X-Git-Url: https://git.auder.net/pieces/Cwda/n_black_rook.svg?a=blobdiff_plain;f=models%2FUser.js;h=171dc2c2d0fb816ef684bbfcd3e49c10acd43819;hb=8ef618ef05070642849f50861399116c2d69a816;hp=6e91458eb310e3e798e6cb5483d005d5c1382ac8;hpb=8a477a7e1b781babc74d7935b80ac0b18ec04f86;p=vchess.git

diff --git a/models/User.js b/models/User.js
index 6e91458e..171dc2c2 100644
--- a/models/User.js
+++ b/models/User.js
@@ -1,6 +1,7 @@
 var db = require("../utils/database");
 var maild = require("../utils/mailer.js");
 var TokenGen = require("../utils/tokenGenerator");
+var params = require("../config/parameters");
 
 /*
  * Structure:
@@ -13,15 +14,22 @@ var TokenGen = require("../utils/tokenGenerator");
  *   notify: boolean (send email notifications for corr games)
  */
 
+// TODO: consider sanitizing http://www.unixwiz.net/techtips/sql-injection.html
+// But parameters are supposed to already be cleaned (in controller).
+
 // User creation
 exports.create = function(name, email, notify, callback)
 {
 	db.serialize(function() {
-		const query =
+		const insertQuery =
 			"INSERT INTO Users " +
 			"(name, email, notify) VALUES " +
 			"('" + name + "', '" + email + "', " + notify + ")";
-		db.run(query, callback); //TODO: need to get the inserted user (how ?)
+		db.run(insertQuery, err => {
+			if (!!err)
+				return callback(err);
+			db.get("SELECT last_insert_rowid() AS rowid", callback);
+		});
 	});
 }
 
@@ -31,7 +39,8 @@ exports.getOne = function(by, value, cb)
 	const delimiter = (typeof value === "string" ? "'" : "");
 	db.serialize(function() {
 		const query =
-			"SELECT * FROM Users " +
+			"SELECT * " +
+			"FROM Users " +
 			"WHERE " + by + " = " + delimiter + value + delimiter;
 		db.get(query, cb);
 	});
@@ -45,7 +54,7 @@ exports.setLoginToken = function(token, uid, cb)
 	db.serialize(function() {
 		const query =
 			"UPDATE Users " +
-			"SET loginToken = " + token + " AND loginTime = " + Date.now() + " " +
+			"SET loginToken = '" + token + "', loginTime = " + Date.now() + " " +
 			"WHERE id = " + uid;
 		db.run(query, cb);
 	});
@@ -57,21 +66,21 @@ exports.trySetSessionToken = function(uid, cb)
 {
 	// Also empty the login token to invalidate future attempts
 	db.serialize(function() {
-		const querySessionTOken =
+		const querySessionToken =
 			"SELECT sessionToken " +
 			"FROM Users " +
 			"WHERE id = " + uid;
-		db.get(querySessionToken, (err,token) => {
+		db.get(querySessionToken, (err,ret) => {
 			if (!!err)
 				return cb(err);
-			const newToken = token || TokenGen.generate(params.token.length);
+			const token = ret.sessionToken || TokenGen.generate(params.token.length);
 			const queryUpdate =
 				"UPDATE Users " +
-				"SET loginToken = NULL " +
-				(!token ? "AND sessionToken = " + newToken + " " : "") +
+				"SET loginToken = NULL" +
+				(!ret.sessionToken ? (", sessionToken = '" + token + "'") : "") + " " +
 				"WHERE id = " + uid;
 			db.run(queryUpdate);
-				cb(null, newToken);
+			cb(null, token);
 		});
 	});
 }
@@ -81,10 +90,10 @@ exports.updateSettings = function(user, cb)
 	db.serialize(function() {
 		const query =
 			"UPDATE Users " +
-			"SET name = " + user.name +
-			" AND email = " + user.email +
-			" AND notify = " + user.notify + " " +
-			"WHERE id = " + user._id;
+			"SET name = '" + user.name + "'" +
+			", email = '" + user.email + "'" +
+			", notify = " + user.notify + " " +
+			"WHERE id = " + user.id;
 		db.run(query, cb);
 	});
 }