fair-web/modules/api.js

/*
 *  This file is part of SYZOJ.
 *
 *  Copyright (c) 2016 Menci <huanghaorui301@gmail.com>
 *
 *  SYZOJ is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU Affero General Public License as
 *  published by the Free Software Foundation, either version 3 of the
 *  License, or (at your option) any later version.
 *
 *  SYZOJ is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU Affero General Public License for more details.
 *
 *  You should have received a copy of the GNU Affero General Public
 *  License along with SYZOJ. If not, see <http://www.gnu.org/licenses/>.
 */

'use strict';

let User = syzoj.model('user');
let Problem = syzoj.model('problem');
let File = syzoj.model('file');
const Email = require('../libs/email');
const jwt = require('jsonwebtoken');

function setLoginCookie(username, password, res) {
  res.cookie('login', JSON.stringify([username, password]));
}

// Login
app.post('/api/login', async (req, res) => {
  try {
    res.setHeader('Content-Type', 'application/json');
    let user = await User.fromName(req.body.username);

    if (!user) res.send({ error_code: 1001 });
    else if (user.password == null || user.password === '') res.send({ error_code: 1003 });
    else if (user.password !== req.body.password) res.send({ error_code: 1002 });
    else {
      req.session.user_id = user.id;
      setLoginCookie(user.username, user.password, res);
      res.send({ error_code: 1 });
    }
  } catch (e) {
    syzoj.log(e);
    res.send({ error_code: e });
  }
});

app.post('/api/forget', async (req, res) => {
  try {
    res.setHeader('Content-Type', 'application/json');
    let user = await User.fromEmail(req.body.email);
    if (!user) res.send({ error_code: 1001 });
    let sendObj = {
      userId: user.id,
    };

    const token = jwt.sign(sendObj, syzoj.config.email.key, {
      subject: 'forget',
      expiresIn: '12h'
    });

    const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'forget_confirm'], { token: token });
    try {
      await Email.send(user.email,
        `${user.username} 的 ${syzoj.config.title} 密码重置邮件`,
        `<p>请点击该链接来重置密码：</p><p><a href="${vurl}">${vurl}</a></p><p>链接有效期为 12h。如果您不是 ${user.username}，请忽略此邮件。</p>`
      );
    } catch (e) {
      return res.send({
        error_code: 2010,
        message: require('util').inspect(e)
      });
    }

    throw 123;
    res.send({ error_code: 1 });
  } catch (e) {
    syzoj.log(e);
    res.send(JSON.stringify({ error_code: e }));
  }
});

// Sign up
app.post('/api/sign_up', async (req, res) => {
  try {
    res.setHeader('Content-Type', 'application/json');
    let user = await User.fromName(req.body.username);
    if (user) throw 2008;
    user = await User.findOne({ where: { email: req.body.email } });
    if (user) throw 2009;


    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
    // the empty password 's md5 will equal "59cb.."
    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
    if (req.body.password === syzoj2_xxx_md5) throw 2007;
    if (!(req.body.email = req.body.email.trim())) throw 2006;
    if (!syzoj.utils.isValidUsername(req.body.username)) throw 2002;

    if (syzoj.config.register_mail) {
      let sendObj = {
        username: req.body.username,
        password: req.body.password,
        email: req.body.email,
      };

      const token = jwt.sign(sendObj, syzoj.config.email.key, {
        subject: 'register',
        expiresIn: '2d'
      });

      const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'sign_up_confirm'], { token: token });
      try {
        await Email.send(req.body.email,
          `${req.body.username} 的 ${syzoj.config.title} 注册验证邮件`,
          `<p>请点击该链接完成您在 ${syzoj.config.title} 的注册：</p><p><a href="${vurl}">${vurl}</a></p><p>如果您不是 ${req.body.username}，请忽略此邮件。</p>`
        );
      } catch (e) {
        return res.send({
          error_code: 2010,
          message: require('util').inspect(e)
        });
      }

      res.send(JSON.stringify({ error_code: 2 }));
    } else {
      user = await User.create({
        username: req.body.username,
        password: req.body.password,
        email: req.body.email,
        public_email: true
      });
      await user.save();

      req.session.user_id = user.id;
      setLoginCookie(user.username, user.password, res);

      res.send(JSON.stringify({ error_code: 1 }));
    }
  } catch (e) {
    syzoj.log(e);
    res.send(JSON.stringify({ error_code: e }));
  }
});

app.get('/api/forget_confirm', async (req, res) => {
  try {
    try {
      jwt.verify(req.query.token, syzoj.config.email.key, { subject: 'forget' });
    } catch (e) {
      throw new ErrorMessage("Token 不正确。");
    }
    res.render('forget_confirm', {
      token: req.query.token
    });
  } catch (e) {
    syzoj.log(e);
    res.render('error', {
      err: e
    });
  }
});

app.post('/api/reset_password', async (req, res) => {
  try {
    res.setHeader('Content-Type', 'application/json');
    let obj;
    try {
      obj = jwt.verify(req.body.token, syzoj.config.email.key, { subject: 'forget' });
    } catch (e) {
      throw 3001;
    }

    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
    if (req.body.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
    const user = await User.fromID(obj.userId);
    user.password = req.body.password;
    await user.save();

    res.send(JSON.stringify({ error_code: 1 }));
  } catch (e) {
    syzoj.log(e);
    if (typeof e === 'number') {
      res.send(JSON.stringify({ error_code: e }));
    } else {
      res.send(JSON.stringify({ error_code: 1000 }));
    }
  }
});

app.get('/api/sign_up_confirm', async (req, res) => {
  try {
    let obj;
    try {
      obj = jwt.verify(req.query.token, syzoj.config.email.key, { subject: 'register' });
    } catch (e) {
      throw new ErrorMessage('无效的注册验证链接: ' + e.toString());
    }

    let user = await User.fromName(obj.username);
    if (user) throw new ErrorMessage('用户名已被占用。');
    user = await User.findOne({ where: { email: obj.email } });
    if (user) throw new ErrorMessage('邮件地址已被占用。');

    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
    // the empty password 's md5 will equal "59cb.."
    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
    if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
    if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');
    if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');

    user = await User.create({
      username: obj.username,
      password: obj.password,
      email: obj.email,
      public_email: true
    });
    await user.save();

    req.session.user_id = user.id;
    setLoginCookie(user.username, user.password, res);

    res.redirect(obj.prevUrl || '/');
  } catch (e) {
    syzoj.log(e);
    res.render('error', {
      err: e
    });
  }
});

// Obslete!!!
app.get('/api/sign_up/:token', async (req, res) => {
  try {
    let obj;
    try {
      let decrypted = syzoj.utils.decrypt(Buffer.from(req.params.token, 'base64'), syzoj.config.email.key).toString();
      obj = JSON.parse(decrypted);
    } catch (e) {
      throw new ErrorMessage('无效的注册验证链接。');
    }

    let user = await User.fromName(obj.username);
    if (user) throw new ErrorMessage('用户名已被占用。');
    user = await User.findOne({ where: { email: obj.email } });
    if (user) throw new ErrorMessage('邮件地址已被占用。');

    // Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."
    // the empty password 's md5 will equal "59cb.."
    let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';
    if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');
    if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');
    if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');

    user = await User.create({
      username: obj.username,
      password: obj.password,
      email: obj.email,
      public_email: true
    });
    await user.save();

    req.session.user_id = user.id;
    setLoginCookie(user.username, user.password, res);

    res.redirect(obj.prevUrl || '/');
  } catch (e) {
    syzoj.log(e);
    res.render('error', {
      err: e
    });
  }
});

// Markdown
app.post('/api/markdown', async (req, res) => {
  try {
    let s = await syzoj.utils.markdown(req.body.s.toString());
    res.send(s);
  } catch (e) {
    syzoj.log(e);
    res.send(e);
  }
});

app.get('/static/uploads/answer/:md5', async (req, res) => {
  try {
    res.sendFile(File.resolvePath('answer', req.params.md5));
  } catch (e) {
    res.status(500).send(e);
  }
});
Initial commit 8 years ago			`/*`
			`* This file is part of SYZOJ.`
			`*`
			`* Copyright (c) 2016 Menci <huanghaorui301@gmail.com>`
			`*`
			`* SYZOJ is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU Affero General Public License as`
			`* published by the Free Software Foundation, either version 3 of the`
			`* License, or (at your option) any later version.`
			`*`
			`* SYZOJ is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU Affero General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public`
			`* License along with SYZOJ. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`'use strict';`

			`let User = syzoj.model('user');`
			`let Problem = syzoj.model('problem');`
Add non-traditional problem support; add problem additional_file 7 years ago			`let File = syzoj.model('file');`
Implement forget password. 7 years ago			`const Email = require('../libs/email');`
			`const jwt = require('jsonwebtoken');`
Initial commit 8 years ago
Fix login will expire 8 years ago			`function setLoginCookie(username, password, res) {`
			`res.cookie('login', JSON.stringify([username, password]));`
			`}`

Initial commit 8 years ago			`// Login`
			`app.post('/api/login', async (req, res) => {`
			`try {`
			`res.setHeader('Content-Type', 'application/json');`
			`let user = await User.fromName(req.body.username);`

			`if (!user) res.send({ error_code: 1001 });`
Show a notice when the user doesn't have a password. 7 years ago			`else if (user.password == null \|\| user.password === '') res.send({ error_code: 1003 });`
Initial commit 8 years ago			`else if (user.password !== req.body.password) res.send({ error_code: 1002 });`
			`else {`
			`req.session.user_id = user.id;`
Fix login will expire 8 years ago			`setLoginCookie(user.username, user.password, res);`
Initial commit 8 years ago			`res.send({ error_code: 1 });`
			`}`
			`} catch (e) {`
			`syzoj.log(e);`
			`res.send({ error_code: e });`
			`}`
			`});`

Implement forget password. 7 years ago			`app.post('/api/forget', async (req, res) => {`
			`try {`
			`res.setHeader('Content-Type', 'application/json');`
			`let user = await User.fromEmail(req.body.email);`
			`if (!user) res.send({ error_code: 1001 });`
			`let sendObj = {`
			`userId: user.id,`
			`};`

Finish email. 7 years ago			`const token = jwt.sign(sendObj, syzoj.config.email.key, {`
Implement forget password. 7 years ago			`subject: 'forget',`
			`expiresIn: '12h'`
			`});`

			`const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'forget_confirm'], { token: token });`
			`try {`
Finish email. 7 years ago			`await Email.send(user.email,`
			`${user.username} 的 ${syzoj.config.title} 密码重置邮件`,
			`<p>请点击该链接来重置密码：</p><p><a href="${vurl}">${vurl}</a></p><p>链接有效期为 12h。如果您不是 ${user.username}，请忽略此邮件。</p>`
Implement forget password. 7 years ago			`);`
			`} catch (e) {`
			`return res.send({`
			`error_code: 2010,`
			`message: require('util').inspect(e)`
			`});`
			`}`

Finish email. 7 years ago			`throw 123;`
			`res.send({ error_code: 1 });`
Implement forget password. 7 years ago			`} catch (e) {`
			`syzoj.log(e);`
			`res.send(JSON.stringify({ error_code: e }));`
			`}`
			`});`

Initial commit 8 years ago			`// Sign up`
			`app.post('/api/sign_up', async (req, res) => {`
			`try {`
			`res.setHeader('Content-Type', 'application/json');`
			`let user = await User.fromName(req.body.username);`
			`if (user) throw 2008;`
Add optional email address verification 7 years ago			`user = await User.findOne({ where: { email: req.body.email } });`
			`if (user) throw 2009;`

Initial commit 8 years ago
			`// Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."`
			`// the empty password 's md5 will equal "59cb.."`
			`let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';`
			`if (req.body.password === syzoj2_xxx_md5) throw 2007;`
			`if (!(req.body.email = req.body.email.trim())) throw 2006;`
Allow admin to edit username 8 years ago			`if (!syzoj.utils.isValidUsername(req.body.username)) throw 2002;`
Initial commit 8 years ago
Finish email. 7 years ago			`if (syzoj.config.register_mail) {`
Add optional email address verification 7 years ago			`let sendObj = {`
			`username: req.body.username,`
			`password: req.body.password,`
			`email: req.body.email,`
			`};`
Implement forget password. 7 years ago
Finish email. 7 years ago			`const token = jwt.sign(sendObj, syzoj.config.email.key, {`
Implement forget password. 7 years ago			`subject: 'register',`
			`expiresIn: '2d'`
			`});`

			`const vurl = req.protocol + '://' + req.get('host') + syzoj.utils.makeUrl(['api', 'sign_up_confirm'], { token: token });`
Add optional email address verification 7 years ago			`try {`
Implement forget password. 7 years ago			`await Email.send(req.body.email,`
			`${req.body.username} 的 ${syzoj.config.title} 注册验证邮件`,
			`<p>请点击该链接完成您在 ${syzoj.config.title} 的注册：</p><p><a href="${vurl}">${vurl}</a></p><p>如果您不是 ${req.body.username}，请忽略此邮件。</p>`
			`);`
Add optional email address verification 7 years ago			`} catch (e) {`
Add register mail send error message 7 years ago			`return res.send({`
			`error_code: 2010,`
			`message: require('util').inspect(e)`
			`});`
Add optional email address verification 7 years ago			`}`

			`res.send(JSON.stringify({ error_code: 2 }));`
			`} else {`
			`user = await User.create({`
			`username: req.body.username,`
			`password: req.body.password,`
Add public_email option for user 7 years ago			`email: req.body.email,`
			`public_email: true`
Add optional email address verification 7 years ago			`});`
			`await user.save();`

			`req.session.user_id = user.id;`
			`setLoginCookie(user.username, user.password, res);`

			`res.send(JSON.stringify({ error_code: 1 }));`
			`}`
			`} catch (e) {`
			`syzoj.log(e);`
			`res.send(JSON.stringify({ error_code: e }));`
			`}`
			`});`

Implement forget password. 7 years ago			`app.get('/api/forget_confirm', async (req, res) => {`
			`try {`
Finish email. 7 years ago			`try {`
			`jwt.verify(req.query.token, syzoj.config.email.key, { subject: 'forget' });`
			`} catch (e) {`
			`throw new ErrorMessage("Token 不正确。");`
			`}`
Implement forget password. 7 years ago			`res.render('forget_confirm', {`
			`token: req.query.token`
			`});`
			`} catch (e) {`
			`syzoj.log(e);`
			`res.render('error', {`
			`err: e`
			`});`
			`}`
			`});`

			`app.post('/api/reset_password', async (req, res) => {`
			`try {`
Finish email. 7 years ago			`res.setHeader('Content-Type', 'application/json');`
Implement forget password. 7 years ago			`let obj;`
			`try {`
Finish email. 7 years ago			`obj = jwt.verify(req.body.token, syzoj.config.email.key, { subject: 'forget' });`
Implement forget password. 7 years ago			`} catch (e) {`
			`throw 3001;`
			`}`

			`let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';`
Finish email. 7 years ago			`if (req.body.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');`
			`const user = await User.fromID(obj.userId);`
			`user.password = req.body.password;`
Implement forget password. 7 years ago			`await user.save();`

			`res.send(JSON.stringify({ error_code: 1 }));`
			`} catch (e) {`
			`syzoj.log(e);`
Finish email. 7 years ago			`if (typeof e === 'number') {`
			`res.send(JSON.stringify({ error_code: e }));`
			`} else {`
			`res.send(JSON.stringify({ error_code: 1000 }));`
			`}`
Implement forget password. 7 years ago			`}`
			`});`

			`app.get('/api/sign_up_confirm', async (req, res) => {`
			`try {`
			`let obj;`
			`try {`
Finish email. 7 years ago			`obj = jwt.verify(req.query.token, syzoj.config.email.key, { subject: 'register' });`
Implement forget password. 7 years ago			`} catch (e) {`
Finish email. 7 years ago			`throw new ErrorMessage('无效的注册验证链接: ' + e.toString());`
Implement forget password. 7 years ago			`}`

			`let user = await User.fromName(obj.username);`
			`if (user) throw new ErrorMessage('用户名已被占用。');`
			`user = await User.findOne({ where: { email: obj.email } });`
			`if (user) throw new ErrorMessage('邮件地址已被占用。');`

			`// Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."`
			`// the empty password 's md5 will equal "59cb.."`
			`let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';`
			`if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');`
			`if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');`
			`if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');`

			`user = await User.create({`
			`username: obj.username,`
			`password: obj.password,`
			`email: obj.email,`
			`public_email: true`
			`});`
			`await user.save();`

			`req.session.user_id = user.id;`
			`setLoginCookie(user.username, user.password, res);`

			`res.redirect(obj.prevUrl \|\| '/');`
			`} catch (e) {`
			`syzoj.log(e);`
			`res.render('error', {`
			`err: e`
			`});`
			`}`
			`});`

			`// Obslete!!!`
Add optional email address verification 7 years ago			`app.get('/api/sign_up/:token', async (req, res) => {`
			`try {`
			`let obj;`
			`try {`
Finish email. 7 years ago			`let decrypted = syzoj.utils.decrypt(Buffer.from(req.params.token, 'base64'), syzoj.config.email.key).toString();`
Add optional email address verification 7 years ago			`obj = JSON.parse(decrypted);`
			`} catch (e) {`
			`throw new ErrorMessage('无效的注册验证链接。');`
			`}`

			`let user = await User.fromName(obj.username);`
			`if (user) throw new ErrorMessage('用户名已被占用。');`
			`user = await User.findOne({ where: { email: obj.email } });`
			`if (user) throw new ErrorMessage('邮件地址已被占用。');`

			`// Because the salt is "syzoj2_xxx" and the "syzoj2_xxx" 's md5 is"59cb..."`
			`// the empty password 's md5 will equal "59cb.."`
			`let syzoj2_xxx_md5 = '59cb65ba6f9ad18de0dcd12d5ae11bd2';`
			`if (obj.password === syzoj2_xxx_md5) throw new ErrorMessage('密码不能为空。');`
			`if (!(obj.email = obj.email.trim())) throw new ErrorMessage('邮件地址不能为空。');`
			`if (!syzoj.utils.isValidUsername(obj.username)) throw new ErrorMessage('用户名不合法。');`

Initial commit 8 years ago			`user = await User.create({`
Add optional email address verification 7 years ago			`username: obj.username,`
			`password: obj.password,`
Add public_email option for user 7 years ago			`email: obj.email,`
			`public_email: true`
Initial commit 8 years ago			`});`
			`await user.save();`

			`req.session.user_id = user.id;`
Fix login will expire 8 years ago			`setLoginCookie(user.username, user.password, res);`

Add optional email address verification 7 years ago			`res.redirect(obj.prevUrl \|\| '/');`
Initial commit 8 years ago			`} catch (e) {`
			`syzoj.log(e);`
Add optional email address verification 7 years ago			`res.render('error', {`
			`err: e`
			`});`
Initial commit 8 years ago			`}`
			`});`

			`// Markdown`
			`app.post('/api/markdown', async (req, res) => {`
			`try {`
			`let s = await syzoj.utils.markdown(req.body.s.toString());`
			`res.send(s);`
			`} catch (e) {`
			`syzoj.log(e);`
			`res.send(e);`
			`}`
			`});`

Add non-traditional problem support; add problem additional_file 7 years ago			`app.get('/static/uploads/answer/:md5', async (req, res) => {`
Initial commit 8 years ago			`try {`
Add non-traditional problem support; add problem additional_file 7 years ago			`res.sendFile(File.resolvePath('answer', req.params.md5));`
Initial commit 8 years ago			`} catch (e) {`
			`res.status(500).send(e);`
			`}`
Add lock on somewhere 7 years ago			`});`