/
index.js
91 lines (78 loc) · 2.95 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
const fs = require('fs')
const ejs = require('ejs')
const path = require('path')
const crypto = require('crypto')
const express = require('express')
const cookieParser = require('cookie-parser')
const { db, createNewUser, getCsrf } = require('./db');
const app = express()
app.use('/', express.static(path.join(__dirname, 'public')))
app.use(express.urlencoded({extended: false}))
app.use(cookieParser())
function rand() { return crypto.randomBytes(20).toString('hex') }
app.use((req, res, next) => {
const { id } = req.cookies;
req.user = (id && db.cookies[id] && db.cookies[id].username) ? db.cookies[id].username : undefined;
const csp = (id && db.cookies[id] && db.cookies[id].nonce) ? `script-src 'nonce-${db.cookies[id].nonce}'` : '';
res.setHeader('Content-Security-Policy', `default-src 'self'; base-uri 'self'; ${csp}`)
next()
})
function shouldBeLoggedIn(req, res, next) { if (!req.user) res.redirect('/'); else next(); }
function shouldNotBeLoggedIn(req, res, next) { if (req.user) res.redirect('/profile'); else next(); }
function csrfCheck(req, res, next) {
const { csrf } = req.body
if (csrf !== getCsrf(req.cookies.id)) return res.redirect(`${req.path}?error=Wrong csrf`)
next()
}
app.get('/', shouldNotBeLoggedIn, (req, res) => {
res.render('auth.ejs')
})
app.post('/', shouldNotBeLoggedIn, csrfCheck, (req, res) => {
const { username, password } = req.body
try {
if (db.users[username]) {
if (db.users[username].password !== password) throw 'Wrong password';
} else createNewUser(username, password)
const newCookie = rand()
db.cookies[newCookie] = Object.create(null)
db.cookies[newCookie].username = username
db.cookies[newCookie].csrf = rand()
db.cookies[newCookie].nonce = rand()
res.setHeader('Set-Cookie', `id=${newCookie}; HttpOnly; SameSite=None; Secure`)
res.redirect('/profile')
} catch (err) {
res.redirect(`/?error=${err}`)
}
})
app.get('/csp.gif', shouldBeLoggedIn, (req, res) => {
db.cookies[req.cookies.id].nonce = rand()
res.setHeader('Content-Type', 'image/gif')
res.send('OK')
})
const settingsFile = fs.readFileSync('./views/getSettings.js', 'utf-8');
app.get('/getSettings.js', (req, res) => {
res.setHeader('Content-Type', 'text/javascript');
const response = ejs.render(settingsFile, {
csrf: getCsrf(req.cookies.id),
domain: process.env.DOMAIN,
});
res.end(response);
})
app.get('/profile', shouldBeLoggedIn, (req, res) => {
res.render('profile.ejs', {
name: db.users[req.user].name,
nonce: db.cookies[req.cookies.id].nonce,
});
})
app.post('/profile', shouldBeLoggedIn, csrfCheck, (req, res) => {
const { name } = req.body;
db.users[req.user].name = name;
res.redirect('/profile?message=Successfully updated name')
})
// For interacting with admin bot
app.use('/bot', shouldBeLoggedIn, require('./bot.js'));
const http = require('http');
const port = 4567
http.createServer(app).listen(port, () => {
console.log(`Server is runing at port ${port}`)
});