authorTor Andersson <tor@ccxvii.net>2021-12-03 13:41:52 +0100
committerTor Andersson <tor@ccxvii.net>2021-12-04 02:31:35 +0100
commit0ce74e5d0cc2d573a1d7c69315dd00830f971712 (patch)
treef37551720da3d28b8453ab7df7d8e78677b73ffb
parentf52fe1a99f4b92b39b5f2e4aa95c404af391682d (diff)
Remove flash and redirect session data.
-rw-r--r--server.js139
-rw-r--r--views/change_mail.pug1
-rw-r--r--views/change_name.pug1
-rw-r--r--views/create.pug2
-rw-r--r--views/index.pug2
-rw-r--r--views/join.pug4
-rw-r--r--views/login.pug1
7 files changed, 55 insertions, 95 deletions
diff --git a/server.js b/server.js
index 7196ef0..eb7b20e 100644
--- a/server.js
+++ b/server.js
@@ -40,8 +40,8 @@ let app = express();
app.set('x-powered-by', false);
app.set('etag', false);
app.set('view engine', 'pug');
-app.use(body_parser.urlencoded({extended:false}));
app.use(express.static('public', { setHeaders: set_static_headers, lastModified:false }));
+app.use(body_parser.urlencoded({extended:false}));
let http_port = process.env.HTTP_PORT || 8080;
let http_server = http.createServer(app);
@@ -108,18 +108,6 @@ function SLOG(socket, ...msg) {
socket.title_id + "/" + socket.game_id + "/" + socket.role, ...msg);
}
-function flash(req, msg) {
- if (req.session) {
- if (msg === undefined) {
- msg = req.session.flash;
- delete req.session.flash;
- } else {
- req.session.flash = msg;
- }
- }
- return msg;
-}
-
function human_date(time) {
var date = time ? new Date(time + " UTC") : new Date(0);
var seconds = (Date.now() - date.getTime()) / 1000;
@@ -232,15 +220,13 @@ app.use(function (req, res, next) {
});
function must_be_logged_in(req, res, next) {
- if (!req.user) {
- req.session.redirect = req.originalUrl;
- return res.redirect('/login');
- }
+ if (!req.user)
+ return res.redirect('/login?redirect=' + encodeURIComponent(req.originalUrl));
return next();
}
app.get('/', function (req, res) {
- res.render('index.pug', { user: req.user, titles: TITLES, flash: flash(req) });
+ res.render('index.pug', { user: req.user, titles: TITLES });
});
app.get('/about', function (req, res) {
@@ -256,13 +242,14 @@ app.get('/logout', function (req, res) {
app.get('/login', function (req, res) {
if (req.user)
return res.redirect('/');
- LOG(req, "GET /login");
- res.render('login.pug', { user: null, flash: null });
+ LOG(req, "GET /login redirect=" + req.query.redirect);
+ res.render('login.pug', { redirect: req.query.redirect || '/profile' });
});
app.post('/login', function (req, res) {
let name_or_mail = req.body.username;
let password = req.body.password;
+ let redirect = req.body.redirect;
if (!is_email(name_or_mail))
name_or_mail = clean_user_name(name_or_mail);
LOG(req, "POST /login", name_or_mail);
@@ -270,11 +257,8 @@ app.post('/login', function (req, res) {
if (!user)
user = SQL_SELECT_LOGIN_BY_MAIL.get(name_or_mail);
if (!user || is_blacklisted(user.mail) || hash_password(password, user.salt) != user.password)
- return setTimeout(() => res.render('login.pug', { user: null, flash: "Invalid login." }), 1000);
+ return setTimeout(() => res.render('login.pug', { flash: "Invalid login." }), 1000);
req.session.user_id = user.user_id;
- let redirect = req.session.redirect || '/profile';
- console.log("redirect", redirect);
- delete req.session.redirect;
res.redirect(redirect);
});
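Review bot: `res.redirect(redirect)` at the end of this hunk now sends the browser to whatever `req.body.redirect` contained, and nothing on the new side — neither here nor in the previous hunk where `let redirect = req.body.redirect;` is read — checks that the value is a local path, so a crafted login link can forward a freshly authenticated user off-site. Restricting it to same-origin paths is a two-line change: `let redirect = req.body.redirect || '/profile';` followed by `if (!redirect.startsWith('/') || redirect.startsWith('//') || redirect.startsWith('/\\')) redirect = '/profile';`. The failed-login render in this hunk also leaves `redirect` out of the locals, so the retried form posts without the hidden field and a later success ends at the fallback (or, without one, at `res.redirect(undefined)`); pass `redirect: redirect` alongside `flash` there. `app.post('/login')` starts in the previous hunk.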
@@ -282,12 +266,12 @@ app.get('/signup', function (req, res) {
if (req.user)
return res.redirect('/');
LOG(req, "GET /signup");
- res.render('signup.pug', { user: null, flash: null });
+ res.render('signup.pug');
});
app.post('/signup', function (req, res) {
function err(msg) {
- res.render('signup.pug', { user: null, flash: msg });
+ res.render('signup.pug', { flash: msg });
}
let name = req.body.username;
let mail = req.body.mail;
@@ -314,8 +298,10 @@ app.post('/signup', function (req, res) {
});
app.get('/forgot-password', function (req, res) {
+ if (req.user)
+ return res.redirect('/');
LOG(req, "GET /forgot-password");
- res.render('forgot_password.pug', { user: req.user, flash: flash(req) });
+ res.render('forgot_password.pug');
});
app.post('/forgot-password', function (req, res) {
@@ -328,58 +314,56 @@ app.post('/forgot-password', function (req, res) {
token = SQL_CREATE_TOKEN.run(user.user_id);
mail_password_reset_token(user, token);
}
- flash(req, "A password reset token has been sent to " + mail + ".");
return res.redirect('/reset-password/' + mail);
}
- flash(req, "User not found.");
- return res.redirect('/forgot-password');
+ res.render('forgot_password.pug', { flash: "User not found." });
});
app.get('/reset-password', function (req, res) {
LOG(req, "GET /reset-password");
- res.render('reset_password.pug', { user: null, mail: "", token: "", flash: flash(req) });
+ res.render('reset_password.pug', { mail: "", token: "" });
});
app.get('/reset-password/:mail', function (req, res) {
let mail = req.params.mail;
LOG(req, "GET /reset-password", mail);
- res.render('reset_password.pug', { user: null, mail: mail, token: "", flash: flash(req) });
+ res.render('reset_password.pug', { mail: mail, token: "" });
});
app.get('/reset-password/:mail/:token', function (req, res) {
let mail = req.params.mail;
let token = req.params.token;
LOG(req, "GET /reset-password", mail, token);
- res.render('reset_password.pug', { user: null, mail: mail, token: token, flash: flash(req) });
+ res.render('reset_password.pug', { mail: mail, token: token });
});
app.post('/reset-password', function (req, res) {
let mail = req.body.mail;
let token = req.body.token;
let password = req.body.password;
+ function err(msg) {
+ res.render('reset_password.pug', { mail: mail, token: token });
+ }
LOG(req, "POST /reset-password", mail, token);
let user = SQL_SELECT_LOGIN_BY_MAIL.get(mail);
- if (!user) {
- flash(req, "User not found.");
- return res.redirect('/reset-password/'+mail+'/'+token);
- }
- if (password.length < 4) {
- flash(req, "Password is too short!");
- return res.redirect('/reset-password/'+mail+'/'+token);
- }
- if (!SQL_VERIFY_TOKEN.get(user.user_id, token)) {
- flash(req, "Invalid or expired token!");
- return res.redirect('/reset-password/'+mail);
- }
+ if (!user)
+ return err("User not found.");
+ if (password.length < 4)
+ return err("Password is too short!");
+ if (password.length > 100)
+ return err("Password is too long!");
+ if (!SQL_VERIFY_TOKEN.get(user.user_id, token))
+ return err("Invalid or expired token!");
let salt = crypto.randomBytes(32).toString('hex');
let hash = hash_password(password, salt);
SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);
- return res.redirect('/login');
+ req.session.user_id = user.user_id;
+ return res.redirect('/profile');
});
app.get('/change-password', must_be_logged_in, function (req, res) {
LOG(req, "GET /change-password");
- res.render('change_password.pug', { user: req.user, flash: flash(req) });
+ res.render('change_password.pug', { user: req.user });
});
app.post('/change-password', must_be_logged_in, function (req, res) {
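Review bot: The `err` helper added in `app.post('/reset-password')` ignores its `msg` argument, so "User not found.", "Password is too short!", "Password is too long!" and "Invalid or expired token!" are never shown — the form simply re-renders with no explanation; it should be `res.render('reset_password.pug', { mail: mail, token: token, flash: msg });`. Separately, the forgot-password branch earlier in this hunk renders "User not found." for unknown addresses while known ones are redirected, so the response reveals which mail addresses have accounts; answering both branches with the same redirect to the reset page would remove that distinction, and the reset page could then carry the "token has been sent" notice that the removed flash call used to show. `app.post('/forgot-password')` starts before this hunk and `app.post('/change-password')` continues past it.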
@@ -388,19 +372,15 @@ app.post('/change-password', must_be_logged_in, function (req, res) {
LOG(req, "POST /change-password", req.user.name);
// Get full user record including password and salt
let user = SQL_SELECT_LOGIN_BY_MAIL.get(req.user.mail);
- if (newpass.length < 4) {
- flash(req, "Password is too short!");
- return res.redirect('/change-password');
- }
+ if (newpass.length < 4)
+ return res.render('change_password.pug', { user: req.user, flash: "Password is too short!" });
+ if (newpass.length > 100)
+ return res.render('change_password.pug', { user: req.user, flash: "Password is too long!" });
let oldhash = hash_password(oldpass, user.salt);
- if (oldhash !== user.password) {
- flash(req, "Wrong password.");
- return res.redirect('/change-password');
- }
+ if (oldhash !== user.password)
+ return res.render('change_password.pug', { user: req.user, flash: "Wrong password!" });
let salt = crypto.randomBytes(32).toString('hex');
let hash = hash_password(newpass, salt);
- SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);
- flash(req, "Your password has been updated.");
return res.redirect('/profile');
});
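Review bot: The `SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);` line was removed together with the flash call, so the new side computes `salt` and `hash` and then redirects to `/profile` without ever storing them — a password change now silently has no effect. Restore `SQL_UPDATE_USER_PASSWORD.run(hash, salt, user.user_id);` immediately before `return res.redirect('/profile');`. The same call is still present in the reset-password handler in the previous hunk, which suggests the deletion was accidental rather than intended. `app.post('/change-password')` starts in the previous hunk.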
@@ -422,40 +402,32 @@ app.get('/unsubscribe', must_be_logged_in, function (req, res) {
app.get('/change-name', must_be_logged_in, function (req, res) {
LOG(req, "GET /change-name");
- res.render('change_name.pug', { user: req.user, flash: flash(req) });
+ res.render('change_name.pug', { user: req.user });
});
app.post('/change-name', must_be_logged_in, function (req, res) {
let newname = clean_user_name(req.body.newname);
LOG(req, "POST /change-name", req.user, req.body, newname);
- if (!is_valid_user_name(newname)) {
- flash(req, "Invalid user name!");
- return res.redirect('/change-name');
- }
- if (SQL_EXISTS_USER_NAME.get(newname)) {
- flash(req, "That name is already taken!");
- return res.redirect('/change-name');
- }
+ if (!is_valid_user_name(newname))
+ return res.render('change_name.pug', { user: req.user, flash: "Invalid user name!" });
+ if (SQL_EXISTS_USER_NAME.get(newname))
+ return res.render('change_name.pug', { user: req.user, flash: "That name is already taken!" });
SQL_UPDATE_USER_NAME.run(newname, req.user.user_id);
return res.redirect('/profile');
});
app.get('/change-mail', must_be_logged_in, function (req, res) {
LOG(req, "GET /change-mail");
- res.render('change_mail.pug', { user: req.user, flash: flash(req) });
+ res.render('change_mail.pug', { user: req.user });
});
app.post('/change-mail', must_be_logged_in, function (req, res) {
let newmail = req.body.newmail;
LOG(req, "POST /change-mail", req.user, req.body);
- if (!is_email(newmail)) {
- flash(req, "Invalid mail address!");
- return res.redirect('/change-mail');
- }
- if (SQL_EXISTS_USER_MAIL.get(newmail)) {
- flash(req, "That mail address is already taken!");
- return res.redirect('/change-mail');
- }
+ if (!is_email(newmail))
+ res.render('change_mail.pug', { user: req.user, flash: "Invalid mail address!" });
+ if (SQL_EXISTS_USER_MAIL.get(newmail))
+ res.render('change_mail.pug', { user: req.user, flash: "That mail address is already taken!" });
SQL_UPDATE_USER_MAIL.run(newmail, req.user.user_id);
return res.redirect('/profile');
});
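Review bot: Both validation failures in `app.post('/change-mail')` call `res.render(...)` without `return`, unlike the matching branches in `app.post('/change-name')` just above, so an invalid or already-taken address is rendered as an error and then still written by `SQL_UPDATE_USER_MAIL.run` before `res.redirect` tries to send a second response on the same request, which will most likely fail with a headers-already-sent error. Change them to `return res.render('change_mail.pug', { user: req.user, flash: "Invalid mail address!" });` and `return res.render('change_mail.pug', { user: req.user, flash: "That mail address is already taken!" });`. The two handlers shown are complete within the hunk; `app.get('/unsubscribe')` in the hunk header lies outside it.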
@@ -1040,7 +1012,6 @@ app.get('/create/:title_id', must_be_logged_in, function (req, res) {
title: title,
scenarios: RULES[title_id].scenarios,
create_html: HTML_CREATE[title_id],
- flash: flash(req)
});
});
@@ -1065,16 +1036,12 @@ app.post('/create/:title_id', must_be_logged_in, function (req, res) {
let options = JSON.stringify(req.body, options_json_replacer);
LOG(req, "POST /create/" + req.params.title_id, scenario, options, priv, JSON.stringify(descr));
let count = SQL_COUNT_OPEN_GAMES.get(user_id);
- if (count >= 5) {
- flash(req, "You have too many open games!");
- return res.redirect('/create/'+title_id);
- }
- if (!(title_id in RULES)) {
+ if (count >= 5)
+ return res.send("You have too many open games!");
+ if (!(title_id in RULES))
return res.send("Invalid title.");
- }
- if (!RULES[title_id].scenarios.includes(scenario)) {
+ if (!RULES[title_id].scenarios.includes(scenario))
return res.send("Invalid scenario.");
- }
let info = SQL_INSERT_GAME.run(user_id, title_id, scenario, options, priv ? 1 : 0, rand ? 1 : 0, descr);
res.redirect('/join/'+info.lastInsertRowid);
});
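Review bot: `title_id in RULES`, which this hunk rewrites onto a single line, also matches inherited property names if `RULES` is a plain object, so a URL segment naming one of them passes the check and the following `RULES[title_id].scenarios.includes` throws instead of answering "Invalid title."; `Object.prototype.hasOwnProperty.call(RULES, title_id)` makes the check exact. The open-game count is also consulted before the title and scenario are validated, so swapping the order would reject malformed requests before the database lookup. `app.post('/create/:title_id')` starts before this hunk.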
@@ -1123,8 +1090,7 @@ app.get('/rematch/:old_game_id/:role', must_be_logged_in, function (req, res) {
new_game_id = SQL_SELECT_REMATCH.get(magic);
if (new_game_id)
return join_rematch(req, res, new_game_id, role);
- flash(req, "Can't create or find rematch game!");
- return res.redirect('/join/'+old_game_id);
+ return res.status(404).send("Can't create or find rematch game!");
});
let join_clients = {};
@@ -1184,7 +1150,6 @@ app.get('/join/:game_id', must_be_logged_in, function (req, res) {
roles: roles,
players: players,
ready: ready,
- flash: flash(req)
});
});
diff --git a/views/change_mail.pug b/views/change_mail.pug
index 32b399d..d244e98 100644
--- a/views/change_mail.pug
+++ b/views/change_mail.pug
@@ -10,6 +10,7 @@ html
h1 Change mail address
if flash
p.error= flash
+
form(method="post" action="/change-mail")
p Name: #{user.name}
p Mail: #{user.mail}
diff --git a/views/change_name.pug b/views/change_name.pug
index ebf5dc6..03763ac 100644
--- a/views/change_name.pug
+++ b/views/change_name.pug
@@ -10,6 +10,7 @@ html
h1 Change name
if flash
p.error= flash
+
form(method="post" action="/change-name")
p Name: #{user.name}
p Mail: #{user.mail}
diff --git a/views/create.pug b/views/create.pug
index a736dbe..7aa53f3 100644
--- a/views/create.pug
+++ b/views/create.pug
@@ -10,8 +10,6 @@ html
include header
article
h1= title.title_name
- if flash
- p.error= flash
a(href="/info/"+title.title_id): img.logo(src="/"+title.title_id+"/cover.jpg")
diff --git a/views/index.pug b/views/index.pug
index db6fcdc..ab5cdc9 100644
--- a/views/index.pug
+++ b/views/index.pug
@@ -29,8 +29,6 @@ html
include header
article
h1 Rally the Troops!
- if flash
- p.error= flash
p Rally the Troops! is a website where you can play historic games with other players.
diff --git a/views/join.pug b/views/join.pug
index 8a04ad6..101afdf 100644
--- a/views/join.pug
+++ b/views/join.pug
@@ -21,10 +21,6 @@ html
include header
article
h1= game.title_name
- if flash
- p.error#error= flash
- else
- p.error#error
a(href="/info/"+game.title_id): img.logo(src="/"+game.title_id+"/cover.jpg")
diff --git a/views/login.pug b/views/login.pug
index 391debe..88d75fe 100644
--- a/views/login.pug
+++ b/views/login.pug
@@ -15,6 +15,7 @@ html
p You're already logged in!
else
form(method="post" action="/login")
+ input(type="hidden" name="redirect" value=redirect)
p
label Name or mail:
br