[vchess.git] / models / User.js

var db = require("../utils/database");
var maild = require("../utils/mailer.js");
var TokenGen = require("../utils/tokenGenerator");
var params = require("../config/parameters");

/*
 * Structure:
 *   _id: integer
 *   name: varchar
 *   email: varchar
 *   loginToken: token on server only
 *   loginTime: datetime (validity)
 *   sessionToken: token in cookies for authentication
 *   notify: boolean (send email notifications for corr games)
 */

// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
// But parameters are supposed to already be cleaned (in controller).

// User creation
exports.create = function(name, email, notify, callback)
{
	db.serialize(function() {
		const insertQuery =
			"INSERT INTO Users " +
			"(name, email, notify) VALUES " +
			"('" + name + "', '" + email + "', " + notify + ")";
		db.run(insertQuery, err => {
			if (!!err)
				return callback(err);
			db.get("SELECT last_insert_rowid() AS rowid", callback);
		});
	});
}

// Find one user (by id, name, email, or token)
exports.getOne = function(by, value, cb)
{
	const delimiter = (typeof value === "string" ? "'" : "");
	db.serialize(function() {
		const query =
			"SELECT * " +
			"FROM Users " +
			"WHERE " + by + " = " + delimiter + value + delimiter;
		db.get(query, cb);
	});
}

/////////
// MODIFY

exports.setLoginToken = function(token, uid, cb)
{
	db.serialize(function() {
		const query =
			"UPDATE Users " +
			"SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
			"WHERE id = " + uid;
		db.run(query, cb);
	});
}

// Set session token only if empty (first login)
// TODO: weaker security (but avoid to re-login everywhere after each logout)
exports.trySetSessionToken = function(uid, cb)
{
	// Also empty the login token to invalidate future attempts
	db.serialize(function() {
		const querySessionToken =
			"SELECT sessionToken " +
			"FROM Users " +
			"WHERE id = " + uid;
		db.get(querySessionToken, (err,ret) => {
			if (!!err)
				return cb(err);
			const token = ret.sessionToken || TokenGen.generate(params.token.length);
			const queryUpdate =
				"UPDATE Users " +
				"SET loginToken = NULL" +
				(!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
				"WHERE id = " + uid;
			db.run(queryUpdate);
			cb(null, token);
		});
	});
}

exports.updateSettings = function(user, cb)
{
	db.serialize(function() {
		const query =
			"UPDATE Users " +
			"SET name = '" + user.name + "'" +
			", email = '" + user.email + "'" +
			", notify = " + user.notify + " " +
			"WHERE id = " + user.id;
		db.run(query, cb);
	});
}
Commit	Line	Data
	1	var db = require("../utils/database");
	2	var maild = require("../utils/mailer.js");
	3	var TokenGen = require("../utils/tokenGenerator");
	4	var params = require("../config/parameters");
	5
	6	/*
	7	* Structure:
	8	* _id: integer
	9	* name: varchar
	10	* email: varchar
	11	* loginToken: token on server only
	12	* loginTime: datetime (validity)
	13	* sessionToken: token in cookies for authentication
	14	* notify: boolean (send email notifications for corr games)
	15	*/
	16
	17	// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
	18	// But parameters are supposed to already be cleaned (in controller).
	19
	20	// User creation
	21	exports.create = function(name, email, notify, callback)
	22	{
	23	db.serialize(function() {
	24	const insertQuery =
	25	"INSERT INTO Users " +
	26	"(name, email, notify) VALUES " +
	27	"('" + name + "', '" + email + "', " + notify + ")";
	28	db.run(insertQuery, err => {
	29	if (!!err)
	30	return callback(err);
	31	db.get("SELECT last_insert_rowid() AS rowid", callback);
	32	});
	33	});
	34	}
	35
	36	// Find one user (by id, name, email, or token)
	37	exports.getOne = function(by, value, cb)
	38	{
	39	const delimiter = (typeof value === "string" ? "'" : "");
	40	db.serialize(function() {
	41	const query =
	42	"SELECT * " +
	43	"FROM Users " +
	44	"WHERE " + by + " = " + delimiter + value + delimiter;
	45	db.get(query, cb);
	46	});
	47	}
	48
	49	/////////
	50	// MODIFY
	51
	52	exports.setLoginToken = function(token, uid, cb)
	53	{
	54	db.serialize(function() {
	55	const query =
	56	"UPDATE Users " +
	57	"SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
	58	"WHERE id = " + uid;
	59	db.run(query, cb);
	60	});
	61	}
	62
	63	// Set session token only if empty (first login)
	64	// TODO: weaker security (but avoid to re-login everywhere after each logout)
	65	exports.trySetSessionToken = function(uid, cb)
	66	{
	67	// Also empty the login token to invalidate future attempts
	68	db.serialize(function() {
	69	const querySessionToken =
	70	"SELECT sessionToken " +
	71	"FROM Users " +
	72	"WHERE id = " + uid;
	73	db.get(querySessionToken, (err,ret) => {
	74	if (!!err)
	75	return cb(err);
	76	const token = ret.sessionToken \|\| TokenGen.generate(params.token.length);
	77	const queryUpdate =
	78	"UPDATE Users " +
	79	"SET loginToken = NULL" +
	80	(!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
	81	"WHERE id = " + uid;
	82	db.run(queryUpdate);
	83	cb(null, token);
	84	});
	85	});
	86	}
	87
	88	exports.updateSettings = function(user, cb)
	89	{
	90	db.serialize(function() {
	91	const query =
	92	"UPDATE Users " +
	93	"SET name = '" + user.name + "'" +
	94	", email = '" + user.email + "'" +
	95	", notify = " + user.notify + " " +
	96	"WHERE id = " + user.id;
	97	db.run(query, cb);
	98	});
	99	}