From 4302684c5707768ebf5640b93172197cd7c3525a Mon Sep 17 00:00:00 2001
From: Mystikfluu <Mystikfluu@gmail.com>
Date: Sat, 4 Feb 2023 12:36:08 +0100
Subject: [PATCH] add test support for authentication tokens

---
 routes/api/all.js | 76 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 58 insertions(+), 18 deletions(-)

diff --git a/routes/api/all.js b/routes/api/all.js
index a9b920b..942ccbb 100644
--- a/routes/api/all.js
+++ b/routes/api/all.js
@@ -5,27 +5,69 @@ const config = JSON.parse(fs.readFileSync("server_config.json"));
 const HASHES_DB = config.cookies.server_hashes;
 const HASHES_COOKIE = config.cookies.client_hashes;
 const HASHES_DIFF = HASHES_DB - HASHES_COOKIE;
+
 export const setup = function (router, con, server) {
-    router.use("/*",  function (req, res, next) {
+    router.use("/*",  async function (req, res, next) {
         res.set("Access-Control-Allow-Origin", "*"); //we'll allow it for now
         let unsigned;
         if (req.body.user == undefined || req.body.pass == undefined) {
-            if(!req.cookies.AUTH_COOKIE) {
-                next()
-                return
-            }
-            unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
-            if (!unsigned){
-                next()
-                return
+            if(req.body.auth != undefined) {
+                if(
+                    typeof req.body.auth            !== "object" || 
+                    typeof req.body.auth.secret     !== "string" || 
+                    typeof req.body.auth.appid      !== "number" || 
+                    typeof req.body.auth.auth_token !== "string" || 
+                    req.body.auth.secret.length     !== 200      || 
+                    req.body.auth.auth_token.length !== 100      ||
+                    Buffer.from(req.body.auth.secret,"base64").length !== 150
+                ) {
+                    res.status(420).send("invalid authentication object")
+                    return;
+                } else {
+                    //secret    : string(200 chars)
+                    //appid     : number
+                    //auth_token: string(100 chars)
+                    let sql = "select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from auth_tokens inner join application on auth_token_isfrom_application_id=application_id inner join users on auth_token_u_id=User_ID where auth_token=? and application_secret=? and application_id=?"
+                    con.query(sql,[SHA256(req.body.auth.auth_token,req.body.auth.appid, HASHES_DB),SHA256(req.body.auth.secret,req.body.auth.appid, HASHES_DB),req.body.auth.appid],(err,result) => {
+                        if(err) throw err;
+
+                        if(result.length != 1) {
+                            res.status(420).send("invalid authentication object (or server error?)")
+                            return;
+                        }
+
+                        res.locals.userid = result[0].User_ID;
+                        res.locals.username = result[0].User_Name;
+                        res.locals.bio = result[0].User_Bio || "";
+                        res.locals.avatar = result[0].User_Avatar || "";
+                        res.locals.settings = JSON.parse(result[0].User_Settings) || {};
+
+                        res.locals.isbot = true; //only apps/bots use auth tokens
+
+                        next()
+                    })
+                    return;
+                }
+            } else {
+                if(!req.cookies.AUTH_COOKIE) {
+                    next()
+                    return
+                }
+                unsigned = unsign(req.cookies.AUTH_COOKIE, req, res);
+                if (!unsigned){
+                    next()
+                    return
+                }
             }
+            
         }
         else {
             unsigned = `${req.body.user} ${SHA256(req.body.pass, req.body.user, HASHES_COOKIE)}`;
+            res.set("message","user+pass authentication is deprecated as of february 2023, consider switching to auth tokens")
             //basically we generate the unsigned cookie
             res.locals.isbot = true; //only bots use user+pass
         }
-        let sql = `select User_Name,User_Bio,User_Avatar,User_Settings from ipost.users where User_Name=? and User_PW=?;`;
+        let sql = `select User_ID,User_Name,User_Bio,User_Avatar,User_Settings from ipost.users where User_Name=? and User_PW=?;`;
         let values = unsigned.split(" ");
         values[1] = SHA256(values[1], values[0], HASHES_DIFF);
         res.locals.bio = "";
@@ -35,14 +77,12 @@ export const setup = function (router, con, server) {
             if (err)
                 throw err;
             if (result[0] && result[0].User_Name && result[0].User_Name == values[0]) {
-                res.locals.username = values[0];
-                res.locals.bio = result[0].User_Bio || "";
-                res.locals.avatar = result[0].User_Avatar || "";
-                res.locals.settings = JSON.parse(result[0].User_Settings);
-                if (res.locals.settings == "null")
-                    res.locals.settings = {};
-                if (res.locals.settings === null)
-                    res.locals.settings = {};
+
+                res.locals.userid   = result[0].User_ID;
+                res.locals.username = result[0].User_Name;
+                res.locals.bio      = result[0].User_Bio || "";
+                res.locals.avatar   = result[0].User_Avatar || "";
+                res.locals.settings = JSON.parse(result[0].User_Settings) || {};
                 
             }
             next()