db: input validation and error messages
This commit is contained in:
parent
4b6b5f339f
commit
eee3ed96ac
1 changed files with 81 additions and 56 deletions
|
@ -7,6 +7,14 @@ sqlite3 = (require 'sqlite3').verbose()
|
||||||
# bruteforce countermeasure
|
# bruteforce countermeasure
|
||||||
saltRounds = 13
|
saltRounds = 13
|
||||||
|
|
||||||
|
messages =
|
||||||
|
empty: 'Empty user name or password'
|
||||||
|
hash: 'Failed to process your data, try again later'
|
||||||
|
exists: 'User name is already taken'
|
||||||
|
noexists: 'Wrong user name or password'
|
||||||
|
password: 'Wrong user name or password'
|
||||||
|
db: 'Failed to access the database, try again later'
|
||||||
|
|
||||||
class FFTCGDB
|
class FFTCGDB
|
||||||
constructor: (filename, truncate) ->
|
constructor: (filename, truncate) ->
|
||||||
@filename = filename
|
@filename = filename
|
||||||
|
@ -56,74 +64,91 @@ class FFTCGDB
|
||||||
@db.close (err) ->
|
@db.close (err) ->
|
||||||
if err
|
if err
|
||||||
logger.error "FAIL '#{err.message}'"
|
logger.error "FAIL '#{err.message}'"
|
||||||
reject 'db'
|
reject null
|
||||||
else
|
else
|
||||||
logger.warn "OK close '#{@filename}'"
|
logger.warn "OK close '#{@filename}'"
|
||||||
resolve 'ok'
|
resolve null
|
||||||
|
|
||||||
|
validate: (login, password) ->
|
||||||
|
defined = (value) -> value? and value isnt ''
|
||||||
|
|
||||||
|
new Promise (resolve, reject) =>
|
||||||
|
if (defined login) and (defined password)
|
||||||
|
# both are defined
|
||||||
|
resolve null
|
||||||
|
else
|
||||||
|
# no user name or password given
|
||||||
|
logger.info "validate: FAIL empty '#{login}' or password"
|
||||||
|
reject null
|
||||||
|
|
||||||
register: (login, password) ->
|
register: (login, password) ->
|
||||||
new Promise (resolve, reject) =>
|
new Promise (resolve, reject) =>
|
||||||
# validate user input
|
# validate user input
|
||||||
if login == '' or password == ''
|
@validate login, password
|
||||||
# no user name or password given
|
.then =>
|
||||||
logger.info "reg: FAIL empty '#{login}' or password"
|
# hash password
|
||||||
reject 'invalid'
|
bcrypt.hash password, saltRounds, (err, hash) =>
|
||||||
|
if err
|
||||||
|
logger.warn "reg: FAIL hash for '#{login}'"
|
||||||
|
reject messages.hash
|
||||||
|
|
||||||
# hash password
|
else
|
||||||
bcrypt.hash password, saltRounds, (err, hash) =>
|
# try creating row in users table
|
||||||
if err
|
stmt = @db.prepare 'INSERT INTO users (login, pwdhash) VALUES (?, ?)'
|
||||||
logger.warn "reg: FAIL hash for '#{login}'"
|
stmt.run [login, hash], (err) ->
|
||||||
reject 'hash'
|
stmt.finalize()
|
||||||
|
if err
|
||||||
|
logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
|
||||||
|
reject messages.exists # user already exists
|
||||||
|
|
||||||
else
|
else
|
||||||
# try creating row in users table
|
logger.info "reg: OK '#{login}'"
|
||||||
stmt = @db.prepare 'INSERT INTO users (login, pwdhash) VALUES (?, ?)'
|
# registration successful
|
||||||
stmt.run [login, hash], (err) ->
|
resolve
|
||||||
stmt.finalize()
|
user: @lastID
|
||||||
if err
|
login: login
|
||||||
logger.warn "reg: FAIL db '#{err.code}' for '#{login}'"
|
|
||||||
reject 'existence' # user already exists
|
|
||||||
|
|
||||||
else
|
.catch ->
|
||||||
logger.info "reg: OK '#{login}'"
|
reject messages.empty
|
||||||
# registration successful
|
|
||||||
resolve
|
|
||||||
user: @lastID
|
|
||||||
login: login
|
|
||||||
|
|
||||||
login: (login, password) ->
|
login: (login, password) ->
|
||||||
new Promise (resolve, reject) =>
|
new Promise (resolve, reject) =>
|
||||||
# get users table row
|
# validate user input
|
||||||
stmt = @db.prepare 'SELECT user, login, pwdhash FROM users WHERE login = ?'
|
@validate login, password
|
||||||
stmt.get [login], (err, row) =>
|
.then =>
|
||||||
stmt.finalize()
|
# get users table row
|
||||||
if err
|
stmt = @db.prepare 'SELECT user, login, pwdhash FROM users WHERE login = ?'
|
||||||
logger.warn "login: FAIL db '#{err.code}' for '#{login}'"
|
stmt.get [login], (err, row) =>
|
||||||
reject 'db'
|
stmt.finalize()
|
||||||
|
if err
|
||||||
|
logger.warn "login: FAIL db '#{err.code}' for '#{login}'"
|
||||||
|
reject messages.db
|
||||||
|
|
||||||
else if not row
|
else if not row
|
||||||
# hash the password for timing attack reasons
|
# hash the password for timing attack reasons
|
||||||
bcrypt.hash password, saltRounds, (err, hash) ->
|
bcrypt.hash password, saltRounds, (err, hash) ->
|
||||||
logger.debug "login: FAIL nonexistent '#{login}'"
|
logger.debug "login: FAIL nonexistent '#{login}'"
|
||||||
reject 'existence' # user doesnt exist
|
reject messages.noexists # user doesnt exist
|
||||||
|
|
||||||
else
|
else
|
||||||
bcrypt.compare password, row.pwdhash, (err, res) ->
|
bcrypt.compare password, row.pwdhash, (err, res) ->
|
||||||
if err
|
if err
|
||||||
logger.warn "login: FAIL hash for '#{login}'"
|
logger.warn "login: FAIL hash for '#{login}'"
|
||||||
reject 'hash'
|
reject messages.hash
|
||||||
|
|
||||||
if res == true
|
if res == true
|
||||||
logger.debug "login: OK '#{row.login}'"
|
logger.debug "login: OK '#{row.login}'"
|
||||||
# login successful
|
# login successful
|
||||||
resolve
|
resolve
|
||||||
user: row.user
|
user: row.user
|
||||||
login: row.login
|
login: row.login
|
||||||
|
|
||||||
else
|
else
|
||||||
logger.debug "login: FAIL password for '#{login}'"
|
logger.debug "login: FAIL password for '#{login}'"
|
||||||
# login failed
|
reject messages.password # login failed
|
||||||
reject 'login'
|
|
||||||
|
.catch ->
|
||||||
|
reject messages.empty
|
||||||
|
|
||||||
addDeck: (user, deckCards) ->
|
addDeck: (user, deckCards) ->
|
||||||
new Promise (resolve, reject) =>
|
new Promise (resolve, reject) =>
|
||||||
|
@ -133,7 +158,7 @@ class FFTCGDB
|
||||||
stmt.finalize()
|
stmt.finalize()
|
||||||
if err
|
if err
|
||||||
logger.warn "addDeck: FAIL db '#{err.code}' for '#{user}'"
|
logger.warn "addDeck: FAIL db '#{err.code}' for '#{user}'"
|
||||||
reject 'db'
|
reject messages.db
|
||||||
|
|
||||||
else
|
else
|
||||||
logger.debug "addDeck: OK '#{@lastID}'"
|
logger.debug "addDeck: OK '#{@lastID}'"
|
||||||
|
@ -146,7 +171,7 @@ class FFTCGDB
|
||||||
stmt.finalize()
|
stmt.finalize()
|
||||||
if err
|
if err
|
||||||
logger.warn "modDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
logger.warn "modDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
||||||
reject 'db'
|
reject messages.db
|
||||||
else
|
else
|
||||||
logger.debug "modDeck: OK '#{deckID}'"
|
logger.debug "modDeck: OK '#{deckID}'"
|
||||||
resolve deckID
|
resolve deckID
|
||||||
|
@ -158,7 +183,7 @@ class FFTCGDB
|
||||||
stmt.finalize()
|
stmt.finalize()
|
||||||
if err
|
if err
|
||||||
logger.warn "getDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
logger.warn "getDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
||||||
reject 'db'
|
reject messages.db
|
||||||
else
|
else
|
||||||
logger.debug "getDeck: OK '#{deckID}'"
|
logger.debug "getDeck: OK '#{deckID}'"
|
||||||
resolve (id: row.deck, content: JSON.parse row.json for row, i in rows)
|
resolve (id: row.deck, content: JSON.parse row.json for row, i in rows)
|
||||||
|
@ -170,7 +195,7 @@ class FFTCGDB
|
||||||
stmt.finalize()
|
stmt.finalize()
|
||||||
if err
|
if err
|
||||||
logger.warn "delDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
logger.warn "delDeck: FAIL db '#{err.code}' for '#{deckID}'"
|
||||||
reject 'db'
|
reject messages.db
|
||||||
else
|
else
|
||||||
logger.debug "delDeck: OK '#{deckID}'"
|
logger.debug "delDeck: OK '#{deckID}'"
|
||||||
resolve deckID
|
resolve deckID
|
||||||
|
|
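Review bot: In the new `register` and `login` bodies the trailing `.catch -> reject messages.empty` reports every rejection of the promise chain as an empty-input error, although `validate` rejects with `null` and anything thrown inside the `.then =>` handler (for example `@db.prepare` failing) lands in the same handler and would be shown to the user as 'Empty user name or password'. Have `validate` carry its own reason, `reject messages.empty`, and pass rejections through unchanged with `.catch reject` in both callers so the message stays accurate. Two related points in the same hunk: `defined` only screens out null and the empty string, so a non-string body value (number, object, array) passes validation and fails later inside `bcrypt.hash` as `messages.hash` — `defined = (value) -> typeof value is 'string' and value isnt ''` would reject it up front; and the `stmt.run` error branch in `register` rejects with `messages.exists` for every error even though `err.code` is logged, so a locked or unwritable database is reported as a taken user name — gate that message on `err.code is 'SQLITE_CONSTRAINT'` and fall back to `messages.db` otherwise. The enclosing class FFTCGDB continues outside this hunk.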