2021-02-24 07:49:39 -05:00
|
|
|
|
defmodule Bones73k.Accounts.User do
|
2020-09-12 20:07:02 -04:00
|
|
|
|
use Ecto.Schema
|
|
|
|
|
import Ecto.Changeset
|
2020-09-12 20:14:06 -04:00
|
|
|
|
import EctoEnum
|
|
|
|
|
|
2021-03-04 22:03:27 -05:00
|
|
|
|
@roles [
|
|
|
|
|
user: "Basic user level",
|
|
|
|
|
manager: "Can create users, update user emails & passwords",
|
|
|
|
|
admin: "Can delete users and change user roles"
|
|
|
|
|
]
|
|
|
|
|
|
|
|
|
|
defenum(RolesEnum, :role, Keyword.keys(@roles))
|
2020-09-12 20:07:02 -04:00
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
@max_email 254
|
|
|
|
|
@min_password 6
|
|
|
|
|
@max_password 80
|
|
|
|
|
|
2020-09-12 20:07:02 -04:00
|
|
|
|
@derive {Inspect, except: [:password]}
|
2021-03-05 12:59:41 -05:00
|
|
|
|
@primary_key {:id, :binary_id, autogenerate: true}
|
2021-03-05 15:32:01 -05:00
|
|
|
|
# @foreign_key_type :binary_id
|
2020-09-12 20:07:02 -04:00
|
|
|
|
schema "users" do
|
|
|
|
|
field :email, :string
|
|
|
|
|
field :password, :string, virtual: true
|
|
|
|
|
field :hashed_password, :string
|
|
|
|
|
field :confirmed_at, :naive_datetime
|
|
|
|
|
|
2020-09-12 20:14:06 -04:00
|
|
|
|
field :role, RolesEnum, default: :user
|
2020-09-12 20:07:02 -04:00
|
|
|
|
timestamps()
|
|
|
|
|
end
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
def max_email, do: @max_email
|
|
|
|
|
def min_password, do: @min_password
|
|
|
|
|
def max_password, do: @max_password
|
2021-03-04 22:03:27 -05:00
|
|
|
|
def roles, do: @roles
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|
2020-09-12 20:07:02 -04:00
|
|
|
|
@doc """
|
|
|
|
|
A user changeset for registration.
|
|
|
|
|
|
|
|
|
|
It is important to validate the length of both email and password.
|
|
|
|
|
Otherwise databases may truncate the email without warnings, which
|
|
|
|
|
could lead to unpredictable or insecure behaviour. Long passwords may
|
|
|
|
|
also be very expensive to hash for certain algorithms.
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|
|
|
|
|
## Options
|
|
|
|
|
|
|
|
|
|
* `:hash_password` - Hashes the password so it can be stored securely
|
|
|
|
|
in the database and ensures the password field is cleared to prevent
|
|
|
|
|
leaks in the logs. If password hashing is not needed and clearing the
|
|
|
|
|
password field is not desired (like when using this changeset for
|
|
|
|
|
validations on a LiveView form), this option can be set to `false`.
|
|
|
|
|
Defaults to `true`.
|
2020-09-12 20:07:02 -04:00
|
|
|
|
"""
|
2021-02-27 08:17:30 -05:00
|
|
|
|
def registration_changeset(user, attrs, opts \\ []) do
|
2020-09-12 20:07:02 -04:00
|
|
|
|
user
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> cast(attrs, [:email, :password, :role])
|
|
|
|
|
|> validate_role()
|
2020-09-12 20:07:02 -04:00
|
|
|
|
|> validate_email()
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> validate_password(opts)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
end
|
|
|
|
|
|
2021-03-04 22:03:27 -05:00
|
|
|
|
# def update_changeset(user, attrs, opts \\ [])
|
|
|
|
|
|
|
|
|
|
# def update_changeset(user, %{"password" => ""} = attrs, _),
|
|
|
|
|
# do: update_changeset_no_pw(user, attrs)
|
|
|
|
|
|
|
|
|
|
# def update_changeset(user, %{password: ""} = attrs, _), do: update_changeset_no_pw(user, attrs)
|
|
|
|
|
|
|
|
|
|
def update_changeset(user, attrs, opts) do
|
|
|
|
|
user
|
|
|
|
|
|> cast(attrs, [:email, :password, :role])
|
|
|
|
|
|> validate_role()
|
|
|
|
|
|> validate_email()
|
|
|
|
|
|> validate_password_not_required(opts)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# def update_changeset_no_pw(user, attrs) do
|
|
|
|
|
# user
|
|
|
|
|
# |> cast(attrs, [:email, :role])
|
|
|
|
|
# |> validate_role()
|
|
|
|
|
# |> validate_email()
|
|
|
|
|
# end
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
defp role_validator(:role, role) do
|
|
|
|
|
(RolesEnum.valid_value?(role) && []) || [role: "invalid user role"]
|
2020-09-12 20:37:05 -04:00
|
|
|
|
end
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
defp validate_role(changeset) do
|
|
|
|
|
changeset
|
|
|
|
|
|> validate_required([:role])
|
|
|
|
|
|> validate_change(:role, &role_validator/2)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
defp validate_email_format(changeset) do
|
|
|
|
|
r_email = ~r/^[\w.!#$%&’*+\-\/=?\^`{|}~]+@[a-z0-9-]+(\.[a-z0-9-]+)*$/i
|
|
|
|
|
|
2020-09-12 20:07:02 -04:00
|
|
|
|
changeset
|
|
|
|
|
|> validate_required([:email])
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> validate_format(:email, r_email, message: "must be a valid email address")
|
|
|
|
|
|> validate_length(:email, max: @max_email)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
defp validate_email(changeset) do
|
|
|
|
|
changeset
|
|
|
|
|
|> validate_email_format()
|
2021-02-24 07:49:39 -05:00
|
|
|
|
|> unsafe_validate_unique(:email, Bones73k.Repo)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
|> unique_constraint(:email)
|
|
|
|
|
end
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
defp validate_password(changeset, opts) do
|
2020-09-12 20:07:02 -04:00
|
|
|
|
changeset
|
|
|
|
|
|> validate_required([:password])
|
2021-03-04 22:03:27 -05:00
|
|
|
|
|> validate_password_not_required(opts)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
defp validate_password_not_required(changeset, opts) do
|
|
|
|
|
changeset
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> validate_length(:password, min: @min_password, max: @max_password)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
# |> validate_format(:password, ~r/[a-z]/, message: "at least one lower case character")
|
|
|
|
|
# |> validate_format(:password, ~r/[A-Z]/, message: "at least one upper case character")
|
|
|
|
|
# |> validate_format(:password, ~r/[!?@#$%^&*_0-9]/, message: "at least one digit or punctuation character")
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> maybe_hash_password(opts)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
end
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
defp maybe_hash_password(changeset, opts) do
|
|
|
|
|
hash_password? = Keyword.get(opts, :hash_password, true)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
password = get_change(changeset, :password)
|
|
|
|
|
|
2021-02-27 08:17:30 -05:00
|
|
|
|
if hash_password? && password && changeset.valid? do
|
|
|
|
|
changeset
|
|
|
|
|
|> put_change(:hashed_password, Bcrypt.hash_pwd_salt(password))
|
|
|
|
|
|> delete_change(:password)
|
|
|
|
|
else
|
|
|
|
|
changeset
|
|
|
|
|
end
|
2020-09-12 20:37:05 -04:00
|
|
|
|
end
|
|
|
|
|
|
2020-09-12 20:07:02 -04:00
|
|
|
|
@doc """
|
|
|
|
|
A user changeset for changing the email.
|
|
|
|
|
|
|
|
|
|
It requires the email to change otherwise an error is added.
|
|
|
|
|
"""
|
|
|
|
|
def email_changeset(user, attrs) do
|
|
|
|
|
user
|
|
|
|
|
|> cast(attrs, [:email])
|
|
|
|
|
|> validate_email()
|
|
|
|
|
|> case do
|
|
|
|
|
%{changes: %{email: _}} = changeset -> changeset
|
|
|
|
|
%{} = changeset -> add_error(changeset, :email, "did not change")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@doc """
|
|
|
|
|
A user changeset for changing the password.
|
|
|
|
|
"""
|
2021-02-27 08:17:30 -05:00
|
|
|
|
def password_changeset(user, attrs, opts \\ []) do
|
2020-09-12 20:07:02 -04:00
|
|
|
|
user
|
|
|
|
|
|> cast(attrs, [:password])
|
|
|
|
|
|> validate_confirmation(:password, message: "does not match password")
|
2021-02-27 08:17:30 -05:00
|
|
|
|
|> validate_password(opts)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@doc """
|
|
|
|
|
Confirms the account by setting `confirmed_at`.
|
|
|
|
|
"""
|
|
|
|
|
def confirm_changeset(user) do
|
|
|
|
|
now = NaiveDateTime.utc_now() |> NaiveDateTime.truncate(:second)
|
|
|
|
|
change(user, confirmed_at: now)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@doc """
|
|
|
|
|
Verifies the password.
|
|
|
|
|
|
|
|
|
|
If there is no user or the user doesn't have a password, we call
|
|
|
|
|
`Bcrypt.no_user_verify/0` to avoid timing attacks.
|
|
|
|
|
"""
|
2021-02-24 07:49:39 -05:00
|
|
|
|
def valid_password?(%Bones73k.Accounts.User{hashed_password: hashed_password}, password)
|
2020-09-12 20:07:02 -04:00
|
|
|
|
when is_binary(hashed_password) and byte_size(password) > 0 do
|
|
|
|
|
Bcrypt.verify_pass(password, hashed_password)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def valid_password?(_, _) do
|
|
|
|
|
Bcrypt.no_user_verify()
|
|
|
|
|
false
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
@doc """
|
|
|
|
|
Validates the current password otherwise adds an error to the changeset.
|
|
|
|
|
"""
|
|
|
|
|
def validate_current_password(changeset, password) do
|
|
|
|
|
if valid_password?(changeset.data, password) do
|
|
|
|
|
changeset
|
|
|
|
|
else
|
|
|
|
|
add_error(changeset, :current_password, "is not valid")
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|