Skip to content
Snippets Groups Projects
Commit 712ecfa1 authored by alec.schmidt's avatar alec.schmidt
Browse files

admin perms fix and routes more safe

parent 063fc1c8
No related branches found
No related tags found
No related merge requests found
No preview for this file type
......@@ -33,7 +33,6 @@ export type Answer_t = {
}
export type Category_t = {
id: number;
category: string;
};
......@@ -59,7 +58,7 @@ class DBHandler {
if (usernameInDB.length == 0)
return false;
return (usernameInDB[0].username == username);
return (usernameInDB[0].username === username);
}
async verifyQuestionExistence(question:string) : Promise<boolean> {
......@@ -76,6 +75,12 @@ class DBHandler {
return (password[0].password == user.password);
}
async getUserById(id: number) : Promise<User_t> {
const query = "SELECT username, password, admin FROM users WHERE id="+id;
const user = await asyncdb.get<User_t>(query);
return user;
}
async getUsers(res:express.Response) {
const query = "SELECT id, username, admin FROM users";
asyncdb.all(query)
......@@ -92,7 +97,7 @@ class DBHandler {
a.admin = false;
const query = "INSERT INTO users (username, password, admin) \
VALUES ('" + a.username + "','" + a.password + "','" + a.admin +"')";
VALUES ('" + a.username + "','" + a.password + "'," + a.admin +")";
asyncdb.all(query)
.then( () => res.status(StatusCodes.OK))
......@@ -103,7 +108,7 @@ class DBHandler {
const a = req.body as User_t;
const request = "UPDATE users \
SET username = '"+ a.username + "', admin = '" + a.admin + "' WHERE id = " + req.params.id;
SET username = '"+ a.username + "', admin =" + a.admin + " WHERE id = " + req.params.id;
asyncdb.all(request)
.then(() => res.status(StatusCodes.OK).end())
......@@ -158,7 +163,7 @@ class DBHandler {
let questions = await asyncdb.all(query);
let ans = await asyncdb.all(query_answers);
// let ans = await asyncdb.all(query_answers);
// let payload = {
// QUESTIONS: questions,
......@@ -205,7 +210,7 @@ class DBHandler {
async deleteCategory(req:express.Request, res:express.Response) {
const a = req.body as Category_t;
const request = "DELETE FROM category WHERE id = " + a.id;
const request = "DELETE FROM category WHERE title = '" + a.category + "'";
asyncdb.all(request)
.then(() => res.status(StatusCodes.OK).end())
.catch(e => console.log(e));
......
......@@ -10,7 +10,6 @@ import multer from 'multer';
import Config from '../config/Config';
import BaseRoutes from '../routes/BaseRoutes';
import ServerIO from '../socket.io/ServerIO';
import DBHandler from '../database/Database';
export class Server {
private readonly backend: Express;
......
......@@ -2,8 +2,8 @@ import express from 'express';
import { StatusCodes } from 'http-status-codes';
import DBHandler from '../database/Database';
import { User_t, Question_t } from '../database/Database';
import { Jwt } from 'jsonwebtoken';
import { userInfo } from 'os';
import { param } from 'express-validator';
const ROUTE:string = '/API/v1';
......@@ -21,8 +21,8 @@ function generateToken(user: User_t) {
return jwt.sign(payload, process.env.TOKEN_SECRET);
}
function isAdmin(token: string): Boolean {
let adminToken: Boolean;
function isAdmin(token: string): boolean {
let adminToken: boolean;
if (token == null) return false;
jwt.verify(token, process.env.TOKEN_SECRET, (err:any, user:User_t) => {
......@@ -41,7 +41,6 @@ function tokenDecode(req: express.Request): User_t {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1]
jwt.verify(token, process.env.TOKEN_SECRET, (err:any, user:User_t) => {
// console.log(err);
if (err) user_data = undefined;
else
......@@ -55,6 +54,10 @@ function tokenDecode(req: express.Request): User_t {
router.post(ROUTE+'/user', (req: express.Request, res: express.Response) => {
const a = req.body as User_t;
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1]
if (a.admin && !isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end();
if (a.username === undefined ||
a.password === undefined) {
......@@ -87,36 +90,48 @@ router.get(ROUTE+'/user', (req: express.Request, res: express.Response) => {
router.patch(ROUTE+'/user/:id', (req: express.Request, res: express.Response) => {
const a = req.body as User_t;
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1]
const id: number = +req.params.id;
// if (a.username === undefined ||
// a.password === undefined ||
// a.type === undefined) {
if (a.admin && !isAdmin(token))
res.status(StatusCodes.UNAUTHORIZED).end();
// res.statusMessage = "invalid JSON";
// res.status(StatusCodes.BAD_REQUEST).end();
// return;
// }
if (a.username === undefined ||
a.admin === undefined) {
console.log(a);
res.statusMessage = "invalid JSON";
res.status(StatusCodes.BAD_REQUEST).end();
return;
}
if (a.admin === true)
if (!isAdmin(req.headers['authorization'] && req.headers['authorization'].split(' ')[1]))
res.status(StatusCodes.UNAUTHORIZED).end();
const user = tokenDecode(req);
DBHandler.getUserById(id).then(user => {
if (!isAdmin(token))
user = tokenDecode(req);
if (a.username != user.username)
if (a.username !== user.username)
DBHandler.verifyUsernameExistence(a.username)
.then(exists => {
if(exists)
return res.status(StatusCodes.CONFLICT).end();
})
DBHandler.updateUser(req, res);
})
});
router.delete(ROUTE+"/user/:id", (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
const id: number = +req.params.id;
if(!isAdmin(token)) {
DBHandler.getUserById(id)
.then(user => {
if (user.username !== tokenDecode(req).username)
return res.status(StatusCodes.UNAUTHORIZED).end();
})
}
DBHandler.deleteUser(req, res);
})
......@@ -127,12 +142,11 @@ router.post(ROUTE+'/question', (req: express.Request, res: express.Response) =>
if (a.question === undefined ||
a.category === undefined) {
res.statusCode = 400;
res.statusMessage = "invalid JSON";
res.end();
return;
return res.status(StatusCodes.BAD_REQUEST).end();
}
DBHandler.verifyQuestionExistence(a.question)
.then(exists => {
if (exists) {
......@@ -151,10 +165,19 @@ router.get(ROUTE+'/question', (req: express.Request, res: express.Response) => {
})
router.patch(ROUTE+'/question/:id', (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
if(!isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end()
DBHandler.updateQuestion(req, res);
})
router.delete(ROUTE+'/question/:id', (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
if(!isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end();
DBHandler.deleteQuestion(req, res);
})
......@@ -165,12 +188,20 @@ router.get(ROUTE+'/answer/:questionId', (req: express.Request, res: express.Resp
})
router.post(ROUTE+'/answer', (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
if(!isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end();
DBHandler.postAnwsers(req, res);
})
// CATEGORIES CRUD
router.post(ROUTE+'/category', (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
if(!isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end();
DBHandler.postCategory(req, res);
})
......@@ -179,6 +210,10 @@ router.get(ROUTE+'/category', (req: express.Request, res: express.Response) => {
})
router.delete(ROUTE+"/category", (req: express.Request, res: express.Response) => {
const token = req.headers['authorization'] && req.headers['authorization'].split(' ')[1];
if(!isAdmin(token))
return res.status(StatusCodes.UNAUTHORIZED).end();
DBHandler.deleteCategory(req, res);
})
......
......@@ -4,6 +4,8 @@ import { Answer, QandA, Question, User } from '../Types/types';
import { UsersService } from '../services/users.service';
import { QuestionsService } from '../services/questions.service';
import { Subscription } from 'rxjs';
import { AuthenticationService } from '../services/authentication.service';
import { Router } from '@angular/router';
@Component({
selector: 'app-admin',
......@@ -15,8 +17,6 @@ export class AdminComponent implements OnInit {
public users!: User[];
public questions!: Question[];
public answers!: Answer[];
private usersSub!: Subscription;
private questionsSub!: Subscription;
userToEdit!: User;
modalUpdate: boolean = false;
......@@ -24,19 +24,22 @@ export class AdminComponent implements OnInit {
modalQuestionCreate: boolean = false;
constructor(
private http: HttpClient,
private router: Router,
private userController: UsersService,
private questionController: QuestionsService) { }
private questionController: QuestionsService,
private auth: AuthenticationService) { }
ngOnInit(): void {
if(!this.auth.isAdmin())
this.router.navigateByUrl("/");
this.usersSub = this.userController.users.subscribe(userList => {
this.userController.users.subscribe(userList => {
this.users = userList;
});
this.userController.fetchUsers();
this.questionsSub = this.questionController.questions.subscribe(questionList => {
this.questionController.questions.subscribe(questionList => {
this.questions = questionList;
})
......
......@@ -4,7 +4,7 @@
<h2 class="mr-6 border-2 border-transparent font-bold">Navbar</h2>
<div>
<button class="mr-4 border-2 border-transparent hover:border-solid hover:border-white hover:border-2 hover:rounded-lg px-2" (click)="router.navigateByUrl('/');">Home</button>
<button class="border-2 border-transparent hover:border-solid hover:border-white hover:border-2 hover:rounded-lg px-2" *ngIf="auth.isAdmin()" (click)="router.navigateByUrl('/admin')">Dashboard</button>
<button class="border-2 border-transparent hover:border-solid hover:border-white hover:border-2 hover:rounded-lg px-2" *ngIf="this.auth.isAdmin()" (click)="router.navigateByUrl('/admin')">Dashboard</button>
</div>
</div>
<div class="flex flex-row">
......
......@@ -13,4 +13,10 @@ export class AppComponent {
constructor(
public router: Router,
public auth: AuthenticationService) {}
dashboardButton(): boolean {
console.log(this.auth.isAdmin())
return this.auth.isAdmin();
}
}
......@@ -20,10 +20,6 @@ export class AuthenticationService {
username, password
}
const headers = new Headers({
'Content-Type': 'application/json'
});
this.http.post('http://0.0.0.0:30992/API/v1/login', body, {observe: 'response'})
.subscribe(res => {
if(res.ok) {
......@@ -54,7 +50,7 @@ export class AuthenticationService {
}
}
isAdmin(): Boolean {
isAdmin(): boolean {
const user = this.getDecodedAccessToken() as User;
if (user === null)
......
......@@ -24,6 +24,7 @@ export class UsersService {
}
addUser(user: User) {
this.http.post<User>(ROUTE, user).subscribe(() => {
this.auth.login(user.username, user.password);
});
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment