[vchess.git] / server / routes / users.js

let router = require("express").Router();
const UserModel = require('../models/User');
const sendEmail = require('../utils/mailer');
const genToken = require("../utils/tokenGenerator");
const access = require("../utils/access");
const params = require("../config/parameters");
const sanitizeHtml_pkg = require('sanitize-html');
const { exec } = require("child_process");

const allowedTags = [
  'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b',
  'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table',
  'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
];
function sanitizeHtml(text) {
  return sanitizeHtml_pkg(text, { allowedTags: allowedTags });
}

router.get("/userbio", access.ajax, (req,res) => {
  const uid = req.query["id"];
  if (!!(uid.toString().match(/^[0-9]+$/))) {
    UserModel.getBio(uid, (err, bio) => {
      res.json(bio);
    });
  }
});

router.put('/userbio', access.logged, access.ajax, (req,res) => {
  const bio = sanitizeHtml(req.body.bio);
  UserModel.setBio(req.userId, bio);
  res.json({});
});

router.post('/register', access.unlogged, access.ajax, (req,res) => {
  const name = req.body.name;
  const email = req.body.email;
  const notify = !!req.body.notify;
  if (UserModel.checkNameEmail({ name: name, email: email })) {
    UserModel.create(name, email, notify, (err, ret) => {
      if (!!err) {
        const msg = err.code == "SQLITE_CONSTRAINT"
          ? "User name or email already in use"
          : "User creation failed. Try again";
        res.json({ errmsg: msg });
      }
      else {
        const user = {
          id: ret.id,
          name: name,
          email: email
        };
        setAndSendLoginToken("Welcome to " + params.siteURL, user);
        res.json({});
      }
    });
  }
});

// NOTE: this method is safe because the sessionToken must be guessed
router.get("/whoami", access.ajax, (req,res) => {
  const callback = (user) => {
    res.json({
      name: user.name,
      email: user.email,
      id: user.id,
      notify: user.notify
    });
  };
  const anonymous = {
    name: "",
    email: "",
    id: 0,
    notify: false
  };
  if (!req.cookies.token) callback(anonymous);
  else if (req.cookies.token.match(/^[a-z0-9]+$/)) {
    UserModel.getOne(
      "sessionToken", req.cookies.token, "name, email, id, notify",
      (err, user) => callback(user || anonymous)
    );
  }
});

// NOTE: this method is safe because only IDs and names are returned
router.get("/users", access.ajax, (req,res) => {
  const ids = req.query["ids"];
  // NOTE: slightly too permissive RegExp
  if (!!ids && !!ids.match(/^([0-9]+,?)+$/)) {
    UserModel.getByIds(ids, (err, users) => {
      res.json({ users: users });
    });
  }
});

router.put('/update', access.logged, access.ajax, (req,res) => {
  const name = req.body.name;
  const email = req.body.email;
  if (UserModel.checkNameEmail({ name: name, email: email })) {
    const user = {
      id: req.userId,
      name: name,
      email: email,
      notify: !!req.body.notify,
    };
    UserModel.updateSettings(user);
    res.json({});
  }
});

// Authentication-related methods:

// to: object user (to who we send an email)
function setAndSendLoginToken(subject, to) {
  // Set login token and send welcome(back) email with auth link
  const token = genToken(params.token.length);
  UserModel.setLoginToken(token, to.id);
  const body =
    "Hello " + to.name + " !" + `
` +
    "Access your account here: " +
    params.siteURL + "/#/authenticate/" + token + `
` +
    "Token will expire in " + params.token.expire/(1000*60) + " minutes."
  sendEmail(params.mail.noreply, to.email, subject, body);
}

router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
  const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
  const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
  if (UserModel.checkNameEmail({ [type]: nameOrEmail })) {
    UserModel.getOne(type, nameOrEmail, "id, name, email", (err, user) => {
      access.checkRequest(res, err, user, "Unknown user", () => {
        setAndSendLoginToken("Token for " + params.siteURL, user);
        res.json({});
      });
    });
  }
});

router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
  if (!req.query.token.match(/^[a-z0-9]+$/))
    return res.json({ errmsg: "Bad token" });
  UserModel.getOne(
    "loginToken", req.query.token, "id, name, email, notify",
    (err,user) => {
      access.checkRequest(res, err, user, "Invalid token", () => {
        // If token older than params.tokenExpire, do nothing
        if (Date.now() > user.loginTime + params.token.expire)
          res.json({ errmsg: "Token expired" });
        else {
          // Generate session token (if not exists) + destroy login token
          UserModel.trySetSessionToken(user.id, (token) => {
            res.cookie("token", token, {
              httpOnly: true,
              secure: !!params.siteURL.match(/^https/),
              maxAge: params.cookieExpire,
            });
            res.json(user);
          });
        }
      });
    }
  );
});

router.get('/logout', access.logged, access.ajax, (req,res) => {
  res.clearCookie("token");
  res.json({});
});

module.exports = router;
Commit	Line	Data
	1	let router = require("express").Router();
	2	const UserModel = require('../models/User');
	3	const sendEmail = require('../utils/mailer');
	4	const genToken = require("../utils/tokenGenerator");
	5	const access = require("../utils/access");
	6	const params = require("../config/parameters");
	7	const sanitizeHtml_pkg = require('sanitize-html');
	8	const { exec } = require("child_process");
	9
	10	const allowedTags = [
	11	'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b',
	12	'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table',
	13	'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre'
	14	];
	15	function sanitizeHtml(text) {
	16	return sanitizeHtml_pkg(text, { allowedTags: allowedTags });
	17	}
	18
	19	router.get("/userbio", access.ajax, (req,res) => {
	20	const uid = req.query["id"];
	21	if (!!(uid.toString().match(/^[0-9]+$/))) {
	22	UserModel.getBio(uid, (err, bio) => {
	23	res.json(bio);
	24	});
	25	}
	26	});
	27
	28	router.put('/userbio', access.logged, access.ajax, (req,res) => {
	29	const bio = sanitizeHtml(req.body.bio);
	30	UserModel.setBio(req.userId, bio);
	31	res.json({});
	32	});
	33
	34	router.post('/register', access.unlogged, access.ajax, (req,res) => {
	35	const name = req.body.name;
	36	const email = req.body.email;
	37	const notify = !!req.body.notify;
	38	if (UserModel.checkNameEmail({ name: name, email: email })) {
	39	UserModel.create(name, email, notify, (err, ret) => {
	40	if (!!err) {
	41	const msg = err.code == "SQLITE_CONSTRAINT"
	42	? "User name or email already in use"
	43	: "User creation failed. Try again";
	44	res.json({ errmsg: msg });
	45	}
	46	else {
	47	const user = {
	48	id: ret.id,
	49	name: name,
	50	email: email
	51	};
	52	setAndSendLoginToken("Welcome to " + params.siteURL, user);
	53	res.json({});
	54	}
	55	});
	56	}
	57	});
	58
	59	// NOTE: this method is safe because the sessionToken must be guessed
	60	router.get("/whoami", access.ajax, (req,res) => {
	61	const callback = (user) => {
	62	res.json({
	63	name: user.name,
	64	email: user.email,
	65	id: user.id,
	66	notify: user.notify
	67	});
	68	};
	69	const anonymous = {
	70	name: "",
	71	email: "",
	72	id: 0,
	73	notify: false
	74	};
	75	if (!req.cookies.token) callback(anonymous);
	76	else if (req.cookies.token.match(/^[a-z0-9]+$/)) {
	77	UserModel.getOne(
	78	"sessionToken", req.cookies.token, "name, email, id, notify",
	79	(err, user) => callback(user \|\| anonymous)
	80	);
	81	}
	82	});
	83
	84	// NOTE: this method is safe because only IDs and names are returned
	85	router.get("/users", access.ajax, (req,res) => {
	86	const ids = req.query["ids"];
	87	// NOTE: slightly too permissive RegExp
	88	if (!!ids && !!ids.match(/^([0-9]+,?)+$/)) {
	89	UserModel.getByIds(ids, (err, users) => {
	90	res.json({ users: users });
	91	});
	92	}
	93	});
	94
	95	router.put('/update', access.logged, access.ajax, (req,res) => {
	96	const name = req.body.name;
	97	const email = req.body.email;
	98	if (UserModel.checkNameEmail({ name: name, email: email })) {
	99	const user = {
	100	id: req.userId,
	101	name: name,
	102	email: email,
	103	notify: !!req.body.notify,
	104	};
	105	UserModel.updateSettings(user);
	106	res.json({});
	107	}
	108	});
	109
	110	// Authentication-related methods:
	111
	112	// to: object user (to who we send an email)
	113	function setAndSendLoginToken(subject, to) {
	114	// Set login token and send welcome(back) email with auth link
	115	const token = genToken(params.token.length);
	116	UserModel.setLoginToken(token, to.id);
	117	const body =
	118	"Hello " + to.name + " !" + `
	119	` +
	120	"Access your account here: " +
	121	params.siteURL + "/#/authenticate/" + token + `
	122	` +
	123	"Token will expire in " + params.token.expire/(1000*60) + " minutes."
	124	sendEmail(params.mail.noreply, to.email, subject, body);
	125	}
	126
	127	router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => {
	128	const nameOrEmail = decodeURIComponent(req.query.nameOrEmail);
	129	const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name");
	130	if (UserModel.checkNameEmail({ [type]: nameOrEmail })) {
	131	UserModel.getOne(type, nameOrEmail, "id, name, email", (err, user) => {
	132	access.checkRequest(res, err, user, "Unknown user", () => {
	133	setAndSendLoginToken("Token for " + params.siteURL, user);
	134	res.json({});
	135	});
	136	});
	137	}
	138	});
	139
	140	router.get('/authenticate', access.unlogged, access.ajax, (req,res) => {
	141	if (!req.query.token.match(/^[a-z0-9]+$/))
	142	return res.json({ errmsg: "Bad token" });
	143	UserModel.getOne(
	144	"loginToken", req.query.token, "id, name, email, notify",
	145	(err,user) => {
	146	access.checkRequest(res, err, user, "Invalid token", () => {
	147	// If token older than params.tokenExpire, do nothing
	148	if (Date.now() > user.loginTime + params.token.expire)
	149	res.json({ errmsg: "Token expired" });
	150	else {
	151	// Generate session token (if not exists) + destroy login token
	152	UserModel.trySetSessionToken(user.id, (token) => {
	153	res.cookie("token", token, {
	154	httpOnly: true,
	155	secure: !!params.siteURL.match(/^https/),
	156	maxAge: params.cookieExpire,
	157	});
	158	res.json(user);
	159	});
	160	}
	161	});
	162	}
	163	);
	164	});
	165
	166	router.get('/logout', access.logged, access.ajax, (req,res) => {
	167	res.clearCookie("token");
	168	res.json({});
	169	});
	170
	171	module.exports = router;