var genToken = require("../utils/tokenGenerator");
var access = require("../utils/access");
var params = require("../config/parameters");
-var checkNameEmail = require("../data/userCheck")
+
+// NOTE: this method is safe because the sessionToken must be guessed
+router.get("/whoami", access.ajax, (req,res) => {
+ const callback = (user) => {
+ return res.json({
+ name: user.name,
+ email: user.email,
+ id: user.id,
+ notify: user.notify,
+ });
+ };
+ const anonymous = {name:"", email:"", id:0, notify:false};
+ if (!req.cookies.token)
+ return callback(anonymous);
+ UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
+ if (!!err || !user)
+ callback(anonymous);
+ else
+ callback(user);
+ });
+});
+
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+ const ids = req.query["ids"];
+ UserModel.getByIds(ids, (err,users) => {
+ if (!!err)
+ return res.json({errmsg: err.toString()});
+ return res.json({users:users});
+ });
+});
// to: object user (to who we send an email)
function setAndSendLoginToken(subject, to, res)
if (!!err)
return res.json({errmsg: err.toString()});
const body =
- "Hello " + to.name + "!\n" +
+ "Hello " + to.name + "!\\n" +
"Access your account here: " +
- params.siteURL + "/authenticate?token=" + token + "\\n" +
+ params.siteURL + "/#/authenticate/" + token + "\\n" +
"Token will expire in " + params.token.expire/(1000*60) + " minutes."
sendEmail(params.mail.noreply, to.email, subject, body, err => {
- // "id" is generally the only info missing on client side,
- // but the name is also unknown if log-in with the email.
- res.json(err || {id: to.id, name: to.name});
+ res.json(err || {});
});
});
}
const name = req.body.name;
const email = req.body.email;
const notify = !!req.body.notify;
- const error = checkNameEmail({name: name, email: email});
+ const error = UserModel.checkNameEmail({name: name, email: email});
if (!!error)
return res.json({errmsg: error});
UserModel.create(name, email, notify, (err,uid) => {
router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
- const error = checkNameEmail({[type]: nameOrEmail});
+ const error = UserModel.checkNameEmail({[type]: nameOrEmail});
if (!!error)
return res.json({errmsg: error});
UserModel.getOne(type, nameOrEmail, (err,user) => {
});
});
-router.get('/authenticate', access.unlogged, (req,res) => {
- UserModel.getOne("loginToken", req.query.token, (err,user) => {
+router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
+ UserModel.getOne("loginToken", req.query.token, (err,user) => {
access.checkRequest(res, err, user, "Invalid token", () => {
- // If token older than params.tokenExpire, do nothing
+ // If token older than params.tokenExpire, do nothing
if (Date.now() > user.loginTime + params.token.expire)
return res.json({errmsg: "Token expired"});
// Generate session token (if not exists) + destroy login token
if (!!err)
return res.json({errmsg: err.toString()});
// Set cookie
- res.cookie("token", token, {
+ res.cookie("token", token, {
httpOnly: true,
secure: !!params.siteURL.match(/^https/),
maxAge: params.cookieExpire,
});
- res.redirect("/");
+ res.json({
+ id: user.id,
+ name: user.name,
+ email: user.email,
+ notify: user.notify,
+ });
});
});
});
router.put('/update', access.logged, access.ajax, (req,res) => {
const name = req.body.name;
const email = req.body.email;
- const error = checkNameEmail({name: name, email: email});
+ const error = UserModel.checkNameEmail({name: name, email: email});
if (!!error)
return res.json({errmsg: error});
const user = {
});
});
-// Logout on server because the token cookie is httpOnly
-router.get('/logout', access.logged, (req,res) => {
+router.get('/logout', access.logged, access.ajax, (req,res) => {
res.clearCookie("token");
- res.redirect('/');
+ res.json({});
});
module.exports = router;