[vchess.git] / models / User.js

var db = require("../utils/database");
var maild = require("../utils/mailer.js");
var TokenGen = require("../utils/tokenGenerator");
var params = require("../config/parameters");

/*
 * Structure:
 *   _id: integer
 *   name: varchar
 *   email: varchar
 *   loginToken: token on server only
 *   loginTime: datetime (validity)
 *   sessionToken: token in cookies for authentication
 *   notify: boolean (send email notifications for corr games)
 */

// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
// But parameters are supposed to already be cleaned (in controller).

// User creation
exports.create = function(name, email, notify, callback)
{
	db.serialize(function() {
		const insertQuery =
			"INSERT INTO Users " +
			"(name, email, notify) VALUES " +
			"('" + name + "', '" + email + "', " + notify + ")";
		db.run(insertQuery, err => {
			if (!!err)
				return callback(err);
			db.get("SELECT last_insert_rowid() AS rowid", callback);
		});
	});
}

// Find one user (by id, name, email, or token)
exports.getOne = function(by, value, cb)
{
	const delimiter = (typeof value === "string" ? "'" : "");
	db.serialize(function() {
		const query =
			"SELECT * " +
			"FROM Users " +
			"WHERE " + by + " = " + delimiter + value + delimiter;
		db.get(query, cb);
	});
}

/////////
// MODIFY

exports.setLoginToken = function(token, uid, cb)
{
	db.serialize(function() {
		const query =
			"UPDATE Users " +
			"SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
			"WHERE id = " + uid;
		db.run(query, cb);
	});
}

// Set session token only if empty (first login)
// TODO: weaker security (but avoid to re-login everywhere after each logout)
exports.trySetSessionToken = function(uid, cb)
{
	// Also empty the login token to invalidate future attempts
	db.serialize(function() {
		const querySessionToken =
			"SELECT sessionToken " +
			"FROM Users " +
			"WHERE id = " + uid;
		db.get(querySessionToken, (err,ret) => {
			if (!!err)
				return cb(err);
			const token = ret.sessionToken || TokenGen.generate(params.token.length);
			const queryUpdate =
				"UPDATE Users " +
				"SET loginToken = NULL" +
				(!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
				"WHERE id = " + uid;
			db.run(queryUpdate);
			cb(null, token);
		});
	});
}

exports.updateSettings = function(user, cb)
{
	db.serialize(function() {
		const query =
			"UPDATE Users " +
			"SET name = '" + user.name + "'" +
			", email = '" + user.email + "'" +
			", notify = " + user.notify + " " +
			"WHERE id = " + user.id;
		db.run(query, cb);
	});
}
Commit	Line	Data
8d7e2786 BA	1	var db = require("../utils/database");
8d7e2786 BA	2	var maild = require("../utils/mailer.js");
0bd5933d	3	var TokenGen = require("../utils/tokenGenerator");
c018b304	4	var params = require("../config/parameters");
8d7e2786 BA	5
	6	/*
	7	* Structure:
	8	* _id: integer
	9	* name: varchar
	10	* email: varchar
	11	* loginToken: token on server only
	12	* loginTime: datetime (validity)
	13	* sessionToken: token in cookies for authentication
	14	* notify: boolean (send email notifications for corr games)
	15	*/
	16
8ef618ef BA	17	// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
	18	// But parameters are supposed to already be cleaned (in controller).
	19
8d7e2786 BA	20	// User creation
	21	exports.create = function(name, email, notify, callback)
	22	{
8d7e2786	23	db.serialize(function() {
c018b304	24	const insertQuery =
8d7e2786 BA	25	"INSERT INTO Users " +
8d7e2786 BA	26	"(name, email, notify) VALUES " +
8a477a7e	27	"('" + name + "', '" + email + "', " + notify + ")";
c018b304 BA	28	db.run(insertQuery, err => {
	29	if (!!err)
	30	return callback(err);
	31	db.get("SELECT last_insert_rowid() AS rowid", callback);
	32	});
8d7e2786 BA	33	});
	34	}
	35
	36	// Find one user (by id, name, email, or token)
	37	exports.getOne = function(by, value, cb)
	38	{
	39	const delimiter = (typeof value === "string" ? "'" : "");
	40	db.serialize(function() {
8a477a7e	41	const query =
c018b304 BA	42	"SELECT * " +
c018b304 BA	43	"FROM Users " +
8a477a7e BA	44	"WHERE " + by + " = " + delimiter + value + delimiter;
8a477a7e BA	45	db.get(query, cb);
8d7e2786 BA	46	});
	47	}
	48
	49	/////////
	50	// MODIFY
	51
	52	exports.setLoginToken = function(token, uid, cb)
	53	{
	54	db.serialize(function() {
8a477a7e	55	const query =
8d7e2786	56	"UPDATE Users " +
c018b304	57	"SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
8a477a7e BA	58	"WHERE id = " + uid;
8a477a7e BA	59	db.run(query, cb);
8d7e2786 BA	60	});
	61	}
	62
0bd5933d BA	63	// Set session token only if empty (first login)
	64	// TODO: weaker security (but avoid to re-login everywhere after each logout)
	65	exports.trySetSessionToken = function(uid, cb)
8d7e2786 BA	66	{
	67	// Also empty the login token to invalidate future attempts
	68	db.serialize(function() {
c018b304	69	const querySessionToken =
0bd5933d BA	70	"SELECT sessionToken " +
0bd5933d BA	71	"FROM Users " +
8a477a7e	72	"WHERE id = " + uid;
c018b304	73	db.get(querySessionToken, (err,ret) => {
8a477a7e BA	74	if (!!err)
8a477a7e BA	75	return cb(err);
c018b304	76	const token = ret.sessionToken \|\| TokenGen.generate(params.token.length);
8a477a7e BA	77	const queryUpdate =
8a477a7e BA	78	"UPDATE Users " +
c018b304 BA	79	"SET loginToken = NULL" +
c018b304 BA	80	(!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
8a477a7e BA	81	"WHERE id = " + uid;
8a477a7e BA	82	db.run(queryUpdate);
c018b304	83	cb(null, token);
0bd5933d	84	});
8d7e2786 BA	85	});
	86	}
	87
0bd5933d	88	exports.updateSettings = function(user, cb)
8d7e2786 BA	89	{
8d7e2786 BA	90	db.serialize(function() {
8a477a7e	91	const query =
8d7e2786	92	"UPDATE Users " +
c018b304 BA	93	"SET name = '" + user.name + "'" +
	94	", email = '" + user.email + "'" +
	95	", notify = " + user.notify + " " +
	96	"WHERE id = " + user.id;
8a477a7e	97	db.run(query, cb);
8d7e2786 BA	98	});
8d7e2786 BA	99	}