X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fusers.js;h=1d553dba74ecba1e247f273c88b0821fc5dda68a;hb=5fde3a01497262862afc4cb4c9457d4e0ad69a4a;hp=4b142d71ca57c0dd6c56d5df6d44ece98193a354;hpb=a7f9f050e44080e8caf888e3b230660abffa2400;p=vchess.git

diff --git a/server/routes/users.js b/server/routes/users.js
index 4b142d71..1d553dba 100644
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -7,6 +7,7 @@ var genToken = require("../utils/tokenGenerator");
 var access = require("../utils/access");
 var params = require("../config/parameters");
 
+// NOTE: this method is safe because the sessionToken must be guessed
 router.get("/whoami", access.ajax, (req,res) => {
   const callback = (user) => {
     return res.json({
@@ -17,17 +18,26 @@ router.get("/whoami", access.ajax, (req,res) => {
     });
   };
   const anonymous = {name:"", email:"", id:0, notify:false};
-  console.log(req.cookies); //TODO: cookie not found after authenticate ?
 	if (!req.cookies.token)
     return callback(anonymous);
   UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
     if (!!err || !user)
       callback(anonymous);
-    else (!!user)
+    else
       callback(user);
   });
 });
 
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+  const ids = req.query["ids"];
+  UserModel.getByIds(ids, (err,users) => {
+    if (!!err)
+      return res.json({errmsg: err.toString()});
+    return res.json({users:users});
+  });
+});
+
 // to: object user (to who we send an email)
 function setAndSendLoginToken(subject, to, res)
 {
@@ -37,14 +47,12 @@ function setAndSendLoginToken(subject, to, res)
 		if (!!err)
 			return res.json({errmsg: err.toString()});
 		const body =
-			"Hello " + to.name + "!\n" +
+			"Hello " + to.name + "!\\n" +
 			"Access your account here: " +
 			params.siteURL + "/#/authenticate/" + token + "\\n" +
 			"Token will expire in " + params.token.expire/(1000*60) + " minutes."
 		sendEmail(params.mail.noreply, to.email, subject, body, err => {
-      // "id" is generally the only info missing on client side,
-			// but the name is also unknown if log-in with the email.
-			res.json(err || {id: to.id, name: to.name});
+			res.json(err || {});
 		});
 	});
 }
@@ -84,7 +92,7 @@ router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
 router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
   UserModel.getOne("loginToken", req.query.token, (err,user) => {
 		access.checkRequest(res, err, user, "Invalid token", () => {
-			// If token older than params.tokenExpire, do nothing
+      // If token older than params.tokenExpire, do nothing
 			if (Date.now() > user.loginTime + params.token.expire)
 				return res.json({errmsg: "Token expired"});
 			// Generate session token (if not exists) + destroy login token