164 lines
6.4 KiB
JavaScript
164 lines
6.4 KiB
JavaScript
import {SHA256} from "../extra_modules/SHA.js";
|
|
import * as signature from "cookie-signature";
|
|
import getIP from "../extra_modules/getip.js";
|
|
import {readFileSync} from "fs"
|
|
|
|
const cookiesecret = readFileSync("cookiesecret.txt").toString();
|
|
|
|
export const setup = function (router, con, server) {
|
|
const config = server.config
|
|
const DID_I_FINALLY_ADD_HTTPS = server.DID_I_FINALLY_ADD_HTTPS
|
|
const increaseAPICall = server.increaseAPICall
|
|
const HASHES_DB = config.cookies.server_hashes;
|
|
const HASHES_COOKIE = config.cookies.client_hashes;
|
|
const HASHES_DIFF = HASHES_DB - HASHES_COOKIE;
|
|
|
|
router.post("/register", function (req, res) {
|
|
for (let i = 0; i < 10; i++) { //don't want people spam registering
|
|
if (!increaseAPICall(req, res))
|
|
return;
|
|
}
|
|
res.status(200);
|
|
if ((typeof req.body.user) != "string") {
|
|
res.status(416);
|
|
res.json({ "error": "incorrect username" });
|
|
return;
|
|
}
|
|
if ((typeof req.body.pass) != "string") {
|
|
res.status(417);
|
|
res.json({ "error": "incorrect password" });
|
|
return;
|
|
}
|
|
let username = req.body.user.toString();
|
|
username = username.replace(/\s/gi, "");
|
|
let password = req.body.pass.toString();
|
|
if (!username) {
|
|
res.status(410);
|
|
res.redirect("/register?success=false&reason=username");
|
|
return;
|
|
}
|
|
if (username == "") {
|
|
res.status(411);
|
|
res.redirect("/register?success=false&reason=username");
|
|
return;
|
|
}
|
|
if (password.length < 10) {
|
|
res.status(412);
|
|
res.send("password is too short");
|
|
return;
|
|
}
|
|
if (username.length > 25) {
|
|
res.status(413);
|
|
res.send("username is too long");
|
|
return;
|
|
}
|
|
if (username.search("@") != -1) {
|
|
res.status(414);
|
|
res.send("username can't contain @-characters");
|
|
return;
|
|
}
|
|
if (!password) {
|
|
res.status(415);
|
|
res.redirect("/register?success=false&reason=password");
|
|
return;
|
|
}
|
|
let userexistssql = `SELECT User_Name from ipost.users where User_Name = ?`;
|
|
con.query(userexistssql, [encodeURIComponent(username)], function (_error, result) {
|
|
if (result && result[0] && result[0].User_Name) {
|
|
res.status(418);
|
|
res.redirect("/register?success=false&reason=already_exists");
|
|
return;
|
|
}
|
|
let less_hashed_pw = SHA256(password, username, HASHES_DIFF);
|
|
let hashed_pw = SHA256(less_hashed_pw, username, HASHES_COOKIE);
|
|
let ip = getIP(req);
|
|
let setTo = `${username} ${SHA256(password, username, HASHES_COOKIE)}`
|
|
let cookiesigned = signature.sign(setTo, cookiesecret + ip);
|
|
ip = SHA256(ip, setTo, HASHES_DB);
|
|
const default_settings = {};
|
|
let values = [encodeURIComponent(username), hashed_pw, Date.now(), ip, ip, JSON.stringify(default_settings)];
|
|
let sql = `INSERT INTO ipost.users (User_Name, User_PW, User_CreationStamp, User_CreationIP, User_LastIP, User_Settings) VALUES (?, ?, ?, ?, ?, ?);`;
|
|
con.query(sql, values, function (err) {
|
|
if (err)
|
|
throw err;
|
|
res.cookie('AUTH_COOKIE', cookiesigned, { maxAge: Math.pow(10, 10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS });
|
|
res.redirect("/user?success=true");
|
|
});
|
|
});
|
|
});
|
|
router.post("/login", function (req, res) {
|
|
if (!increaseAPICall(req, res))
|
|
return;
|
|
if ((typeof req.body.user) != "string") {
|
|
res.status(416);
|
|
res.json({ "error": "incorrect username" });
|
|
return;
|
|
}
|
|
if ((typeof req.body.pass) != "string") {
|
|
res.status(417);
|
|
res.json({ "error": "incorrect password" });
|
|
return;
|
|
}
|
|
if (!req.body.user) {
|
|
res.status(410);
|
|
res.send("no username given");
|
|
return;
|
|
}
|
|
if (!req.body.pass) {
|
|
res.status(411);
|
|
res.send("no password given");
|
|
return;
|
|
}
|
|
let username = req.body.user.toString();
|
|
username = username.replace(" ", "");
|
|
let password = req.body.pass.toString();
|
|
if (!username) {
|
|
res.status(412);
|
|
res.send("no username given");
|
|
return;
|
|
}
|
|
if (username.length > 25) {
|
|
res.status(413);
|
|
res.send("username is too long");
|
|
return;
|
|
}
|
|
if (password.length < 10) {
|
|
res.status(414);
|
|
res.send("password is too short");
|
|
return;
|
|
}
|
|
if (!password) {
|
|
res.status(415);
|
|
res.send("no password given");
|
|
return;
|
|
}
|
|
|
|
const no_ip_lock = username.endsWith("@unsafe")
|
|
username = username.replace("@unsafe","")
|
|
|
|
let less_hashed_pw = SHA256(password, username, HASHES_DIFF);
|
|
let hashed_pw = SHA256(less_hashed_pw, username, HASHES_COOKIE);
|
|
let userexistssql = `SELECT * from ipost.users where User_Name = ? and User_PW = ?;`;
|
|
con.query(userexistssql, [encodeURIComponent(username), hashed_pw], function (_error, result) {
|
|
if (result && result[0]) {
|
|
let ip = getIP(req);
|
|
let setTo = `${username} ${SHA256(password, username, HASHES_COOKIE)}`
|
|
let cookiesigned = signature.sign(setTo, cookiesecret + (!no_ip_lock ? ip : ""));
|
|
res.cookie('AUTH_COOKIE', cookiesigned, { maxAge: Math.pow(10, 10), httpOnly: true, secure: DID_I_FINALLY_ADD_HTTPS });
|
|
ip = SHA256(ip, setTo, HASHES_DB);
|
|
if (result[0].User_LastIP != ip) {
|
|
let sql = `update ipost.users set User_LastIP = ? where User_Name = ?;`;
|
|
con.query(sql, [ip, encodeURIComponent(username)], function (error) {
|
|
if (error)
|
|
throw error;
|
|
});
|
|
}
|
|
res.redirect("/user?success=true");
|
|
}
|
|
else {
|
|
console.log(5,"login failed, username: ", username);
|
|
res.redirect("/login?success=false?reason=noUser");
|
|
}
|
|
});
|
|
});
|
|
} |