First fully working user management, move to layout groups
This commit is contained in:
@ -1,28 +1,30 @@
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { Recipe } from '../../../models/Recipe';
|
||||
import { dbConnect, dbDisconnect } from '../../../utils/db';
|
||||
import type {RecipeModelType} from '../../../types/types';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { authenticateUser } from '$lib/js/authenticate';;
|
||||
// header: use for bearer token for now
|
||||
// recipe json in body
|
||||
export const POST: RequestHandler = async ({request}) => {
|
||||
let message = await request.json()
|
||||
const recipe_json = message.recipe
|
||||
const bearer_token = message.headers.bearer
|
||||
if(bearer_token === BEARER_TOKEN){
|
||||
await dbConnect();
|
||||
try{
|
||||
await Recipe.create(recipe_json);
|
||||
} catch(e){
|
||||
throw error(400, e)
|
||||
}
|
||||
await dbDisconnect();
|
||||
return new Response(JSON.stringify({msg: "Added recipe successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
export const POST: RequestHandler = async ({request, cookies}) => {
|
||||
let message = await request.json()
|
||||
const recipe_json = message.recipe
|
||||
const user = await authenticateUser(cookies)
|
||||
if(!user){
|
||||
throw error(401, "Not logged in")
|
||||
}
|
||||
if(!user.access.includes("rezepte")){
|
||||
throw error(401, "This user does not have permissions to add recipes")
|
||||
}
|
||||
else{
|
||||
await dbConnect();
|
||||
try{
|
||||
await Recipe.create(recipe_json);
|
||||
} catch(e){
|
||||
throw error(400, e)
|
||||
}
|
||||
await dbDisconnect();
|
||||
return new Response(JSON.stringify({msg: "Added recipe successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
};
|
||||
|
||||
@ -2,23 +2,22 @@ import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { Recipe } from '../../../models/Recipe';
|
||||
import { dbConnect, dbDisconnect } from '../../../utils/db';
|
||||
import type {RecipeModelType} from '../../../types/types';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { authenticateUser } from '$lib/js/authenticate';
|
||||
// header: use for bearer token for now
|
||||
// recipe json in body
|
||||
export const POST: RequestHandler = async ({request}) => {
|
||||
let message = await request.json()
|
||||
const short_name = message.old_short_name
|
||||
const bearer_token = message.headers.bearer
|
||||
if(bearer_token === BEARER_TOKEN){
|
||||
await dbConnect();
|
||||
export const POST: RequestHandler = async ({request, cookies}) => {
|
||||
let message = await request.json()
|
||||
|
||||
const user = await authenticateUser(cookies)
|
||||
if(!user) throw error(401, "Need to be logged in")
|
||||
if(!user.access.includes("rezepte")) throw error(401, "Insufficient permissions")
|
||||
|
||||
const short_name = message.old_short_name
|
||||
await dbConnect();
|
||||
await Recipe.findOneAndDelete({short_name: short_name});
|
||||
await dbDisconnect();
|
||||
return new Response(JSON.stringify({msg: "Deleted recipe successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,16 +2,23 @@ import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { Recipe } from '../../../models/Recipe';
|
||||
import { dbConnect, dbDisconnect } from '../../../utils/db';
|
||||
import type {RecipeModelType} from '../../../types/types';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { authenticateUser } from '$lib/js/authenticate';
|
||||
// header: use for bearer token for now
|
||||
// recipe json in body
|
||||
export const POST: RequestHandler = async ({request}) => {
|
||||
export const POST: RequestHandler = async ({request, cookies}) => {
|
||||
let message = await request.json()
|
||||
const recipe_json = message.recipe
|
||||
const bearer_token = message.headers.bearer
|
||||
if(bearer_token === BEARER_TOKEN){
|
||||
await dbConnect();
|
||||
const user = await authenticateUser(cookies)
|
||||
console.log(user)
|
||||
if(!user){
|
||||
throw error(403, "Not logged in")
|
||||
}
|
||||
else if(!user.access.includes("rezepte")){
|
||||
throw error(403, "This user does not have edit permissions for recipes")
|
||||
}
|
||||
else{
|
||||
await dbConnect();
|
||||
await Recipe.findOneAndUpdate({short_name: message.old_short_name }, recipe_json);
|
||||
await dbDisconnect();
|
||||
return new Response(JSON.stringify({msg: "Edited recipe successfully"}),{
|
||||
@ -19,7 +26,4 @@ export const POST: RequestHandler = async ({request}) => {
|
||||
});
|
||||
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
};
|
||||
|
||||
@ -1,13 +1,15 @@
|
||||
import path from 'path'
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { IMAGE_DIR } from '$env/static/private'
|
||||
import sharp from 'sharp';
|
||||
import { authenticateUser } from '$lib/js/authenticate';
|
||||
|
||||
export const POST = (async ({ request }) => {
|
||||
const data = await request.json();
|
||||
if(data.bearer === BEARER_TOKEN){
|
||||
export const POST = (async ({ request, cookies }) => {
|
||||
const data = await request.json();
|
||||
const user = await authenticateUser(cookies)
|
||||
if (!user) throw error(401, "Need to be logged in")
|
||||
if (!user.access.includes("rezepte")) throw error(401, "You don't have sufficient permissions for this")
|
||||
let full_res = new Buffer.from(data.image, 'base64')
|
||||
// reduce image size if over 500KB
|
||||
const MAX_SIZE_KB = 500
|
||||
@ -41,9 +43,4 @@ export const POST = (async ({ request }) => {
|
||||
return new Response(JSON.stringify({msg: "Added image successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
|
||||
}) satisfies RequestHandler;
|
||||
|
||||
@ -1,13 +1,15 @@
|
||||
import path from 'path'
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { IMAGE_DIR } from '$env/static/private'
|
||||
import { unlink } from 'node:fs';
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { authenticateUser } from '$lib/js/authenticate';;
|
||||
|
||||
export const POST = (async ({ request }) => {
|
||||
const data = await request.json();
|
||||
if(data.bearer === BEARER_TOKEN){
|
||||
export const POST = (async ({ request, cookies }) => {
|
||||
const data = await request.json();
|
||||
const user = await authenticateUser(cookies)
|
||||
if(!user) throw error(401, "You need to be logged in")
|
||||
if(!user.access.includes("rezepte")) throw error(401, "Your don't have the required permission for this")
|
||||
[ "full", "thumb", "placeholder"].forEach((folder) => {
|
||||
unlink(path.join(IMAGE_DIR, "rezepte", folder, data.name + ".webp"), (e) => {
|
||||
if(e) error(404, "could not delete: " + folder + "/" + data.name + ".webp" + e)
|
||||
@ -16,9 +18,4 @@ export const POST = (async ({ request }) => {
|
||||
return new Response(JSON.stringify({msg: "Deleted image successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
|
||||
}) satisfies RequestHandler;
|
||||
|
||||
@ -1,13 +1,16 @@
|
||||
import path from 'path'
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { BEARER_TOKEN } from '$env/static/private'
|
||||
import { IMAGE_DIR } from '$env/static/private'
|
||||
import { rename } from 'node:fs';
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { authenticateUser } from '$lib/js/authenticate';
|
||||
|
||||
export const POST = (async ({ request, cookies }) => {
|
||||
const data = await request.json();
|
||||
const user = await authenticateUser(cookies)
|
||||
if(!user) throw error(401, "need to be logged in")
|
||||
if(!user.access.includes("rezepte")) throw error(401, "You don't have the required permission to do this")
|
||||
|
||||
export const POST = (async ({ request }) => {
|
||||
const data = await request.json();
|
||||
if(data.bearer === BEARER_TOKEN){
|
||||
[ "full", "thumb", "placeholder"].forEach((folder) => {
|
||||
const old_path = path.join(IMAGE_DIR, "rezepte", folder, data.old_name + ".webp")
|
||||
rename(old_path, path.join(IMAGE_DIR, "rezepte", folder, data.new_name + ".webp"), (e) => {
|
||||
@ -15,12 +18,8 @@ export const POST = (async ({ request }) => {
|
||||
if(e) throw error(500, "could not mv: " + old_path)
|
||||
})
|
||||
});
|
||||
|
||||
return new Response(JSON.stringify({msg: "Deleted image successfully"}),{
|
||||
status: 200,
|
||||
});
|
||||
}
|
||||
else{
|
||||
throw error(403, "Password incorrect")
|
||||
}
|
||||
|
||||
}) satisfies RequestHandler;
|
||||
|
||||
@ -1,8 +1,9 @@
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { sign } from 'jsonwebtoken';
|
||||
import { hash, verify} from 'argon2';
|
||||
import { verify} from 'argon2';
|
||||
import { COOKIE_SECRET } from '$env/static/private'
|
||||
import { PEPPER } from '$env/static/private'
|
||||
|
||||
import { dbConnect, dbDisconnect } from '../../../utils/db';
|
||||
import { User } from '../../../models/User';
|
||||
@ -15,13 +16,14 @@ export const POST: RequestHandler = async ({request}) => {
|
||||
let res = await User.findOne({username: username}, 'pass_hash salt').lean()
|
||||
await dbDisconnect()
|
||||
if(!res){
|
||||
console.log("NOT FOUND")
|
||||
throw error(401, {message: "wrong password or user does not exist"})
|
||||
}
|
||||
|
||||
const stored_pw = res.pass_hash
|
||||
const salt = res.salt
|
||||
|
||||
const isMatch = await verify(stored_pw, password, {salt})
|
||||
const isMatch = await verify(stored_pw, password + PEPPER, {salt})
|
||||
if(!isMatch){
|
||||
throw error(401, {message: "wrong password or user does not exist"})
|
||||
}
|
||||
@ -38,5 +40,6 @@ async function createJWT(username) {
|
||||
const masterSecret = COOKIE_SECRET;
|
||||
const secretKey = masterSecret;
|
||||
const jwt = sign(payload, secretKey);
|
||||
console.log(jwt)
|
||||
return jwt
|
||||
}
|
||||
|
||||
@ -1,10 +1,9 @@
|
||||
import type { RequestHandler } from '@sveltejs/kit';
|
||||
import { error } from '@sveltejs/kit';
|
||||
import { sign } from 'jsonwebtoken';
|
||||
import { hash, verify } from 'argon2';
|
||||
import { hash } from 'argon2';
|
||||
import { randomBytes } from 'crypto';
|
||||
import { COOKIE_SECRET } from '$env/static/private'
|
||||
import { ALLOW_REGISTRATION } from '$env/static/private'
|
||||
import { ALLOW_REGISTRATION } from '$env/static/private';
|
||||
import { PEPPER } from '$env/static/private';
|
||||
|
||||
import { User } from '../../../models/User';
|
||||
import { dbConnect, dbDisconnect } from '../../../utils/db';
|
||||
@ -16,7 +15,7 @@ export const POST: RequestHandler = async ({request}) => {
|
||||
const {username, password, access} = await request.json()
|
||||
const salt = randomBytes(32).toString('hex'); // Generate a random salt
|
||||
|
||||
const pass_hash = await hashPassword(password, salt)
|
||||
const pass_hash = await hashPassword(password + PEPPER, salt)
|
||||
await dbConnect();
|
||||
try{
|
||||
await User.create({
|
||||
@ -43,7 +42,7 @@ export const POST: RequestHandler = async ({request}) => {
|
||||
|
||||
async function hashPassword(password, salt) {
|
||||
try {
|
||||
const hashedPassword = await hash(password, salt); // Hash the password with the salt
|
||||
const hashedPassword = await hash(password, salt); // Hash the password with the salt and pepper
|
||||
return hashedPassword;
|
||||
} catch (error) {
|
||||
console.error('Error hashing password:', error);
|
||||
|
||||
Reference in New Issue
Block a user