import crypto from 'crypto';
import express from 'express';
import sqlite from 'sqlite';
import { asyncMiddleware } from './utils/asyncMiddleware';
import { generateRandomness, HMAC, KDF, checkPassword } from './utils/crypto';
const router = express.Router();
// One shared connection promise for every handler in this router; the
// `cached: true` option belongs to the sqlite package and its exact
// semantics are not visible in this file.
const dbPromise = sqlite.open('./db/database.sqlite', { cached: true });
// Both keys are generated afresh each time the process starts: `key` signs the
// session account (checkSignature), `token_key` derives the transfer-form token
// (generateToken). Signatures issued by an earlier process therefore stop
// verifying after a restart — presumably acceptable here; confirm if session
// persistence across restarts matters.
const key = generateRandomness();
const token_key = generateRandomness();
/**
 * Debug helper: print every row of the Users table to the console.
 * Nothing in this file calls it (the one call site in render() is commented
 * out). The rows carry the hashedPassword and salt columns, so turning it on
 * writes credential material into the process log.
 * @returns {Promise<void>}
 */
async function logDatabaseState() {
  const db = await dbPromise;
  const rows = await db.all('SELECT * FROM Users');
  console.log(rows);
}
/**
 * Render `page` inside the shared layout, passing the session's login state.
 * @param {object} req  Express request; `req.session.loggedIn` and
 *   `req.session.account` are forwarded to the view as-is.
 * @param {object} res  Express response.
 * @param {Function} next  Unused; kept so every handler has the same signature.
 * @param {string} page  View rendered inside 'layout/template'.
 * @param {string} title  Page title.
 * @param {string|false} [errorMsg=false]  Error banner text, or false for none.
 * @param {*} [result=null]  Page-specific data handed through to the view.
 */
function render(req, res, next, page, title, errorMsg = false, result = null) {
  const { loggedIn, account } = req.session;
  const locals = { page, title, loggedIn, account, errorMsg, result };
  res.render('layout/template', locals);
}
/**
 * GET / — home page.
 * A session that carries a signature is verified first; one whose signature
 * no longer matches the account goes back to the login form. A session with
 * no signature at all (never logged in, or logged out) gets the home page
 * without any check.
 */
router.get('/', (req, res, next) => {
  const { signature } = req.session;
  const hasSignature = signature != null && signature !== '';
  if (hasSignature && !checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  render(req, res, next, 'index', 'Bitbar Home');
});
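// Markers that cleanInput() strips from a submitted profile. This is a
// blocklist of tag fragments, not an HTML escaper: anything not listed passes
// through, so the view that prints the profile must still escape it on output.
const PROFILE_TAG_BLOCKLIST = Object.freeze([
  '<script', '</script>', '<img', '</img>', '<iframe', '</iframe>',
  '<input', '</input>', '<audio', '</audio>', '<embed', '</embed>',
  '<source', '</source>', '<track', '</track>', '<video', '</video>',
]);

/**
 * POST /set_profile — replace the logged-in user's profile text.
 * Requires a logged-in, correctly signed session. The submission is run
 * through cleanInput() and the *cleaned* text is what is stored both in the
 * session and in the Users table (previously the raw submission went to the
 * database while only the session copy was cleaned). The session signature is
 * recomputed because the signed account object changed.
 */
router.post('/set_profile', asyncMiddleware(async (req, res, next) => {
  // `!== true` also rejects an undefined flag, which `== false` let through;
  // without an account object the assignments below would throw.
  if (req.session.loggedIn !== true) {
    render(req, res, next, 'login/form', 'Login', 'You must be logged in to use this feature!');
    return;
  }
  if (!checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const submitted = req.body.new_profile;
  // Body parsers can deliver arrays or objects for repeated fields;
  // cleanInput() expects a string.
  if (typeof submitted !== 'string') {
    render(req, res, next, 'index', 'Bitbar Home', 'Invalid profile.');
    return;
  }
  const profile = cleanInput(submitted, PROFILE_TAG_BLOCKLIST);
  req.session.account.profile = profile;
  req.session.signature = HMAC(key, JSON.stringify(req.session.account));
  console.log('Updated HMAC in set_profile');
  const db = await dbPromise;
  await db.run('UPDATE Users SET profile = ? WHERE username = ?;', profile, req.session.account.username);
  render(req, res, next, 'index', 'Bitbar Home');
}));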
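/**
 * Remove every occurrence of the given markers from `input`.
 *
 * Matching is literal (the original used String#search, which compiles its
 * argument as a regular expression), case-insensitive, and repeated until no
 * marker is left — so a marker that only appears once an overlapping one has
 * been cut out is still removed. An empty marker is ignored (the original
 * looped forever on it).
 *
 * This is a blocklist, not a sanitizer: anything not listed passes through
 * untouched, so the result must still be escaped wherever it is rendered.
 *
 * @param {string} input  Text to scrub; null/undefined become '', other
 *   non-strings are coerced with String().
 * @param {string[]} whitelist  Markers to remove (the parameter name is
 *   historical — it is a blocklist).
 * @returns {string} `input` with every marker removed.
 */
function cleanInput(input, whitelist) {
  let text = String(input ?? '');
  const markers = whitelist.filter((m) => typeof m === 'string' && m.length > 0);
  if (markers.length === 0) return text;

  // Escape regex metacharacters so each marker matches literally.
  const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const pattern = new RegExp(markers.map(escapeRegExp).join('|'), 'gi');

  // Iterate to a fixed point: removing one marker can splice another together.
  let previous;
  do {
    previous = text;
    text = text.replace(pattern, '');
  } while (text !== previous);
  return text;
}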
/**
 * Keep only the characters `\w` matches — ASCII letters, digits and the
 * underscore — and drop everything else, whitespace included. (The callers'
 * "alphanumeric" wording is slightly narrower than `\w`, which also admits
 * '_'.) Callers compare the result with the input to reject usernames that
 * contain anything else.
 * @param {string} username
 * @returns {string} The filtered username.
 */
function alphaNumericOnly(username) {
  return username.replace(/\W/g, '');
}
/** GET /login — show the login form. */
router.get('/login', (req, res, next) => render(req, res, next, 'login/form', 'Login'));
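/**
 * POST /post_login — verify a username/password pair and start a session.
 * The username must be a string that alphaNumericOnly() leaves unchanged; the
 * password is checked with checkPassword() against the stored row. On success
 * the whole Users row is placed in req.session.account and signed with
 * HMAC(key, ...).
 * NOTE(review): that row includes hashedPassword and salt; if req.session is a
 * client-side (cookie) session store, the hash is sent to the browser —
 * confirm the session store before shipping.
 */
router.post('/post_login', asyncMiddleware(async (req, res, next) => {
  const username = req.body.username;
  // Body parsers can yield arrays/objects for repeated fields; treat anything
  // that is not a string, or that alphaNumericOnly() would alter, as invalid.
  if (typeof username !== 'string' || alphaNumericOnly(username) !== username) {
    render(req, res, next, 'login/form', 'Login', 'Alphanumeric Characters Only (a-z,A-Z,0-9 And No Whitespaces)');
    return;
  }
  const db = await dbPromise;
  const user = await db.get('SELECT * FROM Users WHERE username == ?;', username);
  // checkPassword() is an external helper; only hand it a string password.
  if (user && typeof req.body.password === 'string' && checkPassword(req.body.password, user)) {
    req.session.loggedIn = true;
    req.session.account = user;
    req.session.signature = HMAC(key, JSON.stringify(req.session.account));
    console.log('Updated HMAC in post_login');
    render(req, res, next, 'login/success', 'Bitbar Home');
    return;
  }
  render(req, res, next, 'login/form', 'Login', 'This username and password combination does not exist!');
}));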
/** GET /register — show the registration form. */
router.get('/register', (req, res, next) => render(req, res, next, 'register/form', 'Register'));
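// Balance every new account starts with.
const STARTING_BITBARS = 100;

/**
 * POST /post_register — create a Users row and log the new user in.
 * The username must be a non-empty string that alphaNumericOnly() leaves
 * unchanged and must not already exist; the password must be a string. The
 * password is stored as KDF(password, salt) with a fresh salt. The new account
 * is placed in the session and signed with HMAC(key, ...).
 * NOTE(review): the existence check and the INSERT are two statements, so two
 * concurrent registrations of the same name could both pass unless the schema
 * has a UNIQUE constraint on username — not visible here.
 */
router.post('/post_register', asyncMiddleware(async (req, res, next) => {
  const username = req.body.username;
  if (typeof username !== 'string' || alphaNumericOnly(username) !== username) {
    render(req, res, next, 'register/form', 'Register', 'Alphanumeric Characters Only (a-z,A-Z,0-9 And No Whitespaces)');
    return;
  }
  // An empty string passes the alphanumeric check; reject it explicitly.
  if (username === '') {
    render(req, res, next, 'register/form', 'Register', 'Username must not be empty!');
    return;
  }
  if (typeof req.body.password !== 'string') {
    render(req, res, next, 'register/form', 'Register', 'Invalid password!');
    return;
  }
  const db = await dbPromise;
  const existing = await db.get('SELECT * FROM Users WHERE username == ?;', username);
  if (existing) {
    render(req, res, next, 'register/form', 'Register', 'This username already exists!');
    return;
  }
  const salt = generateRandomness();
  const hashedPassword = KDF(req.body.password, salt);
  await db.run(
    'INSERT INTO Users(username, hashedPassword, salt, profile, bitbars) VALUES(?, ?, ?, ?, ?)',
    [username, hashedPassword, salt, '', STARTING_BITBARS],
  );
  req.session.loggedIn = true;
  req.session.account = {
    username,
    hashedPassword,
    salt,
    profile: '',
    bitbars: STARTING_BITBARS,
  };
  req.session.signature = HMAC(key, JSON.stringify(req.session.account));
  console.log('Updated HMAC in post_register');
  render(req, res, next, 'register/success', 'Bitbar Home');
}));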
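/**
 * GET /close — delete the logged-in user's account and clear the session.
 * Requires a logged-in session whose signature verifies; the original only
 * checked the login flag, so a session object with a fabricated username
 * could delete any account. The DELETE is issued with db.run (the original
 * used db.get, which executes the statement but is the row-reading API).
 */
router.get('/close', asyncMiddleware(async (req, res, next) => {
  // `!== true` also rejects an undefined flag, which `== false` let through.
  if (req.session.loggedIn !== true) {
    render(req, res, next, 'login/form', 'Login', 'You must be logged in to use this feature!');
    return;
  }
  if (!checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const db = await dbPromise;
  await db.run('DELETE FROM Users WHERE username == ?;', req.session.account.username);
  req.session.loggedIn = false;
  req.session.account = {};
  req.session.signature = '';
  render(req, res, next, 'index', 'Bitbar Home', 'Deleted account successfully!');
}));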
/**
 * GET /logout — clear the login flag, account and signature, then show the
 * home page with a confirmation banner.
 */
router.get('/logout', (req, res, next) => {
  Object.assign(req.session, { loggedIn: false, account: {}, signature: '' });
  render(req, res, next, 'index', 'Bitbar Home', 'Logged out successfully!');
});
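/**
 * Verify that req.session.signature is HMAC(key, JSON.stringify(account)) for
 * the account currently in the session, i.e. that the account object has not
 * been altered since it was signed.
 *
 * The comparison uses crypto.timingSafeEqual rather than `===`, so the time
 * taken does not depend on how many leading characters of a guess are right.
 * A missing or non-string signature fails. What HMAC() does when the account
 * is undefined (JSON.stringify(undefined) is undefined) is not visible here;
 * callers check loggedIn first so that case is not expected.
 *
 * @param {object} req  Express request with req.session.account/signature.
 * @returns {boolean}
 */
function checkSignature(req) {
  const expected = HMAC(key, JSON.stringify(req.session.account));
  const actual = req.session.signature;
  if (typeof actual !== 'string' || typeof expected !== 'string') return false;
  const a = Buffer.from(actual);
  const b = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}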
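/**
 * GET /profile — show a profile page.
 * Without a `username` query parameter the visitor's own session account is
 * shown. With one, the matching Users row is looked up and shown; a malformed
 * or unknown username falls back to the visitor's own account with an error
 * banner. Requires a logged-in, correctly signed session.
 * NOTE(review): a found row is handed to the view whole, including its
 * hashedPassword and salt columns — confirm the view prints only the public
 * fields, or select just those columns.
 */
router.get('/profile', asyncMiddleware(async (req, res, next) => {
  // `!== true` also rejects an undefined flag, which `== false` let through.
  if (req.session.loggedIn !== true) {
    render(req, res, next, 'login/form', 'Login', 'You must be logged in to use this feature!');
    return;
  }
  if (!checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const requested = req.query.username;
  if (requested == null) {
    // No search made: show the visitor their own profile.
    render(req, res, next, 'profile/view', 'View Profile', false, req.session.account);
    return;
  }
  // Query strings can carry arrays/objects (?username[]=...), so require a
  // plain string that alphaNumericOnly() leaves unchanged.
  if (typeof requested !== 'string' || alphaNumericOnly(requested) !== requested) {
    render(req, res, next, 'profile/view', 'View Profile', 'Alphanumeric Characters Only (a-z,A-Z,0-9 And No Whitespaces)', req.session.account);
    return;
  }
  const db = await dbPromise;
  let found = null;
  try {
    found = await db.get('SELECT * FROM Users WHERE username == ?;', requested);
  } catch (err) {
    // Best-effort lookup as before (falls through to "does not exist"),
    // but the failure is no longer swallowed silently.
    console.error('profile lookup failed', err);
  }
  if (found) {
    render(req, res, next, 'profile/view', 'View Profile', false, found);
  } else {
    // `requested` passed alphaNumericOnly() unchanged, so the banner text is
    // limited to [A-Za-z0-9_].
    render(req, res, next, 'profile/view', 'View Profile', `${requested} does not exist!`, req.session.account);
  }
}));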
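/**
 * Derive the per-session secret token embedded in the transfer form.
 * It is HMAC(token_key, session signature): it changes whenever the signed
 * account state changes and cannot be computed from the signature alone
 * without the process-local `token_key`. What HMAC() does with an undefined
 * message (no signature in the session) is not visible here; callers verify
 * the signature first.
 * @param {object} req  Express request with req.session.signature.
 * @returns {string} The token the transfer form is expected to post back.
 */
function generateToken(req) {
  return HMAC(token_key, req.session.signature);
}

/**
 * Check a token posted with a transfer against generateToken(req).
 * Uses crypto.timingSafeEqual instead of `===` so the comparison time does
 * not depend on how many leading characters match. Non-string tokens (a body
 * parser can produce arrays for repeated fields) are rejected outright.
 * @param {*} token  Value submitted in the form.
 * @param {object} req  Express request.
 * @returns {boolean}
 */
function checkToken(token, req) {
  const expected = generateToken(req);
  if (typeof token !== 'string' || typeof expected !== 'string') return false;
  const submitted = Buffer.from(token);
  const reference = Buffer.from(expected);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return submitted.length === reference.length && crypto.timingSafeEqual(submitted, reference);
}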
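/**
 * GET /transfer — show the transfer form with a fresh secret token.
 * Requires a logged-in, correctly signed session. The token from
 * generateToken() is embedded in the form and must be posted back to
 * /post_transfer, where checkToken() verifies it.
 */
router.get('/transfer', (req, res, next) => {
  // `!== true` also rejects an undefined flag, which `== false` let through.
  if (req.session.loggedIn !== true) {
    render(req, res, next, 'login/form', 'Login', 'You must be logged in to use this feature!');
    return;
  }
  if (!checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const secretToken = generateToken(req);
  render(req, res, next, 'transfer/form', 'Transfer Bitbars', false, { receiver: null, amount: null, secretToken });
});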
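/**
 * POST /post_transfer — move bitbars from the logged-in user to another user.
 *
 * Checks, in order: login flag, session signature, not sending to yourself,
 * destination username unchanged by alphaNumericOnly(), and the transfer-form
 * secret token (checkToken()). Then the receiver and the sender rows are read
 * from the Users table and the amount is validated against the sender's
 * *stored* balance.
 *
 * Changes from the original: the two UPDATEs were built with template literals
 * (now parameterised via db.run), and the sender's balance came from the
 * session object rather than the table — a session cookie whose signature is
 * still valid for an older account state could therefore spend the same
 * balance more than once. The debit is a conditional UPDATE
 * (`AND bitbars >= ?`) so two concurrent requests cannot both take the sender
 * below zero. Debit and credit are still two separate statements rather than
 * one transaction: a failure between them would leave the sender debited
 * without the receiver credited.
 *
 * Assumes the bitbars column is numeric — TODO confirm against the schema.
 */
router.post('/post_transfer', asyncMiddleware(async (req, res, next) => {
  const emptyForm = { receiver: null, amount: null };
  const failForm = (msg) => render(req, res, next, 'transfer/form', 'Transfer Bitbars', msg, emptyForm);

  // `!== true` also rejects an undefined flag, which `== false` let through.
  if (req.session.loggedIn !== true) {
    render(req, res, next, 'login/form', 'Login', 'You must be logged in to use this feature!');
    return;
  }
  if (!checkSignature(req)) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const destination = req.body.destination_username;
  if (destination === req.session.account.username) {
    failForm('You cannot send money to yourself!');
    return;
  }
  // Body parsers can yield arrays/objects for repeated fields; require a plain
  // string that alphaNumericOnly() leaves unchanged.
  if (typeof destination !== 'string' || alphaNumericOnly(destination) !== destination) {
    failForm('Alphanumeric Characters Only (a-z,A-Z,0-9 And No Whitespaces)');
    return;
  }
  if (!checkToken(req.body.secretToken, req)) {
    console.log('Secret token validation failed');
    failForm('Invalid Token.');
    return;
  }

  const db = await dbPromise;
  const selectUser = 'SELECT * FROM Users WHERE username == ?;';
  const receiver = await db.get(selectUser, destination);
  if (!receiver) {
    failForm('This user does not exist!');
    return;
  }
  // The table, not the session, is the source of truth for the balance.
  const sender = await db.get(selectUser, req.session.account.username);
  if (!sender) {
    render(req, res, next, 'login/form', 'Login', 'Invalid Session.');
    return;
  }
  const amount = Number.parseInt(req.body.quantity, 10);
  if (!Number.isInteger(amount) || amount < 1 || amount > sender.bitbars) {
    failForm('Invalid transfer amount!');
    return;
  }

  // Conditional debit: only succeeds if the stored balance still covers it.
  const debit = await db.run(
    'UPDATE Users SET bitbars = bitbars - ? WHERE username == ? AND bitbars >= ?;',
    amount, sender.username, amount,
  );
  // NOTE(review): db.run is expected to resolve to a Statement whose `changes`
  // counts affected rows (sqlite v3 API) — confirm for the installed version.
  if (debit.changes === 0) {
    failForm('Invalid transfer amount!');
    return;
  }
  await db.run('UPDATE Users SET bitbars = bitbars + ? WHERE username == ?;', amount, receiver.username);

  // Mirror the new balance into the signed session account.
  req.session.account.bitbars = sender.bitbars - amount;
  req.session.signature = HMAC(key, JSON.stringify(req.session.account));
  // `receiver` is the row as read before the credit, as in the original.
  render(req, res, next, 'transfer/success', 'Transfer Complete', false, { receiver, amount });
}));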
/**
 * GET /steal_cookie — log the `cookie` query parameter to the console and
 * echo it back through the 'theft/view_stolen_cookie' view. The parameter is
 * arbitrary visitor-supplied input reflected into a page, so the view must
 * escape it. This endpoint is part of the exercise scaffolding; it has no
 * place in a production build.
 */
router.get('/steal_cookie', (req, res, next) => {
  const { cookie } = req.query;
  console.log(`\n\n${cookie}\n\n`);
  render(req, res, next, 'theft/view_stolen_cookie', 'Cookie Stolen!', false, cookie);
});
// Exported as the router mounted by the application (CommonJS export
// alongside ES-module imports — presumably transpiled; confirm the build).
module.exports = router;