move API routes as cleanup

2023-07-22 13:08:41 +02:00
parent 9c1002bc5e
commit 04827b1a39
36 changed files with 482 additions and 35 deletions
--- a/src/routes/api/user/admin/users/+server.ts
+++ b/src/routes/api/user/admin/users/+server.ts
@ -0,0 +1,23 @@
+import type { RequestHandler } from '@sveltejs/kit';
+import { error } from '@sveltejs/kit';
+
+import { dbConnect, dbDisconnect } from '../../../../../utils/db';
+import { User } from '../../../../../models/User';
+import { get_username } from '$lib/js/get_username';
+
+// header: use for bearer token for now
+// recipe json in body
+export const POST: RequestHandler = async ({cookies}) => {
+	const requesting_user = await get_username(cookies)
+	await dbConnect()
+	let res = await User.findOne({username: requesting_user}, 'access').lean()
+	if(!res.access.contains("admin")){
+		await dbDisconnect()
+		throw error(401, {message: "Your user does not have the permissions to do this"})
+	}
+	else{
+		let res = await User.find({}, 'username access').lean()
+		await dbDisconnect()
+		return { res }
+	}
+};
--- a/src/routes/api/user/change_pw/+server.ts
+++ b/src/routes/api/user/change_pw/+server.ts
@ -0,0 +1,40 @@
+import type { RequestHandler } from '@sveltejs/kit';
+import { error } from '@sveltejs/kit';
+import { hash }  from 'argon2';
+
+import { PEPPER } from '$env/static/private';
+
+import { User } from '../../../../models/User';
+import { dbConnect, dbDisconnect } from '../../../../utils/db';
+
+// header: use for bearer token for now
+// recipe json in body
+export const POST: RequestHandler = async ({request}) => {
+	const {username, old_password, new_password} = await request.json()
+	await dbConnect();
+	const salt = await User.findOne({username: username}, 'salt');
+	const pass_hash =  await hashPassword(old_password + PEPPER, salt)
+	try{
+		await User.updateOne({
+				username: username,
+				pass_hash: pass_hash,
+		})
+	}catch(e){
+		await dbDisconnect();
+		throw error(400, e);
+	}
+	await dbDisconnect();
+	return new Response(JSON.stringify({message: "User added successfully"}),
+			    	{status: 200}
+		);
+	}
+};
+
+async function hashPassword(password, salt) {
+  try {
+    const hashedPassword = await hash(password, salt); // Hash the password with the salt and pepper
+    return hashedPassword;
+  } catch (error) {
+    console.error('Error hashing password:', error);
+  }
+}
--- a/src/routes/api/user/login/+server.ts
+++ b/src/routes/api/user/login/+server.ts
@ -0,0 +1,46 @@
+import type { RequestHandler } from '@sveltejs/kit';
+import { error } from '@sveltejs/kit';
+import pkg from 'jsonwebtoken';
+const { sign } = pkg;
+import { verify} from 'argon2';
+import { COOKIE_SECRET } from '$env/static/private'
+import { PEPPER } from '$env/static/private'
+
+import { dbConnect, dbDisconnect } from '../../../../utils/db';
+import { User } from '../../../../models/User';
+
+// header: use for bearer token for now
+// recipe json in body
+export const POST: RequestHandler = async ({request}) => {
+	const {username, password} = await request.json()
+	await dbConnect()
+	let res = await User.findOne({username: username}, 'pass_hash salt').lean()
+	await dbDisconnect()
+	if(!res){
+		console.log("NOT FOUND")
+		throw error(401, {message: "wrong password or user does not exist"})
+	}
+
+	const stored_pw = res.pass_hash
+	const salt = res.salt
+
+	const isMatch = await verify(stored_pw, password + PEPPER, {salt})
+	if(!isMatch){
+		throw error(401, {message: "wrong password or user does not exist"})
+	}
+
+	res = await createJWT(username)
+	return new Response(JSON.stringify(res))
+};
+
+async function createJWT(username) {
+	const payload = {
+  	  username: username,
+  	};
+
+  	const masterSecret = COOKIE_SECRET;
+  	const secretKey = masterSecret;
+  	const jwt = sign(payload, secretKey);
+	console.log(jwt)
+  	return jwt
+}
--- a/src/routes/api/user/register/+server.ts
+++ b/src/routes/api/user/register/+server.ts
@ -0,0 +1,50 @@
+import type { RequestHandler } from '@sveltejs/kit';
+import { error } from '@sveltejs/kit';
+import { hash }  from 'argon2';
+import { randomBytes } from 'crypto';
+import { ALLOW_REGISTRATION } from '$env/static/private';
+import { PEPPER } from '$env/static/private';
+
+import { User } from '../../../../models/User';
+import { dbConnect, dbDisconnect } from '../../../../utils/db';
+
+// header: use for bearer token for now
+// recipe json in body
+export const POST: RequestHandler = async ({request}) => {
+	if(ALLOW_REGISTRATION){
+		const {username, password} = await request.json()
+		const salt = randomBytes(32).toString('hex'); // Generate a random salt
+
+		const pass_hash =  await hashPassword(password + PEPPER, salt)
+		await dbConnect();
+		try{
+			await User.create({
+					username: username,
+					pass_hash: pass_hash,
+					salt: salt,
+					access: [],
+			})
+		}catch(e){
+			await dbDisconnect();
+			throw error(400, e);
+		}
+		await dbDisconnect();
+		return new Response(JSON.stringify({message: "User added successfully"}),
+				    	{status: 200}
+			);
+	}
+	else{
+		throw error(401, "user registration currently closed")
+	}
+
+
+};
+
+async function hashPassword(password, salt) {
+  try {
+    const hashedPassword = await hash(password, salt); // Hash the password with the salt and pepper
+    return hashedPassword;
+  } catch (error) {
+    console.error('Error hashing password:', error);
+  }
+}