Use async bcrypt operations and clarify SQL placeholder construction
This commit is contained in:
parent
633b0a79a0
commit
c46fc7960d
|
|
@ -30,7 +30,12 @@ router.post('/register', (req, res) => {
|
||||||
return res.status(409).json({ success: false, message: "Username is already taken" });
|
return res.status(409).json({ success: false, message: "Username is already taken" });
|
||||||
}
|
}
|
||||||
|
|
||||||
const hash = bcrypt.hashSync(password, 10);
|
bcrypt.hash(password, 10, (err, hash) => {
|
||||||
|
if (err) {
|
||||||
|
console.error('Failed to hash password:', err.message);
|
||||||
|
return res.status(500).json({ success: false, message: "Internal server error" });
|
||||||
|
}
|
||||||
|
|
||||||
db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) {
|
db.run(`INSERT INTO users (username, password) VALUES (?, ?)`, [username, hash], function (err) {
|
||||||
if (err) {
|
if (err) {
|
||||||
console.error('Failed to create user:', err.message);
|
console.error('Failed to create user:', err.message);
|
||||||
|
|
@ -43,6 +48,7 @@ router.post('/register', (req, res) => {
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
router.post('/login', (req, res) => {
|
router.post('/login', (req, res) => {
|
||||||
const { username, password } = req.body || {};
|
const { username, password } = req.body || {};
|
||||||
|
|
@ -57,7 +63,17 @@ router.post('/login', (req, res) => {
|
||||||
return res.status(500).json({ success: false, message: "Internal server error" });
|
return res.status(500).json({ success: false, message: "Internal server error" });
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!user || !bcrypt.compareSync(password, user.password)) {
|
if (!user) {
|
||||||
|
return res.status(401).json({ success: false, message: "Invalid username or password" });
|
||||||
|
}
|
||||||
|
|
||||||
|
bcrypt.compare(password, user.password, (err, matches) => {
|
||||||
|
if (err) {
|
||||||
|
console.error('Failed to verify password:', err.message);
|
||||||
|
return res.status(500).json({ success: false, message: "Internal server error" });
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!matches) {
|
||||||
return res.status(401).json({ success: false, message: "Invalid username or password" });
|
return res.status(401).json({ success: false, message: "Invalid username or password" });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -66,6 +82,7 @@ router.post('/login', (req, res) => {
|
||||||
res.json({ success: true, user: { id: user.id, username: user.username } });
|
res.json({ success: true, user: { id: user.id, username: user.username } });
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
});
|
||||||
|
|
||||||
router.post('/logout', (req, res) => {
|
router.post('/logout', (req, res) => {
|
||||||
req.session.destroy((err) => {
|
req.session.destroy((err) => {
|
||||||
|
|
|
||||||
|
|
@ -105,6 +105,7 @@ router.delete('/places/:placeId', loadOwnedPlace, (req, res) => {
|
||||||
const apIds = accessPoints.map(ap => ap.id);
|
const apIds = accessPoints.map(ap => ap.id);
|
||||||
const deleteAclAndAp = (cb) => {
|
const deleteAclAndAp = (cb) => {
|
||||||
if (apIds.length === 0) return cb();
|
if (apIds.length === 0) return cb();
|
||||||
|
// Build a `?` placeholder per id so all values stay parameterized; apIds never contains raw user input here.
|
||||||
const placeholders = apIds.map(() => '?').join(',');
|
const placeholders = apIds.map(() => '?').join(',');
|
||||||
db.run(`DELETE FROM acl WHERE accessPoint IN (${placeholders})`, apIds, (err) => {
|
db.run(`DELETE FROM acl WHERE accessPoint IN (${placeholders})`, apIds, (err) => {
|
||||||
if (err) return cb(err);
|
if (err) return cb(err);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue