code002lover/IPost
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

fixed error

Browse Source 
made constants for hashes
This commit is contained in:
Mystikfluu 2022-04-22 20:14:39 +02:00
parent 6c2edafd0f
commit fbf7895487
1 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
server.js
View File

@ -16,6 +16,10 @@ const csurf = require("csurf");
const csrfProtection = csurf({ cookie: true }) const csrfProtection = csurf({ cookie: true })
const HASHES_DB = 10000
const HASHES_COOKIE = 10
const HASHES_DIFF = HASHES_DB - HASHES_COOKIE
const DID_I_FINALLY_ADD_HTTPS = false const DID_I_FINALLY_ADD_HTTPS = false
const con = mysql.createConnection({ const con = mysql.createConnection({
@ -162,13 +166,14 @@ router.use("/api/*",async function(req,res,next) {
let unsigned = unsign(cookie,req,res) let unsigned = unsign(cookie,req,res)
let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;` let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;`
let values = unsigned.split(" ") let values = unsigned.split(" ")
values[1] = SHA256(values[1],values[0],HASHES_DIFF)
con.query(sql, values, function (err, result) { con.query(sql, values, function (err, result) {
if (err) throw err; if (err) throw err;
if(result[0] && result[0].User_Name && result[0].User_Name == username) { if(result[0] && result[0].User_Name && result[0].User_Name == values[0]) {
res.locals.username = username; res.locals.username = values[0];
next() next()
} else { } else {
res.json({"error":"you are not logged in! (invalid cookie)"}) res.json({"error":"you cannot access the api without being logged in"})
} }
}); });
}) })
@ -186,7 +191,7 @@ router.get("/api/getuser",async function(req,res) {
let values = unsigned.split(" ") let values = unsigned.split(" ")
let username = values[0] let username = values[0]
values[1] = SHA256(values[1],username,10000-10) values[1] = SHA256(values[1],username,HASHES_DIFF)
let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;` let sql = `select * from zerotwohub.users where User_Name=? and User_PW=?;`
let sent_res = false let sent_res = false
@ -207,12 +212,13 @@ router.post("/api/post", async function(req,res) {
let values = [res.locals.username,req.body.message] let values = [res.locals.username,req.body.message]
con.query(sql, values, function (err, result) { con.query(sql, values, function (err, result) {
if (err) throw err; if (err) throw err;
res.json({"post_id":result[0].post_id}) console.log(result);
res.send("success")
}); });
}) })
router.get("/api/getPosts/*", async function(req,res) { router.get("/api/getPosts/*", async function(req,res) {
let sql = `select post_user_name,post_text from zerotwohub.posts where post_id > ? and post_id < ? order by post_id desc;` let sql = `select post_user_name,post_text from zerotwohub.posts where post_id >= ? and post_id <= ? order by post_id desc;`
let id = parseInt(req.originalUrl.replace("/api/getPosts/")) let id = parseInt(req.originalUrl.replace("/api/getPosts/"))
if(isNaN(id))id=0 if(isNaN(id))id=0
let values = [id,id+10] let values = [id,id+10]
@ -292,13 +298,13 @@ router.post("/register",async function(req,res) {
res.redirect("/register?success=false&reason=already_exists") res.redirect("/register?success=false&reason=already_exists")
return return
} }
let hashed_pw = SHA256(password,username,10000) let hashed_pw = SHA256(password,username,HASHES_DB)
let values = [username,hashed_pw] let values = [username,hashed_pw]
let sql = `INSERT INTO zerotwohub.users (User_Name, User_PW) VALUES (?, ?);` let sql = `INSERT INTO zerotwohub.users (User_Name, User_PW) VALUES (?, ?);`
con.query(sql, values, function (err, result) { con.query(sql, values, function (err, result) {
if (err) throw err; if (err) throw err;
let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
let setTo = username + " " + SHA256(password,username,10) let setTo = username + " " + SHA256(password,username,HASHES_COOKIE)
let cookiesigned = signature.sign(setTo, cookiesecret+ip); let cookiesigned = signature.sign(setTo, cookiesecret+ip);
res.cookie('AUTH_COOKIE',cookiesigned, { maxAge: Math.pow(10,10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS }); res.cookie('AUTH_COOKIE',cookiesigned, { maxAge: Math.pow(10,10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS });
res.redirect("/user?success=true") res.redirect("/user?success=true")
@ -334,13 +340,13 @@ router.post("/login",async function(req,res) {
return return
} }
let hashed_pw = SHA256(password,username,10000) let hashed_pw = SHA256(password,username,HASHES_DB)
let userexistssql = `SELECT * from zerotwohub.users where User_Name = ? and User_PW = ?` let userexistssql = `SELECT * from zerotwohub.users where User_Name = ? and User_PW = ?`
con.query(userexistssql,[username,hashed_pw],function(error,result) { con.query(userexistssql,[username,hashed_pw],function(error,result) {
if(result && result[0] && result[0].User_Name && result[0].User_Name==username && result[0].User_PW && result[0].User_PW == hashed_pw) { if(result && result[0] && result[0].User_Name && result[0].User_Name==username && result[0].User_PW && result[0].User_PW == hashed_pw) {
let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress let ip = req.headers['x-forwarded-for'] || req.socket.remoteAddress
let setTo = username + " " + SHA256(password,username,10) let setTo = username + " " + SHA256(password,username,HASHES_COOKIE)
let cookiesigned = signature.sign(setTo, cookiesecret+ip); let cookiesigned = signature.sign(setTo, cookiesecret+ip);
res.cookie('AUTH_COOKIE',cookiesigned, { maxAge: Math.pow(10,10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS }); res.cookie('AUTH_COOKIE',cookiesigned, { maxAge: Math.pow(10,10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS });
res.redirect("/user?success=true") res.redirect("/user?success=true")