Commit Graph

85 Commits

Author SHA1 Message Date
Egon Elbre
8beb78ec3f {satellite,multinode}/console: fix WriteHeader
w.Header().Set needs to be called before WriteHeader,
because WriteHeader sends all the headers and calls to
Set won't have any effect afterwards.

Change-Id: Ia6b1c5e2cd54201a6c3980d63de04a0095b2db9a
2023-05-08 18:18:30 +00:00
Wilfred Asomani
bf05040dd6 satellite/{console,db}: allow passphrasepromt toggling
This change adds the user's passphrase prompt setting to the
/account/settings endpoints.

Issue: https://github.com/storj/storj/issues/5616

Change-Id: I48d470d49e82096fd090b74da323b279e342546e
2023-05-04 19:26:54 +00:00
Wilfred Asomani
9ac5183c7e satellite/consoleweb: improve freeze-status endpoint
This change adds a freeze status endpoint that gets whether a user is
frozen or warned.

Change-Id: I0bc498a128af969177c2cfcfda9b9ee3d8968305
2023-04-18 19:57:05 +00:00
Wilfred Asomani
771d2269ab satellite/analytics: separate hubspot form for personal vs business
This change separates hubspot form submission for personal and business
accounts, with new company name and storage needs fields.

Issue: https://github.com/storj/storj-private/issues/220

Change-Id: Ieb0fb64f87614c7327dc5f894140fb8a54ededa0
2023-04-17 16:28:56 +00:00
Wilfred Asomani
5b65e10563 satellite/console: enable session timeout configuration
This another account endpoint; patch /auth/account/settings. to handle
changing a user's settings, including their session timeout config.

Issue: https://github.com/storj/storj/issues/5560

Change-Id: I747b4e919cf7cef7c867ac9d282837ef51bed67e
2023-04-07 21:05:36 +00:00
Wilfred Asomani
41bfbbe772 satellite/console: add endpoint to get user settings
This change adds an endpoint that gets a user's settings. It will
create a new settings entry if no settings exists. There's also a new
endpoint to change a user's onboarding status.

Issue: https://github.com/storj/storj/issues/5661

Change-Id: I9941bb9d61994af46244003f3ef4fcfe7d36918e
2023-03-24 22:19:08 +00:00
Jeremy Wharton
31ec4fae9e web/satellite: add pricing plan selection to onboarding tour
A pricing plan selection step for users with a recognized partner has
been added to the beginning of the onboarding tour. Once visited, users
have the option of purchasing the pricing plan associated with their
partner or proceeding as a paid or free tier user.

Resolves storj-private#118
Resolves storj-private#126

Change-Id: I3b423194d96deaf87cf9807a766bf4d04fbcf86d
2023-02-28 20:49:59 -06:00
Jeremy Wharton
3fa31c2077 satellite/console/consoleweb: remove trailing slash from URLs
This change removes the trailing slash from the account activation and
password recovery URLs, making them consistent with the rest. The URLs'
previous forms are still supported, however, in order to not invalidate
emails containing them.

Resolves storj/customer-issues#491

Change-Id: Ie774a87698d8e9edd1836611968fc3911c6cc56f
2023-02-21 19:15:36 +00:00
Wilfred Asomani
8ec3bc5803 web/satellite: move banners into page content
The banners on the web satellite previously hovered over the page
and overlapped other content as a result. This change moves them
into the page content so it overlaps nothing and is scrollable off-screen
This change also makes the upgrade banner only show on the dashboard and
only if the user joined more than seven days ago.

Issue: https://github.com/storj/storj/issues/5525

Change-Id: I7278c31201f09d3515d907b833622b04c6de8557
2023-02-08 09:22:58 +00:00
Jeremy Wharton
897de167a6 satellite/console,web/satellite: remove user input from welcome and invite emails
Emails should not contain user input that could be used by malicious
agents to deliver a message. Usernames have been removed from
account activation emails, and project names have been removed from
project invitation emails.

References storj-private#133

Change-Id: Ic05921149b409145df109c0966ea5dfd86d86eb1
2023-02-01 16:29:57 +00:00
Wilfred Asomani
3a714cefcf satellite: remove rewards package
Affected packages admin,attribution,console,metainfo,satellitedb,web,payments
This change removes the satellite/rewards package and its related usages.
It removes references to APIKeyInfo/PartnerID, Project/PartnerID
 and User/PartnerID.

Issue: https://github.com/storj/storj/issues/5432

Change-Id: Ieaa352ee848db45e94f85556febdbcf1444d8c3e
2023-01-31 11:46:50 +00:00
Moby von Briesen
7c152f7ea0 satellite/console: Filter new characters out of user input
HTML and JS escape user input for create and update user.

Change-Id: I91d972f454341a5a7f333d006a87c6f854595490
2023-01-25 22:52:37 +00:00
Vitalii
2ebdc5ff2f web/satellite: unauthorized error (401) interception for http requests
Implemented interception for http requests.
We redirect user to login page on every 401 response.

Issue:
https://github.com/storj/storj/issues/5339

Change-Id: Icba4fc0031cb2b4e682a1be078cdcf95b7fa6bfe
2022-12-20 07:14:17 +00:00
Lizzy Thomson
678bb12d4b satellite/admin: create an endpoint for isAccountFrozen
Endpoint checks if an account is frozen or unfrozen.

relates to https://github.com/storj/storj/issues/5398

Change-Id: I8ff44063870327e05cf729eaaaed1da6c5fa9217
2022-12-16 22:53:44 +00:00
Lizzy Thomson
9fedc21fea satellite/console account session management for enabling/disabling MFA
Adds DeleteAllSessionsByUserIDExcept which removes all sessions except the specified session from the database and applies this function to enableMFA and disableMFA

addresses https://github.com/storj/storj-private/issues/15

Change-Id: I5d8c620dadbbda4a1b430ccf8a6121e167dd0761
2022-12-08 18:32:35 +00:00
Cameron
a3ff3eb193 satellite/nodeevents: validate emails before notifying
Simple email validation before attempting to send notifications. If the
email is not valid, skip sending notifications and go to update
email_sent so we don't try it again. Also, move ValidateEmail function
into new package so it can be used in nodeevents without import cycle.

Change-Id: I63ce0fc84f7b1d964f7cc6da61206f54baaf1a21
2022-12-06 09:59:45 -05:00
Jeremy Wharton
54a64e1e50 satellite/console: remove error type for incorrect password
This change removes the error type that is returned when a token
request contains an incorrect password. Instead, the generic error
type for invalid login credentials is used.

Change-Id: Ia7dbc38f4a08aeaeeac7ff5b5a801233e349b8b3
2022-11-30 17:04:35 +00:00
Wilfred Asomani
2442ba415f satellite/{web,console}: token links expiry changes
This change reduces the token links expiry time from 24h to 30m and improves the UI to promt users of the expiration.

see: https://github.com/storj/storj-private/issues/17

Change-Id: Iac00f5740fa84069937fdf9bd30a739b6db2a9e0
2022-11-29 21:44:42 +00:00
Jeremy Wharton
7a2be3e6f6 private/web,satellite/console/.../consoleapi: serve rate limiting errors as JSON
This change causes rate limiting errors to be returned to the client
as JSON objects rather than plain text to prevent the satellite UI from
encountering issues when trying to parse them.

Resolves storj/customer-issues#88

Change-Id: I11abd19068927a22f1c28d18fc99e7dad8461834
2022-11-23 17:56:07 +00:00
Jeremy Wharton
b7ae52fb35 web/satellite: add captcha verification to forgot password form
This change adds the option of requiring users to pass a captcha
verification before password recovery emails can be sent to them.
The captcha for the Forgot Password form shares a configuration with
the one for the login form.

Change-Id: I27fdb4ed42cd9da1b4b8b1e80357892dc4091765
2022-09-22 15:20:04 +00:00
Jeremy Wharton
3f26cc599f satellite/console,web/satellite: invalidate sessions after inactivity
Sessions now expire after a much shorter amount of time, requiring
clients to issue API requests for session extension. This is handled
behind the scenes as the user interacts with the page, but once session
expiration is imminent, a modal appears which informs the user of his
inactivity and presents him with the choice of loging out or preserving
his session.

Change-Id: I68008d45859c814a835d65d882ad5ad2199d618e
2022-08-23 15:51:05 +00:00
kimbotsao
3afd7bcc8b satellite/console: Reset passwords invalidates all current user sessions.
Logs out all current user sessions when a password is changed through both the
forgot password and change password methods.

Change-Id: Iaf9b4969aa45441591524906af326b9dec17939f
2022-08-08 14:49:51 +00:00
Vitalii
d76acda27e satellite/{web, console}: removed account locked statuses
Removed all the account locked messages.
Removed toast notification for login screen.
Updated wrong login credentials message.

Issues:
https://github.com/storj/storj/issues/4910
https://github.com/storj/storj/issues/4953

Change-Id: I1ac0ce16d3c1317204c28a509c21ebf3686a145e
2022-08-04 16:19:23 +00:00
Vitalii
ec72adb2a6 satellite/console: send email when user's account gets locked
We send an email when user's account gets locked.

Issue: https://github.com/storj/storj/issues/4967

Change-Id: I68beceda0ac09128755c0333dfa014bd5a186317
2022-08-04 10:39:20 +00:00
Vitalii
f562277344 satellite/{web,console}: added string length limits for signup partner and promo params
Added string length limits for registration partner and promo params.
Limitation added both on client and server sides.

Issue: https://github.com/storj/storj-private/issues/44

Change-Id: Ifae04caad1775e0a8ca72ae7f9abcf0ea5fb564b
2022-08-04 07:40:33 +00:00
Moby von Briesen
78fa0c11a3 satellite/analytics: Add user agent to TrackCreateUser
Send UserAgent (as "signup_partner") to Segment and Hubspot.

Change-Id: I3313eb902e87b429e7fa8e18afd397a63a3ed07d
2022-07-29 17:27:24 -04:00
Cameron
b4ea1bac42 satellite/console/consoleweb: send email when account already exists
When a someone tries to create an account with an email that is already
associated with a verified account, send them an email with options to
sign in, create an account on another satellite, or reset password.

Change-Id: I844144d88b7356bd7064c4840c9441347a5368b0
2022-07-28 15:29:16 +00:00
Vitalii
69dc9a4731 satellite/console: added new email which is sent on unknown password reset
Added new email html template.
It is sent when user tries to reset password with unknown or unverified account.
Made a couple of minor config changes.

Issue: https://github.com/storj/storj/issues/4913

Change-Id: I730f48b3478e302d1e38e1f8a27c75f66a8ba6fd
2022-07-14 14:32:59 +00:00
Jeremy Wharton
58c5d44f44 satellite/console: integrate sessions into satellite UI
This change integrates the session management database functionality
with the web application. Claim-based authentication has been removed
in favor of session token-based authentication.

Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b
2022-06-13 08:02:02 +00:00
Malcolm Bouzi
087e57d037 web/satellite: create chore that will resend verification emails to unverified users
We want to remind unverified users to verify their emails:
once after 24 hours has passed and again after 5 days has passed.

Add mailservice.Service to satellite core because it is needed by the
chore for sending emails. To add the mailservice.Service to the core,
we create a helper function in satellite/peer.go to avoid duplicating
the code in both api.go and core.go. In addition to the chore, this
change adds methods to users.DB to get unverified users in need of
reminder.

Change-Id: I4e515bdf43f922788b4f965b2efb34fa32288bd1
2022-05-18 08:08:33 +00:00
Moby von Briesen
763bfc0913 satellite/console,web/satellite: Implement hCaptcha
Adds a new configuration for hcaptcha enabled, secretkey, and sitekey.
If both reCAPTCHA and hCaptcha are configured as "enabled", reCAPTCHA
will be used.

Change-Id: I73cc6e133d8da3555e0ed8b2b377cf9eb263e6dc
2022-05-13 14:57:45 +00:00
Vitalii
dedccbd2e4 satellite/console, web/satellite: limit failed login attempts
Added account locking on 3 or more login attempts.
Includes both password and MFA failed attempts on login.
Unlock account on successful password reset.

Change-Id: If4899b40ab4a77d531c1f18bfe22cee2cffa72e0
2022-05-11 14:49:11 +00:00
Vitalii
9b695525c6 satellite/console: fixed small email validation issues
Moved invalid email testing to separate test.
Made all the emails used to have .test domain.
Added links to regex resources.

Change-Id: I26920ba7360064528256a6aeaea947bbe56ef618
2022-04-04 09:43:33 +00:00
Moby von Briesen
0018d62837 satellite/analytics: Associate Hubspot token with new user
If a visitor has accepted cookies on www.storj.io, there might be a
"hubspotutk" cookie in their browser upon account creation. This allows
Hubspot to link website activity with a newly created user.

Change-Id: If06c67fb4d2e5dd3cf46c1fe80a0e9d7f25d6e58
2022-03-29 16:25:33 -04:00
Vitalii Shpital
60b209e47d web/satellite, satellite/console: reworked registration email validation
Reworked email validation for new users (for old users trying to login or reset password validation remains the same).
Regular expression was built according to RFC 5322 and then extended to include international characters.

Change-Id: Id0224fee21a1ec0f8a2dcca5b8431197dee6b9d3
2022-03-16 09:40:53 +00:00
Jeremy Wharton
66e6a75e2a satellite/console,web/satellite: Add MFA to password reset
Users will be required to enter a MFA passcode or recovery code
upon attempting a password reset for an account with MFA enabled.

Change-Id: I08d07597035d5a25849dbc70f7fd686753530610
2022-03-03 17:27:04 +00:00
Malcolm Bouzi
3451162583 web/console: Save timestamp when creating users to mark their first email verification notification.
This value will be updated whenever we send a reminder for a user to verify their email.

Change-Id: I7f08b16eccc6633b8eb3662eb7efed1f1f780f44
2022-01-24 16:53:51 +00:00
Malcolm Bouzi
c30c7def44 satellite/{console,payments},web/satellite: save signup promo code to newly registered users
Users signing up through a url containing a promo code will have that code applied to their stripe account instead of the free tier coupon.

Change-Id: I071041b0934648ef3f5bdb05b6ec97c400f89ae4
2022-01-21 15:02:22 +00:00
Moby von Briesen
464b4b02fa satellite/console/consoleweb: Only replace some kinds of characters in name
The previous change (59648dc272) ends up removing a lot of characters
for valid non-English names. Instead, only replace URL characters such
as slashes, colons, and periods. Since someone may use these characters
to separate two parts of a name, e.g. Name1/Name2, replace these
characters with a hyphen.

Change-Id: I4cc3d1bdb05d525a83970cf1b42479414c9678e7
2022-01-20 11:13:26 -05:00
Moby von Briesen
59648dc272 satellite/console: Filter special characters out of name
When a user is created, but before verification or forgot password email
is sent, remove any special characters in the provided name. This
protects us against certain phishing attacks.

Change-Id: Ieddd3479da20eb80b9f1b56eb86c8f46bca2642c
2022-01-20 00:18:56 +00:00
Moby von Briesen
5351c43757 satellite/analytics: track origin header and referer on signup
This allows us to distinguish between accounts created from the signup
page vs. from www.storj.io.
Also set a field `account_created=true` when we send so
that we can see when existing leads have created an account.

Change-Id: Ibef34825a08b6c68b8f2869625e576bb837520e5
2022-01-03 17:47:48 +00:00
Jeremy Wharton
9d13c649a2 satellite/{console,satellitedb}: Forbid creating users with used email
This change disallows creation of users possessing the same email.
If a user attempts to create an account with an email address
that's already used - whether it belongs to an active account or not -
he will be notified of unsuccessful account creation. If he attempts to
log in using an email address belonging to an inactive account,
he will be presented with a link allowing him to re-send the
verification email. Attempting to register with an email address
belonging to an existing account triggers a password reset email.

Change-Id: Iefd8c3bef00ecb1dd9e8504594607aa0dca7d82e
2021-12-15 17:24:35 +00:00
dlamarmorgan
4bbf667ad1 satellite/{satellitedb,attribution,console}: value attribution changes that add userAgent field to buckets table and all tables that have partner_id
Change-Id: I36a13bb651b86bfc14fe5a0a2258f719e6cd2b48
2021-10-18 13:56:19 +00:00
Moby von Briesen
7b4a09c1ea satellite/console: Allow basic headers in CORS preflight
Currently, post requests originating from www.storj.io are failing
because the content-type header is not permitted for the /register
endpoint.

Change-Id: I14f21c2a27d8f0c8bae3609a5bf4b1e69a72c119
2021-08-25 12:47:14 -04:00
Jeremy Wharton
96e39018c7 satellite/console,web/satellite: Allow disabling MFA with recovery code
This change allows users to disable multi-factor authentication
with a recovery code. Previously, users could only disable MFA
with a passcode.

Change-Id: Iec20bf7d8f6781182b81d1f17d9641491dbc8460
2021-08-18 14:34:17 +00:00
Jeremy Wharton
24b39b7559 web/satellite: Warn user if number of MFA recovery codes is low
Adds a banner at the top of the dashboard warning the user if he
has 3 or less MFA recovery codes.

Change-Id: I3271f1fe33501eaeeeca343bf60ca899e80f0fa1
2021-08-18 13:18:34 +00:00
Moby von Briesen
1fa0cfbfe0 satellite/console: Add CORS headers for register endpoint
Set the Access-Control-Allow-Origin header if a request is made to the
registration endpoint from storj.io or www.storj.io. This allows the
client to make the request with no issues.

Change-Id: I0cd747ececfe877fb5f834d8292307fc14e3db5c
2021-08-16 17:46:08 -04:00
Jeremy Wharton
51ebc564d9 web/satellite,satellite/console: Overhaul password reset
Updates the password reset page to use the new theme.
Adds new endpoint '/api/v0/auth/reset-password'
for password reset.

Additionally, updates the link-clicking mail simulator to only
click links with a specified attribute. Otherwise, the password reset
cancellation link would be clicked before the password reset link
could be accessed, rendering testing impossible.

Change-Id: I8fde74ef7ad980880a7bf6558e3b9ed31509a393
2021-08-12 17:40:53 +00:00
Vitalii Shpital
c6c2a1daf9 web/satellite: added MFA login step
Added Enter MFA passcode step to login after first attempt.
Connected client-side and server-side.

Change-Id: I4482afde50172bbf2c598aa01bbd220763b4f6d1
2021-07-30 08:50:19 +00:00
Jeremy Wharton
dae6ed7d03 satellite/console: Implement MFA backend
Added MFA passcode and recovery code field for token requests.
Added endpoints for MFA-related activity: enabling MFA,
disabling MFA, generating a new MFA secret key, and
generating new MFA recovery codes.

Change-Id: Ia1443f05d3a2fecaa7f170f56d73c7a4e9b69ad5
2021-07-26 16:37:05 +00:00