const express = require("express");
const bcrypt = require("bcrypt");
const db = require("../db");
// Sub-router for the authentication pages and their API. The parent app chooses the mount
// path (not visible in this file; the "/auth" redirects below suggest it is mounted at /auth).
const app = express.Router();
// TODO: Change passwords
// TODO: Login (+ Frontend, cookie, etc)
/**
 * Login gate for protected routes: the request proceeds only when the session carries a
 * truthy `loggedIn` flag; anyone else is sent to the auth page.
 * @param {object} req - Express request; only `req.session.loggedIn` is read.
 * @param {object} res - Express response, used for the redirect.
 * @param {Function} next - Invoked to continue the chain when the user is logged in.
 */
function checkUser(req, res, next) {
  const isLoggedIn = Boolean(req.session.loggedIn);
  if (!isLoggedIn) {
    res.redirect("/auth");
    return;
  }
  next();
}
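// Static assets the auth router serves even to a logged-in user.
// The original pattern `/.*?\.[html|js|css]/` used a character class, so it matched a dot
// followed by any single one of those letters (e.g. "/x.s" or "/manifest.json"); this is the
// alternation the author evidently meant. If other extensions must pass (e.g. json, map), add them.
const STATIC_ASSET_RE = /\.(?:html|js|css)$/;

/**
 * Decide whether a request to this router is handled here rather than bounced to "/".
 * True for visitors without a logged-in session, for API calls and for static assets;
 * false for a logged-in user asking for an auth page.
 * @param {object} req - Express request; reads `req.session.loggedIn` and `req.path`.
 * @returns {boolean}
 */
function isAuthRouterPassThrough(req) {
  if (!req.session.loggedIn) return true;
  if (req.path.startsWith("/api")) return true;
  return STATIC_ASSET_RE.test(req.path);
}

app.use(
  "/",
  (req, res, next) => {
    // Very important, don't change :)
    // A logged-in user has no business on the auth pages; send them to the app root.
    if (isAuthRouterPassThrough(req)) next();
    else res.redirect("/");
  },
  express.static(__dirname + "/public"),
);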
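/**
 * POST /api/login — checks username/password against the users table and marks the session
 * as logged in. Always answers with a redirect: a session that is already logged in goes to
 * "/", everything else lands on "/auth" (where the middleware above bounces logged-in users
 * to "/"). Expects `req.body.username` and `req.body.password` as strings; the body parser is
 * not shown in this file.
 */
app.post("/api/login", async (req, res, next) => {
  if (req.session.loggedIn) return res.redirect("/");
  const body = req.body || {};
  const { username, password } = body;
  // Accept only non-empty strings: bcrypt.compare throws on other types, and an object or
  // array from a JSON body would reach the query placeholder with driver-specific escaping.
  if (typeof username !== "string" || typeof password !== "string" || !username || !password) {
    return res.redirect("/auth");
  }
  try {
    // Assumes db.query resolves to an array of row objects (as the original's [0] implies) — TODO confirm.
    const rows = await db.query("SELECT id, password FROM users WHERE username = ?", [username]);
    const user = rows[0];
    // Unknown user or a row without a hash: fail closed. The original dereferenced
    // `user.password` on an undefined row, which threw inside the async handler.
    // NOTE(review): this branch answers faster than a failed bcrypt.compare, so response timing
    // differs for unknown usernames; comparing against a dummy hash here would even that out.
    if (!user || !user.password) return res.redirect("/auth");
    const passwordOk = await bcrypt.compare(password, user.password);
    if (!passwordOk) return res.redirect("/auth");
    // Issue a fresh session id on login so a session id handed to the browser before
    // authentication does not survive it (express-session's regenerate; guarded in case the
    // session middleware differs).
    if (typeof req.session.regenerate === "function") {
      await new Promise((resolve, reject) =>
        req.session.regenerate((err) => (err ? reject(err) : resolve())),
      );
    }
    req.session.loggedIn = true;
    req.session.uid = user.id;
    res.redirect("/auth");
  } catch (err) {
    // Express (pre-5) does not forward a rejected async handler; hand it to the error handler
    // instead of leaving the request hanging.
    next(err);
  }
});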
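/**
 * /api/logout (any HTTP method) — destroys the session, then redirects to "/".
 * The redirect is sent from the destroy callback: the original sequenced the two calls with
 * the bitwise `&` operator, which ran both eagerly and could answer before the session store
 * had removed the session. Because this is `app.use`, a plain GET link also triggers it, so a
 * cross-site link can log a user out (a nuisance rather than a data exposure); switching the
 * frontend to POST would let this become `app.post`.
 */
app.use("/api/logout", (req, res) => {
  req.session.destroy((err) => {
    if (err) console.error(err);
    res.redirect("/");
  });
});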
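/**
 * POST /api/password — changes the logged-in user's password after re-checking the current
 * one. Body: `oldPassword`, `newPassword`, `newPasswordRep` (must equal `newPassword`), all
 * non-empty strings. Responds with the literal "error" on any failure and redirects to "/"
 * on success.
 */
app.post("/api/password", checkUser, async (req, res) => {
  const body = req.body || {};
  const { oldPassword, newPassword, newPasswordRep } = body;
  const allStrings = [oldPassword, newPassword, newPasswordRep].every(
    (value) => typeof value === "string" && value.length > 0,
  );
  if (!allStrings || newPassword !== newPasswordRep) return res.send("error");
  try {
    // Assumes db.query resolves to an array of row objects (as the original's [0] implies) — TODO confirm.
    const rows = await db.query("SELECT id, password FROM users WHERE id = ?", [req.session.uid]);
    const user = rows[0];
    // The row must exist and belong to this session. The original returned early when
    // `user.id === req.session.uid` was TRUE — and since the row was selected by that very id,
    // the update below was unreachable; this is the negative sanity check it was meant to be.
    if (!user || !user.password || user.id !== req.session.uid) return res.send("error");
    if (!(await bcrypt.compare(oldPassword, user.password))) return res.send("error");
    const newHash = await bcrypt.hash(newPassword, 12); // bcrypt cost factor 12, unchanged
    await db.query("UPDATE users SET password = ? WHERE id = ?", [newHash, req.session.uid]);
    res.redirect("/");
  } catch (e) {
    console.error(e);
    res.send("error");
  }
});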
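/**
 * GET /api/list — user directory for the logged-in user, as JSON. `?class=all` lists every
 * user; otherwise only users sharing the caller's class_id. Only id/name/middlename/surname
 * are selected, never the password hash.
 * NOTE(review): whether every logged-in user should be able to list the whole directory via
 * `class=all` is a product decision not visible here — confirm.
 */
app.get("/api/list", checkUser, async (req, res, next) => {
  try {
    const listAll = req.query.class === "all";
    const users = listAll
      ? await db.query("SELECT id, name, middlename, surname FROM users ORDER BY name")
      : await db.query(
          "SELECT id, name, middlename, surname FROM users WHERE class_id = (SELECT class_id FROM users WHERE id = ?) ORDER BY name",
          [req.session.uid],
        );
    res.json(users);
  } catch (err) {
    // Express (pre-5) does not forward a rejected async handler; pass the error on so the
    // request does not hang.
    next(err);
  }
});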
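// GET /api/status — lets the frontend ask whether the current session is logged in.
// Coerced to a real boolean: with the flag unset the original serialised as `{}`, because
// JSON.stringify drops undefined-valued keys.
app.get("/api/status", (req, res) => res.json({ loggedIn: Boolean(req.session.loggedIn) }));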
// `auth` is the router the parent app mounts; `checkUser` is exported so other routers can
// reuse the same login gate.
module.exports = { auth: app, checkUser };