var access = require("../utils/access");
var params = require("../config/parameters");
+// NOTE: this method is safe because the sessionToken must be guessed
router.get("/whoami", access.ajax, (req,res) => {
const callback = (user) => {
return res.json({
UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
if (!!err || !user)
callback(anonymous);
- else (!!user)
+ else
callback(user);
});
});
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+ const ids = req.query["ids"];
+ UserModel.getByIds(ids, (err,users) => {
+ if (!!err)
+ return res.json({errmsg: err.toString()});
+ return res.json({users:users});
+ });
+});
+
// to: object user (to who we send an email)
function setAndSendLoginToken(subject, to, res)
{
if (!!err)
return res.json({errmsg: err.toString()});
const body =
- "Hello " + to.name + "!\n" +
+ "Hello " + to.name + "!\\n" +
"Access your account here: " +
params.siteURL + "/#/authenticate/" + token + "\\n" +
"Token will expire in " + params.token.expire/(1000*60) + " minutes."