node-fftcg/backend/db.coffee

# node libraries
bcrypt = (require 'bcrypt')
logger = (require 'logging').default 'db'
path = (require 'path')
sqlite3 = (require 'sqlite3').verbose()

# bruteforce countermeasure
saltRounds = 13

messages =
  empty:    'Empty user name or password'
  hash:     'Failed to process your data, try again later'
  exists:   'User name is already taken'
  noexists: 'Wrong user name or password'
  password: 'Wrong user name or password'
  db:       'Failed to access the database, try again later'

class FFTCGDB
  constructor: (filename, truncate) ->
    @filename = filename

    @db = new sqlite3.Database @filename, (err) =>
      if err
        logger.error err.message

      else
        logger.info "OK open '#{@filename}'"

        @db.run 'PRAGMA foreign_keys = ON;', (err) =>
          logger.error err.message if err

          if truncate == true
            @db.run 'DROP TABLE IF EXISTS users;', (err) =>
              logger.error err.message if err
              @db.run '''
                CREATE TABLE users (
                  user integer PRIMARY KEY,
                  login text NOT NULL COLLATE NOCASE,
                  pwdhash text NOT NULL,
                  settings text,
                  UNIQUE(login)
                );
                ''', (err) =>
                  logger.error err.message if err

                  @db.run 'DROP TABLE IF EXISTS decks;', (err) =>
                    logger.error err.message if err
                    @db.run '''
                      CREATE TABLE decks (
                        deck integer PRIMARY KEY,
                        user integer NOT NULL,
                        json text,
                        FOREIGN KEY (user) REFERENCES users (user)
                          ON DELETE CASCADE
                      );
                      ''', (err) =>
                        logger.error err.message if err

                        @db.run '''INSERT INTO users VALUES(1,'jmm','$2b$13$jgDdHHDWqq1RV6PXxf7aOO6AbxqY6tbxIADyIO0FeXt2BlKQCCMzS',NULL);'''
                        @db.run '''INSERT INTO decks VALUES(1,1,'{"name":"Antipode Bomb Version 6.0","note":"As Seen In Tournament: The North American Water Cup","cards":[{"count":1,"serial":"1-192"},{"count":2,"serial":"7-132"},{"count":2,"serial":"8-037"},{"count":2,"serial":"8-139"},{"count":1,"serial":"5-036"},{"count":3,"serial":"4-048"},{"count":1,"serial":"2-026"},{"count":3,"serial":"8-043"},{"count":3,"serial":"4-021"},{"count":3,"serial":"3-033"},{"count":1,"serial":"8-014"},{"count":2,"serial":"8-006"},{"count":1,"serial":"8-042"},{"count":1,"serial":"6-027"},{"count":3,"serial":"5-019"},{"count":2,"serial":"2-019"},{"count":2,"serial":"5-032"},{"count":3,"serial":"4-026"},{"count":3,"serial":"1-057"},{"count":1,"serial":"1-048"},{"count":2,"serial":"8-036"},{"count":3,"serial":"8-005"},{"count":3,"serial":"2-005"},{"count":1,"serial":"7-017"},{"count":1,"serial":"8-007"}]}');'''

            logger.info 'OK clear'

  close: ->
    logger.info 'shutting down'
    new Promise (resolve, reject) =>
      @db.close (err) ->
        if err
          logger.error "FAIL '#{err.message}'"
          reject null
        else
          logger.warn  "OK close '#{@filename}'"
          resolve null

  validate: (login, password) ->
    defined = (value) -> value? and value isnt ''

    new Promise (resolve, reject) =>
      if (defined login) and (defined password)
        # both are defined
        resolve null
      else
        # no user name or password given
        logger.info "validate: FAIL empty '#{login}' or password"
        reject null

  register: (login, password) ->
    new Promise (resolve, reject) =>
      # validate user input
      @validate login, password
      .then =>
        # hash password
        bcrypt.hash password, saltRounds, (err, hash) =>
          if err
            logger.warn "reg: FAIL hash for '#{login}'"
            reject messages.hash

          else
            # try creating row in users table
            stmt = @db.prepare 'INSERT INTO users (login, pwdhash) VALUES (?, ?)'
            stmt.run [login, hash], (err) ->
              stmt.finalize()
              if err
                logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
                # user already exists
                reject messages.exists

              else
                logger.info "reg: OK '#{login}'"
                # registration successful
                resolve null

      .catch ->
        reject messages.empty

  login: (login, password) ->
    new Promise (resolve, reject) =>
      # validate user input
      @validate login, password
      .then =>
        # get users table row
        stmt = @db.prepare 'SELECT * FROM users WHERE login = ?'
        stmt.get [login], (err, row) =>
          stmt.finalize()
          if err
            logger.warn "login: FAIL db '#{err.code}' for '#{login}'"
            reject messages.db

          else if not row
            # hash the password for timing attack reasons
            bcrypt.hash password, saltRounds, (err, hash) ->
              logger.debug "login: FAIL nonexistent '#{login}'"
              reject messages.noexists # user doesnt exist

          else
            bcrypt.compare password, row.pwdhash, (err, res) ->
              if err
                logger.warn "login: FAIL hash for '#{login}'"
                reject messages.hash

              if res == true
                logger.debug "login: OK '#{row.login}'"
                # login successful
                resolve row.user

              else
                logger.debug "login: FAIL password for '#{login}'"
                reject messages.password # login failed

      .catch ->
        reject messages.empty

  getUser: (userID) ->
    new Promise (resolve, reject) =>
      # get users table row
      stmt = @db.prepare 'SELECT * FROM users WHERE user = ?'
      stmt.get [userID], (err, row) =>
        stmt.finalize()
        if err
          logger.warn "get: FAIL db '#{err.code}' for '#{userID}'"
          reject messages.db

        else if not row
          logger.debug "get: FAIL nonexistent '#{userID}'"
          reject messages.noexists # user doesnt exist

        else
          resolve
            user: row.user
            login: row.login
            settings: row.settings

  addDeck: (userID, deckCards) ->
    new Promise (resolve, reject) =>
      # try creating row in decks table
      stmt = @db.prepare 'INSERT INTO decks (user, json) VALUES (?, ?)'
      stmt.run [userID, JSON.stringify deckCards], (err) ->
        stmt.finalize()
        if err
          logger.warn "addDeck: FAIL db '#{err.code}' for '#{userID}'"
          reject messages.db

        else
          logger.debug "addDeck: OK '#{@lastID}'"
          resolve @lastID

  modDeck: (userID, deckID, deckCards) ->
    new Promise (resolve, reject) =>
      stmt = @db.prepare 'UPDATE decks SET json = ? WHERE deck = ? AND user = ?'
      stmt.run [(JSON.stringify deckCards), deckID, userID], (err) ->
        stmt.finalize()
        if err
          logger.warn "modDeck: FAIL db '#{err.code}' for '#{deckID}'"
          reject messages.db
        else if @changes == 0
          logger.warn "no changes for input (#{userID}, #{deckID}, #{JSON.stringify deckCards})!"
          reject messages.db
        else
          resolve deckID

  getDecks: (userID) ->
    new Promise (resolve, reject) =>
      stmt = @db.prepare 'SELECT decks.deck, decks.json FROM decks INNER JOIN users ON decks.user = users.user WHERE users.user = ?'
      stmt.all [userID], (err, rows) ->
        stmt.finalize()
        if err
          logger.warn "getDecks: FAIL db '#{err.code}' for '#{userID}'"
          reject messages.db
        else
          logger.debug "getDecks: OK '#{userID}'"
          resolve (id: row.deck, content: JSON.parse row.json for row, i in rows)

  delDeck: (userID, deckID) ->
    new Promise (resolve, reject) =>
      stmt = @db.prepare 'DELETE FROM decks WHERE deck = ? AND user = ?'
      stmt.run [deckID, userID], (err) ->
        stmt.finalize()
        if err
          logger.warn "delDeck: FAIL db '#{err.code}' for '#{deckID}'"
          reject messages.db
        else
          logger.debug "delDeck: OK '#{deckID}'"
          resolve deckID


module.exports = new FFTCGDB path.resolve(__dirname, 'fftcg.db'), true
basic session management, not really working 2019-02-14 16:47:47 +00:00			`# node libraries`
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00			`bcrypt = (require 'bcrypt')`
decoupled backend 2019-02-07 16:03:20 +00:00			`logger = (require 'logging').default 'db'`
singletons 2019-02-19 18:57:22 +00:00			`path = (require 'path')`
			`sqlite3 = (require 'sqlite3').verbose()`
mysql -> sqlite DB, own db module 2018-12-07 09:38:46 +00:00
mitigation for timing attacks 2018-12-16 01:37:00 +00:00			`# bruteforce countermeasure`
			`saltRounds = 13`

db: input validation and error messages 2019-05-08 19:35:11 +00:00			`messages =`
			`empty: 'Empty user name or password'`
			`hash: 'Failed to process your data, try again later'`
			`exists: 'User name is already taken'`
			`noexists: 'Wrong user name or password'`
			`password: 'Wrong user name or password'`
			`db: 'Failed to access the database, try again later'`

classify db 2019-02-19 20:36:14 +00:00			`class FFTCGDB`
			`constructor: (filename, truncate) ->`
			`@filename = filename`
actual work 2018-12-14 06:03:03 +00:00
classify db 2019-02-19 20:36:14 +00:00			`@db = new sqlite3.Database @filename, (err) =>`
usable authentication and session management 2018-12-16 21:51:08 +00:00			`if err`
classify db 2019-02-19 20:36:14 +00:00			`logger.error err.message`
usable authentication and session management 2018-12-16 21:51:08 +00:00
classify db 2019-02-19 20:36:14 +00:00			`else`
			`logger.info "OK open '#{@filename}'"`

			`@db.run 'PRAGMA foreign_keys = ON;', (err) =>`
			`logger.error err.message if err`

			`if truncate == true`
			`@db.run 'DROP TABLE IF EXISTS users;', (err) =>`
			`logger.error err.message if err`
			`@db.run '''`
			`CREATE TABLE users (`
			`user integer PRIMARY KEY,`
			`login text NOT NULL COLLATE NOCASE,`
			`pwdhash text NOT NULL,`
			`settings text,`
			`UNIQUE(login)`
			`);`
			`''', (err) =>`
			`logger.error err.message if err`

defined test database 2019-05-10 12:34:58 +00:00			`@db.run 'DROP TABLE IF EXISTS decks;', (err) =>`
			`logger.error err.message if err`
			`@db.run '''`
			`CREATE TABLE decks (`
			`deck integer PRIMARY KEY,`
			`user integer NOT NULL,`
			`json text,`
			`FOREIGN KEY (user) REFERENCES users (user)`
			`ON DELETE CASCADE`
			`);`
			`''', (err) =>`
			`logger.error err.message if err`

			`@db.run '''INSERT INTO users VALUES(1,'jmm','$2b$13$jgDdHHDWqq1RV6PXxf7aOO6AbxqY6tbxIADyIO0FeXt2BlKQCCMzS',NULL);'''`
Crude UserCP deck display 2019-05-13 15:35:32 +00:00			@db.run '''INSERT INTO decks VALUES(1,1,'{"name":"Antipode Bomb Version 6.0","note":"As Seen In Tournament: The North American Water Cup","cards":[{"count":1,"serial":"1-192"},{"count":2,"serial":"7-132"},{"count":2,"serial":"8-037"},{"count":2,"serial":"8-139"},{"count":1,"serial":"5-036"},{"count":3,"serial":"4-048"},{"count":1,"serial":"2-026"},{"count":3,"serial":"8-043"},{"count":3,"serial":"4-021"},{"count":3,"serial":"3-033"},{"count":1,"serial":"8-014"},{"count":2,"serial":"8-006"},{"count":1,"serial":"8-042"},{"count":1,"serial":"6-027"},{"count":3,"serial":"5-019"},{"count":2,"serial":"2-019"},{"count":2,"serial":"5-032"},{"count":3,"serial":"4-026"},{"count":3,"serial":"1-057"},{"count":1,"serial":"1-048"},{"count":2,"serial":"8-036"},{"count":3,"serial":"8-005"},{"count":3,"serial":"2-005"},{"count":1,"serial":"7-017"},{"count":1,"serial":"8-007"}]}');'''
classify db 2019-02-19 20:36:14 +00:00
			`logger.info 'OK clear'`

			`close: ->`
			`logger.info 'shutting down'`
			`new Promise (resolve, reject) =>`
			`@db.close (err) ->`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00			`if err`
classify db 2019-02-19 20:36:14 +00:00			`logger.error "FAIL '#{err.message}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`reject null`
classify db 2019-02-19 20:36:14 +00:00			`else`
			`logger.warn "OK close '#{@filename}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`resolve null`

			`validate: (login, password) ->`
			`defined = (value) -> value? and value isnt ''`
classify db 2019-02-19 20:36:14 +00:00
			`new Promise (resolve, reject) =>`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`if (defined login) and (defined password)`
			`# both are defined`
			`resolve null`
			`else`
classify db 2019-02-19 20:36:14 +00:00			`# no user name or password given`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`logger.info "validate: FAIL empty '#{login}' or password"`
			`reject null`
classify db 2019-02-19 20:36:14 +00:00
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`register: (login, password) ->`
			`new Promise (resolve, reject) =>`
			`# validate user input`
			`@validate login, password`
			`.then =>`
			`# hash password`
			`bcrypt.hash password, saltRounds, (err, hash) =>`
			`if err`
			`logger.warn "reg: FAIL hash for '#{login}'"`
			`reject messages.hash`

			`else`
			`# try creating row in users table`
			`stmt = @db.prepare 'INSERT INTO users (login, pwdhash) VALUES (?, ?)'`
			`stmt.run [login, hash], (err) ->`
			`stmt.finalize()`
			`if err`
			`logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"`
sqldb cleanup 2019-05-09 12:33:43 +00:00			`# user already exists`
			`reject messages.exists`
db: input validation and error messages 2019-05-08 19:35:11 +00:00
			`else`
			`logger.info "reg: OK '#{login}'"`
			`# registration successful`
sqldb cleanup 2019-05-09 12:33:43 +00:00			`resolve null`
db: input validation and error messages 2019-05-08 19:35:11 +00:00
			`.catch ->`
			`reject messages.empty`
classify db 2019-02-19 20:36:14 +00:00
			`login: (login, password) ->`
			`new Promise (resolve, reject) =>`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`# validate user input`
			`@validate login, password`
			`.then =>`
			`# get users table row`
sqldb cleanup 2019-05-09 12:33:43 +00:00			`stmt = @db.prepare 'SELECT * FROM users WHERE login = ?'`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`stmt.get [login], (err, row) =>`
			`stmt.finalize()`
			`if err`
			`logger.warn "login: FAIL db '#{err.code}' for '#{login}'"`
			`reject messages.db`

			`else if not row`
			`# hash the password for timing attack reasons`
			`bcrypt.hash password, saltRounds, (err, hash) ->`
			`logger.debug "login: FAIL nonexistent '#{login}'"`
			`reject messages.noexists # user doesnt exist`

			`else`
			`bcrypt.compare password, row.pwdhash, (err, res) ->`
			`if err`
			`logger.warn "login: FAIL hash for '#{login}'"`
			`reject messages.hash`

			`if res == true`
			`logger.debug "login: OK '#{row.login}'"`
			`# login successful`
less stuff into Redis, /user/info from sqlite 2019-05-09 16:03:35 +00:00			`resolve row.user`
db: input validation and error messages 2019-05-08 19:35:11 +00:00
			`else`
			`logger.debug "login: FAIL password for '#{login}'"`
			`reject messages.password # login failed`

			`.catch ->`
			`reject messages.empty`
classify db 2019-02-19 20:36:14 +00:00
better database API 2019-05-13 15:35:15 +00:00			`getUser: (userID) ->`
less stuff into Redis, /user/info from sqlite 2019-05-09 16:03:35 +00:00			`new Promise (resolve, reject) =>`
			`# get users table row`
			`stmt = @db.prepare 'SELECT * FROM users WHERE user = ?'`
better database API 2019-05-13 15:35:15 +00:00			`stmt.get [userID], (err, row) =>`
less stuff into Redis, /user/info from sqlite 2019-05-09 16:03:35 +00:00			`stmt.finalize()`
			`if err`
better database API 2019-05-13 15:35:15 +00:00			`logger.warn "get: FAIL db '#{err.code}' for '#{userID}'"`
less stuff into Redis, /user/info from sqlite 2019-05-09 16:03:35 +00:00			`reject messages.db`

			`else if not row`
better database API 2019-05-13 15:35:15 +00:00			`logger.debug "get: FAIL nonexistent '#{userID}'"`
less stuff into Redis, /user/info from sqlite 2019-05-09 16:03:35 +00:00			`reject messages.noexists # user doesnt exist`

			`else`
			`resolve`
			`user: row.user`
			`login: row.login`
			`settings: row.settings`

better database API 2019-05-13 15:35:15 +00:00			`addDeck: (userID, deckCards) ->`
classify db 2019-02-19 20:36:14 +00:00			`new Promise (resolve, reject) =>`
			`# try creating row in decks table`
			`stmt = @db.prepare 'INSERT INTO decks (user, json) VALUES (?, ?)'`
better database API 2019-05-13 15:35:15 +00:00			`stmt.run [userID, JSON.stringify deckCards], (err) ->`
classify db 2019-02-19 20:36:14 +00:00			`stmt.finalize()`
			`if err`
better database API 2019-05-13 15:35:15 +00:00			`logger.warn "addDeck: FAIL db '#{err.code}' for '#{userID}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`reject messages.db`
usable authentication and session management 2018-12-16 21:51:08 +00:00
classify db 2019-02-19 20:36:14 +00:00			`else`
			`logger.debug "addDeck: OK '#{@lastID}'"`
			`resolve @lastID`
basic register/login functionality. prepared session storage. 2018-12-14 12:31:07 +00:00
better database API 2019-05-13 15:35:15 +00:00			`modDeck: (userID, deckID, deckCards) ->`
classify db 2019-02-19 20:36:14 +00:00			`new Promise (resolve, reject) =>`
better database API 2019-05-13 15:35:15 +00:00			`stmt = @db.prepare 'UPDATE decks SET json = ? WHERE deck = ? AND user = ?'`
decks/modify route 2019-05-20 15:02:39 +00:00			`stmt.run [(JSON.stringify deckCards), deckID, userID], (err) ->`
classify db 2019-02-19 20:36:14 +00:00			`stmt.finalize()`
			`if err`
			`logger.warn "modDeck: FAIL db '#{err.code}' for '#{deckID}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`reject messages.db`
decks/modify route 2019-05-20 15:02:39 +00:00			`else if @changes == 0`
			`logger.warn "no changes for input (#{userID}, #{deckID}, #{JSON.stringify deckCards})!"`
			`reject messages.db`
classify db 2019-02-19 20:36:14 +00:00			`else`
			`resolve deckID`
"uid" -> "user"; sqlite DB structure 2018-12-27 02:03:22 +00:00
better database API 2019-05-13 15:35:15 +00:00			`getDecks: (userID) ->`
classify db 2019-02-19 20:36:14 +00:00			`new Promise (resolve, reject) =>`
			`stmt = @db.prepare 'SELECT decks.deck, decks.json FROM decks INNER JOIN users ON decks.user = users.user WHERE users.user = ?'`
better database API 2019-05-13 15:35:15 +00:00			`stmt.all [userID], (err, rows) ->`
"uid" -> "user"; sqlite DB structure 2018-12-27 02:03:22 +00:00			`stmt.finalize()`
classify db 2019-02-19 20:36:14 +00:00			`if err`
better database API 2019-05-13 15:35:15 +00:00			`logger.warn "getDecks: FAIL db '#{err.code}' for '#{userID}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`reject messages.db`
classify db 2019-02-19 20:36:14 +00:00			`else`
better database API 2019-05-13 15:35:15 +00:00			`logger.debug "getDecks: OK '#{userID}'"`
classify db 2019-02-19 20:36:14 +00:00			`resolve (id: row.deck, content: JSON.parse row.json for row, i in rows)`
"uid" -> "user"; sqlite DB structure 2018-12-27 02:03:22 +00:00
Delete deck 2019-05-24 11:41:48 +00:00			`delDeck: (userID, deckID) ->`
classify db 2019-02-19 20:36:14 +00:00			`new Promise (resolve, reject) =>`
Delete deck 2019-05-24 11:41:48 +00:00			`stmt = @db.prepare 'DELETE FROM decks WHERE deck = ? AND user = ?'`
			`stmt.run [deckID, userID], (err) ->`
"uid" -> "user"; sqlite DB structure 2018-12-27 02:03:22 +00:00			`stmt.finalize()`
classify db 2019-02-19 20:36:14 +00:00			`if err`
			`logger.warn "delDeck: FAIL db '#{err.code}' for '#{deckID}'"`
db: input validation and error messages 2019-05-08 19:35:11 +00:00			`reject messages.db`
classify db 2019-02-19 20:36:14 +00:00			`else`
			`logger.debug "delDeck: OK '#{deckID}'"`
			`resolve deckID`
"uid" -> "user"; sqlite DB structure 2018-12-27 02:03:22 +00:00
usable authentication and session management 2018-12-16 21:51:08 +00:00
singletons 2019-02-19 18:57:22 +00:00			`module.exports = new FFTCGDB path.resolve(__dirname, 'fftcg.db'), true`