Handling sessions, json response if not logged in

2025-04-01 20:24:18 +02:00 · 2020-04-06 21:34:33 +02:00 · 2020-04-06 21:34:33 +02:00 · 4c2c617b96
commit 4c2c617b96
parent 52ae2828e5
7 changed files with 110 additions and 23 deletions
--- a/modules/api/api.js
+++ b/modules/api/api.js
@ -54,16 +54,18 @@ function CreateDB () {
  // TODO: check if path exists, create it if not
  authDB = dbtools.GetDB(usersDBPath)

+  // TODO: foreign key
  Object.keys(dbStruct).forEach((tableName) => {
    const tableData = dbStruct[tableName]
    dbtools.CreateTable(authDB, tableName, tableData.tableStruct)
  })

-  // dbtools.Insert(authDB, 'users', {
-  //   pw: 2,
-  //   id: 1,
-  //   notes: 'hemnlo'
-  // })
+  // TODO: fill with data
+  dbtools.Insert(authDB, 'users', {
+    pw: 2,
+    id: 1,
+    notes: 'hemnlo'
+  })
  // console.log(dbtools.TableInfo(authDB, 'users'))
 }
 CreateDB()
@ -82,12 +84,15 @@ CreateDB()
 //
 // app.use(session(sess))

+const cookieSecret = uuidv4()
 app.use(session({
-  secret: uuidv4(),
+  secret: cookieSecret,
  resave: false,
  saveUninitialized: true
 }))
-app.use(cookieParser())
+app.use(cookieParser({
+  secret: cookieSecret
+}))
 app.use(bodyParser.urlencoded({
  limit: '10mb',
  extended: true
@ -141,7 +146,9 @@ Load()
 // -------------------------------------------------------------

 app.post('/login', (req, res) => {
+  // TODO: user.logincount update in db
  logger.LogReq(req)
+  const isScript = req.body.script
  const pw = req.body.pw
  const user = dbtools.Select(authDB, 'users', {
    pw: pw
@ -149,15 +156,48 @@ app.post('/login', (req, res) => {

  if (user) {
    const sessionID = uuidv4()
+
+    // Setting session
    req.session.user = user
+    req.session.sessionID = sessionID
+
+    // FIXME: Users now can only log in in one session, this might be too strict.
+    const existingSessions = dbtools.Select(authDB, 'sessions', {
+      userID: user.id
+    })
+
+    if (existingSessions.length > 0) {
+      logger.Log(`Multiple sessions ( ${existingSessions.length} ) for #${user.id}, deleting olds`, logger.GetColor('cyan'))
+      existingSessions.forEach((sess) => {
+        dbtools.Delete(authDB, 'sessions', {
+          id: sess.id
+        })
+      })
+    }
+
    dbtools.Insert(authDB, 'sessions', {
      id: sessionID,
      ip: req.headers['cf-connecting-ip'] || req.connection.remoteAddress,
-      userID: user.id
+      userID: user.id,
+      createDate: new Date().toString()
+    })
+
+    // TODO: cookie age
+    res.cookie('sessionID', sessionID)
+
+    if (isScript) {
+      res.json({
+        result: 'success',
+        sessionID: sessionID
      })
-    // FIXME: redirect to original url
-    res.cookie('sessionID', sessionID).redirect('/')
    } else {
+      // FIXME: redirect to original url
+      res.redirect('/')
+    }
+
+    logger.Log(`Successfull login with user ID: #${user.id}`, logger.GetColor('cyan'))
+  } else {
+    logger.Log(`Login attempt with invalid pw: ${pw}`, logger.GetColor('cyan'))
    res.json({
      msg: 'invalid pw'
    })
@ -166,11 +206,20 @@ app.post('/login', (req, res) => {

 app.post('/logout', (req, res) => {
  logger.LogReq(req)
-  // FIXME: redirect to original url
+  const sessionID = req.cookies.sessionID
  const userID = req.session.user.id
+
+  // destroying session
  req.session.destroy(function () {
-    logger.Log(`User ${userID} logout`)
+    logger.Log(`User ${userID} logout`, logger.GetColor('cyan'))
  })
+
+  // removing session from db
+  dbtools.Delete(authDB, 'sessions', {
+    id: sessionID
+  })
+  // TODO: remove old sessions every once in a while
+  // FIXME: redirect to original url
  res.clearCookie('sessionID').redirect('/')
 })

@ -402,7 +451,9 @@ app.get('/datacount', function (req, res) {
 })

 app.get('/infos', function (req, res) {
-  let result = {}
+  let result = {
+    result: 'success'
+  }
  if (req.query.subjinfo) {
    result.subjinfo = getSimplreRes()
  }
--- a/modules/api/apiDBStruct.json
+++ b/modules/api/apiDBStruct.json
@ -34,6 +34,13 @@
      "userID": {
        "type": "number",
        "notNull": true
+      },
+      "createDate": {
+        "type": "text",
+        "notNull": true
+      },
+      "lastAccess": {
+        "type": "text"
      }
    }
  },
--- a/modules/api/auth.middleware.js
+++ b/modules/api/auth.middleware.js
@ -6,12 +6,11 @@ const exceptions = [
  '/login'
 ]

-// TODO: session table, dont store pw in cookie
-
 module.exports = function (options) {
  const { authDB } = options

  return function (req, res, next) {
+    const sessionID = req.cookies.sessionID || req.session.id
    const isException = exceptions.some((exc) => {
      return req.url === exc
    })
@ -22,14 +21,32 @@ module.exports = function (options) {
      return
    }

-    const user = req.session.user || GetUserBySessionID(authDB, req.cookies.sessionID, req)
+    const user = req.session.user || GetUserBySessionID(authDB, sessionID, req)
+    console.log(req.session)
+
+    // update 'sessiosn' table 'lastAccess' stuff
+    if (sessionID) {
+      dbtools.Update(authDB, 'sessions', {
+        lastAccess: new Date().toString()
+      }, {
+        id: sessionID
+      })
+    }
+
+    console.log(dbtools.SelectAll(authDB, 'sessions'))
+
+    // FIXME: invalidate when new ip or something

    if (user) {
      logger.DebugLog(`ID #${user.id}: ${req.url}`, 'auth', 1)
      next()
    } else {
      logger.DebugLog(`No user:${req.url}`, 'auth', 1)
-      res.render('login')
+      // res.render('login')
+      res.json({
+        result: 'nouser',
+        msg: 'You are not logged in'
+      })
    }
  }
 }
@ -44,12 +61,17 @@ function GetUserBySessionID (db, sessionID, req) {
    id: sessionID
  })[0]

+  if (!session) {
+    return
+  }
+
  const user = dbtools.Select(db, 'users', {
    id: session.userID
  })[0]

  if (user) {
    req.session.user = user
+    req.session.id = sessionID
    return user
  }
 }
--- a/modules/qmining/qmining-page
+++ b/modules/qmining/qmining-page
@ -1 +1 @@
-Subproject commit 86b01f443a306695a9a17f29785ba20b7f08f810
+Subproject commit 72ea24c07133d02a983152b4416ff98eb5dc4369
--- a/server.js
+++ b/server.js
@ -17,6 +17,7 @@
 along with this program. If not, see <https://www.gnu.org/licenses/>.

 ------------------------------------------------------------------------- */
+console.clear()

 const startHTTPS = true
 const port = 8080
@ -38,7 +39,6 @@ const loggableKeywords = [
 ]
 let modules = JSON.parse(utils.ReadFile(modulesFile))

-console.clear()
 logger.Load()

 try {
--- a/utils/dbtools.js
+++ b/utils/dbtools.js
@ -5,7 +5,7 @@ module.exports = {
  GetDB,
  AddColumn,
  TableInfo,
-  UpdateRecord,
+  Update,
  Delete,
  CreateTable,
  SelectAll,
@ -83,7 +83,7 @@ function TableInfo (db, table) {
  }
 }

-function UpdateRecord (db, table, newData, conditions) {
+function Update (db, table, newData, conditions) {
  try {
    const s = `UPDATE ${table} SET ${GetSqlQuerry(newData)} WHERE ${GetSqlQuerry(conditions)}`
    DebugLog(s)
@ -118,7 +118,8 @@ function CreateTable (db, name, columns) {
      return acc
    }, []).join(', ')

-    const s = `CREATE TABLE IF NOT EXISTS ${name}(${cols})`
+    // IF NOT EXISTS  // TODO
+    const s = `CREATE TABLE ${name}(${cols})`
    DebugLog(s)

    const stmt = db.prepare(s)
--- a/utils/logger.js
+++ b/utils/logger.js
@ -118,7 +118,13 @@ function LogReq (req, toFile, sc) {
      dl += C('red')
    }

-    const hostname = req.hostname.replace('www.', '').split('.')[0]
+    let hostname
+    if (req.hostname) {
+      hostname = req.hostname.replace('www.', '').split('.')[0]
+    } else {
+      hostname = 'NOHOST'
+      Log('req.hostname is undefined! req.hostname: ' + req.hostname, GetColor('redbg'))
+    }
    logEntry += dl + hostname + dl + req.headers['user-agent'] + dl + req.method + dl

    logEntry += GetRandomColor(req.url.split('?')[0]) + req.url