remove user/admin auth routes (admin user list, change password, login, register)
This commit is contained in:
parent
4fdfacd7be
commit
c22a7f0e99
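--- a/<path not shown on page>
+++ /dev/null
@@ -1,23 +0,0 @@
-import type { RequestHandler } from '@sveltejs/kit';
-import { error } from '@sveltejs/kit';
-
-import { dbConnect, dbDisconnect } from '../../../../../utils/db';
-import { User } from '../../../../../models/User';
-import { get_username } from '$lib/js/get_username';
-
-// header: use for bearer token for now
-// recipe json in body
-export const POST: RequestHandler = async ({cookies}) => {
-const requesting_user = await get_username(cookies)
-await dbConnect()
-let res = await User.findOne({username: requesting_user}, 'access').lean()
-if(!res.access.contains("admin")){
-await dbDisconnect()
-throw error(401, {message: "Your user does not have the permissions to do this"})
-}
-else{
-let res = await User.find({}, 'username access').lean()
-await dbDisconnect()
-return { res }
-}
-};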
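--- a/<path not shown on page>
+++ /dev/null
@@ -1,36 +0,0 @@
-import type { RequestHandler } from '@sveltejs/kit';
-import { error } from '@sveltejs/kit';
-import { verify } from 'argon2';
-import { hashPassword } from '$lib/js/hashPassword'
-import {randomBytes} from 'crypto'
-
-import { PEPPER } from '$env/static/private';
-
-import { User } from '../../../../models/User';
-import { dbConnect, dbDisconnect } from '../../../../utils/db';
-
-// header: use for bearer token for now
-// recipe json in body
-export const POST: RequestHandler = async ({request}) => {
-const {username, old_password, new_password, new_password_rep} = await request.json()
-if(new_password != new_password_rep){
-throw error(400, 'new passwords do not match!')
-}
-await dbConnect();
-const user = await User.findOne({username: username});
-console.log("Found user:", user)
-const isMatch = await verify(user.pass_hash, old_password + PEPPER, {salt: user.salt})
-console.log("isMatch:", isMatch)
-if(isMatch){
-const salt = randomBytes(32).toString('hex'); // Generate a random salt
-const pass_hash = await hashPassword(new_password + PEPPER, salt)
-await User.findOneAndUpdate({username: username}, {pass_hash: pass_hash, salt: salt})
-await dbDisconnect()
-return new Response(JSON.stringify({message: "Password updated successfully"}),
-{status: 200})
-}
-else{
-await dbDisconnect();
-throw error(401, "Wrong old password")
-}
-};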
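--- a/<path not shown on page>
+++ /dev/null
@@ -1,46 +0,0 @@
-import type { RequestHandler } from '@sveltejs/kit';
-import { error } from '@sveltejs/kit';
-import pkg from 'jsonwebtoken';
-const { sign } = pkg;
-import { verify} from 'argon2';
-import { COOKIE_SECRET } from '$env/static/private'
-import { PEPPER } from '$env/static/private'
-
-import { dbConnect, dbDisconnect } from '../../../../utils/db';
-import { User } from '../../../../models/User';
-
-// header: use for bearer token for now
-// recipe json in body
-export const POST: RequestHandler = async ({request}) => {
-const {username, password} = await request.json()
-await dbConnect()
-let res = await User.findOne({username: username}, 'pass_hash salt').lean()
-await dbDisconnect()
-if(!res){
-console.log("NOT FOUND")
-throw error(401, {message: "wrong password or user does not exist"})
-}
-
-const stored_pw = res.pass_hash
-const salt = res.salt
-
-const isMatch = await verify(stored_pw, password + PEPPER, {salt})
-if(!isMatch){
-throw error(401, {message: "wrong password or user does not exist"})
-}
-
-res = await createJWT(username)
-return new Response(JSON.stringify(res))
-};
-
-async function createJWT(username) {
-const payload = {
-username: username,
-};
-
-const masterSecret = COOKIE_SECRET;
-const secretKey = masterSecret;
-const jwt = sign(payload, secretKey);
-console.log(jwt)
-return jwt
-}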
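--- a/<path not shown on page>
+++ /dev/null
@@ -1,41 +0,0 @@
-import type { RequestHandler } from '@sveltejs/kit';
-import { error } from '@sveltejs/kit';
-import { randomBytes } from 'crypto';
-import { ALLOW_REGISTRATION } from '$env/static/private';
-import { PEPPER } from '$env/static/private';
-import {hashPassword} from '$lib/js/hashPassword'
-
-import { User } from '../../../../models/User';
-import { dbConnect, dbDisconnect } from '../../../../utils/db';
-
-// header: use for bearer token for now
-// recipe json in body
-export const POST: RequestHandler = async ({request}) => {
-if(ALLOW_REGISTRATION){
-const {username, password} = await request.json()
-const salt = randomBytes(32).toString('hex'); // Generate a random salt
-
-const pass_hash = await hashPassword(password + PEPPER, salt)
-await dbConnect();
-try{
-await User.create({
-username: username,
-pass_hash: pass_hash,
-salt: salt,
-access: [],
-})
-}catch(e){
-await dbDisconnect();
-throw error(400, e);
-}
-await dbDisconnect();
-return new Response(JSON.stringify({message: "User added successfully"}),
-{status: 200}
-);
-}
-else{
-throw error(401, "user registration currently closed")
-}
-
-
-};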