models/User.js

   1 var db = require("../utils/database");
   2 var maild = require("../utils/mailer.js");
   3 var TokenGen = require("../utils/tokenGenerator");
   4 var params = require("../config/parameters");
   5
   6 /*
   7  * Structure:
   8  *   _id: integer
   9  *   name: varchar
  10  *   email: varchar
  11  *   loginToken: token on server only
  12  *   loginTime: datetime (validity)
  13  *   sessionToken: token in cookies for authentication
  14  *   notify: boolean (send email notifications for corr games)
  15  */
  16
  17 // TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
  18 // But parameters are supposed to already be cleaned (in controller).
  19
  20 // User creation
  21 exports.create = function(name, email, notify, callback)
  22 {
  23     db.serialize(function() {
  24         const insertQuery =
  25             "INSERT INTO Users " +
  26             "(name, email, notify) VALUES " +
  27             "('" + name + "', '" + email + "', " + notify + ")";
  28         db.run(insertQuery, err => {
  29             if (!!err)
  30                 return callback(err);
  31             db.get("SELECT last_insert_rowid() AS rowid", callback);
  32         });
  33     });
  34 }
  35
  36 // Find one user (by id, name, email, or token)
  37 exports.getOne = function(by, value, cb)
  38 {
  39     const delimiter = (typeof value === "string" ? "'" : "");
  40     db.serialize(function() {
  41         const query =
  42             "SELECT * " +
  43             "FROM Users " +
  44             "WHERE " + by + " = " + delimiter + value + delimiter;
  45         db.get(query, cb);
  46     });
  47 }
  48
  49 /////////
  50 // MODIFY
  51
  52 exports.setLoginToken = function(token, uid, cb)
  53 {
  54     db.serialize(function() {
  55         const query =
  56             "UPDATE Users " +
  57             "SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
  58             "WHERE id = " + uid;
  59         db.run(query, cb);
  60     });
  61 }
  62
  63 // Set session token only if empty (first login)
  64 // TODO: weaker security (but avoid to re-login everywhere after each logout)
  65 exports.trySetSessionToken = function(uid, cb)
  66 {
  67     // Also empty the login token to invalidate future attempts
  68     db.serialize(function() {
  69         const querySessionToken =
  70             "SELECT sessionToken " +
  71             "FROM Users " +
  72             "WHERE id = " + uid;
  73         db.get(querySessionToken, (err,ret) => {
  74             if (!!err)
  75                 return cb(err);
  76             const token = ret.sessionToken || TokenGen.generate(params.token.length);
  77             const queryUpdate =
  78                 "UPDATE Users " +
  79                 "SET loginToken = NULL" +
  80                 (!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
  81                 "WHERE id = " + uid;
  82             db.run(queryUpdate);
  83             cb(null, token);
  84         });
  85     });
  86 }
  87
  88 exports.updateSettings = function(user, cb)
  89 {
  90     db.serialize(function() {
  91         const query =
  92             "UPDATE Users " +
  93             "SET name = '" + user.name + "'" +
  94             ", email = '" + user.email + "'" +
  95             ", notify = " + user.notify + " " +
  96             "WHERE id = " + user.id;
  97         db.run(query, cb);
  98     });
  99 }