Commit Graph

95 Commits

Author SHA1 Message Date
Jeremy Wharton
7f9317aa48 satellite/console: fix account creation race condition
This change fixes an issue where multiple unverified users with the
same email address could be created if registration requests were
sent sufficiently close to one another.

Resolves #6156

Change-Id: If8b1a145bcab842ace718119183de59947430463
2023-08-21 16:52:11 +00:00
Wilfred Asomani
4ee647a951 satellite: add request id to requests
This change adds request IDs to requests, logs them as part of audit
logs and sends to the client on error. This is to improve debugging
of customer issues.

Issue: https://github.com/storj/storj/issues/5898

Change-Id: I801514b547d28d810552d91aa7c8502051e552bf
2023-07-13 09:22:43 +00:00
Cameron
7e03ccfa46 satellite/console: optional separate web app server
This change creates the ability to run a server separate from the
console web server to serve the front end app. You can run it with
`satellite run ui`. Since there are now potentially two servers instead
of one, the UI server has the option to act as a reverse proxy to the
api server for local development by setting `--console.address` to the
console backend address and `--console.backend-reverse-proxy` to the
console backend's http url. Also, a feature flag has been implemented
on the api server to retain the ability to serve the front end app. It
is toggled with `--console.frontend-enable`.

github issue: https://github.com/storj/storj/issues/5843

Change-Id: I0d30451a20636e3184110dbe28c8a2a8a9505804
2023-07-11 12:17:35 -04:00
Vitalii
5fc6eaab17 satellite/{console, web}: display accurate legacy free tier information in upgrade modal
Updated upgrade account modal to show user account free tier limits instead of hardcoded values.

Issue:
https://github.com/storj/storj/issues/5939

Change-Id: I26ffbe2571c5ca4b37f02bec5211bac986bedc6a
2023-07-07 09:23:36 +00:00
Jeremy Wharton
ec780003f0 web/satellite: add responsiveness to upgrade notification
The upgrade notification has been updated to adapt to mobile screens
accordance with our designs.

Additionally, an issue where the notification would display "0B free
included" when displayed in the All Projects Dashboard has been fixed.

Change-Id: Ic13b9426ab5d6529c9d7b2ad8446a17da74905b1
2023-06-28 09:34:53 -05:00
Moby von Briesen
7530a3a83d satellite/console: add CORS middleware to satellite UI and API
Add some basic handling to set cross-origin resource sharing headers for
the satellite UI app handler as well as API endpoints used by the
satellite UI.

This change also removes some no-longer-necessary CORS functionality on
the account registration endpoint. Previously, these CORS headers were
used to enable account registration cross-origin from www.storj.io.
However, we have since removed the ability to sign up via www.storj.io.

With these changes, browsers will prevent any requests to the affected
endpoints, unless the browser is making the request from the same host
as the satellite.

see https://github.com/storj/storj-private/issues/242

Change-Id: Ifd98be4a142a2e61e26392d97242d911e051fe8a
2023-06-23 17:46:44 +00:00
Jeremy Wharton
7d039364b9 satellite/console/.../consoleapi: keep special chars in registration info
We no longer use registration information in ways that could be
exploited by malicious agents, so filtering special characters is not
necessary and has been removed.

Resolves storj-private#133

Change-Id: I3eb4803c71ccb307b38f0288fe2af5eec70f8309
2023-06-07 01:52:50 +00:00
Wilfred Asomani
2e3ed973de satellite/{consoleapi,web}: limit user input
This change limits the length of user input fields like search, email,
username. It also limits the receivable size of request payloads.
This is to prevent potential DDoS attacks resulting from receiving
large payloads.
Improvements are also made to the accounts page and register success
pages to display long names/emails better.

Issue: https://github.com/storj/storj-private/issues/201

Change-Id: I5d36eb83609b3605335a8d150b275c89deaf3b43
2023-06-05 11:43:56 +00:00
Lizzy Thomson
f87772a0d3 satellite/console: bug fix for using a API key to retrieve a session
Change-Id: I0202f75fb78f42af9e7cb00bb3ac73839340c977
2023-05-16 14:06:32 -06:00
Lizzy Thomson
7e69b22dd4 satellite/console: retrieve a web UI session using a API key
retrieve a web UI session using a API key and add new test

Issue https://github.com/storj/storj/issues/5688

Change-Id: I0ad9c783f0573b87b212b8fb065cdbf7074b782c
2023-05-15 10:24:58 -06:00
Egon Elbre
8beb78ec3f {satellite,multinode}/console: fix WriteHeader
w.Header().Set needs to be called before WriteHeader,
because WriteHeader sends all the headers and calls to
Set won't have any effect afterwards.

Change-Id: Ia6b1c5e2cd54201a6c3980d63de04a0095b2db9a
2023-05-08 18:18:30 +00:00
Wilfred Asomani
bf05040dd6 satellite/{console,db}: allow passphrasepromt toggling
This change adds the user's passphrase prompt setting to the
/account/settings endpoints.

Issue: https://github.com/storj/storj/issues/5616

Change-Id: I48d470d49e82096fd090b74da323b279e342546e
2023-05-04 19:26:54 +00:00
Wilfred Asomani
9ac5183c7e satellite/consoleweb: improve freeze-status endpoint
This change adds a freeze status endpoint that gets whether a user is
frozen or warned.

Change-Id: I0bc498a128af969177c2cfcfda9b9ee3d8968305
2023-04-18 19:57:05 +00:00
Wilfred Asomani
771d2269ab satellite/analytics: separate hubspot form for personal vs business
This change separates hubspot form submission for personal and business
accounts, with new company name and storage needs fields.

Issue: https://github.com/storj/storj-private/issues/220

Change-Id: Ieb0fb64f87614c7327dc5f894140fb8a54ededa0
2023-04-17 16:28:56 +00:00
Wilfred Asomani
5b65e10563 satellite/console: enable session timeout configuration
This another account endpoint; patch /auth/account/settings. to handle
changing a user's settings, including their session timeout config.

Issue: https://github.com/storj/storj/issues/5560

Change-Id: I747b4e919cf7cef7c867ac9d282837ef51bed67e
2023-04-07 21:05:36 +00:00
Wilfred Asomani
41bfbbe772 satellite/console: add endpoint to get user settings
This change adds an endpoint that gets a user's settings. It will
create a new settings entry if no settings exists. There's also a new
endpoint to change a user's onboarding status.

Issue: https://github.com/storj/storj/issues/5661

Change-Id: I9941bb9d61994af46244003f3ef4fcfe7d36918e
2023-03-24 22:19:08 +00:00
Jeremy Wharton
31ec4fae9e web/satellite: add pricing plan selection to onboarding tour
A pricing plan selection step for users with a recognized partner has
been added to the beginning of the onboarding tour. Once visited, users
have the option of purchasing the pricing plan associated with their
partner or proceeding as a paid or free tier user.

Resolves storj-private#118
Resolves storj-private#126

Change-Id: I3b423194d96deaf87cf9807a766bf4d04fbcf86d
2023-02-28 20:49:59 -06:00
Jeremy Wharton
3fa31c2077 satellite/console/consoleweb: remove trailing slash from URLs
This change removes the trailing slash from the account activation and
password recovery URLs, making them consistent with the rest. The URLs'
previous forms are still supported, however, in order to not invalidate
emails containing them.

Resolves storj/customer-issues#491

Change-Id: Ie774a87698d8e9edd1836611968fc3911c6cc56f
2023-02-21 19:15:36 +00:00
Wilfred Asomani
8ec3bc5803 web/satellite: move banners into page content
The banners on the web satellite previously hovered over the page
and overlapped other content as a result. This change moves them
into the page content so it overlaps nothing and is scrollable off-screen
This change also makes the upgrade banner only show on the dashboard and
only if the user joined more than seven days ago.

Issue: https://github.com/storj/storj/issues/5525

Change-Id: I7278c31201f09d3515d907b833622b04c6de8557
2023-02-08 09:22:58 +00:00
Jeremy Wharton
897de167a6 satellite/console,web/satellite: remove user input from welcome and invite emails
Emails should not contain user input that could be used by malicious
agents to deliver a message. Usernames have been removed from
account activation emails, and project names have been removed from
project invitation emails.

References storj-private#133

Change-Id: Ic05921149b409145df109c0966ea5dfd86d86eb1
2023-02-01 16:29:57 +00:00
Wilfred Asomani
3a714cefcf satellite: remove rewards package
Affected packages admin,attribution,console,metainfo,satellitedb,web,payments
This change removes the satellite/rewards package and its related usages.
It removes references to APIKeyInfo/PartnerID, Project/PartnerID
 and User/PartnerID.

Issue: https://github.com/storj/storj/issues/5432

Change-Id: Ieaa352ee848db45e94f85556febdbcf1444d8c3e
2023-01-31 11:46:50 +00:00
Moby von Briesen
7c152f7ea0 satellite/console: Filter new characters out of user input
HTML and JS escape user input for create and update user.

Change-Id: I91d972f454341a5a7f333d006a87c6f854595490
2023-01-25 22:52:37 +00:00
Vitalii
2ebdc5ff2f web/satellite: unauthorized error (401) interception for http requests
Implemented interception for http requests.
We redirect user to login page on every 401 response.

Issue:
https://github.com/storj/storj/issues/5339

Change-Id: Icba4fc0031cb2b4e682a1be078cdcf95b7fa6bfe
2022-12-20 07:14:17 +00:00
Lizzy Thomson
678bb12d4b satellite/admin: create an endpoint for isAccountFrozen
Endpoint checks if an account is frozen or unfrozen.

relates to https://github.com/storj/storj/issues/5398

Change-Id: I8ff44063870327e05cf729eaaaed1da6c5fa9217
2022-12-16 22:53:44 +00:00
Lizzy Thomson
9fedc21fea satellite/console account session management for enabling/disabling MFA
Adds DeleteAllSessionsByUserIDExcept which removes all sessions except the specified session from the database and applies this function to enableMFA and disableMFA

addresses https://github.com/storj/storj-private/issues/15

Change-Id: I5d8c620dadbbda4a1b430ccf8a6121e167dd0761
2022-12-08 18:32:35 +00:00
Cameron
a3ff3eb193 satellite/nodeevents: validate emails before notifying
Simple email validation before attempting to send notifications. If the
email is not valid, skip sending notifications and go to update
email_sent so we don't try it again. Also, move ValidateEmail function
into new package so it can be used in nodeevents without import cycle.

Change-Id: I63ce0fc84f7b1d964f7cc6da61206f54baaf1a21
2022-12-06 09:59:45 -05:00
Jeremy Wharton
54a64e1e50 satellite/console: remove error type for incorrect password
This change removes the error type that is returned when a token
request contains an incorrect password. Instead, the generic error
type for invalid login credentials is used.

Change-Id: Ia7dbc38f4a08aeaeeac7ff5b5a801233e349b8b3
2022-11-30 17:04:35 +00:00
Wilfred Asomani
2442ba415f satellite/{web,console}: token links expiry changes
This change reduces the token links expiry time from 24h to 30m and improves the UI to promt users of the expiration.

see: https://github.com/storj/storj-private/issues/17

Change-Id: Iac00f5740fa84069937fdf9bd30a739b6db2a9e0
2022-11-29 21:44:42 +00:00
Jeremy Wharton
7a2be3e6f6 private/web,satellite/console/.../consoleapi: serve rate limiting errors as JSON
This change causes rate limiting errors to be returned to the client
as JSON objects rather than plain text to prevent the satellite UI from
encountering issues when trying to parse them.

Resolves storj/customer-issues#88

Change-Id: I11abd19068927a22f1c28d18fc99e7dad8461834
2022-11-23 17:56:07 +00:00
Jeremy Wharton
b7ae52fb35 web/satellite: add captcha verification to forgot password form
This change adds the option of requiring users to pass a captcha
verification before password recovery emails can be sent to them.
The captcha for the Forgot Password form shares a configuration with
the one for the login form.

Change-Id: I27fdb4ed42cd9da1b4b8b1e80357892dc4091765
2022-09-22 15:20:04 +00:00
Jeremy Wharton
3f26cc599f satellite/console,web/satellite: invalidate sessions after inactivity
Sessions now expire after a much shorter amount of time, requiring
clients to issue API requests for session extension. This is handled
behind the scenes as the user interacts with the page, but once session
expiration is imminent, a modal appears which informs the user of his
inactivity and presents him with the choice of loging out or preserving
his session.

Change-Id: I68008d45859c814a835d65d882ad5ad2199d618e
2022-08-23 15:51:05 +00:00
kimbotsao
3afd7bcc8b satellite/console: Reset passwords invalidates all current user sessions.
Logs out all current user sessions when a password is changed through both the
forgot password and change password methods.

Change-Id: Iaf9b4969aa45441591524906af326b9dec17939f
2022-08-08 14:49:51 +00:00
Vitalii
d76acda27e satellite/{web, console}: removed account locked statuses
Removed all the account locked messages.
Removed toast notification for login screen.
Updated wrong login credentials message.

Issues:
https://github.com/storj/storj/issues/4910
https://github.com/storj/storj/issues/4953

Change-Id: I1ac0ce16d3c1317204c28a509c21ebf3686a145e
2022-08-04 16:19:23 +00:00
Vitalii
ec72adb2a6 satellite/console: send email when user's account gets locked
We send an email when user's account gets locked.

Issue: https://github.com/storj/storj/issues/4967

Change-Id: I68beceda0ac09128755c0333dfa014bd5a186317
2022-08-04 10:39:20 +00:00
Vitalii
f562277344 satellite/{web,console}: added string length limits for signup partner and promo params
Added string length limits for registration partner and promo params.
Limitation added both on client and server sides.

Issue: https://github.com/storj/storj-private/issues/44

Change-Id: Ifae04caad1775e0a8ca72ae7f9abcf0ea5fb564b
2022-08-04 07:40:33 +00:00
Moby von Briesen
78fa0c11a3 satellite/analytics: Add user agent to TrackCreateUser
Send UserAgent (as "signup_partner") to Segment and Hubspot.

Change-Id: I3313eb902e87b429e7fa8e18afd397a63a3ed07d
2022-07-29 17:27:24 -04:00
Cameron
b4ea1bac42 satellite/console/consoleweb: send email when account already exists
When a someone tries to create an account with an email that is already
associated with a verified account, send them an email with options to
sign in, create an account on another satellite, or reset password.

Change-Id: I844144d88b7356bd7064c4840c9441347a5368b0
2022-07-28 15:29:16 +00:00
Vitalii
69dc9a4731 satellite/console: added new email which is sent on unknown password reset
Added new email html template.
It is sent when user tries to reset password with unknown or unverified account.
Made a couple of minor config changes.

Issue: https://github.com/storj/storj/issues/4913

Change-Id: I730f48b3478e302d1e38e1f8a27c75f66a8ba6fd
2022-07-14 14:32:59 +00:00
Jeremy Wharton
58c5d44f44 satellite/console: integrate sessions into satellite UI
This change integrates the session management database functionality
with the web application. Claim-based authentication has been removed
in favor of session token-based authentication.

Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b
2022-06-13 08:02:02 +00:00
Malcolm Bouzi
087e57d037 web/satellite: create chore that will resend verification emails to unverified users
We want to remind unverified users to verify their emails:
once after 24 hours has passed and again after 5 days has passed.

Add mailservice.Service to satellite core because it is needed by the
chore for sending emails. To add the mailservice.Service to the core,
we create a helper function in satellite/peer.go to avoid duplicating
the code in both api.go and core.go. In addition to the chore, this
change adds methods to users.DB to get unverified users in need of
reminder.

Change-Id: I4e515bdf43f922788b4f965b2efb34fa32288bd1
2022-05-18 08:08:33 +00:00
Moby von Briesen
763bfc0913 satellite/console,web/satellite: Implement hCaptcha
Adds a new configuration for hcaptcha enabled, secretkey, and sitekey.
If both reCAPTCHA and hCaptcha are configured as "enabled", reCAPTCHA
will be used.

Change-Id: I73cc6e133d8da3555e0ed8b2b377cf9eb263e6dc
2022-05-13 14:57:45 +00:00
Vitalii
dedccbd2e4 satellite/console, web/satellite: limit failed login attempts
Added account locking on 3 or more login attempts.
Includes both password and MFA failed attempts on login.
Unlock account on successful password reset.

Change-Id: If4899b40ab4a77d531c1f18bfe22cee2cffa72e0
2022-05-11 14:49:11 +00:00
Vitalii
9b695525c6 satellite/console: fixed small email validation issues
Moved invalid email testing to separate test.
Made all the emails used to have .test domain.
Added links to regex resources.

Change-Id: I26920ba7360064528256a6aeaea947bbe56ef618
2022-04-04 09:43:33 +00:00
Moby von Briesen
0018d62837 satellite/analytics: Associate Hubspot token with new user
If a visitor has accepted cookies on www.storj.io, there might be a
"hubspotutk" cookie in their browser upon account creation. This allows
Hubspot to link website activity with a newly created user.

Change-Id: If06c67fb4d2e5dd3cf46c1fe80a0e9d7f25d6e58
2022-03-29 16:25:33 -04:00
Vitalii Shpital
60b209e47d web/satellite, satellite/console: reworked registration email validation
Reworked email validation for new users (for old users trying to login or reset password validation remains the same).
Regular expression was built according to RFC 5322 and then extended to include international characters.

Change-Id: Id0224fee21a1ec0f8a2dcca5b8431197dee6b9d3
2022-03-16 09:40:53 +00:00
Jeremy Wharton
66e6a75e2a satellite/console,web/satellite: Add MFA to password reset
Users will be required to enter a MFA passcode or recovery code
upon attempting a password reset for an account with MFA enabled.

Change-Id: I08d07597035d5a25849dbc70f7fd686753530610
2022-03-03 17:27:04 +00:00
Malcolm Bouzi
3451162583 web/console: Save timestamp when creating users to mark their first email verification notification.
This value will be updated whenever we send a reminder for a user to verify their email.

Change-Id: I7f08b16eccc6633b8eb3662eb7efed1f1f780f44
2022-01-24 16:53:51 +00:00
Malcolm Bouzi
c30c7def44 satellite/{console,payments},web/satellite: save signup promo code to newly registered users
Users signing up through a url containing a promo code will have that code applied to their stripe account instead of the free tier coupon.

Change-Id: I071041b0934648ef3f5bdb05b6ec97c400f89ae4
2022-01-21 15:02:22 +00:00
Moby von Briesen
464b4b02fa satellite/console/consoleweb: Only replace some kinds of characters in name
The previous change (59648dc272) ends up removing a lot of characters
for valid non-English names. Instead, only replace URL characters such
as slashes, colons, and periods. Since someone may use these characters
to separate two parts of a name, e.g. Name1/Name2, replace these
characters with a hyphen.

Change-Id: I4cc3d1bdb05d525a83970cf1b42479414c9678e7
2022-01-20 11:13:26 -05:00
Moby von Briesen
59648dc272 satellite/console: Filter special characters out of name
When a user is created, but before verification or forgot password email
is sent, remove any special characters in the provided name. This
protects us against certain phishing attacks.

Change-Id: Ieddd3479da20eb80b9f1b56eb86c8f46bca2642c
2022-01-20 00:18:56 +00:00