[vchess.git] / server / routes / users.js

let router = require("express").Router();
const UserModel = require('../models/User');
const sendEmail = require('../utils/mailer');
const genToken = require("../utils/tokenGenerator");
const access = require("../utils/access");
const params = require("../config/parameters");

router.post('/register', access.unlogged, access.ajax, (req,res) => {
  const name = req.body.name;
  const email = req.body.email;
  const notify = !!req.body.notify;
  if (UserModel.checkNameEmail({name: name, email: email}))
  {
    UserModel.create(name, email, notify, (err,ret) => {
      if (err)
        res.json({errmsg: "User creation failed. Try again"});
      else
      {
        const user = {
          id: ret.uid,
          name: name,
          email: email,
        };
        setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
        res.json({});
      }
    });
  }
});

// NOTE: this method is safe because the sessionToken must be guessed
router.get("/whoami", access.ajax, (req,res) => {
  const callback = (user) => {
    res.json({
      name: user.name,
      email: user.email,
      id: user.id,
      notify: user.notify,
    });
  };
  const anonymous = {name:"", email:"", id:0, notify:false};
  if (!req.cookies.token)
    callback(anonymous);
  else if (req.cookies.token.match(/^[a-z0-9]+$/))
  {
    UserModel.getOne("sessionToken", req.cookies.token, (err, user) => {
      callback(user || anonymous);
    });
  }
});

// NOTE: this method is safe because only IDs and names are returned
router.get("/users", access.ajax, (req,res) => {
  const ids = req.query["ids"];
  if (ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
  {
    UserModel.getByIds(ids, (err,users) => {
      res.json({users:users});
    });
  }
});

router.put('/update', access.logged, access.ajax, (req,res) => {
  const name = req.body.name;
  const email = req.body.email;
  if (UserModel.checkNameEmail({name: name, email: email}));
  {
    const user = {
      id: req.userId,
      name: name,
      email: email,
      notify: !!req.body.notify,
    };
    UserModel.updateSettings(user);
    res.json({});
  }
});

// Authentication-related methods:

// to: object user (to who we send an email)
function setAndSendLoginToken(subject, to, res)
{
  // Set login token and send welcome(back) email with auth link
  const token = genToken(params.token.length);
  UserModel.setLoginToken(token, to.id);
  const body =
    "Hello " + to.name + "!" + `
` +
    "Access your account here: " +
    params.siteURL + "/#/authenticate/" + token + `
` +
    "Token will expire in " + params.token.expire/(1000*60) + " minutes."
  sendEmail(params.mail.noreply, to.email, subject, body);
}

router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
  const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
  const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
  if (UserModel.checkNameEmail({[type]: nameOrEmail}))
  {
    UserModel.getOne(type, nameOrEmail, (err,user) => {
      access.checkRequest(res, err, user, "Unknown user", () => {
        setAndSendLoginToken("Token for " + params.siteURL, user, res);
        res.json({});
      });
    });
  }
});

router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
  if (!req.query.token.match(/^[a-z0-9]+$/))
    return res.json({errmsg: "Bad token"});
  UserModel.getOne("loginToken", req.query.token, (err,user) => {
    access.checkRequest(res, err, user, "Invalid token", () => {
      // If token older than params.tokenExpire, do nothing
      if (Date.now() > user.loginTime + params.token.expire)
        res.json({errmsg: "Token expired"});
      else
      {
        // Generate session token (if not exists) + destroy login token
        UserModel.trySetSessionToken(user.id, (token) => {
          res.cookie("token", token, {
            httpOnly: true,
            secure: !!params.siteURL.match(/^https/),
            maxAge: params.cookieExpire,
          });
          res.json({
            id: user.id,
            name: user.name,
            email: user.email,
            notify: user.notify,
          });
        });
      }
    });
  });
});

router.get('/logout', access.logged, access.ajax, (req,res) => {
  res.clearCookie("token");
  res.json({});
});

module.exports = router;
Commit	Line	Data
fe4c7e67 BA	1	let router = require("express").Router();
	2	const UserModel = require('../models/User');
	3	const sendEmail = require('../utils/mailer');
	4	const genToken = require("../utils/tokenGenerator");
	5	const access = require("../utils/access");
	6	const params = require("../config/parameters");
8d7e2786	7
866842c3 BA	8	router.post('/register', access.unlogged, access.ajax, (req,res) => {
	9	const name = req.body.name;
	10	const email = req.body.email;
	11	const notify = !!req.body.notify;
	12	if (UserModel.checkNameEmail({name: name, email: email}))
	13	{
	14	UserModel.create(name, email, notify, (err,ret) => {
	15	if (err)
	16	res.json({errmsg: "User creation failed. Try again"});
	17	else
	18	{
	19	const user = {
	20	id: ret.uid,
	21	name: name,
	22	email: email,
	23	};
	24	setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
	25	res.json({});
	26	}
	27	});
	28	}
	29	});
	30
58e7b94e	31	// NOTE: this method is safe because the sessionToken must be guessed
a7f9f050 BA	32	router.get("/whoami", access.ajax, (req,res) => {
a7f9f050 BA	33	const callback = (user) => {
866842c3	34	res.json({
a7f9f050 BA	35	name: user.name,
	36	email: user.email,
	37	id: user.id,
	38	notify: user.notify,
	39	});
	40	};
	41	const anonymous = {name:"", email:"", id:0, notify:false};
dac39588	42	if (!req.cookies.token)
866842c3 BA	43	callback(anonymous);
	44	else if (req.cookies.token.match(/^[a-z0-9]+$/))
	45	{
	46	UserModel.getOne("sessionToken", req.cookies.token, (err, user) => {
	47	callback(user \|\| anonymous);
	48	});
	49	}
a7f9f050 BA	50	});
a7f9f050 BA	51
58e7b94e	52	// NOTE: this method is safe because only IDs and names are returned
bebcc8d4	53	router.get("/users", access.ajax, (req,res) => {
ed9c9c37	54	const ids = req.query["ids"];
866842c3 BA	55	if (ids.match(/^([0-9]+,?)+$/)) //NOTE: slightly too permissive
	56	{
	57	UserModel.getByIds(ids, (err,users) => {
	58	res.json({users:users});
	59	});
	60	}
	61	});
	62
	63	router.put('/update', access.logged, access.ajax, (req,res) => {
	64	const name = req.body.name;
	65	const email = req.body.email;
	66	if (UserModel.checkNameEmail({name: name, email: email}));
	67	{
	68	const user = {
	69	id: req.userId,
	70	name: name,
	71	email: email,
	72	notify: !!req.body.notify,
	73	};
	74	UserModel.updateSettings(user);
	75	res.json({});
	76	}
bebcc8d4 BA	77	});
bebcc8d4 BA	78
866842c3 BA	79	// Authentication-related methods:
866842c3 BA	80
c018b304	81	// to: object user (to who we send an email)
8d7e2786 BA	82	function setAndSendLoginToken(subject, to, res)
8d7e2786 BA	83	{
dac39588 BA	84	// Set login token and send welcome(back) email with auth link
dac39588 BA	85	const token = genToken(params.token.length);
866842c3 BA	86	UserModel.setLoginToken(token, to.id);
	87	const body =
	88	"Hello " + to.name + "!" + `
a749972c	89	` +
866842c3 BA	90	"Access your account here: " +
866842c3 BA	91	params.siteURL + "/#/authenticate/" + token + `
a749972c	92	` +
866842c3 BA	93	"Token will expire in " + params.token.expire/(1000*60) + " minutes."
866842c3 BA	94	sendEmail(params.mail.noreply, to.email, subject, body);
8d7e2786 BA	95	}
8d7e2786 BA	96
8a477a7e	97	router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
dac39588 BA	98	const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
dac39588 BA	99	const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
866842c3 BA	100	if (UserModel.checkNameEmail({[type]: nameOrEmail}))
	101	{
	102	UserModel.getOne(type, nameOrEmail, (err,user) => {
	103	access.checkRequest(res, err, user, "Unknown user", () => {
	104	setAndSendLoginToken("Token for " + params.siteURL, user, res);
	105	res.json({});
	106	});
dac39588	107	});
866842c3	108	}
8d7e2786 BA	109	});
8d7e2786 BA	110
1aeed627	111	router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
99b7a14c BA	112	if (!req.query.token.match(/^[a-z0-9]+$/))
99b7a14c BA	113	return res.json({errmsg: "Bad token"});
1aeed627	114	UserModel.getOne("loginToken", req.query.token, (err,user) => {
dac39588	115	access.checkRequest(res, err, user, "Invalid token", () => {
98f48579	116	// If token older than params.tokenExpire, do nothing
dac39588	117	if (Date.now() > user.loginTime + params.token.expire)
866842c3 BA	118	res.json({errmsg: "Token expired"});
	119	else
	120	{
	121	// Generate session token (if not exists) + destroy login token
	122	UserModel.trySetSessionToken(user.id, (token) => {
	123	res.cookie("token", token, {
	124	httpOnly: true,
	125	secure: !!params.siteURL.match(/^https/),
	126	maxAge: params.cookieExpire,
	127	});
	128	res.json({
	129	id: user.id,
	130	name: user.name,
	131	email: user.email,
	132	notify: user.notify,
	133	});
a7f9f050	134	});
866842c3	135	}
dac39588 BA	136	});
dac39588 BA	137	});
8d7e2786 BA	138	});
8d7e2786 BA	139
1aeed627	140	router.get('/logout', access.logged, access.ajax, (req,res) => {
dac39588 BA	141	res.clearCookie("token");
dac39588 BA	142	res.json({});
8d7e2786 BA	143	});
	144
	145	module.exports = router;