From 8e269f1a8e4d2639538fa8b53252fec094b047f8 Mon Sep 17 00:00:00 2001 From: leca Date: Thu, 23 Jan 2025 11:48:59 +0300 Subject: [PATCH] added can_have_cloak assertion --- src/middlewares/auth.js | 11 ++++++++++- src/middlewares/existance.js | 15 ++++++++++++++- src/routers/api.js | 4 ++-- src/routers/user.js | 5 ++++- 4 files changed, 30 insertions(+), 5 deletions(-) diff --git a/src/middlewares/auth.js b/src/middlewares/auth.js index 46c751c..44e67a2 100644 --- a/src/middlewares/auth.js +++ b/src/middlewares/auth.js @@ -2,6 +2,8 @@ import fs from 'fs'; import dotenv from 'dotenv'; import jwt from 'jsonwebtoken'; +import UserService from '../services/user.js'; + dotenv.config({path: ".env"}); const authenticate = async (req, res, next) => { @@ -29,4 +31,11 @@ const validateInviteToken = async (req, res, next) => { next(); }; -export default {authenticate, validateInviteToken}; \ No newline at end of file +const canHaveCloak = async (req, res, next) => { + const { username } = jwt.decode(req.session.jwt); + if (!(await UserService.canHaveCloak(username))) + return res.status(403).send("You cannot have cloak"); + next(); +} + +export default {authenticate, validateInviteToken, canHaveCloak}; \ No newline at end of file diff --git a/src/middlewares/existance.js b/src/middlewares/existance.js index d834f91..6b0b3c3 100644 --- a/src/middlewares/existance.js +++ b/src/middlewares/existance.js @@ -1,5 +1,10 @@ +import dotenv from 'dotenv'; +import jwt from 'jsonwebtoken'; + import UserService from '../services/user.js'; +dotenv.config({path: ".env"}); + const userDoesNotExist = async (req, res, next) => { const { username } = req.body; 
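Review bot: `canHaveCloak` destructures the result of `jwt.decode(req.session.jwt)` without checking it, and `jwt.decode` neither verifies the signature nor rejects a missing token — it returns `null`, so a request with no session JWT throws a TypeError out of an async middleware instead of answering 403. The function is only safe because `auth.authenticate` happens to precede it in the router, which is a property of the route list rather than of this middleware; whether `authenticate` itself verifies the signature is not visible in this hunk. I would verify here and fail closed, catching the error `jwt.verify` throws for a tampered or expired token, as sketched below.
```javascript
const canHaveCloak = async (req, res, next) => {
  let username;
  try {
    // verify(), not decode(): decode() skips the signature check and returns
    // null for a missing token, which the destructuring would throw on.
    ({ username } = jwt.verify(req.session && req.session.jwt, process.env.SECRET));
  } catch {
    return res.status(403).send("Unauthorized");
  }
  if (!username || !(await UserService.canHaveCloak(username)))
    return res.status(403).send("You cannot have cloak");
  next();
};
```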
@@ -11,7 +16,15 @@ const userDoesNotExist = async (req, res, next) => { }; const userExist = async (req, res, next) => { - const { username } = req.body; + let username; + if (req.body.username) { + username = req.body.username; + } else if (req.session.jwt) { + if (!req.session.jwt || !jwt.verify(req.session.jwt, process.env.SECRET)) { + return res.status(403).send("Unauthorized"); + } + username = jwt.decode(req.session.jwt).username; + } if (!(await UserService.exists(username))) { return res.status(401).send("Such user does not exists!"); diff --git a/src/routers/api.js b/src/routers/api.js index 683a893..1b0219a 100644 --- a/src/routers/api.js +++ b/src/routers/api.js @@ -12,7 +12,7 @@ const ApiRouter = new Router(); ApiRouter.post('/register', requiredParameters.requireUsername, requiredParameters.requirePassword, auth.validateInviteToken, existance.userDoesNotExist, UserController.register); ApiRouter.post('/login', requiredParameters.requireUsername, requiredParameters.requirePassword, existance.userExist, UserController.login); ApiRouter.get('/logout', auth.authenticate, UserController.logout); -ApiRouter.post('/uploadSkin', auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadSkin); -ApiRouter.post('/uploadCape', auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadCape); +ApiRouter.post('/uploadSkin', existance.userExist, auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadSkin); +ApiRouter.post('/uploadCape', existance.userExist, auth.authenticate, auth.canHaveCloak, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadCape); export default ApiRouter; \ No newline at end of file diff --git a/src/routers/user.js b/src/routers/user.js index 0d8ead3..d5122fc 100644 --- a/src/routers/user.js +++ b/src/routers/user.js 
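Review bot: The new session branch of `userExist` can never reach its 403: `jwt.verify` throws on a bad signature or expired token rather than returning a falsy value, so `!jwt.verify(...)` is dead code and an invalid token escapes as an unhandled rejection from an async middleware (Express 4 does not forward those to the error handler); the inner `!req.session.jwt` test also just repeats the `else if` condition. Because the body value wins over the session, a caller logged in as one user can have the existence check run for any `username` supplied in the body, and a request with neither source leaves `username` undefined and calls `UserService.exists(undefined)`. I would wrap the verification in try/catch, take the username from the verified payload, and reject explicitly when there is nothing to check; the rest of `userExist` (the `exists` check's success path and `next()`) lies outside the hunk.
```javascript
const userExist = async (req, res, next) => {
  let username = req.body && req.body.username;
  if (!username && req.session && req.session.jwt) {
    try {
      // verify() throws on a tampered or expired token; a falsy check is not enough.
      ({ username } = jwt.verify(req.session.jwt, process.env.SECRET));
    } catch {
      return res.status(403).send("Unauthorized");
    }
  }
  if (!username) {
    return res.status(400).send("Missing username");
  }
  // … unchanged: UserService.exists check …
```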
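Review bot: On both upload routes `existance.userExist` now runs before `auth.authenticate`, so the existence lookup is performed on unauthenticated input: if a JSON or urlencoded body parser is mounted ahead of this router (not visible here), an anonymous caller can POST a `username` to `/uploadSkin` and tell from the 401 `Such user does not exists!` reply versus the response `authenticate` gives for a missing session whether that account exists — a user-enumeration oracle on an endpoint that should require login. The check also reads `req.body.username` before the session, so the user it confirms need not be the one whose token `auth.canHaveCloak` and the controller act on. I would put `auth.authenticate` first so the existence check only ever sees the verified session: `ApiRouter.post('/uploadSkin', auth.authenticate, existance.userExist, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadSkin);` and `ApiRouter.post('/uploadCape', auth.authenticate, existance.userExist, auth.canHaveCloak, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadCape);`.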
@@ -19,9 +19,12 @@ UserRouter.get('/register', async (req, res) => { }); UserRouter.get(['/', '/login'], async (req, res) => { - if(req.session.jwt && jwt.verify(req.session.jwt, process.env.SECRET)) + if(req.session.jwt && jwt.verify(req.session.jwt, process.env.SECRET)) { + console.log(req.session.jwt) return res.redirect("/index"); + } + return res.render("login.pug"); });
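Review bot: The added `console.log(req.session.jwt)` writes the user's session JWT — a bearer credential — to stdout on every visit to `/` or `/login` by a logged-in user, so anyone who can read the process output or a log aggregator can replay that session; it looks like leftover debugging and should be removed, leaving `if(req.session.jwt && jwt.verify(req.session.jwt, process.env.SECRET)) { return res.redirect("/index"); }`. Separately, `jwt.verify` throws rather than returning false for an expired or tampered cookie, so such a session raises out of this async handler instead of falling through to `res.render("login.pug")`; wrapping the check in a try/catch that treats a failed verification as "not logged in" would make the login page reachable again for stale sessions. That second point is pre-existing and not introduced by this hunk.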