f0ckv2/src/inc/routes/admin.mjs

import router from "../router.mjs";
import sql from "../sql.mjs";
import tpl from "../tpl.mjs";
import lib from "../lib.mjs";
import util from "util";
import crypto from "crypto";
import { auth } from "../meddlware.mjs";
import search from "./inc/search.mjs";

const scrypt = util.promisify(crypto.scrypt);

const hash = async str => {
  const salt = crypto.randomBytes(16).toString("hex");
  const derivedKey = await scrypt(str, salt, 64);
  return "$f0ck$" + salt + ":" + derivedKey.toString("hex");
};

const verify = async (str, hash) => {
  const [ salt, key ] = hash.substring(6).split(":");
  const keyBuffer = Buffer.from(key, "hex");
  const derivedKey = await scrypt(str, salt, 64);
  return crypto.timingSafeEqual(keyBuffer, derivedKey);
};

const createID = () => crypto.randomBytes(16).toString("hex") + Date.now().toString(24);

router.get(/^\/login(\/)?$/, async (req, res) => {
  if(req.cookies.session)
    return res.reply({ body: "du bist schon eingeloggt lol<pre>"+util.inspect(req.session)+"</pre>" });
  res.reply({
    body: tpl.render("views/login", {}, req)
  });
});

router.post(/^\/login(\/)?$/, async (req, res) => {
  const user = await sql("user").where("login", req.post.username.toLowerCase()).limit(1);
  if(user.length === 0)
    return res.reply({ body: "user doesn't exist or wrong password" });
  if(!(await verify(req.post.password, user[0].password)))
    return res.reply({ body: "user doesn't exist or wrong password" });
  const stamp = Date.now() / 1e3;

  const session = lib.md5(createID());
  await sql("user_sessions").insert({
    user_id: user[0].id,
    session: lib.md5(session),
    browser: req.headers["user-agent"],
    created_at: stamp,
    last_used: stamp,
    last_action: "/login"
  });

  return res.writeHead(301, {
    "Cache-Control": "no-cache, public",
    "Set-Cookie": `session=${session}; Path=/; Expires=Fri, 31 Dec 9999 23:59:59 GMT`,
    "Location": "/"
  }).end();
});

router.get(/^\/logout$/, auth, async (req, res) => {
  const usersession = await sql("user_sessions").where("id", req.session.sess_id);
  if(usersession.length === 0)
    return res.reply({ body: "nope 2" });
  
  await sql("user_sessions").where("id", req.session.sess_id).del();
  return res.writeHead(301, {
    "Cache-Control": "no-cache, public",
    "Set-Cookie": "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "Location": "/login"
  }).end();
});

router.get(/^\/login\/pwdgen$/, async (req, res) => {
  res.reply({
    body: "<form action=\"/login/pwdgen\" method=\"post\"><input type=\"text\" name=\"pwd\" placeholder=\"pwd\" /><input type=\"submit\" value=\"f0ck it\" /></form>"
  });
});
router.post(/^\/login\/pwdgen$/, async (req, res) => {
  res.reply({
    body: await hash(req.post.pwd)
  });
});

router.get(/^\/login\/test$/, async (req, res) => {
  res.reply({
    body: "<pre>" + util.inspect(req) + "</pre>"
  });
});

router.get(/^\/admin(\/)?$/, auth, async (req, res) => { // frontpage
  const totals = await sql("items")
    .select(
      sql.raw("(select count(*) from items) total"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))
    .leftJoin("tags_assign", "tags_assign.item_id", "items.id");

  res.reply({
    body: tpl.render("views/admin", { totals: totals[0] }, req)
  });
});

router.get(/^\/admin\/sessions(\/)?$/, auth, async (req, res) => {
  const rows = await sql("user_sessions")
    .leftJoin("user", "user.id", "user_sessions.user_id")
    .select("user_sessions.*", "user.user")
    .orderBy("user.id");

  const totals = await sql("items")
    .select(
      sql.raw("(select count(*) from items) total"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))
    .leftJoin("tags_assign", "tags_assign.item_id", "items.id");

  res.reply({
    body: tpl.render("views/admin_sessions", {
      sessions: rows,
      totals: totals[0]
    }, req)
  });
});

router.get(/^\/admin\/test(\/)?$/, auth, async (req, res) => {
  let ret;
  const totals = await sql("items")
    .select(
      sql.raw("(select count(*) from items) total"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),
      sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))
    .leftJoin("tags_assign", "tags_assign.item_id", "items.id");

  if(Object.keys(req.url.qs).length > 0) {
    const tag = req.url.qs.tag;

    const rows = await sql("tags")
      .select("items.id", "items.username", "tags.tag")
      .leftJoin("tags_assign", "tags_assign.tag_id", "tags.id")
      .leftJoin("items", "items.id", "tags_assign.item_id")
      .where("tags.tag", "regexp", tag);

    ret = search(rows, tag);
  }

  res.reply({
    body: tpl.render("views/admin_search", {
      result: ret,
      totals: totals[0]
    }, req)
  });
});
admin stuff 2021-05-19 14:19:26 +02:00			`import router from "../router.mjs";`
			`import sql from "../sql.mjs";`
			`import tpl from "../tpl.mjs";`
			`import lib from "../lib.mjs";`
			`import util from "util";`
			`import crypto from "crypto";`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`import { auth } from "../meddlware.mjs";`
			`import search from "./inc/search.mjs";`
admin stuff 2021-05-19 14:19:26 +02:00
			`const scrypt = util.promisify(crypto.scrypt);`

			`const hash = async str => {`
			`const salt = crypto.randomBytes(16).toString("hex");`
			`const derivedKey = await scrypt(str, salt, 64);`
			`return "$f0ck$" + salt + ":" + derivedKey.toString("hex");`
			`};`

			`const verify = async (str, hash) => {`
			`const [ salt, key ] = hash.substring(6).split(":");`
			`const keyBuffer = Buffer.from(key, "hex");`
			`const derivedKey = await scrypt(str, salt, 64);`
			`return crypto.timingSafeEqual(keyBuffer, derivedKey);`
			`};`

			`const createID = () => crypto.randomBytes(16).toString("hex") + Date.now().toString(24);`

			`router.get(/^\/login(\/)?$/, async (req, res) => {`
			`if(req.cookies.session)`
			`return res.reply({ body: "du bist schon eingeloggt lol<pre>"+util.inspect(req.session)+"</pre>" });`
			`res.reply({`
			`body: tpl.render("views/login", {}, req)`
			`});`
			`});`

			`router.post(/^\/login(\/)?$/, async (req, res) => {`
			`const user = await sql("user").where("login", req.post.username.toLowerCase()).limit(1);`
			`if(user.length === 0)`
			`return res.reply({ body: "user doesn't exist or wrong password" });`
			`if(!(await verify(req.post.password, user[0].password)))`
			`return res.reply({ body: "user doesn't exist or wrong password" });`
			`const stamp = Date.now() / 1e3;`

			`const session = lib.md5(createID());`
			`await sql("user_sessions").insert({`
			`user_id: user[0].id,`
			`session: lib.md5(session),`
			`browser: req.headers["user-agent"],`
			`created_at: stamp,`
... 2021-06-24 05:10:55 +02:00			`last_used: stamp,`
			`last_action: "/login"`
admin stuff 2021-05-19 14:19:26 +02:00			`});`

			`return res.writeHead(301, {`
			`"Cache-Control": "no-cache, public",`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			"Set-Cookie": `session=${session}; Path=/; Expires=Fri, 31 Dec 9999 23:59:59 GMT`,
admin stuff 2021-05-19 14:19:26 +02:00			`"Location": "/"`
			`}).end();`
			`});`

sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`router.get(/^\/logout$/, auth, async (req, res) => {`
admin stuff 2021-05-19 14:19:26 +02:00			`const usersession = await sql("user_sessions").where("id", req.session.sess_id);`
			`if(usersession.length === 0)`
			`return res.reply({ body: "nope 2" });`

			`await sql("user_sessions").where("id", req.session.sess_id).del();`
			`return res.writeHead(301, {`
			`"Cache-Control": "no-cache, public",`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`"Set-Cookie": "session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT",`
admin stuff 2021-05-19 14:19:26 +02:00			`"Location": "/login"`
			`}).end();`
			`});`

			`router.get(/^\/login\/pwdgen$/, async (req, res) => {`
			`res.reply({`
			`body: "<form action=\"/login/pwdgen\" method=\"post\"><input type=\"text\" name=\"pwd\" placeholder=\"pwd\" /><input type=\"submit\" value=\"f0ck it\" /></form>"`
			`});`
			`});`
			`router.post(/^\/login\/pwdgen$/, async (req, res) => {`
			`res.reply({`
			`body: await hash(req.post.pwd)`
			`});`
			`});`

			`router.get(/^\/login\/test$/, async (req, res) => {`
			`res.reply({`
			`body: "<pre>" + util.inspect(req) + "</pre>"`
			`});`
			`});`

sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`router.get(/^\/admin(\/)?$/, auth, async (req, res) => { // frontpage`
... 2021-06-24 05:10:55 +02:00			`const totals = await sql("items")`
			`.select(`
			`sql.raw("(select count(*) from items) total"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))`
			`.leftJoin("tags_assign", "tags_assign.item_id", "items.id");`

admin stuff 2021-05-19 14:19:26 +02:00			`res.reply({`
... 2021-06-24 05:10:55 +02:00			`body: tpl.render("views/admin", { totals: totals[0] }, req)`
admin stuff 2021-05-19 14:19:26 +02:00			`});`
			`});`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00
			`router.get(/^\/admin\/sessions(\/)?$/, auth, async (req, res) => {`
			`const rows = await sql("user_sessions")`
			`.leftJoin("user", "user.id", "user_sessions.user_id")`
			`.select("user_sessions.*", "user.user")`
			`.orderBy("user.id");`

... 2021-06-24 05:10:55 +02:00			`const totals = await sql("items")`
			`.select(`
			`sql.raw("(select count(*) from items) total"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))`
			`.leftJoin("tags_assign", "tags_assign.item_id", "items.id");`

sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`res.reply({`
			`body: tpl.render("views/admin_sessions", {`
... 2021-06-24 05:10:55 +02:00			`sessions: rows,`
			`totals: totals[0]`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`}, req)`
			`});`
			`});`

			`router.get(/^\/admin\/test(\/)?$/, auth, async (req, res) => {`
			`let ret;`
... 2021-06-24 05:10:55 +02:00			`const totals = await sql("items")`
			`.select(`
			`sql.raw("(select count(*) from items) total"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 0) = 0, 1, 0)) untagged"),`
			`sql.raw("sum(if(ifnull(tags_assign.item_id, 1) = 1, 0, 1)) tagged"))`
			`.leftJoin("tags_assign", "tags_assign.item_id", "items.id");`

sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`if(Object.keys(req.url.qs).length > 0) {`
			`const tag = req.url.qs.tag;`

			`const rows = await sql("tags")`
			`.select("items.id", "items.username", "tags.tag")`
			`.leftJoin("tags_assign", "tags_assign.tag_id", "tags.id")`
			`.leftJoin("items", "items.id", "tags_assign.item_id")`
			`.where("tags.tag", "regexp", tag);`

			`ret = search(rows, tag);`
			`}`

			`res.reply({`
			`body: tpl.render("views/admin_search", {`
... 2021-06-24 05:10:55 +02:00			`result: ret,`
			`totals: totals[0]`
sirx: und weg damit :D 2021-05-25 14:44:35 +02:00			`}, req)`
			`});`
			`});`