModel.settings.resetPasswordTokenTTL || DEFAULT_RESET_PW_TTL;
+			options = options || {};
+			if (typeof options.email !== "string") {
+				const err = new Error(g.f("Email is required"));
+				err.statusCode = 400;
+				err.code = "EMAIL_REQUIRED";
+				cb(err);
+				return cb.promise;
+			}
+			try {
+				if (options.password) UserModel.validatePassword(options.password);
+			} catch (err) {
+				return cb(err);
+			}
+			const where = { email: options.email };
+			if (options.realm) where.realm = options.realm;
+			UserModel.findOne({ where }, function(err, user) {
+				if (err) return cb(err);
+				if (!user) {
+					err = new Error(g.f("Email not found"));
+					err.statusCode = 404;
+					err.code = "EMAIL_NOT_FOUND";
+					return cb(err);
+				}
+				if (UserModel.settings.emailVerificationRequired && !user.emailVerified) {
+					err = new Error(g.f("Email has not been verified"));
+					err.statusCode = 401;
+					err.code = "RESET_FAILED_EMAIL_NOT_VERIFIED";
+					return cb(err);
+				}
+				if (UserModel.settings.restrictResetPasswordTokenScope) {
+					const tokenData = {
+						ttl,
+						scopes: ["reset-password"]
+					};
+					user.createAccessToken(tokenData, options, onTokenCreated);
+				} else user.createAccessToken(ttl, onTokenCreated);
+				function onTokenCreated(err, accessToken) {
+					if (err) return cb(err);
+					cb();
+					UserModel.emit("resetPasswordRequest", {
+						email: options.email,
+						accessToken,
+						user,
+						options
+					});
+				}
+			});
+			return cb.promise;
+		};
+		User.hashPassword = function(plain) {
+			this.validatePassword(plain);
+			const salt = bcrypt.genSaltSync(this.settings.saltWorkFactor || SALT_WORK_FACTOR);
+			return bcrypt.hashSync(plain, salt);
+		};
+		User.validatePassword = function(plain) {
+			let err;
+			if (!plain || typeof plain !== "string") {
+				err = new Error(g.f("Invalid password."));
+				err.code = "INVALID_PASSWORD";
+				err.statusCode = 422;
+				throw err;
+			}
+			const len = Buffer.byteLength(plain, "utf8");
+			if (len > MAX_PASSWORD_LENGTH) {
+				err = new Error(g.f("The password entered was too long. Max length is %d (entered %d)", MAX_PASSWORD_LENGTH, len));
+				err.code = "PASSWORD_TOO_LONG";
+				err.statusCode = 422;
+				throw err;
+			}
+		};
+		User._invalidateAccessTokensOfUsers = function(userIds, options, cb) {
+			if (typeof options === "function" && cb === void 0) {
+				cb = options;
+				options = {};
+			}
+			if (!Array.isArray(userIds) || !userIds.length) return process.nextTick(cb);
+			const accessTokenRelation = this.relations.accessTokens;
+			if (!accessTokenRelation) return process.nextTick(cb);
+			const AccessToken = accessTokenRelation.modelTo;
+			const query = { userId: { inq: userIds } };
+			const tokenPK = AccessToken.definition.idName() || "id";
+			if (options.accessToken && tokenPK in options.accessToken) query[tokenPK] = { neq: options.accessToken[tokenPK] };
+			const relatedUser = AccessToken.relations.user;
+			if (relatedUser && relatedUser.polymorphic && !relatedUser.modelTo) query.principalType = this.modelName;
+			AccessToken.deleteAll(query, options, cb);
+		};
+		User.setup = function() {
+			User.base.setup.call(this);
+			const UserModel = this;
+			const loopback = runtime.loopback;
+			this.settings.maxTTL = this.settings.maxTTL || DEFAULT_MAX_TTL;
+			this.settings.ttl = this.settings.ttl || DEFAULT_TTL;
+			UserModel.setter.email = function(value) {
+				if (!UserModel.settings.caseSensitiveEmail && typeof value === "string") this.$email = value.toLowerCase();
+				else this.$email = value;
+			};
+			UserModel.setter.password = function(plain) {
+				if (typeof plain !== "string") return;
+				if ((plain.indexOf("$2a$") === 0 || plain.indexOf("$2b$") === 0) && plain.length === 60) this.$password = plain;
+				else this.$password = this.constructor.hashPassword(plain);
+			};
+			UserModel.beforeRemote("create", function(ctx, user, next) {
+				const body = ctx.req.body;
+				if (body && body.emailVerified) body.emailVerified = false;
+				next();
+			});
+			UserModel.remoteMethod("login", {
+				description: "Login a user with username/email and password.",
+				accepts: [{
+					arg: "credentials",
+					type: "object",
+					required: true,
+					http: { source: "body" }
+				}, {
+					arg: "include",
+					type: ["string"],
+					http: { source: "query" },
+					description: "Related objects to include in the response. See the description of return value for more details."
+				}],
+				returns: {
+					arg: "accessToken",
+					type: "object",
+					root: true,
+					description: g.f("The response body contains properties of the {{AccessToken}} created on login.\nDepending on the value of `include` parameter, the body may contain additional properties:\n\n  - `user` - `U+007BUserU+007D` - Data of the currently logged in user. {{(`include=user`)}}\n\n")
+				},
+				http: { verb: "post" }
+			});
+			UserModel.remoteMethod("logout", {
+				description: "Logout a user with access token.",
+				accepts: [{
+					arg: "access_token",
+					type: "string",
+					http: function(ctx) {
+						const req = ctx && ctx.req;
+						const accessToken = req && req.accessToken;
+						return accessToken ? accessToken.id : void 0;
+					},
+					description: "Do not supply this argument, it is automatically extracted from request headers."
+				}],
+				http: { verb: "all" }
+			});
+			UserModel.remoteMethod("prototype.verify", {
+				description: "Trigger user's identity verification with configured verifyOptions",
+				accepts: [{
+					arg: "verifyOptions",
+					type: "object",
+					http: (ctx) => this.getVerifyOptions()
+				}, {
+					arg: "options",
+					type: "object",
+					http: "optionsFromRequest"
+				}],
+				http: { verb: "post" }
+			});
+			UserModel.remoteMethod("confirm", {
+				description: "Confirm a user registration with identity verification token.",
+				accepts: [
+					{
+						arg: "uid",
+						type: "string",
+						required: true
+					},
+					{
+						arg: "token",
+						type: "string",
+						required: true
+					},
+					{
+						arg: "redirect",
+						type: "string"
+					}
+				],
+				http: {
+					verb: "get",
+					path: "/confirm"
+				}
+			});
+			UserModel.remoteMethod("resetPassword", {
+				description: "Reset password for a user with email.",
+				accepts: [{
+					arg: "options",
+					type: "object",
+					required: true,
+					http: { source: "body" }
+				}],
+				http: {
+					verb: "post",
+					path: "/reset"
+				}
+			});
+			UserModel.remoteMethod("changePassword", {
+				description: "Change a user's password.",
+				accepts: [
+					{
+						arg: "id",
+						type: "any",
+						http: getUserIdFromRequestContext
+					},
+					{
+						arg: "oldPassword",
+						type: "string",
+						required: true,
+						http: { source: "form" }
+					},
+					{
+						arg: "newPassword",
+						type: "string",
+						required: true,
+						http: { source: "form" }
+					},
+					{
+						arg: "options",
+						type: "object",
+						http: "optionsFromRequest"
+					}
+				],
+				http: {
+					verb: "POST",
+					path: "/change-password"
+				}
+			});
+			const setPasswordScopes = UserModel.settings.restrictResetPasswordTokenScope ? ["reset-password"] : void 0;
+			UserModel.remoteMethod("setPassword", {
+				description: "Reset user's password via a password-reset token.",
+				accepts: [
+					{
+						arg: "id",
+						type: "any",
+						http: getUserIdFromRequestContext
+					},
+					{
+						arg: "newPassword",
+						type: "string",
+						required: true,
+						http: { source: "form" }
+					},
+					{
+						arg: "options",
+						type: "object",
+						http: "optionsFromRequest"
+					}
+				],
+				accessScopes: setPasswordScopes,
+				http: {
+					verb: "POST",
+					path: "/reset-password"
+				}
+			});
+			function getUserIdFromRequestContext(ctx) {
+				const token = ctx.req.accessToken;
+				if (!token) return;
+				if ("principalType" in token && token.principalType !== UserModel.modelName) {
+					const err = new Error(g.f("Access Denied"));
+					err.statusCode = 403;
+					throw err;
+				}
+				return token.userId;
+			}
+			UserModel.afterRemote("confirm", function(ctx, inst, next) {
+				if (ctx.args.redirect !== void 0) {
+					if (!ctx.res) return next(new Error(g.f("The transport does not support HTTP redirects.")));
+					ctx.res.location(ctx.args.redirect);
+					ctx.res.status(302);
+				}
+				next();
+			});
+			assert(loopback.Email, "Email model must be defined before User model");
+			UserModel.email = loopback.Email;
+			assert(loopback.AccessToken, "AccessToken model must be defined before User model");
+			UserModel.accessToken = loopback.AccessToken;
+			UserModel.validate("email", emailValidator, { message: g.f("Must provide a valid email") });
+			if (UserModel.settings.realmRequired && UserModel.settings.realmDelimiter) {
+				UserModel.validatesUniquenessOf("email", {
+					message: "Email already exists",
+					scopedTo: ["realm"]
+				});
+				UserModel.validatesUniquenessOf("username", {
+					message: "User already exists",
+					scopedTo: ["realm"]
+				});
+			} else {
+				UserModel.validatesUniquenessOf("email", { message: "Email already exists" });
+				UserModel.validatesUniquenessOf("username", { message: "User already exists" });
+			}
+			return UserModel;
+		};
+		User.setup();
+		User.observe("access", function normalizeEmailCase(ctx, next) {
+			if (!ctx.Model.settings.caseSensitiveEmail && ctx.query.where && ctx.query.where.email && typeof ctx.query.where.email === "string") ctx.query.where.email = ctx.query.where.email.toLowerCase();
+			next();
+		});
+		User.observe("before save", function rejectInsecurePasswordChange(ctx, next) {
+			if (!ctx.Model.settings.rejectPasswordChangesViaPatchOrReplace) return next();
+			if (ctx.isNewInstance) return next();
+			const data = ctx.data || ctx.instance;
+			const isPasswordChange = "password" in data;
+			if (ctx.options.setPassword) {
+				if (hasMoreThanOneOwnEnumerableKey(data) || !isPasswordChange) return next(/* @__PURE__ */ new Error("Invalid use of \"options.setPassword\". Only \"password\" can be changed when using this option."));
+				return next();
+			}
+			if (!isPasswordChange) return next();
+			const err = /* @__PURE__ */ new Error("Changing user password via patch/replace API is not allowed. Use changePassword() or setPassword() instead.");
+			err.statusCode = 401;
+			err.code = "PASSWORD_CHANGE_NOT_ALLOWED";
+			next(err);
+		});
+		User.observe("before save", function prepareForTokenInvalidation(ctx, next) {
+			if (ctx.isNewInstance) return next();
+			if (!ctx.where && !ctx.instance) return next();
+			const pkName = ctx.Model.definition.idName() || "id";
+			let where = ctx.where;
+			if (!where) {
+				where = {};
+				where[pkName] = ctx.instance[pkName];
+			}
+			ctx.Model.find({ where }, ctx.options, function(err, userInstances) {
+				if (err) return next(err);
+				const originalUserData = new Array(userInstances.length);
+				for (let i = 0; i < userInstances.length; i++) {
+					const u = userInstances[i];
+					const user = {};
+					user[pkName] = u[pkName];
+					user.email = u.email;
+					user.password = u.password;
+					originalUserData[i] = user;
+				}
+				ctx.hookState.originalUserData = originalUserData;
+				let emailChanged;
+				if (ctx.instance) {
+					if (ctx.hookState.originalUserData.length > 0) emailChanged = ctx.instance.email !== ctx.hookState.originalUserData[0].email;
+					else emailChanged = true;
+					if (emailChanged && ctx.Model.settings.emailVerificationRequired) ctx.instance.emailVerified = false;
+				} else if (ctx.data.email) {
+					emailChanged = ctx.hookState.originalUserData.some(function(data) {
+						return data.email != ctx.data.email;
+					});
+					if (emailChanged && ctx.Model.settings.emailVerificationRequired) ctx.data.emailVerified = false;
+				}
+				next();
+			});
+		});
+		User.observe("after save", function invalidateOtherTokens(ctx, next) {
+			if (!ctx.instance && !ctx.data) return next();
+			if (!ctx.hookState.originalUserData) return next();
+			const pkName = ctx.Model.definition.idName() || "id";
+			const newEmail = (ctx.instance || ctx.data).email;
+			const newPassword = (ctx.instance || ctx.data).password;
+			if (!newEmail && !newPassword) return next();
+			if (ctx.options.preserveAccessTokens) return next();
+			const userIdsToExpire = [];
+			for (let i = 0; i < ctx.hookState.originalUserData.length; i++) {
+				const u = ctx.hookState.originalUserData[i];
+				if (newEmail && u.email !== newEmail || newPassword && u.password !== newPassword) userIdsToExpire.push(u[pkName]);
+			}
+			ctx.Model._invalidateAccessTokensOfUsers(userIdsToExpire, ctx.options, next);
+		});
+	}
+	function hasMoreThanOneOwnEnumerableKey(object) {
+		let count = 0;
+		for (const key in object) if (hasOwnProperty.call(object, key)) {
+			count++;
+			if (count > 1) return true;
+		}
+		return false;
+	}
+	function emailValidator(err, done) {
+		const value = this.email;
+		if (value == null) return;
+		if (typeof value !== "string") return err("string");
+		if (value === "") return;
+		if (!isEmail.validate(value)) return err("email");
+	}
+	function joinUrlPath(args) {
+		let result = arguments[0];
+		for (let ix = 1; ix < arguments.length; ix++) {
+			const next = arguments[ix];
+			result += result[result.length - 1] === "/" && next[0] === "/" ? next.slice(1) : next;
+		}
+		return result;
+	}
+	module.exports = configureUser;
+}));
+//#endregion
+module.exports = require_user();