+router.post('/register', access.unlogged, access.ajax, (req,res) => {
+ const name = req.body.name;
+ const email = req.body.email;
+ const notify = !!req.body.notify;
+ if (UserModel.checkNameEmail({name: name, email: email}))
+ {
+ UserModel.create(name, email, notify, (err,ret) => {
+ if (err)
+ {
+ const msg = err.code == "SQLITE_CONSTRAINT"
+ ? "User name or email already in use"
+ : "User creation failed. Try again";
+ res.json({errmsg: msg});
+ }
+ else
+ {
+ const user = {
+ id: ret.uid,
+ name: name,
+ email: email,
+ };
+ setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
+ res.json({});
+ }
+ });
+ }
+});
+
+// NOTE: this method is safe because the sessionToken must be guessed
+router.get("/whoami", access.ajax, (req,res) => {
+ const callback = (user) => {
+ res.json({
+ name: user.name,
+ email: user.email,
+ id: user.id,
+ notify: user.notify,
+ });
+ };
+ const anonymous = {name:"", email:"", id:0, notify:false};
+ if (!req.cookies.token)
+ callback(anonymous);
+ else if (req.cookies.token.match(/^[a-z0-9]+$/))
+ {
+ UserModel.getOne("sessionToken", req.cookies.token, (err, user) => {
+ callback(user || anonymous);
+ });
+ }
+});
+
+// NOTE: this method is safe because only IDs and names are returned
+router.get("/users", access.ajax, (req,res) => {
+ const ids = req.query["ids"];
+ if (ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
+ {
+ UserModel.getByIds(ids, (err,users) => {
+ res.json({users:users});
+ });
+ }
+});
+
+router.put('/update', access.logged, access.ajax, (req,res) => {
+ const name = req.body.name;
+ const email = req.body.email;
+ if (UserModel.checkNameEmail({name: name, email: email}));
+ {
+ const user = {
+ id: req.userId,
+ name: name,
+ email: email,
+ notify: !!req.body.notify,
+ };
+ UserModel.updateSettings(user);
+ res.json({});
+ }
+});
+
+// Authentication-related methods: