const express = require('express'); const crypto = require('crypto'); const fetch = require('node-fetch'); const Config = require('./config.js'); const Database = require('./db_interface.js'); const Mail = require('./mail.js'); let router = express.Router(); router.use(express.json()); let session_entropy = {}; user_cache = {}; email_cache = {}; discord_cache = {}; discord_user_cache = {}; async function fetch_user(where) { let user = await Database.schemas.user.findOne({ where: where }); if (user === null) { return undefined; } user_cache[user.id] = { id: user.id, email: user.email, discord_id: user.discord_id, password_hash: user.password_hash }; email_cache[user.email] = user.id; if (user.discord_id) { discord_cache[user.discord_id] = user.id } return user_cache[user.id] } async function fetch_discord_user(auth) { const result = await fetch(`https://discord.com/api/v8/users/@me`, { headers: { 'Authorization': auth.token_type + ' ' + auth.access_token } }); const json = result.json(); discord_user_cache[json.id] = { user: json, auth: auth, expires: (new Date().getTime()) + (json.expires_in * 1000) } return discord_user_cache[id]; } async function acquire_discord_token(code, redirect) { let data = { client_id: Config.config.discord_id, client_secret: Config.config.discord_secret, grant_type: 'authorization_code', code: code, redirect_uri: redirect } const result = await fetch(`https://discord.com/api/oauth2/token`, { method: 'POST', body: data, headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).catch(err => console.error(err)); if (!result.ok) { return res.status(500).json({error: "could not fetch user details"}) } const json = result.json(); return fetch_discord_user(json); } async function refresh_discord_token(id) { let data = { client_id: Config.config.discord_id, client_secret: Config.config.discord_secret, grant_type: 'refresh_token', refresh_token: discord_user_cache[id].auth.refresh_token } const result = await fetch(`https://discord.com/api/oauth2/token`, { method: 'POST', body: data, headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }).catch(err => console.error(err)); if (!result.ok) { return false; } const json = result.json(); discord_user_cache[id].auth.access_token = json.access_token; discord_user_cache[id].expires = (new Date().getTime()) + (json.expires_in * 1000); return true; } async function get_user_details(id) { if (!id || id === 'undefined') { return undefined; } console.log(`search for user with id ${id}`); if (!user_cache[id]) { return await fetch_user({ id: id }) } // console.log(`returning ${JSON.stringify(user_cache[id])}`); return user_cache[id]; } async function get_user_details_by_email(email) { if (!email || email === 'undefined') { return undefined; } console.log(`search for user with email ${email}}`); if (!email_cache[email] || !user_cache[email_cache[email]]) { return await fetch_user({ email: email }) } // console.log(`returning ${JSON.stringify(user_cache[email_cache[email]])}`); return user_cache[email_cache[email]]; } async function get_user_details_by_discord_id(id) { if (!id || id === 'undefined') { return undefined; } if (!discord_cache[id] || !user_cache[discord_cache[id]]) { return await fetch_user({ discord_id: id }) } return user_cache[discord_cache[id]]; } function hash(secret, password, base64 = true) { let pw_hash = crypto.pbkdf2Sync( password, secret, Config.config.key?.iterations || 1000, Config.config.key?.length || 64, 'sha512' ); return pw_hash.toString(base64 ? 'base64' : 'hex'); } function verify(secret, password, hash) { let pw_hash = crypto.pbkdf2Sync( password, secret, Config.config.key?.iterations || 1000, Config.config.key?.length || 64, 'sha512' ); return hash === pw_hash.toString('base64'); } function hash_password(password) { return hash(Config.config.secret, password); } function verify_password(password, hash) { return verify(Config.config.secret, password, hash); } function get_session_token(id, password_hash, base64 = true) { session_entropy[id] = crypto.randomBytes(Config.config.session_entropy || 32); return hash(session_entropy[id], password_hash, base64); } function verify_session_token(id, hash, token) { if (session_entropy[id]) { return verify(session_entropy[id], hash, token); } else { return false; } } async function enforce_session_login(req, res, next) { let userid = req.get('id'); let session_token = req.get('authorization'); console.log('a', userid, session_token); if (!userid || !session_token) { return res.sendStatus(401); } let user = await get_user_details(userid); if (!user) { return res.sendStatus(401); } let verified_session = verify_session_token(userid, user.password_hash, session_token); if (!verified_session) { return res.sendStatus(401); } return next(); } router.post('/signup', async (req, res) => { if (!req.body?.email || !req.body?.password) { return res.status(400).json({ error: 'must have email and password fields' }); } let user = await get_user_details_by_email(req.body?.email); if (user !== undefined && user !== {}) { console.warn(`user already found: ${JSON.stringify(user)}`); return res.status(403).json({ error: `email ${req.body.email} is already in use.` }); } else { let match = await Database.schemas.unverifiedUser.findOne({ where: { email: req.body.email } }); if (!!match) { await Database.schemas.unverifiedUser.destroy({ where: { email: match.email } }); } let randomString = 'Signup'; for (let i = 0; i < 16; i++) { randomString += Math.floor(Math.random() * 10); } let password_hash = hash_password(req.body.password); let user = await Database.schemas.unverifiedUser.create({ email: String(req.body.email), password_hash: password_hash, verificationToken: get_session_token(randomString, password_hash, false) }); const link = `${Config.config.https ? 'https://' : 'http://'}${req.headers.host}/api/user/verify?verification=${user.verificationToken }`; const content = `Click here to verify your sign-up: ${link}`; const contentHtml = `