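import { SHA256 } from '../extra_modules/SHA.js'
import * as signature from 'cookie-signature'
import getIP from '../extra_modules/getip.js'
import { readFileSync } from 'fs'

// Secret used to sign AUTH_COOKIE, read once at module load. Per request the
// client IP (or '' for an '@unsafe' login) is appended to it, so a cookie
// only verifies from the address it was issued to.
const cookiesecret = readFileSync('cookiesecret.txt').toString()

// Longest accepted username, measured after whitespace removal.
const MAX_USERNAME_LENGTH = 25
// Shortest accepted password.
const MIN_PASSWORD_LENGTH = 10
// AUTH_COOKIE lifetime in milliseconds (10^10 ms, roughly 115 days).
const AUTH_COOKIE_MAX_AGE = Math.pow(10, 10)
// Where a client lands after register/login when no usable `r` was supplied.
const DEFAULT_REDIRECT = '/user'
// Registration is charged this many API calls against the rate limiter.
const REGISTER_CALL_COST = 10

/**
 * Turn the client-supplied `r` field into a redirect target, or null.
 *
 * `r` comes straight from the request body, so it must not reach
 * res.redirect() unchecked: an absolute URL or a protocol-relative `//host`
 * would make /register and /login open redirects. Only a percent-encoded
 * path that starts with exactly one '/' is accepted. Malformed encoding
 * (decodeURIComponent throws URIError) counts as "no target" instead of
 * crashing inside the database callback.
 *
 * @param {unknown} raw - req.body.r, or undefined when the field is absent
 * @returns {string | null} a same-site path, or null when `raw` is unusable
 */
function localRedirectTarget(raw) {
    if (typeof raw !== 'string') return null
    let decoded
    try {
        decoded = decodeURIComponent(raw)
    } catch (err) {
        if (err instanceof URIError) return null
        throw err
    }
    if (!decoded.startsWith('/')) return null
    // '//host' and '/\host' are treated as protocol-relative URLs by browsers.
    if (decoded.startsWith('//') || decoded.startsWith('/\\')) return null
    return decoded
}

/**
 * Redirect after a successful register/login: to the validated `r` target
 * when one was given, else to DEFAULT_REDIRECT.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 */
function redirectAfterAuth(req, res) {
    res.redirect(localRedirectTarget(req.body?.r) ?? DEFAULT_REDIRECT)
}

/**
 * Report a failed database call. The original code threw from inside the
 * query callback, which is an uncaught exception in an async context and
 * takes the whole process down; answer 500 instead and keep serving.
 *
 * @param {import('express').Response} res
 * @param {unknown} err - error passed by the driver
 * @param {string} what - short label of the failed operation, for the log
 */
function failOnDbError(res, err, what) {
    console.error(`${what} failed:`, err)
    if (!res.headersSent) {
        res.status(500)
        res.send('internal error')
    }
}

/**
 * Register the /register and /login POST handlers on `router`.
 *
 * Both handlers derive the stored password hash by the same two-stage
 * SHA256 chain (first HASHES_DIFF, then HASHES_COOKIE — the third argument
 * appears to be a round count, see SHA.js) and issue a signed AUTH_COOKIE
 * of the form `<username> <SHA256(password, username, HASHES_COOKIE)>`.
 * Only a hash of the client IP is stored in the users table.
 *
 * @param {import('express').Router} router - router to attach routes to
 * @param {{ query: Function }} con - mysql-style connection (`query(sql, values, cb)`)
 * @param {{ config: object, DID_I_FINALLY_ADD_HTTPS: boolean, increaseAPICall: Function }} server
 *        `config.cookies.server_hashes` and `config.cookies.client_hashes`
 *        are the round counts; `increaseAPICall(req, res)` is the rate
 *        limiter and returns false once it has already answered the request.
 */
export const setup = function (router, con, server) {
    const config = server.config
    const DID_I_FINALLY_ADD_HTTPS = server.DID_I_FINALLY_ADD_HTTPS
    const increaseAPICall = server.increaseAPICall
    const HASHES_DB = config.cookies.server_hashes
    const HASHES_COOKIE = config.cookies.client_hashes
    // Rounds applied before the HASHES_COOKIE rounds, so that the full chain
    // totals HASHES_DB.
    const HASHES_DIFF = HASHES_DB - HASHES_COOKIE

    /**
     * Build the signed AUTH_COOKIE value and the stored IP hash for a user.
     *
     * @param {string} username - cleaned username
     * @param {string} password - plaintext password
     * @param {string} ip - client IP from getIP()
     * @param {boolean} bindToIp - false only for '@unsafe' logins, which
     *        drop the IP from the signing key
     * @returns {{ cookiesigned: string, hashedIp: string }}
     */
    function issueCookie(username, password, ip, bindToIp) {
        const cookieValue = `${username} ${SHA256(password, username, HASHES_COOKIE)}`
        const cookiesigned = signature.sign(
            cookieValue,
            cookiesecret + (bindToIp ? ip : '')
        )
        const hashedIp = SHA256(ip, cookieValue, HASHES_DB)
        return { cookiesigned, hashedIp }
    }

    /**
     * Set AUTH_COOKIE on the response.
     *
     * @param {import('express').Response} res
     * @param {string} cookiesigned - value from issueCookie()
     */
    function sendAuthCookie(res, cookiesigned) {
        res.cookie('AUTH_COOKIE', cookiesigned, {
            maxAge: AUTH_COOKIE_MAX_AGE,
            httpOnly: true,
            secure: DID_I_FINALLY_ADD_HTTPS,
        })
    }

    /**
     * Stored password hash for a username/password pair.
     *
     * @param {string} username
     * @param {string} password
     * @returns {string}
     */
    function hashPassword(username, password) {
        const less_hashed_pw = SHA256(password, username, HASHES_DIFF)
        return SHA256(less_hashed_pw, username, HASHES_COOKIE)
    }

    router.post('/register', function (req, res) {
        // Charge several calls so the limiter stops spam registrations.
        for (let i = 0; i < REGISTER_CALL_COST; i++) {
            if (!increaseAPICall(req, res)) return
        }
        const body = req.body ?? {}
        if (typeof body.user !== 'string') {
            res.status(416)
            res.json({ error: 'incorrect username' })
            return
        }
        if (typeof body.pass !== 'string') {
            res.status(417)
            res.json({ error: 'incorrect password' })
            return
        }
        // All whitespace is stripped; /login applies the same rule so both
        // agree on the stored form.
        const username = body.user.replace(/\s/g, '')
        const password = body.pass
        if (username === '') {
            res.status(410)
            res.redirect('/register?success=false&reason=username')
            return
        }
        if (password.length < MIN_PASSWORD_LENGTH) {
            res.status(412)
            res.send('password is too short')
            return
        }
        if (username.length > MAX_USERNAME_LENGTH) {
            res.status(413)
            res.send('username is too long')
            return
        }
        // '@' is reserved: /login reads an '@unsafe' suffix as a flag.
        if (username.includes('@')) {
            res.status(414)
            res.send("username can't contain @-characters")
            return
        }
        const userexistssql = `SELECT User_Name from ipost.users where User_Name = ?`
        con.query(
            userexistssql,
            [encodeURIComponent(username)],
            function (error, result) {
                if (error) {
                    failOnDbError(res, error, 'register: user lookup')
                    return
                }
                if (result?.[0]?.User_Name) {
                    res.status(418)
                    res.redirect(
                        '/register?success=false&reason=already_exists'
                    )
                    return
                }
                const hashed_pw = hashPassword(username, password)
                const { cookiesigned, hashedIp } = issueCookie(
                    username,
                    password,
                    getIP(req),
                    true
                )
                const default_settings = {}
                const values = [
                    encodeURIComponent(username),
                    hashed_pw,
                    Date.now(),
                    hashedIp,
                    hashedIp,
                    JSON.stringify(default_settings),
                ]
                const sql = `INSERT INTO ipost.users (User_Name, User_PW, User_CreationStamp, User_CreationIP, User_LastIP, User_Settings) VALUES (?, ?, ?, ?, ?, ?);`
                con.query(sql, values, function (err) {
                    if (err) {
                        failOnDbError(res, err, 'register: insert')
                        return
                    }
                    sendAuthCookie(res, cookiesigned)
                    redirectAfterAuth(req, res)
                })
            }
        )
    })

    router.post('/login', function (req, res) {
        if (!increaseAPICall(req, res)) return
        const body = req.body ?? {}
        if (typeof body.user !== 'string') {
            res.status(416)
            res.json({ error: 'incorrect username' })
            return
        }
        if (typeof body.pass !== 'string') {
            res.status(417)
            res.json({ error: 'incorrect password' })
            return
        }
        if (body.user === '') {
            res.status(410)
            res.send('no username given')
            return
        }
        if (body.pass === '') {
            res.status(411)
            res.send('no password given')
            return
        }
        // Strip all whitespace, matching /register (the original stripped
        // only the first space, so names with two spaces could never log in).
        let username = body.user.replace(/\s/g, '')
        const password = body.pass
        if (username === '') {
            res.status(412)
            res.send('no username given')
            return
        }
        if (username.length > MAX_USERNAME_LENGTH) {
            res.status(413)
            res.send('username is too long')
            return
        }
        if (password.length < MIN_PASSWORD_LENGTH) {
            res.status(414)
            res.send('password is too short')
            return
        }
        // An '@unsafe' suffix asks for a cookie that is not bound to the
        // client IP; the suffix itself is not part of the stored name.
        const no_ip_lock = username.endsWith('@unsafe')
        username = username.replace('@unsafe', '')
        const hashed_pw = hashPassword(username, password)
        const userexistssql = `SELECT * from ipost.users where User_Name = ? and User_PW = ?;`
        con.query(
            userexistssql,
            [encodeURIComponent(username), hashed_pw],
            function (error, result) {
                if (error) {
                    failOnDbError(res, error, 'login: user lookup')
                    return
                }
                const row = result?.[0]
                if (!row) {
                    console.log(5, 'login failed, username: ', username)
                    // Second separator was '?' before; '&' matches /register.
                    res.redirect('/login?success=false&reason=noUser')
                    return
                }
                const { cookiesigned, hashedIp } = issueCookie(
                    username,
                    password,
                    getIP(req),
                    !no_ip_lock
                )
                sendAuthCookie(res, cookiesigned)
                if (row.User_LastIP !== hashedIp) {
                    // Best-effort bookkeeping: a failure here is logged but
                    // does not block the login.
                    const sql = `update ipost.users set User_LastIP = ? where User_Name = ?;`
                    con.query(
                        sql,
                        [hashedIp, encodeURIComponent(username)],
                        function (updateError) {
                            if (updateError) {
                                console.error(
                                    'login: User_LastIP update failed:',
                                    updateError
                                )
                            }
                        }
                    )
                }
                redirectAfterAuth(req, res)
            }
        )
    })
}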