From 4c2c617b960387c90177f36f50a98f6b7acad927 Mon Sep 17 00:00:00 2001
From: MrFry <mrfry@airmail.cc>
Date: Mon, 6 Apr 2020 21:34:33 +0200
Subject: [PATCH] Handling sessions, json response if not logged in

---
 modules/api/api.js             | 77 ++++++++++++++++++++++++++++------
 modules/api/apiDBStruct.json   |  7 ++++
 modules/api/auth.middleware.js | 30 +++++++++++--
 modules/qmining/qmining-page   |  2 +-
 server.js                      |  2 +-
 utils/dbtools.js               |  7 ++--
 utils/logger.js                |  8 +++-
 7 files changed, 110 insertions(+), 23 deletions(-)

diff --git a/modules/api/api.js b/modules/api/api.js
index 7a4f434..e7a6259 100644
--- a/modules/api/api.js
+++ b/modules/api/api.js
@@ -54,16 +54,18 @@ function CreateDB () {
   // TODO: check if path exists, create it if not
   authDB = dbtools.GetDB(usersDBPath)
 
+  // TODO: foreign key
   Object.keys(dbStruct).forEach((tableName) => {
     const tableData = dbStruct[tableName]
     dbtools.CreateTable(authDB, tableName, tableData.tableStruct)
   })
 
-  // dbtools.Insert(authDB, 'users', {
-  //   pw: 2,
-  //   id: 1,
-  //   notes: 'hemnlo'
-  // })
+  // TODO: fill with data
+  dbtools.Insert(authDB, 'users', {
+    pw: 2,
+    id: 1,
+    notes: 'hemnlo'
+  })
   // console.log(dbtools.TableInfo(authDB, 'users'))
 }
 CreateDB()
@@ -82,12 +84,15 @@ CreateDB()
 //
 // app.use(session(sess))
 
+const cookieSecret = uuidv4()
 app.use(session({
-  secret: uuidv4(),
+  secret: cookieSecret,
   resave: false,
   saveUninitialized: true
 }))
-app.use(cookieParser())
+app.use(cookieParser({
+  secret: cookieSecret
+}))
 app.use(bodyParser.urlencoded({
   limit: '10mb',
   extended: true
@@ -141,7 +146,9 @@ Load()
 // -------------------------------------------------------------
 
 app.post('/login', (req, res) => {
+  // TODO: user.logincount update in db
   logger.LogReq(req)
+  const isScript = req.body.script
   const pw = req.body.pw
   const user = dbtools.Select(authDB, 'users', {
     pw: pw
@@ -149,15 +156,48 @@ app.post('/login', (req, res) => {
 
   if (user) {
     const sessionID = uuidv4()
+
+    // Setting session
     req.session.user = user
+    req.session.sessionID = sessionID
+
+    // FIXME: Users now can only log in in one session, this might be too strict.
+    const existingSessions = dbtools.Select(authDB, 'sessions', {
+      userID: user.id
+    })
+
+    if (existingSessions.length > 0) {
+      logger.Log(`Multiple sessions ( ${existingSessions.length} ) for #${user.id}, deleting olds`, logger.GetColor('cyan'))
+      existingSessions.forEach((sess) => {
+        dbtools.Delete(authDB, 'sessions', {
+          id: sess.id
+        })
+      })
+    }
+
     dbtools.Insert(authDB, 'sessions', {
       id: sessionID,
       ip: req.headers['cf-connecting-ip'] || req.connection.remoteAddress,
-      userID: user.id
+      userID: user.id,
+      createDate: new Date().toString()
     })
-    // FIXME: redirect to original url
-    res.cookie('sessionID', sessionID).redirect('/')
+
+    // TODO: cookie age
+    res.cookie('sessionID', sessionID)
+
+    if (isScript) {
+      res.json({
+        result: 'success',
+        sessionID: sessionID
+      })
+    } else {
+      // FIXME: redirect to original url
+      res.redirect('/')
+    }
+
+    logger.Log(`Successfull login with user ID: #${user.id}`, logger.GetColor('cyan'))
   } else {
+    logger.Log(`Login attempt with invalid pw: ${pw}`, logger.GetColor('cyan'))
     res.json({
       msg: 'invalid pw'
     })
@@ -166,11 +206,20 @@ app.post('/login', (req, res) => {
 
 app.post('/logout', (req, res) => {
   logger.LogReq(req)
-  // FIXME: redirect to original url
+  const sessionID = req.cookies.sessionID
   const userID = req.session.user.id
+
+  // destroying session
   req.session.destroy(function () {
-    logger.Log(`User ${userID} logout`)
+    logger.Log(`User ${userID} logout`, logger.GetColor('cyan'))
   })
+
+  // removing session from db
+  dbtools.Delete(authDB, 'sessions', {
+    id: sessionID
+  })
+  // TODO: remove old sessions every once in a while
+  // FIXME: redirect to original url
   res.clearCookie('sessionID').redirect('/')
 })
 
@@ -402,7 +451,9 @@ app.get('/datacount', function (req, res) {
 })
 
 app.get('/infos', function (req, res) {
-  let result = {}
+  let result = {
+    result: 'success'
+  }
   if (req.query.subjinfo) {
     result.subjinfo = getSimplreRes()
   }
diff --git a/modules/api/apiDBStruct.json b/modules/api/apiDBStruct.json
index 18a9166..e66c2b6 100644
--- a/modules/api/apiDBStruct.json
+++ b/modules/api/apiDBStruct.json
@@ -34,6 +34,13 @@
       "userID": {
         "type": "number",
         "notNull": true
+      },
+      "createDate": {
+        "type": "text",
+        "notNull": true
+      },
+      "lastAccess": {
+        "type": "text"
       }
     }
   },
diff --git a/modules/api/auth.middleware.js b/modules/api/auth.middleware.js
index 948acef..cb152a7 100644
--- a/modules/api/auth.middleware.js
+++ b/modules/api/auth.middleware.js
@@ -6,12 +6,11 @@ const exceptions = [
   '/login'
 ]
 
-// TODO: session table, dont store pw in cookie
-
 module.exports = function (options) {
   const { authDB } = options
 
   return function (req, res, next) {
+    const sessionID = req.cookies.sessionID || req.session.id
     const isException = exceptions.some((exc) => {
       return req.url === exc
     })
@@ -22,14 +21,32 @@ module.exports = function (options) {
       return
     }
 
-    const user = req.session.user || GetUserBySessionID(authDB, req.cookies.sessionID, req)
+    const user = req.session.user || GetUserBySessionID(authDB, sessionID, req)
+    console.log(req.session)
+
+    // update 'sessiosn' table 'lastAccess' stuff
+    if (sessionID) {
+      dbtools.Update(authDB, 'sessions', {
+        lastAccess: new Date().toString()
+      }, {
+        id: sessionID
+      })
+    }
+
+    console.log(dbtools.SelectAll(authDB, 'sessions'))
+
+    // FIXME: invalidate when new ip or something
 
     if (user) {
       logger.DebugLog(`ID #${user.id}: ${req.url}`, 'auth', 1)
       next()
     } else {
       logger.DebugLog(`No user:${req.url}`, 'auth', 1)
-      res.render('login')
+      // res.render('login')
+      res.json({
+        result: 'nouser',
+        msg: 'You are not logged in'
+      })
     }
   }
 }
@@ -44,12 +61,17 @@ function GetUserBySessionID (db, sessionID, req) {
     id: sessionID
   })[0]
 
+  if (!session) {
+    return
+  }
+
   const user = dbtools.Select(db, 'users', {
     id: session.userID
   })[0]
 
   if (user) {
     req.session.user = user
+    req.session.id = sessionID
     return user
   }
 }
diff --git a/modules/qmining/qmining-page b/modules/qmining/qmining-page
index 86b01f4..72ea24c 160000
--- a/modules/qmining/qmining-page
+++ b/modules/qmining/qmining-page
@@ -1 +1 @@
-Subproject commit 86b01f443a306695a9a17f29785ba20b7f08f810
+Subproject commit 72ea24c07133d02a983152b4416ff98eb5dc4369
diff --git a/server.js b/server.js
index de918cf..56a6a11 100755
--- a/server.js
+++ b/server.js
@@ -17,6 +17,7 @@
  along with this program. If not, see <https://www.gnu.org/licenses/>.
 
  ------------------------------------------------------------------------- */
+console.clear()
 
 const startHTTPS = true
 const port = 8080
@@ -38,7 +39,6 @@ const loggableKeywords = [
 ]
 let modules = JSON.parse(utils.ReadFile(modulesFile))
 
-console.clear()
 logger.Load()
 
 try {
diff --git a/utils/dbtools.js b/utils/dbtools.js
index f1eed3d..f5622a8 100644
--- a/utils/dbtools.js
+++ b/utils/dbtools.js
@@ -5,7 +5,7 @@ module.exports = {
   GetDB,
   AddColumn,
   TableInfo,
-  UpdateRecord,
+  Update,
   Delete,
   CreateTable,
   SelectAll,
@@ -83,7 +83,7 @@ function TableInfo (db, table) {
   }
 }
 
-function UpdateRecord (db, table, newData, conditions) {
+function Update (db, table, newData, conditions) {
   try {
     const s = `UPDATE ${table} SET ${GetSqlQuerry(newData)} WHERE ${GetSqlQuerry(conditions)}`
     DebugLog(s)
@@ -118,7 +118,8 @@ function CreateTable (db, name, columns) {
       return acc
     }, []).join(', ')
 
-    const s = `CREATE TABLE IF NOT EXISTS ${name}(${cols})`
+    // IF NOT EXISTS  // TODO
+    const s = `CREATE TABLE ${name}(${cols})`
     DebugLog(s)
 
     const stmt = db.prepare(s)
diff --git a/utils/logger.js b/utils/logger.js
index 58f8913..8f1aff3 100755
--- a/utils/logger.js
+++ b/utils/logger.js
@@ -118,7 +118,13 @@ function LogReq (req, toFile, sc) {
       dl += C('red')
     }
 
-    const hostname = req.hostname.replace('www.', '').split('.')[0]
+    let hostname
+    if (req.hostname) {
+      hostname = req.hostname.replace('www.', '').split('.')[0]
+    } else {
+      hostname = 'NOHOST'
+      Log('req.hostname is undefined! req.hostname: ' + req.hostname, GetColor('redbg'))
+    }
     logEntry += dl + hostname + dl + req.headers['user-agent'] + dl + req.method + dl
 
     logEntry += GetRandomColor(req.url.split('?')[0]) + req.url