diff --git a/js/posts.js b/js/posts.js index 347bc08..5c28fea 100644 --- a/js/posts.js +++ b/js/posts.js @@ -54,7 +54,7 @@ document.getElementById("post-btn").addEventListener("click",async function() { alert(`Error, your message cant contain more than 1000 characters! (${len})`) return } - let r = await post("/api/post",{"message":document.getElementById("post-text").value}) + let r = await post("/api/post",{"message":encodeURIComponent(document.getElementById("post-text").value)}) if(window.location.href.split("?mention=")[1])location.replace('/posts'); document.getElementById("post-text").value="" }) @@ -76,7 +76,7 @@ function spacerTextNode() { return document.createTextNode(" | ") } -function createPost(username,text,time,specialtext) { +function createPost(username,text,time,specialtext,postid) { if(!specialtext)specialtext="" const newDiv = document.createElement("div"); const newP = document.createElement("p"); @@ -115,7 +115,7 @@ function createPost(username,text,time,specialtext) { newDiv.appendChild(newP) newDiv.innerHTML += filterPost(text) - + newDiv.id = postid document.getElementById("posts").appendChild(newDiv) } @@ -132,7 +132,7 @@ async function main(){ if(!last_10_posts)return; document.getElementById("posts").innerHTML = "" last_10_posts.forEach((item, i) => { - createPost(item.post_user_name,item.post_text,item.post_time,item.post_special_text) + createPost(item.post_user_name,decodeURIComponent(atob(item.post_text)),item.post_time,item.post_special_text,item.post_id) }); let links = document.getElementsByClassName("insertedlink") diff --git a/server.js b/server.js index 4a94bd5..211d664 100644 --- a/server.js +++ b/server.js @@ -49,6 +49,11 @@ function SHA256(str,salt,num) { return ret; } +function b64(data) { + let buff = Buffer.from(data); + return buff.toString('base64'); +} + function RNG(seed) { if(!seed)seed = Date.now(); this.seed = seed @@ -214,34 +219,37 @@ router.use("/api/*",async function(req,res,next) { } let unsigned = unsign(cookie,req,res) if(!unsigned)return + unsigned = decodeURIComponent(unsigned) let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;` let values = unsigned.split(" ") values[1] = SHA256(values[1],values[0],HASHES_DIFF) + values[0] = b64(values[0]) con.query(sql, values, function (err, result) { if (err) throw err; if(result[0] && result[0].User_Name && result[0].User_Name == values[0]) { - res.locals.username = values[0]; + res.locals.username = atob(values[0]); res.locals.bio = result[0].User_Bio next() } else { + console.log(result[0],values[0],values[1]); res.json({"error":"you cannot access the api without being logged in"}) } }); }) router.get("/api/getuser",async function(req,res) { - res.json({"username":res.locals.username,"bio":res.locals.bio}) + res.json({"username":res.locals.username,"bio":atob(res.locals.bio)}) }) router.get("/api/getotheruser",async function(req,res) { //already counted due to the /api/* handler - let username = req.query.user + let username = b64(req.query.user) let sql = `select * from zerotwohub.users where User_Name=?;` con.query(sql, [username], function (err, result) { if (err) throw err; if(result[0] && result[0].User_Name && result[0].User_Name == username) { - res.json({"username":username,"bio":result[0].User_Bio}) + res.json({"username":atob(username),"bio":atob(result[0].User_Bio)}) } else { res.json({"error":"there is no such user!"}) } @@ -253,8 +261,9 @@ router.post("/api/post", async function(req,res) { res.json({"error":"no message to post"}) return } + let sql = `insert into zerotwohub.posts (post_user_name,post_text,post_time) values (?,?,?);` - let values = [res.locals.username,req.body.message,Date.now()] + let values = [res.locals.username,b64(req.body.message),Date.now()] con.query(sql, values, function (err, result) { if (err) throw err; console.log(result); @@ -278,7 +287,7 @@ router.post("/api/post", async function(req,res) { // }) router.get("/api/getPosts/*", async function(req,res) { - let sql = `select post_user_name,post_text,post_time,post_special_text from zerotwohub.posts order by post_id desc;` + let sql = `select post_user_name,post_text,post_time,post_special_text,post_id from zerotwohub.posts order by post_id desc;` con.query(sql, [], function (err, result) { if (err) throw err; res.json(result) @@ -293,7 +302,7 @@ router.post("/api/setBio", async function(req,res) { return } let sql = `update zerotwohub.users set User_Bio=? where User_Name=?` - con.query(sql, [bio,res.locals.username], function (err, result) { + con.query(sql, [b64(bio),b64(res.locals.username)], function (err, result) { if (err) throw err; res.json({"success":"updated bio"}) }); @@ -310,12 +319,12 @@ router.post("/api/changePW", async function(req,res) { let hashed_new_pw = SHA256(req.body.newPW,res.locals.username,HASHES_DB) let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;` - let values = [res.locals.username,hashed_pw] + let values = [b64(res.locals.username),hashed_pw] con.query(sql, values, function (err, result) { if (err) throw err; if(result[0] && result[0].User_Name && result[0].User_Name == res.locals.username) { let sql = `update zerotwohub.users set User_PW=? where User_Name=? and User_PW=?;` - let values = [hashed_new_pw,res.locals.username,hashed_pw] + let values = [hashed_new_pw,b64(res.locals.username),hashed_pw] con.query(sql, values, function (err, result) { if (err) throw err; let ip = req.socket.remoteAddress @@ -424,7 +433,7 @@ router.post("/register",async function(req,res) { return } let userexistssql = `SELECT User_Name from zerotwohub.users where User_Name = ?` - con.query(userexistssql,[username],function(error,result) { + con.query(userexistssql,[b64(username)],function(error,result) { if(result && result[0] && result[0].User_Name) { res.status(400) res.redirect("/register?success=false&reason=already_exists") @@ -432,7 +441,7 @@ router.post("/register",async function(req,res) { } let hashed_pw = SHA256(password,username,HASHES_DB) let ip = req.socket.remoteAddress - let values = [username,hashed_pw, Date.now(), ip, ip] + let values = [b64(username),hashed_pw, Date.now(), ip, ip] let sql = `INSERT INTO zerotwohub.users (User_Name, User_PW, User_CreationStamp, User_CreationIP, User_LastIP) VALUES (?, ?, ?, ? ,?);` con.query(sql, values, function (err, result) { if (err) throw err; @@ -475,8 +484,8 @@ router.post("/login",async function(req,res) { let hashed_pw = SHA256(password,username,HASHES_DB) let userexistssql = `SELECT User_Name,User_PW,User_LastIP from zerotwohub.users where User_Name = ? and User_PW = ?;` - con.query(userexistssql,[username,hashed_pw],function(error,result) { - if(result && result[0] && result[0].User_Name && result[0].User_Name==username && result[0].User_PW && result[0].User_PW == hashed_pw) { + con.query(userexistssql,[b64(username),hashed_pw],function(error,result) { + if(result && result[0] && result[0].User_Name && result[0].User_Name==b64(username) && result[0].User_PW && result[0].User_PW == hashed_pw) { let ip = req.socket.remoteAddress let setTo = username + " " + SHA256(password,username,HASHES_COOKIE) let cookiesigned = signature.sign(setTo, cookiesecret+ip); @@ -484,12 +493,12 @@ router.post("/login",async function(req,res) { res.redirect("/user?success=true") if(result[0].User_LastIP != ip) { let sql = `update zerotwohub.users set User_LastIP = ? where User_Name = ?;` - con.query(sql,[ip,username],function(error,result) { + con.query(sql,[ip,b64(username)],function(error,result) { if(error)throw error }) } } else { - res.redirect("/login?success=false") + res.redirect("/login?success=false?reason=noUser") } }); })