Storing session id in cookies, and db

2025-04-01 20:24:18 +02:00 · 2020-04-03 10:36:53 +02:00 · 2020-04-03 10:36:53 +02:00 · 52ae2828e5
commit 52ae2828e5
parent 840f64c66b
3 changed files with 56 additions and 19 deletions
--- a/modules/api/api.js
+++ b/modules/api/api.js
@ -143,12 +143,25 @@ Load()
 app.post('/login', (req, res) => {
  logger.LogReq(req)
  const pw = req.body.pw
-  // FIXME: redirect to original url
-  const user = 'u'
-  // TODO: get user
-  // TODO: check if pw is correct
-  res.cookie('pw', pw).redirect('/')
-  req.session.user = user
+  const user = dbtools.Select(authDB, 'users', {
+    pw: pw
+  })[0]
+
+  if (user) {
+    const sessionID = uuidv4()
+    req.session.user = user
+    dbtools.Insert(authDB, 'sessions', {
+      id: sessionID,
+      ip: req.headers['cf-connecting-ip'] || req.connection.remoteAddress,
+      userID: user.id
+    })
+    // FIXME: redirect to original url
+    res.cookie('sessionID', sessionID).redirect('/')
+  } else {
+    res.json({
+      msg: 'invalid pw'
+    })
+  }
 })

 app.post('/logout', (req, res) => {
@ -158,7 +171,7 @@ app.post('/logout', (req, res) => {
  req.session.destroy(function () {
    logger.Log(`User ${userID} logout`)
  })
-  res.clearCookie('pw').redirect('/')
+  res.clearCookie('sessionID').redirect('/')
 })

 // --------------------------------------------------------------
--- a/modules/api/apiDBStruct.json
+++ b/modules/api/apiDBStruct.json
@ -20,6 +20,23 @@
      }
    }
  },
+  "sessions": {
+    "tableStruct": {
+      "id": {
+        "type": "text",
+        "primary": true,
+        "notNull": true
+      },
+      "ip": {
+        "type": "text",
+        "notNull": true
+      },
+      "userID": {
+        "type": "number",
+        "notNull": true
+      }
+    }
+  },
  "acesses": {
    "tableStruct": {
      "accessId": {
--- a/modules/api/auth.middleware.js
+++ b/modules/api/auth.middleware.js
@ -1,48 +1,55 @@
 const logger = require('../../utils/logger.js')
 const dbtools = require('../../utils/dbtools.js')

-const usersDBName = 'users'
-
 const exceptions = [
  'favicon',
  '/login'
 ]

-// TODO: session
+// TODO: session table, dont store pw in cookie

 module.exports = function (options) {
  const { authDB } = options

  return function (req, res, next) {
-    logger.DebugLog(`AUTH: ${req.url}`, 'auth', 1)
    const isException = exceptions.some((exc) => {
      return req.url === exc
    })

    if (isException) {
+      logger.DebugLog(`EXCEPTION: ${req.url}`, 'auth', 1)
      next()
      return
    }

-    const user = GetUserByPW(authDB, req.cookies.pw)
+    const user = req.session.user || GetUserBySessionID(authDB, req.cookies.sessionID, req)

    if (user) {
+      logger.DebugLog(`ID #${user.id}: ${req.url}`, 'auth', 1)
      next()
    } else {
+      logger.DebugLog(`No user:${req.url}`, 'auth', 1)
      res.render('login')
    }
  }
 }

-function GetUserByPW (db, password) {
-  if (password === undefined) {
+function GetUserBySessionID (db, sessionID, req) {
+  logger.DebugLog(`Getting user from db`, 'auth', 2)
+  if (sessionID === undefined) {
    return
  }

-  const res = dbtools.Select(db, usersDBName, {
-    pw: password
-  })
-  if (res) {
-    return res[0]
+  const session = dbtools.Select(db, 'sessions', {
+    id: sessionID
+  })[0]
+
+  const user = dbtools.Select(db, 'users', {
+    id: session.userID
+  })[0]
+
+  if (user) {
+    req.session.user = user
+    return user
  }
 }