PSForever/PSFPortal
1
0
Fork 0
mirror of https://github.com/psforever/PSFPortal.git synced 2026-04-29 16:25:27 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix admin/session middleware to prevent casade on to later routes

Browse source
This commit is contained in:
Chord 2020-01-09 21:22:07 +01:00
parent bed14bdb86
commit f96b37aad3
5 changed files with 67 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

45
api/index.js
View file

@ -1,3 +1,4 @@
import fs from 'fs'
import express from 'express'
import bodyParser from 'body-parser'
import * as db from './db.js'
@ -6,6 +7,7 @@ import api_user from './user.js'
import api_info from './info.js'
import api_admin from './admin.js'
const VERSION = JSON.parse(fs.readFileSync('package.json', 'utf8')).version;
const api = express.Router();
if (process.env.NODE_ENV !== "production") {
@ -17,46 +19,19 @@ if (process.env.NODE_ENV !== "production") {
});
}
async function sessionRequired(req, res, next) {
if (!req.session || !req.session.account_id) {
res.status(403).json({message: 'session required'})
} else {
try {
const account = await db.get_account_by_id(req.session.account_id);
if (!account) {
console.log("ERROR: failed to lookup account from session!")
res.status(500).json({message: 'error'});
} else {
req.session_account = account;
next();
}
} catch (e) {
console.log(e)
res.status(500).json({message: 'error'});
}
}
}
async function adminRequired(req, res, next) {
if (!req.session_account) {
console.log("ERROR: sessionRequired needs to be called before adminRequired")
res.status(500).json({message: ''})
} else {
if (req.session_account.gm === true && req.session_account.inactive === false) {
next();
} else {
res.status(403).json({message : 'admin required'})
}
}
}
api.use(bodyParser.json());
api.use(bodyParser.urlencoded({ extended: true }));
api.use(api_auth)
api.use(api_info)
api.use(sessionRequired, api_user)
api.use(sessionRequired, adminRequired, api_admin)
// These calls are gated within their respective routers
api.use(api_user)
api.use(api_admin)
api.get("/", async (req, res, next) => {
res.status(200).json({message : 'PSFPortal ' + VERSION + ' API base. Created by Chord for the PSForever Project: https://psforever.net'})
});
api.post("/bad_route", async (req, res, next) => {
console.log("BAD APP ROUTE:", req.body.route)