
Add: missing auth
- fixed status codes yet again
- added auth to things
FifthZoner committed Nov 5, 2024
1 parent 38bdc0e commit 269a981
Showing 5 changed files with 193 additions and 6 deletions.
56 changes: 56 additions & 0 deletions server/articles.ts
Expand Up @@ -35,6 +35,20 @@ module.exports = function (app: Express) {
app.post(
"/api/articles/:userId", bodyParser.json(), async (req: any, res) => {
try {
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({ response: "User session is not valid!" });
return;
}
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "User session is not valid!" });
return;
}
}
let id = await pool.query(`SELECT max(id_artykulu) FROM artykul`);
id = id.rows[0].max + 1;
if (id == null) {
Expand Down Expand Up @@ -163,6 +177,29 @@ module.exports = function (app: Express) {

app.delete("/api/articles/:articleId", bodyParser.json(), async (req: any, res) => {
try {
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({ response: "User session is not valid!" });
return;
}
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1){
res.status(401).json({ response: "User session is not valid!" });
return;
}
// new check if the article actually belongs to this person
const articleCheck = await pool.query(
"SELECT * FROM public.artykul WHERE id_artykulu = $1",
[req.params.articleId]
);
if (articleCheck.rowCount != 1 || articleCheck.rows[0].autor != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "User session is not valid!" });
return;
}
}
await pool.query(
`DELETE FROM komentarz WHERE id_artykulu = ${req.params.articleId}`
);
Expand Down Expand Up @@ -190,6 +227,25 @@ module.exports = function (app: Express) {
bodyParser.json(),
async (req: any, res) => {
try {
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1){
res.status(401).json({ response: "User session is not valid!" });
return;
}
// new check if the article actually belongs to this person
const articleCheck = await pool.query(
"SELECT * FROM public.artykul WHERE id_artykulu = $1",
[req.params.articleId]
);
if (articleCheck.rowCount != 1 || articleCheck.rows[0].autor != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "User session is not valid!" });
return;
}
}
await pool.query(
`UPDATE artykul SET tytul = '${req.body.tytul}', opis = '${req.body.opis}' WHERE id_artykulu = ${req.params.articleId}`
);
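Review bot: The ownership block added in the third hunk (@@ -190,6 +227,25) reads `req.session.user` without the `req.session == null || … || req.session.authenticated == false` guard that the POST and DELETE hunks begin with, so a request carrying no session object throws a TypeError inside the try and lands in the catch block outside the hunk (presumably a 500) instead of the intended 401, and the `authenticated` flag is never consulted on this path. Put the same guard first in that block: `if (req.session == null || req.session.user == null || req.session.authenticated == false) { res.status(401).json({ response: "User session is not valid!" }); return; }`; the update and delete hunks of server/recipes.ts omit it as well. Separately, the new checks bind their values with `$1` while the UPDATE that follows them still interpolates `req.body.tytul` and `req.body.opis` into the query string, which is worth converting to placeholders in the same pass. The handler signatures and catch blocks of all three hunks lie outside the hunks.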
4 changes: 2 additions & 2 deletions server/auth.ts
Expand Up @@ -46,7 +46,7 @@ module.exports = function(app : Express) {
console.log("Logged in successfully!")
req.session.user = email;
req.session.authenticated = true;
res.status(201).json( {"response": "Logged in successfully!"} );
res.status(200).json( {"response": "Logged in successfully!"} );

}
catch (err) {
Expand Down Expand Up @@ -87,7 +87,7 @@ module.exports = function(app : Express) {
req.session.destroy()
req.session = null;
console.log("Logged out!");
res.status(201).json( {"response": "Logged out successfully!"} );
res.status(200).json( {"response": "Logged out successfully!"} );
}
catch (err) {
console.error("Error when logging out:", err);
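Review bot: In the logout hunk, `req.session.destroy()` two lines above the changed `res.status(200)` is called without a callback, so the 200 is sent regardless of whether the session store actually removed the session; if the middleware is express-session, destroy completes asynchronously and a store error is dropped silently. Moving the response into the callback keeps the reported status honest, as sketched below. The handler and its try block begin outside the hunk.
```typescript
// … unchanged: console.log("Logged out!") …
req.session.destroy((err: unknown) => {
  if (err) {
    console.error("Error when logging out:", err);
    res.status(500).json( {"response": "Logout failed!"} );
    return;
  }
  res.status(200).json( {"response": "Logged out successfully!"} );
});
```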
45 changes: 45 additions & 0 deletions server/mealplanner.ts
Expand Up @@ -26,6 +26,21 @@ module.exports = function (app: Express) {
bodyParser.json(),
async (req: any, res) => {
try {
{
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({response: "User session is not valid!"});
return;
}

const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika) {
res.status(401).json({response: "User session is not valid!"});
return;
}
}
await pool.query(
`INSERT INTO plan VALUES (${req.params.userId}, '${req.body.date}', ${req.body.id_przepisu} )`
);
Expand Down Expand Up @@ -54,6 +69,21 @@ module.exports = function (app: Express) {

app.get("/api/mealplanner/:userId/:dayFrom/:dayTo", bodyParser.json(), async (req: any, res) => {
try {
{
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({response: "User session is not valid!"});
return;
}

const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika) {
res.status(401).json({response: "User session is not valid!"});
return;
}
}
//let result: any[] = []
const result = await pool.query(
`SELECT plan.id_przepisu, przepis.tytul, plan.data FROM plan JOIN przepis on plan.id_przepisu = przepis.id_przepisu WHERE plan.id_uzytkownika = ${req.params.userId} AND plan.data BETWEEN '${req.params.dayFrom}' AND '${req.params.dayTo}'`
Expand Down Expand Up @@ -83,6 +113,21 @@ module.exports = function (app: Express) {

app.delete("/api/mealplanner/:userId", bodyParser.json(), async (req: any, res) => {
try {
{
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({response: "User session is not valid!"});
return;
}

const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika) {
res.status(401).json({response: "User session is not valid!"});
return;
}
}
console.log(req.body.id_przepisu, req.body.date, req.params.userId )
const result = await pool.query(
`DELETE FROM plan WHERE id_uzytkownika = ${req.params.userId} and id_przepisu = ${req.body.id_przepisu} and data = '${req.body.date}'`)
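Review bot: The statement that follows each new check still builds its SQL by string interpolation (the INSERT with `req.body.date` and `req.body.id_przepisu` in the first hunk, the BETWEEN clause with `req.params.dayFrom`/`dayTo` in the second, the DELETE in the third), while the checks themselves bind with `$1`; only `req.params.userId` is indirectly validated by the comparison against the database id, the other values are not. Use placeholders there too, e.g. `INSERT INTO plan VALUES ($1, $2, $3)` with `[req.params.userId, req.body.date, req.body.id_przepisu]` as the parameter array. The `console.log` of the request body just below the third check and the commented-out `//let result: any[] = []` above the SELECT can be dropped. Each handler starts before its hunk.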
86 changes: 86 additions & 0 deletions server/recipes.ts
Expand Up @@ -34,6 +34,20 @@ module.exports = function (app: Express) {

app.post("/api/recipes/:userId", bodyParser.json(), async (req: any, res) => {
try {
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({ response: "User session is not valid!" });
return;
}
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "User session is not valid!" });
return;
}
}
let id = await pool.query(`SELECT max(id_przepisu) FROM przepis`);
console.log(id);
id = id.rows[0].max + 1;
Expand Down Expand Up @@ -153,6 +167,20 @@ module.exports = function (app: Express) {
bodyParser.json(),
async (req: any, res) => {
try {
{
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({ response: "User session is not valid!" });
return;
}
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "User session is not valid!" });
return;
}
}
const valid = await pool.query(
`SELECT * FROM przepis WHERE id_przepisu = ${req.params.recipeId}`
);
Expand Down Expand Up @@ -183,6 +211,28 @@ module.exports = function (app: Express) {
bodyParser.json(),
async (req: any, res) => {
try {
if (req.session == null || req.session.user == null || req.session.authenticated == false) {
res.status(401).json({ response: "User session is not valid!" });
return;
}
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1){
res.status(401).json({ response: "User session is not valid!" });
return;
}
const fav = await pool.query(
"SELECT * FROM public.ulubione WHERE id_uzytkownika = $1 AND id_przepisu = $2",
[req.params.userId, req.params.recipeId]
);
if (fav.rowCount != 1){
res.status(401).json({ response: "Invalid favourite/user combination!" });
return;
}
}
await pool.query(
`DELETE FROM ulubione WHERE id_uzytkownika = ${req.params.userId} and id_przepisu = ${req.params.recipeId}`
);
Expand Down Expand Up @@ -310,6 +360,24 @@ module.exports = function (app: Express) {
bodyParser.json(),
async (req: any, res) => {
try {
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1){
res.status(401).json({ response: "User session is not valid!" });
return;
}
const rec = await pool.query(
"SELECT * FROM public.przepis WHERE id_przepisu = $1",
[req.params.recipeId]
);
if (rec.rowCount != 1 || rec.rows[0].autor != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "Recipe does not exist or belong to the user!" });
return;
}
}
await pool.query(
`UPDATE przepis SET tytul = '${req.body.tytul}', opis = '${req.body.opis}', czas_przygotowania = ${req.body.czas_przygotowania}, cena = ${req.body.cena} WHERE id_przepisu = ${req.params.recipeId}`
);
Expand Down Expand Up @@ -363,6 +431,24 @@ module.exports = function (app: Express) {

app.delete("/api/recipes/:recipeId", bodyParser.json(), async (req: any, res) => {
try {
{
const result = await pool.query(
"SELECT id_uzytkownika FROM public.uzytkownik WHERE email = $1",
[req.session.user]
);
if (result.rowCount != 1){
res.status(401).json({ response: "User session is not valid!" });
return;
}
const rec = await pool.query(
"SELECT * FROM public.przepis WHERE id_przepisu = $1",
[req.params.recipeId]
);
if (rec.rowCount != 1 || rec.rows[0].autor != result.rows[0].id_uzytkownika){
res.status(401).json({ response: "Recipe does not exist or belong to the user!" });
return;
}
}
await pool.query(
`DELETE FROM ulubione WHERE id_przepisu = ${req.params.recipeId}`
);
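Review bot: The favourite-delete hunk (@@ -183,6 +211,28) confirms that the session email resolves to a user and that a favourite row exists for `req.params.userId`/`req.params.recipeId`, but it never compares `req.params.userId` with `result.rows[0].id_uzytkownika`, so the userId in the path is not tied to the session user and any valid session satisfies the check. Change the first condition to `if (result.rowCount != 1 || req.params.userId != result.rows[0].id_uzytkownika){`, as the POST and PUT hunks in this file already do. The ownership failures in these blocks are authorization rather than authentication errors, so 403 would describe them more accurately than 401. The enclosing handlers start before each hunk.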
8 changes: 4 additions & 4 deletions server/user.ts
Expand Up @@ -18,7 +18,7 @@ module.exports = function(app : Express) {
}
const result = pool.query("UPDATE public.uzytkownik SET email = $1 WHERE id_uzytkownika = $2;", [email, user.rows[0].id_uzytkownika]);
req.session.user = email
res.status(201).json( {"response": "Changed email successfully!"} );
res.status(200).json( {"response": "Changed email successfully!"} );
}
catch (err) {
console.error("Error when changing email:", err);
Expand All @@ -40,7 +40,7 @@ module.exports = function(app : Express) {
}
const result = pool.query("UPDATE public.uzytkownik SET imie = $1 WHERE id_uzytkownika = $2;", [name, user.rows[0].id_uzytkownika]);

res.status(201).json( {"response": "Changed name successfully!"} );
res.status(200).json( {"response": "Changed name successfully!"} );
}
catch (err) {
console.error("Error when changing name:", err);
Expand All @@ -62,7 +62,7 @@ module.exports = function(app : Express) {
}
const result = pool.query("UPDATE public.uzytkownik SET nazwisko = $1 WHERE id_uzytkownika = $2;", [lastName, user.rows[0].id_uzytkownika]);

res.status(201).json( {"response": "Changed last name successfully!"} );
res.status(200).json( {"response": "Changed last name successfully!"} );
}
catch (err) {
console.error("Error when changing last name:", err);
Expand Down Expand Up @@ -90,7 +90,7 @@ module.exports = function(app : Express) {
const hpass = await hashPassword(password);
const result = pool.query("UPDATE public.uzytkownik SET haslo = $1 WHERE id_uzytkownika = $2;", [hpass, user.rows[0].id_uzytkownika]);

res.status(201).json( {"response": "Changed password successfully!"} );
res.status(200).json( {"response": "Changed password successfully!"} );
}
catch (err) {
console.error("Error when changing password:", err);
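Review bot: `const result = pool.query(...)` on the line above each changed status line (all four hunks) is not awaited, so the 200 is sent before the UPDATE has run, and a rejected query escapes the surrounding try/catch as an unhandled rejection while the client still sees success; the first hunk also sets `req.session.user = email` before the change is confirmed. Await the query in each hunk, e.g. `await pool.query("UPDATE public.uzytkownik SET email = $1 WHERE id_uzytkownika = $2;", [email, user.rows[0].id_uzytkownika]);` (the `result` binding is unused), and move the session update after it. The handlers' signatures and the lookups of `user` lie outside the hunks.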
