node-fftcg/inc/fftcgdb.coffee

# libraries
bcrypt = (require 'bcrypt')
sqlite3 = (require 'sqlite3').verbose()

# bruteforce countermeasure
saltRounds = 13

FFTCGDB = (filename) ->
  @filename = filename

  @db = new sqlite3.Database @filename, (err) ->
    if err
      console.error err.message

  @db.run """
    CREATE TABLE IF NOT EXISTS users (
      login text NOT NULL COLLATE NOCASE,
      pwdhash text NOT NULL,
      session text,
      UNIQUE(login)
    );
  """
  console.log "[FFTCGDB] Connected to '#{@filename}'"
  return

FFTCGDB::close = ->
  new Promise (resolve, reject) ->
    @db.close (err) ->
      if err
        resolve "[FFTCGDB] Error closing: '#{err.message}'"
      else
        reject "[FFTCGDB] Closed '#{@filename}'"

FFTCGDB::register = (login, password) ->
  that = @

  new Promise (resolve, reject) ->
    # validate username

    # hash password
    bcrypt.hash password, saltRounds, (err, hash) ->
      reject 'hash' if err
      # try creating row in users table
      that.db.run "INSERT INTO users (login, pwdhash) VALUES ('#{login}', '#{hash}');", (err) ->
        if err
          if err.code == 'SQLITE_CONSTRAINT'
            reject 'existence'
          else
            reject 'db'

        else
          # registration successful
          resolve @lastID

FFTCGDB::login = (login, password) ->
  that = @

  new Promise (resolve, reject) ->
    # validate username

    # get users table row
    that.db.all "SELECT rowid, pwdhash FROM users WHERE login = '#{login}';", (err, rows) ->
      if err
        reject 'db'

      else if rows.length == 0
        # hashing the password for timing attack reasons
        bcrypt.hash password, saltRounds, (err, hash) ->
          reject 'existence'

      else
        row = rows[0]
        bcrypt.compare password, row.pwdhash, (err, res) ->
          reject 'hash' if err
          if res == true
            resolve row.rowid
          else
            reject 'login'

module.exports = FFTCGDB
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00			`# libraries`
			`bcrypt = (require 'bcrypt')`
			`sqlite3 = (require 'sqlite3').verbose()`

mitigation for timing attacks 2018-12-16 01:37:00 +00:00			`# bruteforce countermeasure`
			`saltRounds = 13`

actual work 2018-12-14 06:03:03 +00:00			`FFTCGDB = (filename) ->`
			`@filename = filename`

			`@db = new sqlite3.Database @filename, (err) ->`
			`if err`
			`console.error err.message`

			`@db.run """`
			`CREATE TABLE IF NOT EXISTS users (`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`login text NOT NULL COLLATE NOCASE,`
			`pwdhash text NOT NULL,`
			`session text,`
actual work 2018-12-14 06:03:03 +00:00			`UNIQUE(login)`
			`);`
			`"""`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`console.log "[FFTCGDB] Connected to '#{@filename}'"`
actual work 2018-12-14 06:03:03 +00:00			`return`

			`FFTCGDB::close = ->`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`new Promise (resolve, reject) ->`
			`@db.close (err) ->`
			`if err`
			`resolve "[FFTCGDB] Error closing: '#{err.message}'"`
			`else`
			`reject "[FFTCGDB] Closed '#{@filename}'"`
actual work 2018-12-14 06:03:03 +00:00
			`FFTCGDB::register = (login, password) ->`
			`that = @`

			`new Promise (resolve, reject) ->`
			`# validate username`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00
actual work 2018-12-14 06:03:03 +00:00			`# hash password`
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00			`bcrypt.hash password, saltRounds, (err, hash) ->`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`reject 'hash' if err`
actual work 2018-12-14 06:03:03 +00:00			`# try creating row in users table`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`that.db.run "INSERT INTO users (login, pwdhash) VALUES ('#{login}', '#{hash}');", (err) ->`
			`if err`
			`if err.code == 'SQLITE_CONSTRAINT'`
			`reject 'existence'`
			`else`
			`reject 'db'`

			`else`
			`# registration successful`
mitigation for timing attacks 2018-12-16 01:37:00 +00:00			`resolve @lastID`
actual work 2018-12-14 06:03:03 +00:00
			`FFTCGDB::login = (login, password) ->`
			`that = @`

			`new Promise (resolve, reject) ->`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`# validate username`
actual work 2018-12-14 06:03:03 +00:00
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`# get users table row`
			`that.db.all "SELECT rowid, pwdhash FROM users WHERE login = '#{login}';", (err, rows) ->`
			`if err`
			`reject 'db'`
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`else if rows.length == 0`
mitigation for timing attacks 2018-12-16 01:37:00 +00:00			`# hashing the password for timing attack reasons`
			`bcrypt.hash password, saltRounds, (err, hash) ->`
			`reject 'existence'`
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`else`
			`row = rows[0]`
			`bcrypt.compare password, row.pwdhash, (err, res) ->`
			`reject 'hash' if err`
			`if res == true`
			`resolve row.rowid`
			`else`
			`reject 'login'`

			`module.exports = FFTCGDB`