added can_have_cloak assertion

src/middlewares/auth.js

@@ -2,6 +2,8 @@ import fs from 'fs';
 import dotenv from 'dotenv';
 import jwt from 'jsonwebtoken';
 
+import UserService from '../services/user.js';
+
 dotenv.config({path: ".env"});
 
 const authenticate = async (req, res, next) => {
@@ -29,4 +31,11 @@ const validateInviteToken = async (req, res, next) => {
     next();
 };
 
-export default {authenticate, validateInviteToken};
+const canHaveCloak = async (req, res, next) => {
+    const { username } = jwt.decode(req.session.jwt);
+    if (!(await UserService.canHaveCloak(username)))
+        return res.status(403).send("You cannot have cloak");
+    next();
+}
+
+export default {authenticate, validateInviteToken, canHaveCloak};

src/middlewares/existance.js

@@ -1,5 +1,10 @@
+import dotenv from 'dotenv';
+import jwt from 'jsonwebtoken';
+
 import UserService from '../services/user.js';
 
+dotenv.config({path: ".env"});
+
 const userDoesNotExist = async (req, res, next) => {
 
     const { username } = req.body;
@@ -11,7 +16,15 @@ const userDoesNotExist = async (req, res, next) => {
 };
 
 const userExist = async (req, res, next) => {
-    const { username } = req.body;
+    let username;
+    if (req.body.username) {
+        username = req.body.username;
+    } else if (req.session.jwt) {
+        if (!req.session.jwt || !jwt.verify(req.session.jwt, process.env.SECRET)) {
+            return res.status(403).send("Unauthorized");
+        }
+        username = jwt.decode(req.session.jwt).username;
+    }
 
     if (!(await UserService.exists(username))) {
         return res.status(401).send("Such user does not exists!");

src/routers/api.js

@@ -12,7 +12,7 @@ const ApiRouter = new Router();
 ApiRouter.post('/register', requiredParameters.requireUsername, requiredParameters.requirePassword, auth.validateInviteToken, existance.userDoesNotExist, UserController.register);
 ApiRouter.post('/login', requiredParameters.requireUsername, requiredParameters.requirePassword, existance.userExist, UserController.login);
 ApiRouter.get('/logout', auth.authenticate, UserController.logout);
-ApiRouter.post('/uploadSkin', auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadSkin);
+ApiRouter.post('/uploadSkin', existance.userExist, auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadSkin);
-ApiRouter.post('/uploadCape', auth.authenticate, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadCape);
+ApiRouter.post('/uploadCape', existance.userExist, auth.authenticate, auth.canHaveCloak, utils.upload.single('file'), requiredParameters.requireFile, UserController.uploadCape);
 
 export default ApiRouter;

src/routers/user.js

@@ -19,9 +19,12 @@ UserRouter.get('/register', async (req, res) => {
 });
 
 UserRouter.get(['/', '/login'], async (req, res) => {
-    if(req.session.jwt && jwt.verify(req.session.jwt, process.env.SECRET))
+    if(req.session.jwt && jwt.verify(req.session.jwt, process.env.SECRET)) {
+        console.log(req.session.jwt)
         return res.redirect("/index");
 
+    }
+
     return res.render("login.pug");
 });