foreign key (vid) references Variants(id)
);
--- NOTE: no need for a "created" field, it's deduced from first move playing time
create table Games (
id integer primary key,
vid integer,
var db = require("../utils/database");
+const UserModel = require("./User");
/*
* Structure:
return "Wrong characters in time control";
if (!c.fen.match(/^[a-zA-Z0-9, /-]*$/))
return "Bad FEN string";
+ if (!!c.to)
+ return UserModel.checkNameEmail({name: c.to});
return "";
},
});
},
- // all challenges except where target is defined and not me
+ // All challenges except where target is defined and not me
getByUser: function(uid, cb)
{
db.serialize(function() {
var db = require("../utils/database");
+const UserModel = require("./User");
/*
* Structure table Games:
* timeControl: string
* score: varchar (result)
* created: datetime
+ * drawOffer: boolean
*
* Structure table Players:
* gid: ref game id
const GameModel =
{
+ checkGameInfo: function(g) {
+ if (!g.id.toString().match(/^[0-9]+$/))
+ return "Wrong game ID";
+ if (!g.vid.toString().match(/^[0-9]+$/))
+ return "Wrong variant ID";
+ if (!g.vname.match(/^[a-zA-Z0-9]+$/))
+ return "Wrong variant name";
+ if (!g.timeControl.match(/^[0-9dhms +]+$/))
+ return "Wrong characters in time control";
+ if (!g.fen.match(/^[a-zA-Z0-9, /-]*$/))
+ return "Bad FEN string";
+ if (g.players.length != 2)
+ return "Need exactly 2 players";
+ if (g.players.some(p => !p.id.toString().match(/^[0-9]+$/)))
+ return "Wrong characters in player ID";
+ return "";
+ },
+
create: function(vid, fen, timeControl, players, cb)
{
db.serialize(function() {
});
},
+ checkGameUpdate: function(obj)
+ {
+ // Check all that is possible (required) in obj:
+ if (!!obj.move)
+ {
+ if (!obj.move.played.toString().match(/^[0-9]+$/))
+ return "Wrong move played time";
+ if (!obj.move.idx.toString().match(/^[0-9]+$/))
+ return "Wrong move index";
+ }
+ if (!!obj.fen && !obj.fen.match(/^[a-zA-Z0-9, /-]*$/))
+ return "Wrong FEN string";
+ if (!!obj.score && !obj.score.match(/^[012?*\/-]+$/))
+ return "Wrong characters in score";
+ if (!!obj.chat)
+ {
+ if (!obj.chat.sid.match(/^[a-zA-Z0-9]+$/))
+ return "Wrong user SID";
+ return UserModel.checkNameEmail({name: obj.chat.name});
+ }
+ return "";
+ },
+
// obj can have fields move, chat, fen, drawOffer and/or score
update: function(id, obj)
{
let modifs = "";
if (!!obj.message)
modifs += "message = message || ' ' || '" + obj.message + "',";
- if (!!obj.drawOffer)
+ if ([true,false].includes(obj.drawOffer))
modifs += "drawOffer = " + obj.drawOffer + ",";
if (!!obj.fen)
modifs += "fen = '" + obj.fen + "',";
const m = obj.move;
query =
"INSERT INTO Moves (gid, squares, played, idx) VALUES " +
- "(" + id + ",'" + JSON.stringify(m.squares) + "',"
- + m.played + "," + m.idx + ")";
- db.run(query);
+ "(" + id + ",?," + m.played + "," + m.idx + ")";
+ db.run(query, JSON.stringify(m.squares));
}
if (!!obj.chat)
{
query =
"INSERT INTO Chats (gid, msg, name, sid, added) VALUES " +
- "(" + id + ",'" + obj.chat.msg + "','" + obj.chat.name +
- "','" + obj.chat.sid + "'," + Date.now() + ")";
- db.run(query);
+ "(" + id + ",?,'" + obj.chat.name + "','"
+ + obj.chat.sid + "'," + Date.now() + ")";
+ db.run(query, obj.chat.msg);
}
});
},
if (!o.email.match(/^[\w.+-]+@[\w.+-]+$/))
return "Bad characters in email";
}
+ return ""; //NOTE: not required, but more consistent... (?!)
},
// NOTE: parameters are already cleaned (in controller), thus no sanitization here
},
// Set session token only if empty (first login)
- // TODO: weaker security (but avoid to re-login everywhere after each logout)
- trySetSessionToken: function(uid, cb)
+ // NOTE: weaker security (but avoid to re-login everywhere after each logout)
+ // TODO: option would be to reset all tokens periodically, e.g. every 3 months
+ trySetSessionToken: function(uid, cb)
{
// Also empty the login token to invalidate future attempts
db.serialize(function() {
// From main hall, start game between players 0 and 1
router.post("/games", access.logged, access.ajax, (req,res) => {
const gameInfo = req.body.gameInfo;
- if (!gameInfo.players.some(p => p.id == req.userId))
+ if (!Array.isArray(gameInfo.players) ||
+ !gameInfo.players.some(p => p.id == req.userId))
+ {
return res.json({errmsg: "Cannot start someone else's game"});
+ }
const cid = req.body.cid;
+ // Check all entries of gameInfo + cid:
+ let error = GameModel.checkGameInfo(gameInfo);
+ if (!error)
+ {
+ if (!cid.toString().match(/^[0-9]+$/))
+ error = "Wrong challenge ID";
+ }
+ if (!!error)
+ return res.json({errmsg:error});
ChallengeModel.remove(cid);
- const fen = req.body.fen;
GameModel.create(
gameInfo.vid, gameInfo.fen, gameInfo.timeControl, gameInfo.players,
(err,ret) => {
// TODO: if newmove fail, takeback in GUI
router.put("/games", access.logged, access.ajax, (req,res) => {
const gid = req.body.gid;
- const obj = req.body.newObj;
+ let error = "";
+ if (!gid.toString().match(/^[0-9]+$/))
+ error = "Wrong game ID";
+ const obj = req.body.newObj;
+ error = GameModel.checkGameUpdate(obj);
+ if (!!error)
+ return res.json({errmsg: error});
GameModel.update(gid, obj, (err) => {
if (!!err)
return res.json(err);
router.post("/messages", (req,res,next) => {
if (!req.xhr)
return res.json({errmsg: "Unauthorized access"});
- console.log(req.body);
const from = req.body["email"];
const subject = req.body["subject"];
const body = req.body["content"];
var access = require("../utils/access");
var params = require("../config/parameters");
+// NOTE: this method is safe because the sessionToken must be guessed
router.get("/whoami", access.ajax, (req,res) => {
const callback = (user) => {
return res.json({
});
});
+// NOTE: this method is safe because only IDs and names are returned
router.get("/users", access.ajax, (req,res) => {
const ids = req.query["ids"];
UserModel.getByIds(ids, (err,users) => {
// Setup email data with unicode symbols
const mailOptions = {
- from: from, //note: some SMTP serves might forbid this
+ from: params.mail.noreply,
to: to,
subject: subject,
text: body,
+ replyTo: from,
};
// Send mail with the defined transport object
projects / vchess.git / commitdiff