import { SHA256 } from '../extra_modules/SHA.js'
import * as signature from 'cookie-signature'
import getIP from '../extra_modules/getip.js'
import { readFileSync } from 'fs'
// Signing key for AUTH_COOKIE (passed to cookie-signature), read once at module load
// from the process working directory. readFileSync throws if the file is missing, so a
// misconfigured deployment fails at startup instead of issuing unsigned sessions.
// Keep cookiesecret.txt out of version control and readable only by the service user.
const cookiesecret = String(readFileSync('cookiesecret.txt'))
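/**
 * Registers the POST /register and POST /login handlers.
 *
 * @param {object} router - Express-style router exposing post(path, handler).
 * @param {object} con    - DB connection exposing query(sql, params, callback); the `?`
 *                          placeholder style looks like the mysql/mysql2 driver (not verified here).
 * @param {object} server - host object providing config, DID_I_FINALLY_ADD_HTTPS and increaseAPICall.
 * @returns {void} all work happens inside the registered handlers.
 */
export const setup = function (router, con, server) {
  const config = server.config
  const DID_I_FINALLY_ADD_HTTPS = server.DID_I_FINALLY_ADD_HTTPS
  const increaseAPICall = server.increaseAPICall
  // Round counts for the SHA256 helper. What each count means is defined in SHA.js;
  // here they are only threaded through unchanged.
  const HASHES_DB = config.cookies.server_hashes
  const HASHES_COOKIE = config.cookies.client_hashes
  const HASHES_DIFF = HASHES_DB - HASHES_COOKIE

  const MAX_USERNAME_LENGTH = 25
  const MIN_PASSWORD_LENGTH = 10
  const COOKIE_MAX_AGE_MS = 10 ** 10 // same value as the original Math.pow(10, 10): ~115 days
  const NO_IP_LOCK_SUFFIX = '@unsafe'
  const DEFAULT_RETURN_PATH = '/user'

  // Consumes `units` rate-limit credits for this request. increaseAPICall is assumed to
  // have already written the throttling response when it returns false — the original
  // code returned without responding, so that contract is inherited, not verified here.
  function chargeRateLimit(req, res, units) {
    for (let i = 0; i < units; i++) {
      if (!increaseAPICall(req, res)) return false
    }
    return true
  }

  // Reports a database failure without crashing the process. The original handlers
  // either threw inside the driver callback (which takes the whole server down) or
  // ignored the error and treated "query failed" as "row not found".
  function failDatabase(res, context, error) {
    console.error(`${context}: database error`, error)
    if (!res.headersSent) res.status(500).send('internal server error')
  }

  // Stored password hash: HASHES_DIFF rounds, then HASHES_COOKIE rounds, both salted with
  // the username. Maintainer note: iterated SHA-256 is not a memory-hard KDF; moving to
  // scrypt/argon2 needs a rehash-on-login migration because existing hashes cannot be
  // recomputed without the password.
  const storedPasswordHash = (password, username) =>
    SHA256(SHA256(password, username, HASHES_DIFF), username, HASHES_COOKIE)

  // Cookie payload "<username> <HASHES_COOKIE-round hash>"; also used as salt for the
  // stored IP hash.
  const cookiePayload = (password, username) =>
    `${username} ${SHA256(password, username, HASHES_COOKIE)}`

  // Signs `payload` with the cookie secret plus `ipBinding` (the raw client IP, or '' for
  // a cookie that is not tied to an address) and sets it on the response.
  function issueAuthCookie(res, payload, ipBinding) {
    const signed = signature.sign(payload, cookiesecret + ipBinding)
    res.cookie('AUTH_COOKIE', signed, {
      maxAge: COOKIE_MAX_AGE_MS,
      httpOnly: true,
      secure: DID_I_FINALLY_ADD_HTTPS,
      // Lax matches the current browser default and keeps the cookie off cross-site POSTs.
      sameSite: 'lax',
    })
  }

  // Validates the optional post-auth return target (`req.body.r`). Only same-origin
  // absolute paths are accepted; scheme-relative "//host", "/\host", header-breaking
  // control characters, non-strings and malformed percent-encoding all fall back to
  // /user. The original redirected to the decoded value unchecked (an open redirect), and
  // a decodeURIComponent throw inside the driver callback would have crashed the process.
  function returnPath(raw) {
    if (typeof raw !== 'string') return DEFAULT_RETURN_PATH
    let decoded
    try {
      decoded = decodeURIComponent(raw)
    } catch {
      return DEFAULT_RETURN_PATH
    }
    const isLocalPath =
      decoded.startsWith('/') &&
      !decoded.startsWith('//') &&
      !decoded.startsWith('/\\') &&
      !/[\r\n]/.test(decoded)
    return isLocalPath ? decoded : DEFAULT_RETURN_PATH
  }

  router.post('/register', function (req, res) {
    // Registration is charged ten rate-limit units to discourage bulk account creation.
    if (!chargeRateLimit(req, res, 10)) return
    const body = req.body ?? {}
    // The 4xx codes below are the ones clients already see (they are not used with their
    // standard meanings); kept unchanged for compatibility.
    if (typeof body.user !== 'string') {
      res.status(416).json({ error: 'incorrect username' })
      return
    }
    if (typeof body.pass !== 'string') {
      res.status(417).json({ error: 'incorrect password' })
      return
    }
    // Usernames may not contain whitespace anywhere; it is stripped rather than rejected.
    const username = body.user.replace(/\s/g, '')
    const password = body.pass
    if (username === '') {
      // res.redirect() always answers 302, so the original res.status(410) before it had
      // no effect; the duplicate `username === ''` check was unreachable as well.
      res.redirect('/register?success=false&reason=username')
      return
    }
    // Also covers the empty password, so the original trailing `!password` check is gone.
    if (password.length < MIN_PASSWORD_LENGTH) {
      res.status(412).send('password is too short')
      return
    }
    if (username.length > MAX_USERNAME_LENGTH) {
      res.status(413).send('username is too long')
      return
    }
    // '@' is reserved: /login interprets the '@unsafe' suffix as a flag.
    if (username.includes('@')) {
      res.status(414).send("username can't contain @-characters")
      return
    }

    const storedName = encodeURIComponent(username)
    const userExistsSql = `SELECT User_Name from ipost.users where User_Name = ?`
    con.query(userExistsSql, [storedName], function (error, result) {
      if (error) {
        failDatabase(res, 'register/select', error)
        return
      }
      if (result?.[0]?.User_Name) {
        res.redirect('/register?success=false&reason=already_exists')
        return
      }
      const payload = cookiePayload(password, username)
      const ip = getIP(req)
      // Only a hash of the client address is persisted (creation and last-seen columns).
      const ipHash = SHA256(ip, payload, HASHES_DB)
      const defaultSettings = {}
      const values = [
        storedName,
        storedPasswordHash(password, username),
        Date.now(),
        ipHash,
        ipHash,
        JSON.stringify(defaultSettings),
      ]
      const insertSql = `INSERT INTO ipost.users (User_Name, User_PW, User_CreationStamp, User_CreationIP, User_LastIP, User_Settings) VALUES (?, ?, ?, ?, ?, ?);`
      con.query(insertSql, values, function (insertError) {
        if (insertError) {
          // The SELECT above and this INSERT are not atomic, so two concurrent
          // registrations of the same name race. With a UNIQUE index on User_Name
          // (verify in the schema) the loser surfaces here as a duplicate-key error and
          // gets the same answer as the pre-check.
          if (insertError.code === 'ER_DUP_ENTRY') {
            res.redirect('/register?success=false&reason=already_exists')
          } else {
            failDatabase(res, 'register/insert', insertError)
          }
          return
        }
        issueAuthCookie(res, payload, ip)
        res.redirect(returnPath(body.r))
      })
    })
  })

  router.post('/login', function (req, res) {
    if (!chargeRateLimit(req, res, 1)) return
    const body = req.body ?? {}
    if (typeof body.user !== 'string') {
      res.status(416).json({ error: 'incorrect username' })
      return
    }
    if (typeof body.pass !== 'string') {
      res.status(417).json({ error: 'incorrect password' })
      return
    }
    if (body.user === '') {
      res.status(410).send('no username given')
      return
    }
    if (body.pass === '') {
      res.status(411).send('no password given')
      return
    }
    // Same whitespace rule as /register, which strips all whitespace. The original login
    // only removed the first space, so a name registered as "a b c" could never log in.
    let username = body.user.replace(/\s/g, '')
    const password = body.pass
    if (username === '') {
      res.status(412).send('no username given')
      return
    }
    // Opt-out flag: "<name>@unsafe" asks for a cookie that is not bound to the client IP,
    // so it survives an address change at the cost of being usable from anywhere if it
    // leaks. Stripped before the length check so the suffix does not count against the
    // 25-character limit (it did in the original), and only as a suffix — '@' cannot
    // appear in a registered name, so nothing else is affected.
    const noIpLock = username.endsWith(NO_IP_LOCK_SUFFIX)
    if (noIpLock) username = username.slice(0, -NO_IP_LOCK_SUFFIX.length)
    if (username.length > MAX_USERNAME_LENGTH) {
      res.status(413).send('username is too long')
      return
    }
    // Also covers the empty password, so the original trailing `!password` check is gone.
    if (password.length < MIN_PASSWORD_LENGTH) {
      res.status(414).send('password is too short')
      return
    }

    const storedName = encodeURIComponent(username)
    const hashedPw = storedPasswordHash(password, username)
    const findUserSql = `SELECT * from ipost.users where User_Name = ? and User_PW = ?;`
    con.query(findUserSql, [storedName, hashedPw], function (error, result) {
      if (error) {
        failDatabase(res, 'login/select', error)
        return
      }
      const row = result?.[0]
      if (!row) {
        console.log(5, 'login failed, username: ', username)
        // '&' between the query parameters: the original used a second '?', which made
        // `success` parse as "false?reason=noUser".
        res.redirect('/login?success=false&reason=noUser')
        return
      }
      const ip = getIP(req)
      const payload = cookiePayload(password, username)
      issueAuthCookie(res, payload, noIpLock ? '' : ip)
      const ipHash = SHA256(ip, payload, HASHES_DB)
      if (row.User_LastIP !== ipHash) {
        const updateSql = `update ipost.users set User_LastIP = ? where User_Name = ?;`
        con.query(updateSql, [ipHash, storedName], function (updateError) {
          // The redirect below has already been sent by the time this runs; log only.
          if (updateError) console.error('login/update-last-ip: database error', updateError)
        })
      }
      res.redirect(returnPath(body.r))
    })
  })
}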