f0ckv2/src/inc/routes/admin.mjs

import router from "../router.mjs";
import sql from "../sql.mjs";
import tpl from "../tpl.mjs";
import lib from "../lib.mjs";
import util from "util";
import crypto from "crypto";
import cfg from "../../../config.json";

const scrypt = util.promisify(crypto.scrypt);

const hash = async str => {
  const salt = crypto.randomBytes(16).toString("hex");
  const derivedKey = await scrypt(str, salt, 64);
  return "$f0ck$" + salt + ":" + derivedKey.toString("hex");
};

const verify = async (str, hash) => {
  const [ salt, key ] = hash.substring(6).split(":");
  const keyBuffer = Buffer.from(key, "hex");
  const derivedKey = await scrypt(str, salt, 64);
  return crypto.timingSafeEqual(keyBuffer, derivedKey);
};

const createID = () => crypto.randomBytes(16).toString("hex") + Date.now().toString(24);

router.get(/^\/login(\/)?$/, async (req, res) => {
  if(req.cookies.session)
    return res.reply({ body: "du bist schon eingeloggt lol<pre>"+util.inspect(req.session)+"</pre>" });
  res.reply({
    body: tpl.render("views/login", {}, req)
  });
});

router.post(/^\/login(\/)?$/, async (req, res) => {
  const user = await sql("user").where("login", req.post.username.toLowerCase()).limit(1);
  if(user.length === 0)
    return res.reply({ body: "user doesn't exist or wrong password" });
  if(!(await verify(req.post.password, user[0].password)))
    return res.reply({ body: "user doesn't exist or wrong password" });
  const stamp = Date.now() / 1e3;

  const session = lib.md5(createID());
  await sql("user_sessions").insert({
    user_id: user[0].id,
    session: lib.md5(session),
    browser: req.headers["user-agent"],
    created_at: stamp,
    last_used: stamp
  });

  return res.writeHead(301, {
    "Cache-Control": "no-cache, public",
    "Set-Cookie": `session=${session}; Path=/`,
    "Location": "/"
  }).end();
});

router.get(/^\/logout$/, async (req, res) => {
  if(!req.session)
    return res.redirect("/");
  
  const usersession = await sql("user_sessions").where("id", req.session.sess_id);
  if(usersession.length === 0)
    return res.reply({ body: "nope 2" });
  
  await sql("user_sessions").where("id", req.session.sess_id).del();
  return res.writeHead(301, {
    "Cache-Control": "no-cache, public",
    "Set-Cookie": "session=; Path=/;  expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "Location": "/login"
  }).end();
});

router.get(/^\/login\/pwdgen$/, async (req, res) => {
  res.reply({
    body: "<form action=\"/login/pwdgen\" method=\"post\"><input type=\"text\" name=\"pwd\" placeholder=\"pwd\" /><input type=\"submit\" value=\"f0ck it\" /></form>"
  });
});
router.post(/^\/login\/pwdgen$/, async (req, res) => {
  res.reply({
    body: await hash(req.post.pwd)
  });
});

router.get(/^\/login\/test$/, async (req, res) => {
  res.reply({
    body: "<pre>" + util.inspect(req) + "</pre>"
  });
});

router.get(/^\/admin(\/)?$/, async (req, res) => {
  if(!req.session)
    return res.redirect("/");

  res.reply({
    body: tpl.render("views/admin", {}, req)
  });
});
admin stuff 2021-05-19 14:19:26 +02:00			`import router from "../router.mjs";`
			`import sql from "../sql.mjs";`
			`import tpl from "../tpl.mjs";`
			`import lib from "../lib.mjs";`
			`import util from "util";`
			`import crypto from "crypto";`
			`import cfg from "../../../config.json";`

			`const scrypt = util.promisify(crypto.scrypt);`

			`const hash = async str => {`
			`const salt = crypto.randomBytes(16).toString("hex");`
			`const derivedKey = await scrypt(str, salt, 64);`
			`return "$f0ck$" + salt + ":" + derivedKey.toString("hex");`
			`};`

			`const verify = async (str, hash) => {`
			`const [ salt, key ] = hash.substring(6).split(":");`
			`const keyBuffer = Buffer.from(key, "hex");`
			`const derivedKey = await scrypt(str, salt, 64);`
			`return crypto.timingSafeEqual(keyBuffer, derivedKey);`
			`};`

			`const createID = () => crypto.randomBytes(16).toString("hex") + Date.now().toString(24);`

			`router.get(/^\/login(\/)?$/, async (req, res) => {`
			`if(req.cookies.session)`
			`return res.reply({ body: "du bist schon eingeloggt lol<pre>"+util.inspect(req.session)+"</pre>" });`
			`res.reply({`
			`body: tpl.render("views/login", {}, req)`
			`});`
			`});`

			`router.post(/^\/login(\/)?$/, async (req, res) => {`
			`const user = await sql("user").where("login", req.post.username.toLowerCase()).limit(1);`
			`if(user.length === 0)`
			`return res.reply({ body: "user doesn't exist or wrong password" });`
			`if(!(await verify(req.post.password, user[0].password)))`
			`return res.reply({ body: "user doesn't exist or wrong password" });`
			`const stamp = Date.now() / 1e3;`

			`const session = lib.md5(createID());`
			`await sql("user_sessions").insert({`
			`user_id: user[0].id,`
			`session: lib.md5(session),`
			`browser: req.headers["user-agent"],`
			`created_at: stamp,`
			`last_used: stamp`
			`});`

			`return res.writeHead(301, {`
			`"Cache-Control": "no-cache, public",`
			"Set-Cookie": `session=${session}; Path=/`,
			`"Location": "/"`
			`}).end();`
			`});`

			`router.get(/^\/logout$/, async (req, res) => {`
			`if(!req.session)`
			`return res.redirect("/");`

			`const usersession = await sql("user_sessions").where("id", req.session.sess_id);`
			`if(usersession.length === 0)`
			`return res.reply({ body: "nope 2" });`

			`await sql("user_sessions").where("id", req.session.sess_id).del();`
			`return res.writeHead(301, {`
			`"Cache-Control": "no-cache, public",`
			`"Set-Cookie": "session=; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT",`
			`"Location": "/login"`
			`}).end();`
			`});`

			`router.get(/^\/login\/pwdgen$/, async (req, res) => {`
			`res.reply({`
			`body: "<form action=\"/login/pwdgen\" method=\"post\"><input type=\"text\" name=\"pwd\" placeholder=\"pwd\" /><input type=\"submit\" value=\"f0ck it\" /></form>"`
			`});`
			`});`
			`router.post(/^\/login\/pwdgen$/, async (req, res) => {`
			`res.reply({`
			`body: await hash(req.post.pwd)`
			`});`
			`});`

			`router.get(/^\/login\/test$/, async (req, res) => {`
			`res.reply({`
			`body: "<pre>" + util.inspect(req) + "</pre>"`
			`});`
			`});`

			`router.get(/^\/admin(\/)?$/, async (req, res) => {`
			`if(!req.session)`
			`return res.redirect("/");`

			`res.reply({`
			`body: tpl.render("views/admin", {}, req)`
			`});`
			`});`