Revise server code + a few fixes in trnalsations and ComputerGame
[vchess.git] / server / routes / users.js
CommitLineData
fe4c7e67
BA
1let router = require("express").Router();
2const UserModel = require('../models/User');
3const sendEmail = require('../utils/mailer');
4const genToken = require("../utils/tokenGenerator");
5const access = require("../utils/access");
6const params = require("../config/parameters");
8d7e2786 7
866842c3
BA
8router.post('/register', access.unlogged, access.ajax, (req,res) => {
9 const name = req.body.name;
10 const email = req.body.email;
11 const notify = !!req.body.notify;
12 if (UserModel.checkNameEmail({name: name, email: email}))
13 {
14 UserModel.create(name, email, notify, (err,ret) => {
15 if (err)
16 res.json({errmsg: "User creation failed. Try again"});
17 else
18 {
19 const user = {
20 id: ret.uid,
21 name: name,
22 email: email,
23 };
24 setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
25 res.json({});
26 }
27 });
28 }
29});
30
58e7b94e 31// NOTE: this method is safe because the sessionToken must be guessed
a7f9f050
BA
32router.get("/whoami", access.ajax, (req,res) => {
33 const callback = (user) => {
866842c3 34 res.json({
a7f9f050
BA
35 name: user.name,
36 email: user.email,
37 id: user.id,
38 notify: user.notify,
39 });
40 };
41 const anonymous = {name:"", email:"", id:0, notify:false};
dac39588 42 if (!req.cookies.token)
866842c3
BA
43 callback(anonymous);
44 else if (req.cookies.token.match(/^[a-z0-9]+$/))
45 {
46 UserModel.getOne("sessionToken", req.cookies.token, (err, user) => {
47 callback(user || anonymous);
48 });
49 }
a7f9f050
BA
50});
51
58e7b94e 52// NOTE: this method is safe because only IDs and names are returned
bebcc8d4 53router.get("/users", access.ajax, (req,res) => {
ed9c9c37 54 const ids = req.query["ids"];
866842c3
BA
55 if (ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
56 {
57 UserModel.getByIds(ids, (err,users) => {
58 res.json({users:users});
59 });
60 }
61});
62
63router.put('/update', access.logged, access.ajax, (req,res) => {
64 const name = req.body.name;
65 const email = req.body.email;
66 if (UserModel.checkNameEmail({name: name, email: email}));
67 {
68 const user = {
69 id: req.userId,
70 name: name,
71 email: email,
72 notify: !!req.body.notify,
73 };
74 UserModel.updateSettings(user);
75 res.json({});
76 }
bebcc8d4
BA
77});
78
866842c3
BA
79// Authentication-related methods:
80
c018b304 81// to: object user (to who we send an email)
8d7e2786
BA
82function setAndSendLoginToken(subject, to, res)
83{
dac39588
BA
84 // Set login token and send welcome(back) email with auth link
85 const token = genToken(params.token.length);
866842c3
BA
86 UserModel.setLoginToken(token, to.id);
87 const body =
88 "Hello " + to.name + "!" + `
a749972c 89` +
866842c3
BA
90 "Access your account here: " +
91 params.siteURL + "/#/authenticate/" + token + `
a749972c 92` +
866842c3
BA
93 "Token will expire in " + params.token.expire/(1000*60) + " minutes."
94 sendEmail(params.mail.noreply, to.email, subject, body);
8d7e2786
BA
95}
96
8a477a7e 97router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
dac39588
BA
98 const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
99 const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
866842c3
BA
100 if (UserModel.checkNameEmail({[type]: nameOrEmail}))
101 {
102 UserModel.getOne(type, nameOrEmail, (err,user) => {
103 access.checkRequest(res, err, user, "Unknown user", () => {
104 setAndSendLoginToken("Token for " + params.siteURL, user, res);
105 res.json({});
106 });
dac39588 107 });
866842c3 108 }
8d7e2786
BA
109});
110
1aeed627 111router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
99b7a14c
BA
112 if (!req.query.token.match(/^[a-z0-9]+$/))
113 return res.json({errmsg: "Bad token"});
1aeed627 114 UserModel.getOne("loginToken", req.query.token, (err,user) => {
dac39588 115 access.checkRequest(res, err, user, "Invalid token", () => {
98f48579 116 // If token older than params.tokenExpire, do nothing
dac39588 117 if (Date.now() > user.loginTime + params.token.expire)
866842c3
BA
118 res.json({errmsg: "Token expired"});
119 else
120 {
121 // Generate session token (if not exists) + destroy login token
122 UserModel.trySetSessionToken(user.id, (token) => {
123 res.cookie("token", token, {
124 httpOnly: true,
125 secure: !!params.siteURL.match(/^https/),
126 maxAge: params.cookieExpire,
127 });
128 res.json({
129 id: user.id,
130 name: user.name,
131 email: user.email,
132 notify: user.notify,
133 });
a7f9f050 134 });
866842c3 135 }
dac39588
BA
136 });
137 });
8d7e2786
BA
138});
139
1aeed627 140router.get('/logout', access.logged, access.ajax, (req,res) => {
dac39588
BA
141 res.clearCookie("token");
142 res.json({});
8d7e2786
BA
143});
144
145module.exports = router;