From 3a6d2950e47769dcc11ec079c72f14527192a6ae Mon Sep 17 00:00:00 2001
From: JIBSIL <40243545+JIBSIL@users.noreply.github.com>
Date: Wed, 25 Aug 2021 12:07:27 -0400
Subject: [PATCH 1/3] Clarify NOAUTH error message

---
 dist/v1.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dist/v1.js b/dist/v1.js
index a7ec65f..a98e929 100644
--- a/dist/v1.js
+++ b/dist/v1.js
@@ -91,7 +91,7 @@ async function main() {
 res.send("NOAUTH");
 }
 } else {
- res.send("NOAUTH");
+ res.send("NOUSER");
 }
 } else {
 res.send({ error: "ERR_BAD_CHARACTERS" });

From 229b51c2fbbd789480d26f16fa9e7141418372cd Mon Sep 17 00:00:00 2001
From: JIBSIL <40243545+JIBSIL@users.noreply.github.com>
Date: Wed, 25 Aug 2021 12:13:36 -0400
Subject: [PATCH 2/3] Fix 500 error on line 114

A possible spoof is not an internal server error
---
 dist/v1.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dist/v1.js b/dist/v1.js
index a98e929..ebedcf8 100644
--- a/dist/v1.js
+++ b/dist/v1.js
@@ -111,7 +111,7 @@ async function main() {
 });
 } catch (error) {
 if (error.message === "Cannot read property 'username' of undefined") {
- res.status(500).send({ error: "NOAUTH_ERR_POSSIBLE_SPOOF" });
+ res.send({ error: "NOAUTH_ERR_POSSIBLE_SPOOF" });
 } else {
 res.status(500).send({ error: "NOAUTH_UNKNOWN_ERROR" });
 }

From c5e208fd5f6ee4dd15031797bdc7546673887ee7 Mon Sep 17 00:00:00 2001
From: JIBSIL <40243545+JIBSIL@users.noreply.github.com>
Date: Thu, 26 Aug 2021 11:48:32 -0400
Subject: [PATCH 3/3] Update v1.js

---
 dist/v1.js | 118 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/dist/v1.js b/dist/v1.js
index ebedcf8..d8dd1f0 100644
--- a/dist/v1.js
+++ b/dist/v1.js
@@ -26,6 +26,8 @@ async function main() {
 await client.connect();
 const db = client.db(dbName);
 const collection = db.collection("dev");
+ const tokens = db.collection("tokens");
+
 // Character limit
 const RegExpFilter = /^.{3,64}$/;
 const RegExpFilterPassword = /^.{7,64}$/;
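Review bot: Changing the outer `else` to `res.send("NOUSER")` while the inner branch (presumably the failed-password path) still sends `"NOAUTH"` makes the two failures distinguishable to an unauthenticated caller, which is a username-enumeration oracle on what looks like a login/auth route. A client can now confirm which usernames exist before trying passwords, so I would keep both branches on the same generic string, i.e. leave this line as `res.send("NOAUTH");`, and surface the "no such user" distinction only in server-side logs or to admin-authenticated callers. If the client genuinely needs the distinction, document that trade-off next to the branch with `// NOTE: distinct NOUSER/NOAUTH bodies reveal account existence`. The handler this branch belongs to starts outside the hunk.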
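Review bot: Classifying the caught error by the exact V8 text `"Cannot read property 'username' of undefined"` is brittle: newer Node releases word this TypeError differently, at which point the same spoof condition silently falls through to the 500 `NOAUTH_UNKNOWN_ERROR` branch and the behaviour this commit intends is lost. The undefined-`decoded` case should be checked explicitly where `.username` is read (inside the `try`, outside this hunk) rather than inferred from a message; as a minimum the comparison should be `if (error instanceof TypeError) {` so it survives message changes. Note also that `error.message` is read without checking that `error` is an `Error`, so a thrown non-Error value would itself throw inside the `catch`. The handler this `catch` belongs to starts outside the hunk.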
@@ -83,6 +85,11 @@ async function main() {
 expiresIn: 86400
 }
 );
+ await tokens.insertOne({
+ username: req.body.username,
+ token,
+ isAdmin
+ });
 res
 .cookie("token", token, { httpOnly: true })
 .status(200)
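Review bot: The added `tokens.insertOne` stores the freshly signed JWT in plaintext in the `tokens` collection, so anyone who can read that collection (a backup, an over-privileged DB account, an injection elsewhere) obtains ready-to-use session cookies for every user, and `isAdmin` — which appears to come from outside the hunk — marks the valuable ones. Nothing else in this patch reads or deletes from `tokens`, so the rows also accumulate past the `expiresIn: 86400` lifetime without providing revocation. If the collection is meant as a revocation or audit list, store a digest instead of the token, e.g. `token: crypto.createHash("sha256").update(token).digest("hex")`, add an `expiresAt` field with a TTL index, and consult it where the token is verified. The login handler this runs in starts outside the hunk.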
@@ -118,6 +125,117 @@ async function main() {
 }
 });
 
+ app.put("/updateuser", async (req, res) => {
+ try {
+ const findUser = await collection.findOne({
+ username: req.body.currentUsername
+ });
+ if (findUser) {
+ jwt.verify(req.cookies.token, jwtsecret, async (error, decoded) => {
+ const isValid = error || decoded === undefined ? false : true;
+ if (isValid === true) {
+ if (
+ decoded.username === req.body.currentUsername ||
+ decoded.isAdmin === true
+ ) {
+ if (!req.body.currentPassword) {
+ var comparePassword = false;
+ } else if (req.body.currentPassword) {
+ var comparePassword = await bcrypt.compare(
+ req.body.currentPassword,
+ findUser.password
+ );
+ }
+
+ if (comparePassword || decoded.isAdmin === true) {
+ if (
+ RegExpFilter.test(req.body.username) &&
+ RegExpFilterPassword.test(req.body.password) === true
+ ) {
+ const newUsername =
+ req.body.username ?? req.body.currentUsername;
+ const newPassword =
+ req.body.password ?? req.body.currentPassword;
+ const hash = bcrypt.hashSync(
+ newPassword,
+ bcrypt.genSaltSync(10)
+ );
+ await collection.updateOne(
+ { username: req.body.currentUsername },
+ {
+ $set: {
+ username: newUsername,
+ password: hash
+ }
+ }
+ );
+ res.send("Updated");
+ } else {
+ res.send("ERR_BAD_CHARACTERS");
+ }
+ }
+ } else {
+ res.send("ERR_UNAUTHORIZED");
+ }
+ } else {
+ res.send("NOAUTH_ERR_POSSIBLE_SPOOF");
+ }
+ });
+ } else {
+ res.send("NOUSER");
+ }
+ } catch (error) {
+ res.status(500).send({ error: "NOAUTH_UNKNOWN_ERR" });
+ }
+ });
+
+ app.delete("/deleteuser", async (req, res) => {
+ try {
+ if (
+ RegExpFilter.test(req.body.username) &&
+ RegExpFilterPassword.test(req.body.password) === true
+ ) {
+ const findUser = await collection.findOne({
+ username: req.body.username
+ });
+ if (findUser) {
+ jwt.verify(req.cookies.token, jwtsecret, async (error, decoded) => {
+ const isValid = error || decoded === undefined ? false : true;
+ if (isValid === true) {
+ if (
+ decoded.username === req.body.username ||
+ decoded.isAdmin === true
+ ) {
+ if (!req.body.password) {
+ var comparePasswordForDeletion = false;
+ } else if (req.body.password) {
+ var comparePasswordForDeletion = await bcrypt.compare(
+ req.body.password,
+ findUser.password
+ );
+ }
+ if (comparePasswordForDeletion || decoded.isAdmin === true) {
+ await collection.deleteOne({ username: req.body.username });
+ res.send("User Deleted");
+ }
+ } else {
+ res.send("ERR_UNAUTHORIZED");
+ }
+ } else {
+ res.send("NOAUTH_ERR_POSSIBLE_SPOOF");
+ }
+ });
+ } else {
+ res.send("NOUSER");
+ }
+ } else {
+ res.send("ERR_BAD_CHARACTERS");
+ }
+ } catch (error) {
+ res.status(500).send({ error: "NOAUTH_UNKNOWN_ERR" });
+ }
+ });
+
 app.listen(port, () => {
 console.log(`App listening at http://localhost:${port}`);
 });
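Review bot: Both new handlers leave the request hanging when the password check fails: `if (comparePassword || decoded.isAdmin === true)` in `/updateuser` and `if (comparePasswordForDeletion || decoded.isAdmin === true)` in `/deleteuser` have no `else`, so a correctly signed non-admin token with a wrong `currentPassword`/`password` never gets a reply; add `} else { res.send("ERR_UNAUTHORIZED"); }` after each. The enclosing `try/catch` also does not cover the `async` callback handed to `jwt.verify`, so a rejection from `bcrypt.compare`, `updateOne` or `deleteOne` inside it becomes an unhandled promise rejection instead of the 500 the catch intends — call it synchronously inside the `try` as `const decoded = jwt.verify(req.cookies.token, jwtsecret);` or give the callback body its own `try/catch`. Because `RegExp.test` stringifies its argument, the filters accept a missing field (`"undefined"`) and non-string JSON values (`"[object Object]"`), so `req.body.currentUsername` and `req.body.username` should be checked with `typeof x === "string"` before they are used as query values in `findOne`/`updateOne`/`deleteOne`, and an admin updating without `currentPassword` and without `password` leaves `newPassword` undefined for `bcrypt.hashSync`. Neither handler checks that `newUsername` is unused before the rename (a unique index is not visible here), nor touches the `tokens` collection added earlier in this patch, so JWTs for a renamed or deleted account remain valid until `expiresIn`. The enclosing `main()` starts and ends outside the hunk.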