dbs289
/
dcumcTest


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422
							let bcrypt = require('bcryptjs')
let multer = require('multer')
let express = require('express')
let router = express.Router()

const Errors = require('../lib/errors.js')
let {
	User, Post, ProfilePicture, AdminToken, Thread, Category, Sequelize, Ip, Ban
} = require('../models')
let pagination = require('../lib/pagination.js')

function setUserSession(req, res, username, UserId, admin) {
	req.session.loggedIn = true
	req.session.username = username
	req.session.UserId = UserId

	res.cookie('username', username)
	//Not for security purposes, just so client side can determine
	//to show certain parts of ui or not (i.e. could trivially be spoofed
	//but the server would not accept any api requests)
	res.cookie('admin', !!admin)

	if(admin) { req.session.admin = true }
}
router.post('/', async (req, res) => {
	try {
		await Ban.isIpBanned(req.ip)

		let userParams = {
			username: req.body.username,
			hash: req.body.password,
			admin: false
		}

		if(req.body.admin && await User.canBeAdmin(req.body.token)) {
			userParams.admin = true
		}

		let user = await User.create(userParams)
		await Ip.createIfNotExists(req.ip, user)

		setUserSession(req, res, user.username, user.id, userParams.admin)
		res.json(user.toJSON())
	} catch (e) {
		if(e instanceof Sequelize.ValidationError) {
			res.status(400)
			res.json(e)
		} else if (e.name in Errors) {
			res.status(401)
			res.json({
				errors: [e]
			})
		} else {
			console.log(e)
			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}
	}
})

router.get('/:username', async (req, res) => {
	try {
		let queryObj = {
			attributes: { exclude: ['hash'] },
			where: { username: req.params.username }
		}

		if(req.query.posts) {
			
			let { from, limit } = pagination.getPaginationProps(req.query, true)

			let postInclude = {
				model: Post,
				include: Post.includeOptions(),
				limit,
				order: [['id', 'DESC']]
			}
			if(from !== null) {
				postInclude.where = { id: { $lte: from } }
			}
			queryObj.include = [postInclude]

			let user = await User.findOne(queryObj)
			if(!user) throw Errors.accountDoesNotExist

			let meta = await user.getMeta(limit)

			res.json(Object.assign( user.toJSON(limit), { meta } ))
		} else if(req.query.threads) {
			let queryString = ''

			Object.keys(req.query).forEach(query => {
				queryString += `&${query}=${req.query[query]}`
			})

			res.redirect('/api/v1/category/ALL?username=' + req.params.username + queryString)
		} else {
			let user = await User.findOne(queryObj)
			if(!user) throw Errors.accountDoesNotExist

			res.json(user.toJSON())
		}

		
	} catch (err) {
		if(err === Errors.accountDoesNotExist) {
			res.status(400)
			res.json({ errors: [err] })
		} else {
			console.log(err)
			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}
	}
})

router.post('/:username/login', async (req, res) => {
	try {
		await Ban.isIpBanned(req.ip, req.params.username)

		let user = await User.findOne({ where: {
			username: req.params.username
		}})

		if(user) {
			if(await user.comparePassword(req.body.password)) {
				await Ip.createIfNotExists(req.ip, user)

				setUserSession(req, res, user.username, user.id, user.admin)
				res.json({
					username: user.username,
					admin: user.admin,
					success: true
				})
			} else {
				res.status(401)
				res.json({
					errors: [Errors.invalidLoginCredentials]
				})
			}
		} else {
			res.status(401)
			res.json({
				errors: [Errors.invalidLoginCredentials]
			})
		}

	} catch (err) {
		if(err instanceof Sequelize.ValidationError) {
			res.status(400)
			res.json(err)
		} else {
			console.log(err)

			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}

	}
})

router.post('/:username/logout', async (req, res) => {
	req.session.destroy(() => {
		res.clearCookie('username')
		res.clearCookie('admin')
		res.json({
			success: true
		})
	})
})

router.get('/:username/picture', async (req, res) => {
	try {
		let user = await User.findOne({
			where: {
				username: req.params.username
			}
		})
		if(!user) throw Errors.accountDoesNotExist

		let picture = await ProfilePicture.findOne({
			where: {
				UserId: user.id
			}
		})

		if(!picture) {
			res.status(404)
			res.end('')
		} else {
			res.writeHead(200, {
				'Content-Type': picture.mimetype,
				'Content-disposition': 'attachment;filename=profile',
				'Content-Length': picture.file.length
			})
			res.end(new Buffer(picture.file, 'binary'))
		}
	} catch (e) {
		if(e === Errors.accountDoesNotExist) {
			res.status(400)
			res.json({ errors: [e] })
		} else {
			console.log(e)
			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}
	}
})

router.all('*', (req, res, next) => {
	if(req.session.username) {
		next()
	} else {
		res.status(401)
		res.json({
			errors: [Errors.requestNotAuthorized]
		})
	}
})

let upload = multer({ storage: multer.memoryStorage() })
router.post('/:username/picture', upload.single('picture'), async (req, res) => {
	try {
		if(req.session.username !== req.params.username) {
			throw Errors.requestNotAuthorized
		} else {
			let user = await User.findById(req.session.UserId)
			let picture = await ProfilePicture.findOne({
				where: { UserId: user.id}
			})

			let pictureObj = {
				file: req.file.buffer,
				mimetype: req.file.mimetype
			}
			
			//No picture set yet
			if(!picture) {
				picture = await ProfilePicture.create(pictureObj)
				await picture.setUser(user)
			} else {
				await picture.update(pictureObj)
			}

			//Add random query to end to force browser to reload background images
			await user.update({
				picture: '/api/v1/user/' + req.session.username + '/picture?rand=' + Date.now()
			})

			res.json(user.toJSON())
		}
	} catch (e) {
		if(e === Errors.requestNotAuthorized) {
			res.status(401)
			res.json({
				errors: [e]
			})
		} else if(e instanceof Sequelize.ValidationError) {
			res.status(400)
			res.json(e)
		} else {
			console.log(e)

			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}
	}
})

router.delete('/:username/picture', async (req, res) => {
	try {
		if(req.session.username !== req.params.username) {
			throw Errors.requestNotAuthorized
		} else {
			let user = await User.findById(req.session.UserId)
			let picture = await ProfilePicture.findOne({
				where: { UserId: user.id}
			})

			await user.update({
				picture: null
			})
			await picture.destroy()

			res.json(user.toJSON())
		}
	} catch (e) {
		if(e === Errors.requestNotAuthorized) {
			res.status(401)
			res.json({
				errors: [e]
			})
		} else {
			console.log(e)

			res.status(500)
			res.json({
				errors: [Errors.unknown]
			})
		}
	}
})


router.put('/:username', async (req, res) => {
	try {
		if(req.session.username !== req.params.username) {
			throw Errors.requestNotAuthorized
		}

		if(req.body.description !== undefined) {
			let user = await User.update({ description: req.body.description }, { where: {
				username: req.session.username
			}})

			res.json({ success: true })

		} else if(
			req.body.currentPassword !== undefined &&
			req.body.newPassword !== undefined
		) {
			let user = await User.findOne({where: {
				username: req.session.username
			}})

			await user.updatePassword(req.body.currentPassword, req.body.newPassword)
			res.json({ success: true })

		} else {
			res.json({ success: false })
		}
	} catch (e) {
		if(e.name in Errors) {
			res.status(400)
			res.json({ errors: [e] })
		} else if(e instanceof Sequelize.ValidationError) {
			res.status(400)
			res.json(e)
		} else {
			console.log(e)

			res.status(500)
			res.json({errors: Errors.unknown })
		}
	}
})

router.delete('/:username', async (req, res) => {
	try {
		if(req.session.username !== req.params.username) {
			throw Errors.requestNotAuthorized
		}

		let user = await User.findOne({ where: {
			username: req.session.username
		}})

		await user.destroy()

		req.session.destroy(() => {
			res.clearCookie('username')
			res.clearCookie('admin')
			res.json({ success: true })
		})

	} catch (e) {
		if(e.name in Errors) {
			res.status(400)
			res.json({ errors: [e] })
		} else {
			console.log(e)

			res.status(500)
			res.json({errors: Errors.unknown })
		}
	}
})

router.all('*', (req, res, next) => {
	if(req.session.admin) {
		next()
	} else {
		res.status(401)
		res.json({
			errors: [Errors.requestNotAuthorized]
		})
	}
})

router.get('/', async (req, res) => {
	try {
		if(req.query.admin) {
			let admins = await User.findAll({
				where: { admin: true },
				attributes: {
					exclude: ['hash']
				}
			})

			res.json(admins)
		} else {
			res.json({})
		}
	} catch (e) {
		console.log(e)
		res.json({
			errors: [Errors.unknown]
		})
	}
})

module.exports = router