From 7b3c2621401b8af53c8900551eddcae1c7cc45fd Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 21:52:51 +0200
Subject: [PATCH 1/6] create endpoint for changing username #68

---
 backend/index.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/backend/index.js b/backend/index.js
index 8b79510..1a6a679 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -277,4 +277,19 @@ app.get('/API/resourcelist', function (req, res) {
     return res.send(resourceList);
 });
 
+app.post("/API/user/setname", function (req, res) {
+    let { email } = req.body;
+    if (email) {
+        if (DEBUG) return res.status(status.OK).send();
+        connection.query(`UPDATE user SET email = ${mysql.escape(email)} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
+            if (err)
+                return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
+            req.user.email = email;
+            return res.status(status.OK).send("username changed");
+        });
+    } else {
+        return res.status(status.BAD_REQUEST).send("invalid data supplied");
+    }
+});
+
 app.listen(3001);
-- 
2.49.1

From 7c67c39ca78a5b0ace8f3c44e1c5c59abb23bfe6 Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 22:57:32 +0200
Subject: [PATCH 2/6] add external validatepassword function

---
 backend/index.js | 38 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/backend/index.js b/backend/index.js
index 1a6a679..f4047b6 100644
--- a/backend/index.js
+++ b/backend/index.js
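Review bot: `req.body.email` is used with no type check, so a non-string JSON value (an object or array) passes `if (email)` and reaches `mysql.escape`, which formats objects as `key = 'value'` pairs rather than one quoted string; guard with `if (typeof email !== 'string' || !email)` before the query is built. The callback also reports "username changed" and rewrites `req.user.email` even when the UPDATE matched no row, so check `rows.affectedRows === 0` before mutating the session user. The same two gaps apply to the setpassword handler added in 5/6. Whether the `app.all("*")` authentication gate further up the file covers this route is not visible in this hunk.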
@@ -91,11 +91,28 @@ app.all("/*", function (req, res, next) {
     } else return next();
 });
 
+const validatePassword = (email, password) => {
+    return new Promise(function (resolve, reject) {
+        connection.query(`SELECT * from user WHERE email = ${mysql.escape(email)} AND deactivated = 0`, function (err, rows) {
+            if (err) {
+                return reject("error querying the database - Please contact sys admin");
+            }
+            if (!rows.length) {
+                return resolve(false);
+            }
+            if (!bcrypt.compareSync(password, rows[0].password)) {
+                return resolve(false);
+            }
+            return resolve(rows[0]);
+        });
+    });
+}
+
 passport.use('local-login', new LocalStrategy({
     usernameField: "email",
     passwordField: "password",
     passReqToCallback: true
-}, function (req, email, password, done) {
+}, async function (req, email, password, done) {
     if (DEBUG) {
         if (email === "test" && password === "test") {
             return done(null, {
@@ -107,19 +124,18 @@ passport.use('local-login', new LocalStrategy({
             });
         } else return done(null, false);
     }
-    email = mysql.escape(email);
-    connection.query(`SELECT * from user WHERE email = ${email} AND deactivated = 0`, function (err, rows) {
-        if (err) {
-            return res.status(static.INTERNAL_SERVER_ERROR).send("error querying the database - Please contact sys admin");
+    try {
+        let user = await validatePassword(email, password);
+        if (user) {
+            return done(null, user);
         }
-        if (!rows.length) {
+        else {
             return done(null, false);
         }
-        if (!bcrypt.compareSync(password, rows[0].password)) {
-            return done(null, false);
-        }
-        return done(null, rows[0]);
-    })
+    } catch (e) {
+        console.log(e);
+        return done(null, false);
+    }
 }
 ));
 
-- 
2.49.1

From 6591cf877a72b9d689a2ab3ade52483fabbae8ad Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:00:23 +0200
Subject: [PATCH 3/6] require password for username change

---
 backend/index.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/backend/index.js b/backend/index.js
index f4047b6..abe8cde 100644
--- a/backend/index.js
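Review bot: validatePassword resolves as soon as no row matches but only runs `bcrypt.compareSync` when a row exists, so response time reveals whether an email is registered; running the compare against a fixed dummy hash in the no-row branch makes both paths cost the same. `compareSync` also blocks the event loop for the whole hash cost — `await bcrypt.compare(password, rows[0].password)` (both `bcrypt` and `bcryptjs` return a Promise when no callback is passed) keeps the server responsive under login load. The rejection value is a bare string; `reject(new Error("error querying the database - Please contact sys admin", { cause: err }))` keeps the driver error for the caller's log. Resolving the whole row also hands the stored password hash to every caller — select only the columns needed or delete the field before resolving.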
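Review bot: In the new catch block a database failure is answered with `done(null, false)`, which passport treats as invalid credentials, so an outage looks like a wrong password to users and is visible to operators only through `console.log`; passport's convention for an internal failure is `return done(e);`, which routes it to the error handler instead. The log call should be `console.error(e)` so it reaches the error stream. The strategy callback closed by `}));` at the end of this hunk opens in the previous hunk.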
+++ b/backend/index.js
@@ -294,9 +294,15 @@ app.get('/API/resourcelist', function (req, res) {
 });
 
 app.post("/API/user/setname", function (req, res) {
-    let { email } = req.body;
+    let { email, password } = req.body;
     if (email) {
         if (DEBUG) return res.status(status.OK).send();
+        try {
+            if (!await validatePassword(req.user.email, passport))
+                return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+        } catch (e) {
+            return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+        }
         connection.query(`UPDATE user SET email = ${mysql.escape(email)} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
             if (err)
                 return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
-- 
2.49.1

From 07d601ea360c6eb303eab7055162cba0d9f7b0a5 Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:03:04 +0200
Subject: [PATCH 4/6] bugfix password validation

---
 backend/index.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/backend/index.js b/backend/index.js
index abe8cde..e373d35 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -295,10 +295,10 @@ app.get('/API/resourcelist', function (req, res) {
 
 app.post("/API/user/setname", function (req, res) {
     let { email, password } = req.body;
-    if (email) {
+    if (email && password) {
         if (DEBUG) return res.status(status.OK).send();
         try {
-            if (!await validatePassword(req.user.email, passport))
+            if (!await validatePassword(req.user.email, password))
                 return res.status(status.UNAUTHORIZED).send("wrong password supplied");
         } catch (e) {
             return res.status(status.INTERNAL_SERVER_ERROR).send(e);
-- 
2.49.1

From ab7b2d907d2c92180184b10e790d84bb85e04bfe Mon Sep 17 00:00:00 2001
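Review bot: The `await` added inside `try` sits in a handler declared as plain `function (req, res)` (the context line above it), so this revision does not parse until 5/6 marks the handler `async`; 4/6 likewise corrects `passport` being passed where `password` was meant. Independent of those follow-ups, the catch branch does `res.send(e)`, forwarding whatever validatePassword rejected with; today that is a fixed string, but if the rejection ever becomes an Error or a driver message it reaches the client verbatim — reply with a fixed message and log `e` server-side, `console.error(e); return res.status(status.INTERNAL_SERVER_ERROR).send("error validating the password");`. The handler continues past the end of the hunk.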
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:15:49 +0200
Subject: [PATCH 5/6] add setpassword function backend is #68 ready

---
 backend/index.js | 54 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 37 insertions(+), 17 deletions(-)

diff --git a/backend/index.js b/backend/index.js
index e373d35..faddb94 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -168,23 +168,23 @@ app.post("/API/user/login", passport.authenticate('local-login'), function (req,
 app.delete("/API/user/logout", function (req, res) {
     req.logout();
     return res.status(status.OK).send("logout success");
-});
+}); !!
 
-app.put("/API/user/create", function (req, res) {
-    let { email, password } = req.body;
-    if (email && password) {
-        email = mysql.escape(email);
-        password = mysql.escape(bcrypt.hashSync(password, saltRounds));
-        if (DEBUG) return res.status(status.OK).send();
-        connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
-            if (err)
-                return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
-            return res.status(status.OK).send("account successfully created");
-        });
-    } else {
-        return res.status(status.BAD_REQUEST).send("invalid data supplied");
-    }
-});
+ app.put("/API/user/create", function (req, res) {
+     let { email, password } = req.body;
+     if (email && password) {
+         email = mysql.escape(email);
+         password = mysql.escape(bcrypt.hashSync(password, saltRounds));
+         if (DEBUG) return res.status(status.OK).send();
+         connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
+             if (err)
+                 return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
+             return res.status(status.OK).send("account successfully created");
+         });
+     } else {
+         return res.status(status.BAD_REQUEST).send("invalid data supplied");
+     }
+ });
 
 app.all("*", function (req, res, next) {
     if (req.isAuthenticated()) {
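Review bot: The `!!` appended after the logout handler's `});` and the one-space re-indent of the entire `/API/user/create` block look accidental: the parser takes the following `app.put(...)` call as the operand of `!!`, so the file still runs, but only because the next statement happens to be an expression. 6/6 reverts both; squashing the two patches would keep the history free of a revision that works by accident.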
@@ -293,7 +293,7 @@ app.get('/API/resourcelist', function (req, res) {
     return res.send(resourceList);
 });
 
-app.post("/API/user/setname", function (req, res) {
+app.post("/API/user/setname", async function (req, res) {
     let { email, password } = req.body;
     if (email && password) {
         if (DEBUG) return res.status(status.OK).send();
@@ -314,4 +314,24 @@ app.post("/API/user/setname", function (req, res) {
     }
 });
 
+app.post("/API/user/setpassword", async function (req, res) {
+    let { oldpassword, newpassword } = req.body;
+    if (oldpassword && newpassword) {
+        if (DEBUG) return res.status(status.OK).send();
+        try {
+            if (!await validatePassword(req.user.email, oldpassword))
+                return res.status(status.UNAUTHORIZED).send("wrong password supplied");
+        } catch (e) {
+            return res.status(status.INTERNAL_SERVER_ERROR).send(e);
+        }
+        connection.query(`UPDATE user SET password = ${mysql.escape(bcrypt.hashSync(newpassword, saltRounds))} WHERE email = ${mysql.escape(req.user.email)}`, function (err, rows) {
+            if (err)
+                return res.status(status.INTERNAL_SERVER_ERROR).send("the username seems invalid or already taken - if you think this is an error contact the sys admin");
+            return res.status(status.OK).send("username changed");
+        });
+    } else {
+        return res.status(status.BAD_REQUEST).send("invalid data supplied");
+    }
+});
+
 app.listen(3001);
-- 
2.49.1

From babc2c8ea8b775945fe69f7307a66d1723ef8247 Mon Sep 17 00:00:00 2001
From: Oliver Boehlk
Date: Fri, 15 May 2020 23:21:47 +0200
Subject: [PATCH 6/6] limit logout function to logged in users

---
 backend/index.js | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/backend/index.js b/backend/index.js
index faddb94..be7b6f5 100644
--- a/backend/index.js
+++ b/backend/index.js
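Review bot: The setpassword handler's response strings are copied from setname: the error branch says "the username seems invalid or already taken" and the success branch says "username changed", so a password update reports the wrong event either way; change them to `"could not update the password - if you think this is an error contact the sys admin"` and `"password changed"`. `oldpassword`/`newpassword` are not checked to be strings before `bcrypt.hashSync` and `mysql.escape`, the same gap raised on 1/6. Nothing after a successful change invalidates the account's other sessions, so a session obtained with the old credential outlives it — if the session store allows it, regenerate this session and drop the rest; the store is not visible here. `bcrypt.hashSync` also blocks the event loop for the full cost factor, and since the handler is already `async` the Promise form `await bcrypt.hash(newpassword, saltRounds)` fits without restructuring.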
@@ -165,26 +165,21 @@ app.post("/API/user/login", passport.authenticate('local-login'), function (req,
     return res.status(status.OK).send("login success");
 });
 
-app.delete("/API/user/logout", function (req, res) {
-    req.logout();
-    return res.status(status.OK).send("logout success");
-}); !!
-
- app.put("/API/user/create", function (req, res) {
-     let { email, password } = req.body;
-     if (email && password) {
-         email = mysql.escape(email);
-         password = mysql.escape(bcrypt.hashSync(password, saltRounds));
-         if (DEBUG) return res.status(status.OK).send();
-         connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
-             if (err)
-                 return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
-             return res.status(status.OK).send("account successfully created");
-         });
-     } else {
-         return res.status(status.BAD_REQUEST).send("invalid data supplied");
-     }
- });
+app.put("/API/user/create", function (req, res) {
+    let { email, password } = req.body;
+    if (email && password) {
+        email = mysql.escape(email);
+        password = mysql.escape(bcrypt.hashSync(password, saltRounds));
+        if (DEBUG) return res.status(status.OK).send();
+        connection.query(`INSERT INTO user (deactivated, email, password) values (1, ${email}, ${password})`, function (err, rows) {
+            if (err)
+                return res.status(status.INTERNAL_SERVER_ERROR).send("the user seems to exist already - if you think this is an error contact the sys admin");
+            return res.status(status.OK).send("account successfully created");
+        });
+    } else {
+        return res.status(status.BAD_REQUEST).send("invalid data supplied");
+    }
+});
 
 app.all("*", function (req, res, next) {
     if (req.isAuthenticated()) {
@@ -199,6 +194,11 @@ app.get("/API/testlogin", function (req, res) {
     return res.status(status.OK).send(req.user["email"]);
 });
 
+app.delete("/API/user/logout", function (req, res) {
+    req.logout();
+    return res.status(status.OK).send("logout success");
+});
+
 app.get('/API/day', function (req, res) {
     const kind = parseInt(req.query.kind);
     if (Number.isInteger(kind)) {
-- 
2.49.1
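Review bot: The relocated logout handler calls `req.logout()` and replies at once without ending the session itself, so the server-side session record and the cookie that names it remain valid until they expire; destroying the session before responding, `req.session.destroy(() => res.status(status.OK).send("logout success"));`, together with clearing the session cookie, closes that window. Passport 0.6 and later also made `req.logout` asynchronous with a required callback — the version this project pins is not visible here, so confirm before keeping the synchronous call.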