juice-shop

1
/*
2
 * Copyright (c) 2014-2024 Bjoern Kimminich & the OWASP Juice Shop contributors.
3
 * SPDX-License-Identifier: MIT
4
 */
5
import { type Request, type Response, type NextFunction } from 'express'
6
import { UserModel } from '../models/user'
7
import { decode } from 'jsonwebtoken'
8
import * as security from '../lib/insecurity'
9

10
async function retrieveUserList (req: Request, res: Response, next: NextFunction) {
11
  try {
12
    const users = await UserModel.findAll()
13

14
    res.json({
15
      status: 'success',
16
      data: users.map((user) => {
17
        const userToken = security.authenticatedUsers.tokenOf(user)
18
        let lastLoginTime: number | null = null
19
        if (userToken) {
20
          const parsedToken = decode(userToken, { json: true })
21
          lastLoginTime = parsedToken ? Math.floor(new Date(parsedToken?.iat ?? 0 * 1000).getTime()) : null
22
        }
23

24
        return {
25
          ...user.dataValues,
26
          password: user.password?.replace(/./g, '*'),
27
          totpSecret: user.totpSecret?.replace(/./g, '*'),
28
          lastLoginTime
29
        }
30
      })
31
    })
32
  } catch (error) {
33
    next(error)
34
  }
35
}
36

37
export default () => retrieveUserList
38