path: root/auth/index.js
blob: cc1f5b3778e948fc908eda2e03ce06282eef161b (plain) (blame)
const path = require("path");

const express = require("express");
const bcrypt = require("bcrypt");
const db = require("../db");

// Router holding the session guards, the static login page and the /api/* handlers;
// exported as `auth` at the bottom of the file (redirects below assume it is mounted at /auth).
const app = express.Router();

// Middleware: lets the request through only when the session was marked logged in
// by POST /api/login; everything else is sent back to the login page.
function checkUser(req, res, next) {
    if (!req.session.loggedIn) {
        res.redirect("/auth");
        return;
    }
    next();
}

// Middleware: requires a logged-in session whose isAdmin flag (copied from the
// users.is_admin column at login) is set. Anonymous users go to the login page,
// logged-in non-admins go to the home page.
function checkAdmin(req, res, next) {
    const { loggedIn, isAdmin } = req.session;
    if (!loggedIn) return res.redirect("/auth");
    if (!isAdmin) return res.redirect("/");
    next();
}

// Middleware: like checkAdmin, but additionally requires the isSuperAdmin session
// flag (granted at login only to the hard-coded super-admin usernames).
// Not used in this file and not exported.
function checkSuperAdmin(req, res, next) {
    const { loggedIn, isAdmin, isSuperAdmin } = req.session;
    if (!loggedIn) return res.redirect("/auth");
    if (!(isAdmin && isSuperAdmin)) return res.redirect("/");
    next();
}

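// Paths that are allowed through to express.static even for a logged-in session.
// The previous pattern, /.*?\.[html|js|css]/, was a character class rather than an
// alternation: it matched any path containing ".h", ".s", ".|" etc. instead of the
// intended file extensions.
const LOGIN_ASSET_RE = /\.(html|js|css)$/;

// Static login page. A session that is already logged in is bounced to "/" so the
// login form is not shown again; /api/* requests and plain asset files still pass
// through. Keep the order of these checks — it is what keeps signed-in users off
// the login page ("Very important, don't change :)").
app.use(
    "/",
    (req, res, next) => {
        const reqPath = req.path;
        if (!req.session.loggedIn || reqPath.startsWith("/api") || LOGIN_ASSET_RE.test(reqPath)) return next();
        res.redirect("/");
    },
    express.static(path.join(__dirname, "public")),
);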

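// Usernames that get the super-admin flag on top of their admin flag. There is no
// column for this, so it is deliberately hard-coded here; keep the list in sync with
// whoever actually administers the system.
const SUPER_ADMIN_USERNAMES = new Set(["bornerma", "krönnela"]);

// POST /api/login — verifies username/password against users.password (bcrypt hash)
// and, on success, marks the session as logged in and copies the user's role flags
// and ids into it. Success and failure both redirect to /auth; the page presumably
// consults /api/status to tell them apart (not visible here).
app.post("/api/login", async (req, res) => {
    if (req.session.loggedIn) return res.redirect("/");

    const { username, password } = req.body;
    // Body-parsed fields can arrive as arrays or objects (e.g. `username[]=...`);
    // only non-empty strings are acceptable for the query and the comparison below.
    if (typeof username !== "string" || typeof password !== "string" || !username || !password) {
        return res.redirect("/auth");
    }

    let user;
    let passwordOk = false;
    try {
        [user] = await db.query("SELECT id, password, is_admin, class_id FROM users WHERE username = ?", [username]);
        // NOTE(review): unknown users skip bcrypt.compare, so the response is measurably
        // faster for them; comparing against a dummy hash would even that out.
        if (!user || !user.password) return res.redirect("/auth");
        passwordOk = await bcrypt.compare(password, user.password);
    } catch (e) {
        // Without this, a rejected promise in an async Express 4 handler leaves the
        // request hanging instead of answering.
        console.error(e);
        return res.redirect("/auth");
    }

    if (passwordOk) {
        console.log(`LOGIN: ${user.id}`);
        // NOTE(review): consider req.session.regenerate() before setting these so the
        // session id changes on login (express-session API) — confirm the session store in use.
        req.session.loggedIn = true;
        req.session.isAdmin = user.is_admin;
        // Super-admin only for the hard-coded usernames, and only if the DB also marks them admin.
        req.session.isSuperAdmin = SUPER_ADMIN_USERNAMES.has(username) ? user.is_admin : false;
        req.session.uid = user.id;
        req.session.cid = user.class_id;
    }
    res.redirect("/auth");
});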

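// /api/logout — drops the session and sends the browser home. Registered with
// app.use, so every HTTP method matches; a POST-only route would keep a plain
// cross-site GET from logging a user out.
app.use("/api/logout", checkUser, (req, res) => {
    console.log(`LOGOUT: ${req.session.uid}`);
    // destroy() involves a store round-trip and reports completion via callback
    // (express-session API — confirm the store in use); redirecting before it
    // finishes races the browser against a session that may still be live.
    req.session.destroy((err) => {
        if (err) console.error(err);
        res.redirect("/");
    });
});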

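// Minimum length accepted for a new password.
const MIN_PASSWORD_LENGTH = 8;

// POST /api/password — lets a logged-in user replace their own password hash after
// re-authenticating with the current one. Every failure answers the literal "error";
// success redirects to "/".
app.post("/api/password", checkUser, async (req, res) => {
    const { oldPassword, newPassword, newPasswordRep } = req.body;
    // Reject anything that is not a non-empty string before touching .length or bcrypt.
    const allStrings = [oldPassword, newPassword, newPasswordRep].every(
        (value) => typeof value === "string" && value !== "",
    );
    if (!allStrings || newPassword !== newPasswordRep || newPassword.length < MIN_PASSWORD_LENGTH) {
        return res.send("error");
    }
    try {
        const [user] = await db.query("SELECT id, password FROM users WHERE id = ?", [req.session.uid]);
        if (!user || !user.password) return res.send("error");
        // Re-authenticate with the current password before accepting a new one.
        if (!(await bcrypt.compare(oldPassword, user.password))) return res.send("error");
        console.log(`PASSWORD CHANGE: ${user.id}`);
        const newHash = await bcrypt.hash(newPassword, 12);
        await db.query("UPDATE users SET password = ? WHERE id = ?", [newHash, req.session.uid]);
        res.redirect("/");
    } catch (e) {
        // The lookup and compare used to sit outside the try; a DB failure there would
        // have left the request unanswered.
        console.error(e);
        res.send("error");
    }
});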

// GET /api/list?class=all|teacher|<anything else> — directory listing for logged-in users.
// "all" returns every user, "teacher" those with type_id = 2, anything else the
// caller's own classmates (excluding the caller). All queries are parameterized;
// the only user-controlled value that reaches SQL is the session uid.
app.get("/api/list", checkUser, async (req, res) => {
    const scope = req.query.class;
    let users;
    try {
        switch (scope) {
            case "all":
                users = await db.query("SELECT id, name, middlename, surname, class_id FROM users ORDER BY class_id, name");
                break;
            case "teacher":
                users = await db.query(
                    "SELECT id, name, middlename, surname, class_id FROM users WHERE type_id = 2 ORDER BY class_id, name",
                );
                break;
            default: {
                const selfId = req.session.uid;
                users = await db.query(
                    "SELECT id, name, middlename, surname, class_id FROM users WHERE class_id = (SELECT class_id FROM users WHERE id = ?) AND id != ? ORDER BY name",
                    [selfId, selfId],
                );
            }
        }
    } catch (e) {
        console.error(e);
        return res.send("error");
    }

    res.json(users);
});

// GET /api/status — reports the session's role flags. Deliberately unauthenticated
// (no checkUser): an anonymous session just gets undefined flags and superAdmin false.
app.get("/api/status", (req, res) => {
    const { loggedIn, isAdmin, isSuperAdmin } = req.session;
    res.json({
        loggedIn,
        admin: isAdmin,
        superAdmin: isSuperAdmin || false,
    });
});

// GET /api/self — returns the logged-in user's own row (minus the password hash),
// looked up by the session uid. Answers "error" if the query fails.
app.get("/api/self", checkUser, async (req, res) => {
    try {
        const rows = await db.query(
            "SELECT id, username, name, middlename, surname, class_id, type_id, is_admin FROM users WHERE id = ?",
            [req.session.uid],
        );
        const [self] = rows;
        res.json(self);
    } catch (e) {
        console.error(e);
        return res.send("error");
    }
});

// The router plus the two guards other modules mount in front of their routes.
// NOTE(review): checkSuperAdmin is defined above but neither used in this file nor
// exported — confirm whether it should be part of this export.
module.exports = { auth: app, checkUser, checkAdmin };