diff --git a/routes/auth.js b/routes/auth.js index 275ebda..e7a84b3 100644 --- a/routes/auth.js +++ b/routes/auth.js @@ -30,16 +30,22 @@ router.post('/register', (req, res) => { return res.status(409).json({ success: false, message: "Username is already taken" }); } - const hash = bcrypt.hashSync(password, 10); - db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) { + bcrypt.hash(password, 10, (err, hash) => { if (err) { - console.error('Failed to create user:', err.message); + console.error('Failed to hash password:', err.message); return res.status(500).json({ success: false, message: "Internal server error" }); } - req.session.userId = this.lastID; - req.session.username = username; - res.json({ success: true, user: { id: this.lastID, username } }); + db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) { + if (err) { + console.error('Failed to create user:', err.message); + return res.status(500).json({ success: false, message: "Internal server error" }); + } + + req.session.userId = this.lastID; + req.session.username = username; + res.json({ success: true, user: { id: this.lastID, username } }); + }); }); }); }); @@ -57,13 +63,24 @@ router.post('/login', (req, res) => { return res.status(500).json({ success: false, message: "Internal server error" }); } - if (!user || !bcrypt.compareSync(password, user.password)) { + if (!user) { return res.status(401).json({ success: false, message: "Invalid username or password" }); } - req.session.userId = user.id; - req.session.username = user.username; - res.json({ success: true, user: { id: user.id, username: user.username } }); + bcrypt.compare(password, user.password, (err, matches) => { + if (err) { + console.error('Failed to verify password:', err.message); + return res.status(500).json({ success: false, message: "Internal server error" }); + } + + if (!matches) { + return res.status(401).json({ success: false, message: "Invalid username or password" }); + } + + req.session.userId = user.id; + req.session.username = user.username; + res.json({ success: true, user: { id: user.id, username: user.username } }); + }); }); }); diff --git a/routes/dashboard.js b/routes/dashboard.js index 1cf7b2f..8676ed2 100644 --- a/routes/dashboard.js +++ b/routes/dashboard.js @@ -105,6 +105,7 @@ router.delete('/places/:placeId', loadOwnedPlace, (req, res) => { const apIds = accessPoints.map(ap => ap.id); const deleteAclAndAp = (cb) => { if (apIds.length === 0) return cb(); + // Build a `?` placeholder per id so all values stay parameterized; apIds never contains raw user input here. const placeholders = apIds.map(() => '?').join(','); db.run(`DELETE FROM acl WHERE accessPoint IN (${placeholders})`, apIds, (err) => { if (err) return cb(err);