- const jwt = require('jsonwebtoken')
- const express = require('express')
- const bodyParser = require('body-parser')
- const models = require('./models.js')
- const passport = require('passport')
- const crypto = require('crypto')
- const session = require('express-session')
- const FileStore = require('session-file-store')(session)
- const RedditStrategy = require('passport-reddit').Strategy
- const cors = require('cors')
// Application configuration.
//  - mode: selects which entry of `changing` feeds the Reddit OAuth strategy.
//  - secret: the HMAC key handed to jwt.sign()/jwt.verify() for API tokens.
//    It is empty here; it must be populated with a strong value before the
//    API is exposed, otherwise tokens can be minted by anyone.
//  - admins: Reddit usernames that receive the admin flag.
//  - responses: canned error bodies reused by the API handlers.
//  - modifiableFields: the only account fields PUT /account/:accountID may set.
const settings = {
  mode: 'development',
  secret: '',
  admins: ['strideynet'],
  responses: {
    noPermissions: {"error":{"name": "noPermissions", "message": "You don't have the permissions to do that!"}},
    '404': {"error":{"name": "notFound", "message": "That resource can't be found!"}},
    invalidFormat: {"error":{"name": "invalidFormat", "message": "A required field may be of the wrong type or null!"}}
  },
  modifiableFields: ['description', 'public'],
  // Per-mode Reddit OAuth client settings (key = client id, secret = client secret).
  changing: {
    development: {
      key: 'Re92nrdP8kmd2g',
      secret: '',
      redirect: 'http://localhost/auth/reddit/callback',
      siteURL: 'test'
    }
  }
}
// The session stores the whole Reddit profile object as-is: no lookup is done
// when serialising or deserialising the logged-in user.
passport.serializeUser((user, done) => done(null, user))
passport.deserializeUser((obj, done) => done(null, obj))
// Reddit OAuth strategy, configured from the `changing` entry selected by
// settings.mode.
passport.use(new RedditStrategy(
  {
    clientID: settings.changing[settings.mode].key,
    clientSecret: settings.changing[settings.mode].secret,
    callbackURL: settings.changing[settings.mode].redirect
  },
  (accessToken, refreshToken, profile, done) => {
    // Deferred to the next tick so the verify callback is always asynchronous.
    // The raw Reddit profile stands in for a user record: nothing is persisted
    // or looked up here, so req.user is whatever Reddit returned.
    process.nextTick(() => done(null, profile))
  }
))
const app = express()
const api = express.Router()
const auth = express.Router()

// Cookie sessions backed by the file store. The `secret` signs the session
// cookie and is empty here, just like settings.secret; it needs a real value
// before deployment. saveUninitialized: true stores a session even before
// anything has been written to it.
app.use(session({
  store: new FileStore(),
  secret: '',
  resave: false,
  saveUninitialized: true
}))

// Passport is mounted on the auth router only, so req.isAuthenticated() and
// req.user exist under /auth but not under /api (which uses JWTs instead).
auth.use(passport.initialize())
auth.use(passport.session())
// GET /auth/key: exchange the Reddit login session for an API JWT.
// Responds 401 with a redirect hint when there is no passport login.
auth.get('/key', (req, res) => {
  if (!req.isAuthenticated()) {
    return res.status(401).json({"error": {"name": "loginRequired", "redirect": "/auth/login/"}})
  }
  const username = req.user.name
  const data = {
    'user': username,
    'admin': settings.admins.indexOf(username) >= 0
  }
  // Signed with settings.secret and no expiry option, so the token remains
  // valid for as long as that secret is unchanged. The /api middleware
  // recomputes `admin` from settings.admins rather than trusting this claim.
  data.JWT = jwt.sign(data, settings.secret)
  res.status(200).json(data)
})
// GET /auth/login: an already-authenticated user is sent to the site root;
// anyone else gets a link that starts the Reddit OAuth flow.
auth.get('/login', (req, res) => {
  if (req.isAuthenticated()) {
    return res.redirect('http://localhost/')
  }
  res.send('<a href="/auth/reddit"> Click here to proceed with logging in</a>')
})
// GET /auth/reddit: start the OAuth flow. A fresh random `state` is stored in
// the session and passed to Reddit; /auth/reddit/callback compares the two.
auth.get('/reddit', (req, res, next) => {
  const state = crypto.randomBytes(32).toString('hex')
  req.session.state = state
  passport.authenticate('reddit', { state })(req, res, next)
})
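// GET /auth/reddit/callback
// Reddit redirects here with ?code=...&state=... . The state must match the
// one generated by /auth/reddit and kept in this session; on a match
// passport.authenticate() completes the exchange and redirects, otherwise the
// request goes to the error handler with a 403 status.
auth.get('/reddit/callback', (req, res, next) => {
  const expected = req.session.state
  // Require a state in the session and a strict match. The previous `==`
  // comparison also passed when both sides were undefined, i.e. a callback
  // reached without a prior /auth/reddit in this session. The values are
  // one-time tokens and are deliberately not logged.
  if (typeof expected !== 'string' || req.query.state !== expected) {
    const err = new Error('OAuth state mismatch')
    err.status = 403
    return next(err)
  }
  // Single use: drop the token once it has been checked.
  delete req.session.state
  passport.authenticate('reddit', {
    successRedirect: 'http://panama.mhoc.co.uk/',
    failureRedirect: '/login'
  })(req, res, next)
})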
// GET /auth/logout: end the passport login and return to the login page.
// Only the passport login is cleared; the rest of the session is kept.
auth.get('/logout', (req, res) => {
  req.logout()
  res.redirect('/auth/login')
})
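//api
//API Bodyparser
api.use(bodyParser.json())

// Ensure authed: every /api route requires a `JWT` header signed with
// settings.secret. On success req.decodedJWT holds the verified claims, with
// `admin` recomputed from settings.admins (the token's own admin claim is not
// trusted).
api.use((req, res, next) => {
  const token = req.get('JWT')
  if (!token) {
    return res.status(401).json({"error":{"name": "noJWTHeader", "message": "You must include a JWT."}})
  }
  // Pin the accepted algorithm to the one jwt.sign() uses by default for a
  // string secret (HS256), so a token whose header names a different `alg`
  // is rejected instead of being verified under that scheme.
  jwt.verify(token, settings.secret, { algorithms: ['HS256'] }, (err, decoded) => {
    if (err) {
      return res.status(401).json({"error": err})
    }
    if (!decoded.user) {
      return res.status(401).json({"error":{"name": "JWTMissingInfo", "message": "The JWT is invalid!"}})
    }
    req.decodedJWT = decoded
    req.decodedJWT.admin = settings.admins.indexOf(decoded.user) >= 0
    return next()
  })
})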
// Simple endpoint. Echoes the parsed JSON body back to the caller.
api.post('/test', (req, res) => res.json(req.body))
//Autocomplete option :P
// Lists every account _id; any holder of a valid JWT can call it.
api.get('/suggest', (req, res) => {
  models['accountModel'].find({}).distinct('_id', (err, documents) => {
    if (err) {
      // Note: the raw driver error is echoed to the client as `detail`.
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    res.status(200).json(documents)
  })
})
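//All accounts -> Admin Only
api.get('/account/@all', (req, res) => {
  // Same admin test as the other handlers: the flag the auth middleware
  // derives from settings.admins, rather than re-running the indexOf lookup.
  if (!req.decodedJWT.admin) {
    return res.status(403).json(settings.responses.noPermissions)
  }
  models['accountModel'].find({}, (err, documents) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    return res.status(200).json(documents)
  })
})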
//All accounts that are public
api.get('/account/@public', (req, res) => {
  const onResult = (err, documents) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    res.status(200).json(documents)
  }
  models['accountModel'].find({"public": true}, onResult)
})
//All accounts you own TODO: Optimise this!
// Loads every account and keeps those whose `users` map has an entry
// (level >= 0) for the caller.
api.get('/account/@mine', (req, res) => {
  models['accountModel'].find({}, (err, documents) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    const caller = req.decodedJWT.user
    const ownedAccounts = documents.filter((document) => document.users[caller] >= 0)
    res.status(200).json(ownedAccounts)
  })
})
//Create account -> Admin Only TODO: More validation and add logging
// Body fields are copied into the new document as-is; no validation happens
// here, so whatever the account model enforces on save() is all that applies.
api.post('/account/', (req, res) => {
  if (!req.decodedJWT.admin) {
    return res.status(403).json(settings.responses.noPermissions)
  }
  const { public: isPublic, description, accountType, users, wages } = req.body
  const newAccount = new models['accountModel']({
    "_id": req.body['_id'],
    public: isPublic,
    description,
    accountType,
    users,
    wages
  })
  newAccount.save((err, saved) => {
    if (err) {
      console.log(err)
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    res.status(201).json(saved)
  })
})
//Get account info -> Users only
// Readable by anyone with a level above 2 in the account's `users` map, or by
// an admin.
api.get('/account/:accountID', (req, res) => {
  models['accountModel'].findOne({"_id": req.params.accountID}, (err, document) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    if (!document) {
      return res.status(404).json(settings.responses['404'])
    }
    const canRead = req.decodedJWT.admin || document.users[req.decodedJWT.user] > 2
    if (!canRead) {
      return res.status(403).json(settings.responses.noPermissions)
    }
    return res.status(200).json(document)
  })
})
//Modify account details -> Owners, Users and Staff? TODO:Logging!
// Requires level >= 3 in the account's `users` map or admin. Only keys listed
// in settings.modifiableFields are applied; other keys are collected in
// failedFields but are not reported back to the caller.
api.put('/account/:accountID', (req, res) => {
  models['accountModel'].findOne({"_id": req.params.accountID}, (err, document) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    if (!document) {
      return res.status(404).json(settings.responses['404'])
    }
    const allowed = req.decodedJWT.admin || document.users[req.decodedJWT.user] >= 3
    if (!allowed) {
      return res.status(403).json(settings.responses.noPermissions)
    }
    const changes = req.body.changedFields
    if (!changes) {
      return res.status(400).json(settings.responses.invalidFormat)
    }
    const failedFields = []
    for (const key in changes) {
      if (settings.modifiableFields.indexOf(key) >= 0) {
        document[key] = changes[key]
      } else {
        failedFields.push(key)
      }
    }
    document.save((err, updatedDocument) => {
      if (err) {
        return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
      }
      res.status(200).json(updatedDocument)
    })
  })
})
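//Add new user or modify existing! -> account owners only
// Body: { users: { <username>: <level>, ... } }. The caller needs level >= 3 in
// the account or admin. Levels below 3 can be set by any such caller; levels
// of 3 and above only by a level-4 user of the account or an admin. Rejected
// entries are collected in failedUsers but are not yet surfaced in the
// response.
api.post('/account/:accountID/users', (req, res) => {
  models['accountModel'].findOne({"_id": req.params.accountID}, (err, document) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    if (!document) {
      return res.status(404).json(settings.responses['404'])
    }
    const isAdmin = req.decodedJWT.admin
    const actorLevel = document.users[req.decodedJWT.user]
    if (!(isAdmin || actorLevel >= 3)) {
      return res.status(403).json(settings.responses.noPermissions)
    }
    const requested = req.body.users
    if (!requested) {
      return res.status(400).json(settings.responses.invalidFormat)
    }
    // The previous check read document.users[req.params.userID], but this
    // route declares no :userID, so that lookup was effectively always
    // undefined and high levels could not be granted. The subject of the
    // level-4 test is the acting user; admins are included to match the
    // admin bypass on the outer permission check.
    const canGrantHigh = isAdmin || Number(actorLevel) === 4
    const failedUsers = []
    for (const key in requested) {
      // Only plain own keys are treated as usernames; inherited names and the
      // prototype accessor are rejected outright.
      if (!Object.prototype.hasOwnProperty.call(requested, key) || key === '__proto__') {
        failedUsers.push(requested[key])
        continue
      }
      const level = Number(requested[key])
      // NaN fails both comparisons and lands in failedUsers, as before.
      if (level < 3 || (level >= 3 && canGrantHigh)) {
        document.users[key] = level
      } else {
        failedUsers.push(requested[key])
      }
    }
    document.markModified('users')
    document.save((err, updatedDocument) => {
      if (err) {
        return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
      }
      res.status(200).json(updatedDocument)
    })
  })
})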
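//Remove user -> account owners only
// The caller must outrank the target (a higher level in the account's `users`
// map) or be an admin, and the account must keep at least one user.
api.delete('/account/:accountID/users/:userID', (req, res) => {
  models['accountModel'].findOne({"_id": req.params.accountID}, (err, document) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    if (!document) {
      return res.status(404).json(settings.responses['404'])
    }
    const target = req.params.userID
    // Own-property test instead of a truthiness test: a user at level 0 is a
    // real entry and was previously reported as 404, and inherited names such
    // as "constructor" are never treated as users.
    if (!Object.prototype.hasOwnProperty.call(document.users, target)) {
      return res.status(404).json(settings.responses['404'])
    }
    const callerLevel = document.users[req.decodedJWT.user]
    const outranks = req.decodedJWT.admin || callerLevel > document.users[target]
    if (!outranks) {
      return res.status(403).json(settings.responses.noPermissions)
    }
    if (Object.keys(document.users).length <= 1) {
      return res.status(400).json({"error":{"name": "lastElement", "message": "I won't let you remove the final person!"}})
    }
    delete document.users[target]
    document.markModified('users')
    document.save((err, updatedDocument) => {
      if (err) {
        return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
      }
      return res.status(200).json(updatedDocument)
    })
  })
})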
//Remove wage -> admin
// Removes the first occurrence of :wageID from the account's `wages` array.
// The existence check runs before the admin check, so a non-admin can tell
// from 404 vs 403 whether a wage id is present on the account.
api.delete('/account/:accountID/wages/:wageID', (req, res) => {
  models['accountModel'].findOne({"_id": req.params.accountID}, (err, document) => {
    if (err) {
      return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
    }
    if (!document) {
      return res.status(404).json(settings.responses['404'])
    }
    const position = document.wages.indexOf(req.params.wageID)
    if (position === -1) {
      return res.status(404).json(settings.responses['404'])
    }
    if (!req.decodedJWT.admin) {
      return res.status(403).json(settings.responses.noPermissions)
    }
    document.wages.splice(position, 1)
    document.markModified('wages')
    document.save((err, updatedDocument) => {
      if (err) {
        return res.status(500).json({"error":{"name": "databaseError", "message": "Somethings gone horribly wrong!", "detail": err}})
      }
      return res.status(200).json(updatedDocument)
    })
  })
})
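// The routes below are not implemented yet. Until they are, answer 501 so a
// caller gets a definite response: the previous handlers had empty bodies and
// never sent anything, leaving each request open until the client gave up.
const notImplemented = (req, res) => {
  res.status(501).json({"error":{"name": "notImplemented", "message": "This endpoint isn't available yet!"}})
}
//Get all transactions -> Staff only
api.get('/wages', notImplemented)
//Get all transactions -> Staff only
api.get('/wages/@suggest', notImplemented)
//Get all transactions -> Staff only
api.get('/transactions', notImplemented)
//New transaction. Users can create transactions but only for their accounts!
api.post('/transaction', notImplemented)
//Info on that trans -> Staff
api.get('/transaction/:transactionID', notImplemented)
//Modify info on that trans -> Staff
api.put('/transaction/:transactionID', notImplemented)
//Delete transaction -> Staff Only
api.delete('/transaction/:transactionID', notImplemented)
//Staff audit log :O
api.get('/logs', notImplemented)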
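app.use('/api', api)
app.use('/auth', auth)
// This process listens on 8081; the redbird proxy further down is what fronts
// it on port 80. The log line previously claimed port 80.
const apiPort = 8081
app.listen(apiPort, () => {
  console.log(`Listening on ${apiPort}`)
})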
// Reverse proxy on port 80: the site root is forwarded to the frontend on
// 8080, while /api and /auth go to this process on 8081.
const proxy = require('redbird')({port: 80})
proxy.register('localhost/', 'http://127.0.0.1:8080')
proxy.register('localhost/api', 'http://127.0.0.1:8081/api')
proxy.register('localhost/auth', 'http://127.0.0.1:8081/auth')