Sanitize inputs on server side
[vchess.git] / server / models / Game.js
... / ...
CommitLineData
1var db = require("../utils/database");
2const UserModel = require("./User");
3
4/*
5 * Structure table Games:
6 * id: game id (int)
7 * vid: integer (variant id)
8 * fenStart: varchar (initial position)
9 * fen: varchar (current position)
10 * timeControl: string
11 * score: varchar (result)
12 * created: datetime
13 * drawOffer: boolean
14 *
15 * Structure table Players:
16 * gid: ref game id
17 * uid: ref user id
18 * color: character
19 *
20 * Structure table Moves:
21 * gid: ref game id
22 * squares: varchar (description)
23 * played: datetime
24 * idx: integer
25 *
26 * Structure table Chats:
27 * gid: game id (int)
28 * msg: varchar
29 * name: varchar
30 * sid: varchar (socket ID when sending message)
31 * added: datetime
32 */
33
34const GameModel =
35{
36 checkGameInfo: function(g) {
37 if (!g.id.toString().match(/^[0-9]+$/))
38 return "Wrong game ID";
39 if (!g.vid.toString().match(/^[0-9]+$/))
40 return "Wrong variant ID";
41 if (!g.vname.match(/^[a-zA-Z0-9]+$/))
42 return "Wrong variant name";
43 if (!g.timeControl.match(/^[0-9dhms +]+$/))
44 return "Wrong characters in time control";
45 if (!g.fen.match(/^[a-zA-Z0-9, /-]*$/))
46 return "Bad FEN string";
47 if (g.players.length != 2)
48 return "Need exactly 2 players";
49 if (g.players.some(p => !p.id.toString().match(/^[0-9]+$/)))
50 return "Wrong characters in player ID";
51 return "";
52 },
53
54 create: function(vid, fen, timeControl, players, cb)
55 {
56 db.serialize(function() {
57 let query =
58 "INSERT INTO Games"
59 + " (vid, fenStart, fen, score, timeControl, created, drawOffer)"
60 + " VALUES (" + vid + ",'" + fen + "','" + fen + "','*','"
61 + timeControl + "'," + Date.now() + "," + false + ")";
62 db.run(query, function(err) {
63 if (!!err)
64 return cb(err);
65 players.forEach((p,idx) => {
66 const color = (idx==0 ? "w" : "b");
67 query =
68 "INSERT INTO Players VALUES " +
69 "(" + this.lastID + "," + p.id + ",'" + color + "')";
70 db.run(query);
71 });
72 cb(null, {gid: this.lastID});
73 });
74 });
75 },
76
77 // TODO: queries here could be async, and wait for all to complete
78 getOne: function(id, cb)
79 {
80 db.serialize(function() {
81 // TODO: optimize queries?
82 let query =
83 "SELECT g.id, g.vid, g.fen, g.fenStart, g.timeControl, g.score, " +
84 "v.name AS vname " +
85 "FROM Games g " +
86 "JOIN Variants v " +
87 " ON g.vid = v.id " +
88 "WHERE g.id = " + id;
89 db.get(query, (err,gameInfo) => {
90 if (!!err)
91 return cb(err);
92 query =
93 "SELECT p.uid, p.color, u.name " +
94 "FROM Players p " +
95 "JOIN Users u " +
96 " ON p.uid = u.id " +
97 "WHERE p.gid = " + id;
98 db.all(query, (err2,players) => {
99 if (!!err2)
100 return cb(err2);
101 query =
102 "SELECT squares, played, idx " +
103 "FROM Moves " +
104 "WHERE gid = " + id;
105 db.all(query, (err3,moves) => {
106 if (!!err3)
107 return cb(err3);
108 query =
109 "SELECT msg, name, sid, added " +
110 "FROM Chats " +
111 "WHERE gid = " + id;
112 db.all(query, (err4,chats) => {
113 if (!!err4)
114 return cb(err4);
115 const game = Object.assign({},
116 gameInfo,
117 {
118 players: players,
119 moves: moves,
120 chats: chats,
121 }
122 );
123 return cb(null, game);
124 });
125 });
126 });
127 });
128 });
129 },
130
131 getByUser: function(uid, excluded, cb)
132 {
133 db.serialize(function() {
134 // Next query is fine because a player appear at most once in a game
135 const query =
136 "SELECT gid " +
137 "FROM Players " +
138 "WHERE uid " + (excluded ? "<>" : "=") + " " + uid;
139 db.all(query, (err,gameIds) => {
140 if (!!err)
141 return cb(err);
142 gameIds = gameIds || []; //might be empty
143 let gameArray = [];
144 for (let i=0; i<gameIds.length; i++)
145 {
146 GameModel.getOne(gameIds[i]["gid"], (err2,game) => {
147 if (!!err2)
148 return cb(err2);
149 gameArray.push(game);
150 // Call callback function only when gameArray is complete:
151 if (i == gameIds.length - 1)
152 return cb(null, gameArray);
153 });
154 }
155 });
156 });
157 },
158
159 getPlayers: function(id, cb)
160 {
161 db.serialize(function() {
162 const query =
163 "SELECT id " +
164 "FROM Players " +
165 "WHERE gid = " + id;
166 db.all(query, (err,players) => {
167 return cb(err, players);
168 });
169 });
170 },
171
172 checkGameUpdate: function(obj)
173 {
174 // Check all that is possible (required) in obj:
175 if (!!obj.move)
176 {
177 if (!obj.move.played.toString().match(/^[0-9]+$/))
178 return "Wrong move played time";
179 if (!obj.move.idx.toString().match(/^[0-9]+$/))
180 return "Wrong move index";
181 }
182 if (!!obj.fen && !obj.fen.match(/^[a-zA-Z0-9, /-]*$/))
183 return "Wrong FEN string";
184 if (!!obj.score && !obj.score.match(/^[012?*\/-]+$/))
185 return "Wrong characters in score";
186 if (!!obj.chat)
187 {
188 if (!obj.chat.sid.match(/^[a-zA-Z0-9]+$/))
189 return "Wrong user SID";
190 return UserModel.checkNameEmail({name: obj.chat.name});
191 }
192 return "";
193 },
194
195 // obj can have fields move, chat, fen, drawOffer and/or score
196 update: function(id, obj)
197 {
198 db.parallelize(function() {
199 let query =
200 "UPDATE Games " +
201 "SET ";
202 let modifs = "";
203 if (!!obj.message)
204 modifs += "message = message || ' ' || '" + obj.message + "',";
205 if ([true,false].includes(obj.drawOffer))
206 modifs += "drawOffer = " + obj.drawOffer + ",";
207 if (!!obj.fen)
208 modifs += "fen = '" + obj.fen + "',";
209 if (!!obj.score)
210 modifs += "score = '" + obj.score + "',";
211 modifs = modifs.slice(0,-1); //remove last comma
212 if (modifs.length > 0)
213 {
214 query += modifs + " WHERE id = " + id;
215 db.run(query);
216 }
217 if (!!obj.move)
218 {
219 const m = obj.move;
220 query =
221 "INSERT INTO Moves (gid, squares, played, idx) VALUES " +
222 "(" + id + ",?," + m.played + "," + m.idx + ")";
223 db.run(query, JSON.stringify(m.squares));
224 }
225 if (!!obj.chat)
226 {
227 query =
228 "INSERT INTO Chats (gid, msg, name, sid, added) VALUES " +
229 "(" + id + ",?,'" + obj.chat.name + "','"
230 + obj.chat.sid + "'," + Date.now() + ")";
231 db.run(query, obj.chat.msg);
232 }
233 });
234 },
235
236 remove: function(id)
237 {
238 db.parallelize(function() {
239 let query =
240 "DELETE FROM Games " +
241 "WHERE id = " + id;
242 db.run(query);
243 query =
244 "DELETE FROM Players " +
245 "WHERE gid = " + id;
246 db.run(query);
247 query =
248 "DELETE FROM Moves " +
249 "WHERE gid = " + id;
250 db.run(query);
251 query =
252 "DELETE FROM Chats " +
253 "WHERE gid = " + id;
254 db.run(query);
255 });
256 },
257
258 cleanGamesDb: function()
259 {
260 const tsNow = Date.now();
261 // 86400000 = 24 hours in milliseconds
262 const day = 86400000;
263 db.serialize(function() {
264 let query =
265 "SELECT id,score " +
266 "FROM Games ";
267 db.all(query, (err,games) => {
268 games.forEach(g => {
269 query =
270 "SELECT max(played) AS lastMaj " +
271 "FROM Moves " +
272 "WHERE gid = " + g.id;
273 db.get(query, (err2,updated) => {
274 if (!updated && tsNow - g.created > 7*day)
275 return GameModel.remove(g.id);
276 const lastMaj = updated.lastMaj;
277 if (g.score != "*" && tsNow - lastMaj > 7*day ||
278 g.score == "*" && tsNow - lastMaj > 91*day)
279 {
280 GameModel.remove(g.id);
281 }
282 });
283 });
284 });
285 });
286 },
287}
288
289module.exports = GameModel;