diff --git a/packages/backend/migration/1697580470000-approvalSignup.js b/packages/backend/migration/1697580470000-approvalSignup.js new file mode 100644 index 0000000000..c5f8255d49 --- /dev/null +++ b/packages/backend/migration/1697580470000-approvalSignup.js @@ -0,0 +1,22 @@ +/* + * SPDX-FileCopyrightText: syuilo and other misskey contributors + * SPDX-License-Identifier: AGPL-3.0-only + */ + +export class ApprovalSignup1697580470000 { + name = 'ApprovalSignup1697580470000' + + async up(queryRunner) { + await queryRunner.query(`ALTER TABLE "meta" ADD "approvalRequiredForSignup" boolean DEFAULT false NOT NULL`); + await queryRunner.query(`ALTER TABLE "user" ADD "approved" boolean DEFAULT false NOT NULL`); + await queryRunner.query(`ALTER TABLE "user" ADD "signupReason" character varying(1000) NULL`); + await queryRunner.query(`ALTER TABLE "user_pending" ADD "reason" character varying(1000) NULL`); + } + + async down(queryRunner) { + await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "approvalRequiredForSignup"`); + await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "approved"`); + await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "signupReason"`); + await queryRunner.query(`ALTER TABLE "user_pending" DROP COLUMN "reason"`); + } +} diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts index 359957cd52..32e3dee937 100644 --- a/packages/backend/src/core/SignupService.ts +++ b/packages/backend/src/core/SignupService.ts @@ -48,10 +48,12 @@ export class SignupService { password?: string | null; passwordHash?: MiUserProfile['password'] | null; host?: string | null; + reason?: string | null; ignorePreservedUsernames?: boolean; }) { - const { username, password, passwordHash, host } = opts; + const { username, password, passwordHash, host, reason } = opts; let hash = passwordHash; + const instance = await this.metaService.fetch(true); // Validate username if (!this.userEntityService.validateLocalUsername(username)) { @@ -85,7 +87,6 @@ export class SignupService { const isTheFirstUser = (await this.usersRepository.countBy({ host: IsNull() })) === 0; if (!opts.ignorePreservedUsernames && !isTheFirstUser) { - const instance = await this.metaService.fetch(true); const isPreserved = instance.preservedUsernames.map(x => x.toLowerCase()).includes(username.toLowerCase()); if (isPreserved) { throw new Error('USED_USERNAME'); @@ -110,6 +111,9 @@ export class SignupService { )); let account!: MiUser; + let defaultApproval = false; + + if (!instance.approvalRequiredForSignup) defaultApproval = true; // Start transaction await this.db.transaction(async transactionalEntityManager => { @@ -127,6 +131,8 @@ export class SignupService { host: this.utilityService.toPunyNullable(host), token: secret, isRoot: isTheFirstUser, + approved: defaultApproval, + signupReason: reason, })); await transactionalEntityManager.save(new MiUserKeypair({ diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts index 3de95129fc..a24319c45a 100644 --- a/packages/backend/src/core/entities/UserEntityService.ts +++ b/packages/backend/src/core/entities/UserEntityService.ts @@ -489,6 +489,8 @@ export class UserEntityService implements OnModuleInit { ...(opts.includeSecrets ? { email: profile!.email, emailVerified: profile!.emailVerified, + approved: user.approved, + signupReason: user.signupReason, securityKeysList: profile!.twoFactorEnabled ? this.userSecurityKeysRepository.find({ where: { diff --git a/packages/backend/src/models/Meta.ts b/packages/backend/src/models/Meta.ts index e4abe42de5..e34c51a69b 100644 --- a/packages/backend/src/models/Meta.ts +++ b/packages/backend/src/models/Meta.ts @@ -174,6 +174,11 @@ export class MiMeta { }) public emailRequiredForSignup: boolean; + @Column('boolean', { + default: false, + }) + public approvalRequiredForSignup: boolean; + @Column('boolean', { default: false, }) diff --git a/packages/backend/src/models/User.ts b/packages/backend/src/models/User.ts index 4704c607a8..81b46d5436 100644 --- a/packages/backend/src/models/User.ts +++ b/packages/backend/src/models/User.ts @@ -272,6 +272,16 @@ export class MiUser { }) public token: string | null; + @Column('boolean', { + default: false, + }) + public approved: boolean; + + @Column('varchar', { + length: 1000, nullable: true, + }) + public signupReason: string | null; + constructor(data: Partial) { if (data == null) return; diff --git a/packages/backend/src/models/UserPending.ts b/packages/backend/src/models/UserPending.ts index 8b1f8f617f..6b26bd228c 100644 --- a/packages/backend/src/models/UserPending.ts +++ b/packages/backend/src/models/UserPending.ts @@ -31,4 +31,9 @@ export class MiUserPending { length: 128, }) public password: string; + + @Column('varchar', { + length: 1000, + }) + public reason: string; } diff --git a/packages/backend/src/server/api/EndpointsModule.ts b/packages/backend/src/server/api/EndpointsModule.ts index 9aa75b0af8..079040b85f 100644 --- a/packages/backend/src/server/api/EndpointsModule.ts +++ b/packages/backend/src/server/api/EndpointsModule.ts @@ -62,6 +62,7 @@ import * as ep___admin_showModerationLogs from './endpoints/admin/show-moderatio import * as ep___admin_showUser from './endpoints/admin/show-user.js'; import * as ep___admin_showUsers from './endpoints/admin/show-users.js'; import * as ep___admin_suspendUser from './endpoints/admin/suspend-user.js'; +import * as ep___admin_approveUser from './endpoints/admin/approve-user.js'; import * as ep___admin_unsuspendUser from './endpoints/admin/unsuspend-user.js'; import * as ep___admin_updateMeta from './endpoints/admin/update-meta.js'; import * as ep___admin_deleteAccount from './endpoints/admin/delete-account.js'; @@ -415,6 +416,7 @@ const $admin_showModerationLogs: Provider = { provide: 'ep:admin/show-moderation const $admin_showUser: Provider = { provide: 'ep:admin/show-user', useClass: ep___admin_showUser.default }; const $admin_showUsers: Provider = { provide: 'ep:admin/show-users', useClass: ep___admin_showUsers.default }; const $admin_suspendUser: Provider = { provide: 'ep:admin/suspend-user', useClass: ep___admin_suspendUser.default }; +const $admin_approveUser: Provider = { provide: 'ep:admin/approve-user', useClass: ep___admin_approveUser.default }; const $admin_unsuspendUser: Provider = { provide: 'ep:admin/unsuspend-user', useClass: ep___admin_unsuspendUser.default }; const $admin_updateMeta: Provider = { provide: 'ep:admin/update-meta', useClass: ep___admin_updateMeta.default }; const $admin_deleteAccount: Provider = { provide: 'ep:admin/delete-account', useClass: ep___admin_deleteAccount.default }; @@ -772,6 +774,7 @@ const $sponsors: Provider = { provide: 'ep:sponsors', useClass: ep___sponsors.de $admin_showUser, $admin_showUsers, $admin_suspendUser, + $admin_approveUser, $admin_unsuspendUser, $admin_updateMeta, $admin_deleteAccount, @@ -1123,6 +1126,7 @@ const $sponsors: Provider = { provide: 'ep:sponsors', useClass: ep___sponsors.de $admin_showUser, $admin_showUsers, $admin_suspendUser, + $admin_approveUser, $admin_unsuspendUser, $admin_updateMeta, $admin_deleteAccount, diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts index 2d4de605ea..fd247df22a 100644 --- a/packages/backend/src/server/api/SigninApiService.ts +++ b/packages/backend/src/server/api/SigninApiService.ts @@ -21,6 +21,7 @@ import { IdService } from '@/core/IdService.js'; import { bindThis } from '@/decorators.js'; import { WebAuthnService } from '@/core/WebAuthnService.js'; import { UserAuthService } from '@/core/UserAuthService.js'; +import { MetaService } from '@/core/MetaService.js'; import { RateLimiterService } from './RateLimiterService.js'; import { SigninService } from './SigninService.js'; import type { AuthenticationResponseJSON } from '@simplewebauthn/typescript-types'; @@ -46,6 +47,7 @@ export class SigninApiService { private signinService: SigninService, private userAuthService: UserAuthService, private webAuthnService: WebAuthnService, + private metaService: MetaService, ) { } @@ -64,6 +66,8 @@ export class SigninApiService { reply.header('Access-Control-Allow-Origin', this.config.url); reply.header('Access-Control-Allow-Credentials', 'true'); + const instance = await this.metaService.fetch(true); + const body = request.body; const username = body['username']; const password = body['password']; @@ -123,6 +127,17 @@ export class SigninApiService { const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id }); + if (!user.approved && instance.approvalRequiredForSignup) { + reply.code(403); + return { + error: { + message: 'The account has not been approved by an admin yet. Try again later.', + code: 'NOT_APPROVED', + id: '22d05606-fbcf-421a-a2db-b32241faft1b', + }, + }; + } + // Compare password const same = await argon2.verify(profile.password!, password) || bcrypt.compareSync(password, profile.password!); @@ -147,6 +162,8 @@ export class SigninApiService { password: newHash }); } + if (!instance.approvalRequiredForSignup && !user.approved) this.usersRepository.update(user.id, { approved: true }); + return this.signinService.signin(request, reply, user); } else { return await fail(403, { @@ -176,6 +193,8 @@ export class SigninApiService { }); } + if (!instance.approvalRequiredForSignup && !user.approved) this.usersRepository.update(user.id, { approved: true }); + return this.signinService.signin(request, reply, user); } else if (body.credential) { if (!same && !profile.usePasswordLessLogin) { @@ -187,6 +206,7 @@ export class SigninApiService { const authorized = await this.webAuthnService.verifyAuthentication(user.id, body.credential); if (authorized) { + if (!instance.approvalRequiredForSignup && !user.approved) this.usersRepository.update(user.id, { approved: true }); return this.signinService.signin(request, reply, user); } else { return await fail(403, { diff --git a/packages/backend/src/server/api/SignupApiService.ts b/packages/backend/src/server/api/SignupApiService.ts index 02e5cd4fdf..53f770e172 100644 --- a/packages/backend/src/server/api/SignupApiService.ts +++ b/packages/backend/src/server/api/SignupApiService.ts @@ -22,6 +22,7 @@ import { bindThis } from '@/decorators.js'; import { L_CHARS, secureRndstr } from '@/misc/secure-rndstr.js'; import { SigninService } from './SigninService.js'; import type { FastifyRequest, FastifyReply } from 'fastify'; +import instance from './endpoints/charts/instance.js'; @Injectable() export class SignupApiService { @@ -63,6 +64,7 @@ export class SignupApiService { host?: string; invitationCode?: string; emailAddress?: string; + reason?: string; 'hcaptcha-response'?: string; 'g-recaptcha-response'?: string; 'turnstile-response'?: string; @@ -100,6 +102,7 @@ export class SignupApiService { const password = body['password']; const host: string | null = process.env.NODE_ENV === 'test' ? (body['host'] ?? null) : null; const invitationCode = body['invitationCode']; + const reason = body['reason']; const emailAddress = body['emailAddress']; if (instance.emailRequiredForSignup) { @@ -115,6 +118,13 @@ export class SignupApiService { } } + if (instance.approvalRequiredForSignup) { + if (reason == null || typeof reason !== 'string') { + reply.code(400); + return; + } + } + let ticket: MiRegistrationTicket | null = null; if (instance.disableRegistration) { @@ -170,6 +180,7 @@ export class SignupApiService { email: emailAddress!, username: username, password: hash, + reason: reason, }).then(x => this.userPendingsRepository.findOneByOrFail(x.identifiers[0])); const link = `${this.config.url}/signup-complete/${code}`; @@ -185,6 +196,19 @@ export class SignupApiService { }); } + reply.code(204); + return; + } else if (instance.approvalRequiredForSignup) { + await this.signupService.signup({ + username, password, host, reason, + }); + + if (emailAddress) { + this.emailService.sendEmail(emailAddress, 'Approval pending', + 'Congratulations! Your account is now pending approval. You will get notified when you have been accepted.', + 'Congratulations! Your account is now pending approval. You will get notified when you have been accepted.'); + } + reply.code(204); return; } else { @@ -222,12 +246,15 @@ export class SignupApiService { const code = body['code']; + const instance = await this.metaService.fetch(true); + try { const pendingUser = await this.userPendingsRepository.findOneByOrFail({ code }); const { account, secret } = await this.signupService.signup({ username: pendingUser.username, passwordHash: pendingUser.password, + reason: pendingUser.reason, }); this.userPendingsRepository.delete({ @@ -250,6 +277,11 @@ export class SignupApiService { pendingUserId: null, }); } + + if (instance.approvalRequiredForSignup) { + reply.code(204); + return; + } return this.signinService.signin(request, reply, account as MiLocalUser); } catch (err) { diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts index d7f5611f55..e978093364 100644 --- a/packages/backend/src/server/api/endpoints.ts +++ b/packages/backend/src/server/api/endpoints.ts @@ -62,6 +62,7 @@ import * as ep___admin_showModerationLogs from './endpoints/admin/show-moderatio import * as ep___admin_showUser from './endpoints/admin/show-user.js'; import * as ep___admin_showUsers from './endpoints/admin/show-users.js'; import * as ep___admin_suspendUser from './endpoints/admin/suspend-user.js'; +import * as ep___admin_approveUser from './endpoints/admin/approve-user.js'; import * as ep___admin_unsuspendUser from './endpoints/admin/unsuspend-user.js'; import * as ep___admin_updateMeta from './endpoints/admin/update-meta.js'; import * as ep___admin_deleteAccount from './endpoints/admin/delete-account.js'; @@ -413,6 +414,7 @@ const eps = [ ['admin/show-user', ep___admin_showUser], ['admin/show-users', ep___admin_showUsers], ['admin/suspend-user', ep___admin_suspendUser], + ['admin/approve-user', ep___admin_approveUser], ['admin/unsuspend-user', ep___admin_unsuspendUser], ['admin/update-meta', ep___admin_updateMeta], ['admin/delete-account', ep___admin_deleteAccount], diff --git a/packages/backend/src/server/api/endpoints/admin/approve-user.ts b/packages/backend/src/server/api/endpoints/admin/approve-user.ts new file mode 100644 index 0000000000..0ea656ddaf --- /dev/null +++ b/packages/backend/src/server/api/endpoints/admin/approve-user.ts @@ -0,0 +1,61 @@ +import { Inject, Injectable } from '@nestjs/common'; +import { Endpoint } from '@/server/api/endpoint-base.js'; +import type { UserProfilesRepository, UsersRepository } from '@/models/_.js'; +import { ModerationLogService } from '@/core/ModerationLogService.js'; +import { DI } from '@/di-symbols.js'; +import { EmailService } from '@/core/EmailService.js'; + +export const meta = { + tags: ['admin'], + + requireCredential: true, + requireModerator: true, +} as const; + +export const paramDef = { + type: 'object', + properties: { + userId: { type: 'string', format: 'misskey:id' }, + }, + required: ['userId'], +} as const; + +@Injectable() +export default class extends Endpoint { // eslint-disable-line import/no-default-export + constructor( + @Inject(DI.usersRepository) + private usersRepository: UsersRepository, + + @Inject(DI.userProfilesRepository) + private userProfilesRepository: UserProfilesRepository, + + private moderationLogService: ModerationLogService, + private emailService: EmailService, + ) { + super(meta, paramDef, async (ps, me) => { + const user = await this.usersRepository.findOneBy({ id: ps.userId }); + + if (user == null) { + throw new Error('user not found'); + } + + const profile = await this.userProfilesRepository.findOneBy({ userId: ps.userId }); + + await this.usersRepository.update(user.id, { + approved: true, + }); + + if (profile?.email) { + this.emailService.sendEmail(profile.email, 'Account Approved', + 'Your Account has been approved have fun socializing!', + 'Your Account has been approved have fun socializing!'); + } + + this.moderationLogService.log(me, 'approve', { + userId: user.id, + userUsername: user.username, + userHost: user.host, + }); + }); + } +} diff --git a/packages/backend/src/server/api/endpoints/admin/meta.ts b/packages/backend/src/server/api/endpoints/admin/meta.ts index 88725ddbbf..763c4ea807 100644 --- a/packages/backend/src/server/api/endpoints/admin/meta.ts +++ b/packages/backend/src/server/api/endpoints/admin/meta.ts @@ -32,6 +32,10 @@ export const meta = { type: 'boolean', optional: false, nullable: false, }, + approvalRequiredForSignup: { + type: 'boolean', + optional: false, nullable: false, + }, enableHcaptcha: { type: 'boolean', optional: false, nullable: false, @@ -353,6 +357,7 @@ export default class extends Endpoint { // eslint- privacyPolicyUrl: instance.privacyPolicyUrl, disableRegistration: instance.disableRegistration, emailRequiredForSignup: instance.emailRequiredForSignup, + approvalRequiredForSignup: instance.approvalRequiredForSignup, enableHcaptcha: instance.enableHcaptcha, hcaptchaSiteKey: instance.hcaptchaSiteKey, enableRecaptcha: instance.enableRecaptcha, diff --git a/packages/backend/src/server/api/endpoints/admin/show-user.ts b/packages/backend/src/server/api/endpoints/admin/show-user.ts index f550c4fd28..5ad90f48b4 100644 --- a/packages/backend/src/server/api/endpoints/admin/show-user.ts +++ b/packages/backend/src/server/api/endpoints/admin/show-user.ts @@ -73,6 +73,8 @@ export default class extends Endpoint { // eslint- return { email: profile.email, emailVerified: profile.emailVerified, + approved: user.approved, + signupReason: user.signupReason, autoAcceptFollowed: profile.autoAcceptFollowed, noCrawle: profile.noCrawle, preventAiLearning: profile.preventAiLearning, diff --git a/packages/backend/src/server/api/endpoints/admin/update-meta.ts b/packages/backend/src/server/api/endpoints/admin/update-meta.ts index 40cc50fe7c..be14037a76 100644 --- a/packages/backend/src/server/api/endpoints/admin/update-meta.ts +++ b/packages/backend/src/server/api/endpoints/admin/update-meta.ts @@ -59,6 +59,7 @@ export const paramDef = { cacheRemoteFiles: { type: 'boolean' }, cacheRemoteSensitiveFiles: { type: 'boolean' }, emailRequiredForSignup: { type: 'boolean' }, + approvalRequiredForSignup: { type: 'boolean' }, enableHcaptcha: { type: 'boolean' }, hcaptchaSiteKey: { type: 'string', nullable: true }, hcaptchaSecretKey: { type: 'string', nullable: true }, @@ -249,6 +250,10 @@ export default class extends Endpoint { // eslint- set.emailRequiredForSignup = ps.emailRequiredForSignup; } + if (ps.approvalRequiredForSignup !== undefined) { + set.approvalRequiredForSignup = ps.approvalRequiredForSignup; + } + if (ps.enableHcaptcha !== undefined) { set.enableHcaptcha = ps.enableHcaptcha; } diff --git a/packages/backend/src/server/api/endpoints/meta.ts b/packages/backend/src/server/api/endpoints/meta.ts index d37919b474..dbd72763bf 100644 --- a/packages/backend/src/server/api/endpoints/meta.ts +++ b/packages/backend/src/server/api/endpoints/meta.ts @@ -100,6 +100,10 @@ export const meta = { type: 'boolean', optional: false, nullable: false, }, + approvalRequiredForSignup: { + type: 'boolean', + optional: false, nullable: false, + }, enableHcaptcha: { type: 'boolean', optional: false, nullable: false, @@ -308,6 +312,7 @@ export default class extends Endpoint { // eslint- privacyPolicyUrl: instance.privacyPolicyUrl, disableRegistration: instance.disableRegistration, emailRequiredForSignup: instance.emailRequiredForSignup, + approvalRequiredForSignup: instance.approvalRequiredForSignup, enableHcaptcha: instance.enableHcaptcha, hcaptchaSiteKey: instance.hcaptchaSiteKey, enableRecaptcha: instance.enableRecaptcha, diff --git a/packages/backend/src/types.ts b/packages/backend/src/types.ts index 316073c992..dfc6bcba9c 100644 --- a/packages/backend/src/types.ts +++ b/packages/backend/src/types.ts @@ -30,6 +30,7 @@ export const ffVisibility = ['public', 'followers', 'private'] as const; export const moderationLogTypes = [ 'updateServerSettings', 'suspend', + 'approve', 'unsuspend', 'updateUserNote', 'addCustomEmoji', @@ -72,6 +73,11 @@ export type ModerationLogPayloads = { userUsername: string; userHost: string | null; }; + approve: { + userId: string; + userUsername: string; + userHost: string | null; + }; unsuspend: { userId: string; userUsername: string; diff --git a/packages/frontend/src/components/MkSignupDialog.form.vue b/packages/frontend/src/components/MkSignupDialog.form.vue index 174b042649..8975842c63 100644 --- a/packages/frontend/src/components/MkSignupDialog.form.vue +++ b/packages/frontend/src/components/MkSignupDialog.form.vue @@ -61,6 +61,10 @@ SPDX-License-Identifier: AGPL-3.0-only {{ i18n.ts.passwordNotMatched }} + + + + @@ -97,6 +101,7 @@ const props = withDefaults(defineProps<{ const emit = defineEmits<{ (ev: 'signup', user: Record): void; (ev: 'signupEmailPending'): void; + (ev: 'approvalPending'): void; }>(); const host = toUnicode(config.host); @@ -109,6 +114,7 @@ let username: string = $ref(''); let password: string = $ref(''); let retypedPassword: string = $ref(''); let invitationCode: string = $ref(''); +let reason: string = $ref(''); let email = $ref(''); let usernameState: null | 'wait' | 'ok' | 'unavailable' | 'error' | 'invalid-format' | 'min-range' | 'max-range' = $ref(null); let emailState: null | 'wait' | 'ok' | 'unavailable:used' | 'unavailable:format' | 'unavailable:disposable' | 'unavailable:mx' | 'unavailable:smtp' | 'unavailable' | 'error' = $ref(null); @@ -249,6 +255,7 @@ async function onSubmit(): Promise { password, emailAddress: email, invitationCode, + reason, 'hcaptcha-response': hCaptchaResponse, 'g-recaptcha-response': reCaptchaResponse, 'turnstile-response': turnstileResponse, @@ -260,6 +267,13 @@ async function onSubmit(): Promise { text: i18n.t('_signup.emailSent', { email }), }); emit('signupEmailPending'); + } else if (instance.approvalRequiredForSignup) { + os.alert({ + type: 'success', + title: i18n.ts._signup.almostThere, + text: i18n.t('_signup.emailSent', { email }), + }); + emit('approvalPending'); } else { const res = await os.api('signin', { username, diff --git a/packages/frontend/src/components/MkSignupDialog.vue b/packages/frontend/src/components/MkSignupDialog.vue index d860ba5fe6..20b7cb6348 100644 --- a/packages/frontend/src/components/MkSignupDialog.vue +++ b/packages/frontend/src/components/MkSignupDialog.vue @@ -25,7 +25,7 @@ SPDX-License-Identifier: AGPL-3.0-only @@ -64,6 +64,9 @@ function onSignup(res) { function onSignupEmailPending() { dialog.close(); } +function onApprovalPending() { + dialog.close(); +}