boogerlad/mj - Change 2FPZGFF5PCGNV45HOB6TROMJFPURHPXM7YSPWNXCHFJS7EICVKQAC

authenticated and user count, remember me expiry, actually follow format, some pubsub fun, unregister, disallow multiple sockets with same credentials

Created by kevin on January 11, 2020

2FPZGFF5PCGNV45HOB6TROMJFPURHPXM7YSPWNXCHFJS7EICVKQAC

Dependencies

In channels

main

Change contents

Insertion in initialize.sql at line 121 [3.17]
[3.4556]
[3.4556]
```
	token_expiry timestamptz,
```

Deletion in package-lock.json at line 57 [4.145]

B:BD[4.2382] → [4.2382:2701]

    },
    "bindings": {
      "version": "1.5.0",
      "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
      "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==",
      "requires": {
        "file-uri-to-path": "1.0.0"
      }

Deletion in package-lock.json at line 124 [4.145]

B:BD[4.5611] → [4.5611:5886]

    },
    "file-uri-to-path": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
      "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw=="

Deletion in package-lock.json at line 219 [4.145]

B:BD[4.9454] → [4.9454:9783]

    "libpq": {
      "version": "1.8.9",
      "resolved": "https://registry.npmjs.org/libpq/-/libpq-1.8.9.tgz",
      "integrity": "sha512-herU0STiW3+/XBoYRycKKf49O9hBKK0JbdC2QmvdC5pyCSu8prb9idpn5bUSbxj8XwcEsWPWWWwTDZE9ZTwJ7g==",
      "requires": {
        "bindings": "1.5.0",
        "nan": "^2.14.0"
      }
    },

Deletion in package-lock.json at line 261 [4.145]

B:BD[4.11419] → [4.11419:11657]

    },
    "nan": {
      "version": "2.14.0",
      "resolved": "https://registry.npmjs.org/nan/-/nan-2.14.0.tgz",
      "integrity": "sha512-INOFj37C7k3AfaNTtX8RhsTw7qRy7eLET14cROi9+5HAVbbHuIWUHEauBv5qT4Av2tWasiTY1Jw6puUNqRJXQg=="

Deletion in package-lock.json at line 415 [4.145]

B:BD[4.17649] → [4.17649:19720]

    "pg-native": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/pg-native/-/pg-native-3.0.0.tgz",
      "integrity": "sha512-qZZyywXJ8O4lbiIN7mn6vXIow1fd3QZFqzRe+uET/SZIXvCa3HBooXQA4ZU8EQX8Ae6SmaYtDGLp5DwU+8vrfg==",
      "requires": {
        "libpq": "^1.7.0",
        "pg-types": "^1.12.1",
        "readable-stream": "1.0.31"
      },
      "dependencies": {
        "isarray": {
          "version": "0.0.1",
          "resolved": "https://registry.npmjs.org/isarray/-/isarray-0.0.1.tgz",
          "integrity": "sha1-ihis/Kmo9Bd+Cav8YDiTmwXR7t8="
        },
        "pg-types": {
          "version": "1.13.0",
          "resolved": "https://registry.npmjs.org/pg-types/-/pg-types-1.13.0.tgz",
          "integrity": "sha512-lfKli0Gkl/+za/+b6lzENajczwZHc7D5kiUCZfgm914jipD2kIOIvEkAhZ8GrW3/TUoP9w8FHjwpPObBye5KQQ==",
          "requires": {
            "pg-int8": "1.0.1",
            "postgres-array": "~1.0.0",
            "postgres-bytea": "~1.0.0",
            "postgres-date": "~1.0.0",
            "postgres-interval": "^1.1.0"
          }
        },
        "postgres-array": {
          "version": "1.0.3",
          "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-1.0.3.tgz",
          "integrity": "sha512-5wClXrAP0+78mcsNX3/ithQ5exKvCyK5lr5NEEEeGwwM6NJdQgzIJBVxLvRW+huFpX92F2QnZ5CcokH0VhK2qQ=="
        },
        "readable-stream": {
          "version": "1.0.31",
          "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-1.0.31.tgz",
          "integrity": "sha1-jyUC4LyeOw2huUUgqrtOJgPsr64=",
          "requires": {
            "core-util-is": "~1.0.0",
            "inherits": "~2.0.1",
            "isarray": "0.0.1",
            "string_decoder": "~0.10.x"
          }
        },
        "string_decoder": {
          "version": "0.10.31",
          "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-0.10.31.tgz",
          "integrity": "sha1-YuIDvEF2bGwoyfyEMB2rHFMQ+pQ="
        }
      }
    },

Deletion in package.json at line 12 [4.29376]
B:BD[4.29645] → [4.29645:29673]
```
    "pg-native": "^3.0.0",
```

Insertion in server.js at line 17 [2.590]

[2.996]

}
function desensitize(user) {
	delete user.password_hash;
	delete user.type;
	delete user.token_hash;
	delete user.token_expiry;
	Object.keys(user).forEach((key) => (user[key] == null) && delete user[key]);

Replacement in server.js at line 28 [2.590]
B:BD[2.1131] → [2.1131:1133]
[2.1131]
[2.1133]
```
let clients = 0;
let authenticated = new Map();
```

Insertion in server.js at line 39 [2.590]

[2.1375]

		++clients;
		ws.publish('user/count', "" + clients);

Replacement in server.js at line 44 [2.590]

B:BD[2.1536] → [2.1536:1554]

		switch(what) {

[2.1536]

[2.1554]

		switch(what) {//might need some middleware to unsubscribe all topics for each case?? ie don't want to be subscribed to user when navigate away. client side figured out how to ignore, but server side, ...?

Replacement in server.js at line 53 [2.590]

B:BD[2.1734] → [2.1734:1886]

						await pool.query('insert into user_account (email, password_hash) values ($1, $2)', [parameters.email, await argon2.hash(parameters.password)]);

[2.1734]

[2.1886]

						//let id = await return_key(...)
						await pool.query('insert into user_account (email, password_hash) values ($1, $2) returning id', [parameters.email, await argon2.hash(parameters.password)]);

Insertion in server.js at line 58 [2.590]

[2.1962]

						//ws.publish('/users/' + id? dunno if needed, JSON.stringify(event.json id, email, add))

Insertion in server.js at line 72 [2.590]

[2.2262]

			case 'unregister':
				if(isLoggedIn(ws)) {
					await pool.query(`delete from user_account where id = $1`, [ws.user_ID]);
					authenticated.delete(ws.user_ID);
					delete ws.user_ID;
					delete ws.user_type;
					ws.send(JSON.stringify({
						response_ID: request_ID
					}));
					//ws.publish('/users/' + id? dunno if needed, JSON.stringify(event.json id, remove))
					//probably needed, since subscribing to /users/${id} is a given to listen to augment calls or whatever
					ws.publish('user/authenticated', JSON.stringify({
						what: 'user/authenticated',//tbd
						how: 'update',
						data: authenticated.size
					}));
				} else {
					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: 'not logged in'
					}));
				}
				break;

Replacement in server.js at line 115 [2.590]

B:BD[2.3097] → [2.3097:3198]

								delete user.password_hash;
								delete user.token_hash;
								delete user.user_type;

[2.3097]

[2.3198]

								desensitize(user);

Replacement in server.js at line 117 [2.590]

B:BD[2.3345] → [2.3345:3431]

								Object.keys(user).forEach((key) => (user[key] == null) && delete user[key]);

[2.3345]

[2.3431]

								//if remember me on client side, store in localstorage. else do nothing with token
								//on subsequent new sockets, auto_login with token. token will be invalid(undefined) if remember me was not checked

Insertion in server.js at line 123 [2.590]

[2.3535]

								//disallow multiple sockets with same credentials
								let old = authenticated.get(user.id);
								if(old !== undefined) {
									delete old.user_ID;
									delete old.user_type;
									//old.send()logout event
								}
								authenticated.set(user.id, ws);
								ws.publish('user/authenticated', JSON.stringify({
									what: 'user/authenticated',//tbd
									how: 'update',
									data: authenticated.size
								}));

Replacement in server.js at line 159 [2.590]

B:BD[2.4033] → [2.4033:4222]

					let user = (await pool.query('select * from user_account where token_hash = $1', [crypto.createHash('BLAKE2b512').update(Buffer.from(parameters.token, 'base64')).digest()])).rows[0];

[2.4033]

[2.4222]

					let user = (await pool.query('select * from user_account where token_hash = $1 and now() < token_expiry', [crypto.createHash('BLAKE2b512').update(Buffer.from(parameters.token, 'base64')).digest()])).rows[0];

Replacement in server.js at line 168 [2.590]

B:BD[2.4437] → [2.4437:5074]

						//maybe push expiry? lol don't even have a column for that
						//let token = await randomBytes(128);
						//await pool.query('update user_account set token_hash = $1 where id = $2', [crypto.createHash('BLAKE2b512').update(token).digest(), user.id]);//update to blake3 once it's available in openSSL
						delete user.password_hash;
						delete user.token_hash;
						delete user.user_type;
						//user.token = token.toString('base64');//yuck, since json can't send binary, need to base64 encode. fyi base64 is smaller than hex(base16)
						Object.keys(user).forEach((key) => (user[key] == null) && delete user[key]);

[2.4437]

[2.5074]

						desensitize(user);

Insertion in server.js at line 173 [2.590]

[2.5170]

						//disallow multiple sockets with same credentials
						let old = authenticated.get(user.id);
						if(old !== undefined) {
							delete old.user_ID;
							delete old.user_type;
							//old.send()logout event
						}
						authenticated.set(user.id, ws);
						ws.publish('user/authenticated', JSON.stringify({
							what: 'user/authenticated',//tbd
							how: 'update',
							data: authenticated.size
						}));

Replacement in server.js at line 190 [2.590]

B:BD[2.5216] → [2.5216:5272]

				delete ws.user;
				//clear token_hash in db, etc

[2.5216]

[2.5272]

				if(isLoggedIn(ws)) {
					await pool.query(`update user_account set token_expiry = null, token_hash = null where id = $1`, [ws.user_ID]);
					authenticated.delete(ws.user_ID);
					delete ws.user_ID;
					delete ws.user_type;
					ws.send(JSON.stringify({
						response_ID: request_ID
					}));
					ws.publish('user/authenticated', JSON.stringify({
						what: 'user/authenticated',//tbd
						how: 'update',
						data: authenticated.size
					}));
				} else {
					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: 'not logged in'
					}));
				}

Replacement in server.js at line 212 [2.590]

B:BD[2.5307] → [2.5307:5482]

				//401 , 403
				if(ws.user && ws.user.type === 'god') {
					let result = (await pool.query('select * from user_account')).rows;
					ws.send(JSON.stringify(result));

[2.5307]

[2.5482]

				if(isLoggedIn(ws)) {
					if(is(ws, 'god')) {
						let users = (await pool.query('select * from user_account')).rows;//* is a bad idea... fix later
						for(let i = 0; i < users.length; ++i) {
							desensitize(users[i]);//shouldn't need this loop
						}
						ws.subscribe('user/#');//maybe for each subscribe call, call unsubscribeAll before (0.17.1 not released yet)?
						//I suppose the only issue with over subscribe is waste of resources - and if user type changes
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: users
						}));
					} else {
						ws.send(JSON.stringify({
							response_ID: request_ID,
							data: 'forbidden'
						}));
					}

Replacement in server.js at line 231 [2.590]

B:BD[2.5496] → [2.5496:5627]

					ws.send('401 or 403');//probably want to obfuscate to prevent reverse engineering?? but security through obscurity is stupid

[2.5496]

[2.5627]

					ws.send(JSON.stringify({
						response_ID: request_ID,
						data: 'unauthorized'
					}));

Replacement in server.js at line 237 [2.590]

B:BD[2.5646] → [2.5646:5709]

			case 'update_user' for god, case 'update_profile' for self

[2.5646]

[2.5709]

			// case 'update_user' for god, case 'update_profile' for self(change pw new token, return user and ws.user)

Replacement in server.js at line 247 [2.590]

B:BD[2.5972] → [2.5972:6006]

	close: (ws, code, message) => {

[2.5972]

[2.6006]

	close: async (ws, code, message) => {
		if(isLoggedIn(ws)) {
			await pool.query(`update user_account set token_expiry = now() + interval '14 day' where id = $1`, [ws.user_ID]);
			authenticated.delete(ws.user_ID);
			ws.publish('user/authenticated', JSON.stringify({
				what: 'user/authenticated',//tbd
				how: 'update',
				data: authenticated.size
			}));
		}
		--clients;
		ws.publish('user/count', "" + clients);