New release 1.0.4

Added Logout, some fixes
Added user management
2025-10-07 23:06:54 +02:00 · 2025-10-07 23:06:32 +02:00 · 2025-10-04 13:40:30 +02:00 · 2025-10-03 11:41:58 +02:00 · 2025-10-03 11:41:30 +02:00
10 changed files with 388 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -138,3 +138,8 @@ dist
 # Vite logs files
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
+
+
+# user files
+
+/responses
--- a/index.js
+++ b/index.js
@@ -4,9 +4,11 @@ import express from "express";
 import expressWs from "express-ws";
 import morgan from "morgan";
 import cookieParser from "cookie-parser";
+import cors from "cors";
 import { initWebsocket } from "./src/websocket.js";
 import { initAuth } from "./src/auth.js";
 import { close as closeDbConnection, initDbConnection, db } from "./src/db.js";
+import { initUsers } from "./src/user.js";
 const app = express();
 const appWs = expressWs(app);
 const port = 12345;
@@ -17,6 +19,7 @@ process.on('exit', function() {
  closeDbConnection();
 });

+app.use(cors({credentials: true, origin: process.env.JEOPARDY_URL}));
 app.use(morgan(process.env.production ? 'common' : 'dev'));
 app.use(express.json());
 app.use(cookieParser());
@@ -24,6 +27,7 @@ app.use(cookieParser());
 await initDbConnection();

 initAuth(app, db);
+initUsers(app, db);
 initWebsocket(app);

 app.listen(port, () => {
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,16 +1,17 @@
 {
  "name": "jeopardyserver",
-  "version": "1.0.1",
+  "version": "1.0.4",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "jeopardyserver",
-      "version": "1.0.1",
+      "version": "1.0.4",
      "license": "ISC",
      "dependencies": {
        "@types/express": "^5.0.3",
        "cookie-parser": "^1.4.7",
+        "cors": "^2.8.5",
        "dotenv": "^17.2.3",
        "express": "^5.1.0",
        "express-ws": "^5.0.2",
@@ -298,6 +299,19 @@
        "node": ">=6.6.0"
      }
    },
+    "node_modules/cors": {
+      "version": "2.8.5",
+      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz",
+      "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==",
+      "license": "MIT",
+      "dependencies": {
+        "object-assign": "^4",
+        "vary": "^1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
    "node_modules/debug": {
      "version": "4.4.3",
      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
@@ -834,6 +848,15 @@
        "node": ">= 0.6"
      }
    },
+    "node_modules/object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/object-inspect": {
      "version": "1.13.4",
      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "jeopardyserver",
-  "version": "1.0.1",
+  "version": "1.0.4",
  "description": "",
  "license": "ISC",
  "author": "",
@@ -13,6 +13,7 @@
  "dependencies": {
    "@types/express": "^5.0.3",
    "cookie-parser": "^1.4.7",
+    "cors": "^2.8.5",
    "dotenv": "^17.2.3",
    "express": "^5.1.0",
    "express-ws": "^5.0.2",
--- a/requests/auth.http
+++ b/requests/auth.http
@@ -6,5 +6,9 @@ content-type: application/json

 {
    "username": "jonas",
-    "password": "kappa"
+    "password": "paula"
 }
+
+###
+
+GET {{url}}/auth HTTP/1.1
--- a/requests/user.http
+++ b/requests/user.http
@@ -0,0 +1,55 @@
+@url = http://{{host}}:{{port}}
+
+PUT {{url}}/admin/user HTTP/1.1
+Content-Type: application/json
+
+{
+    "username": "Paula"
+}
+
+###
+
+GET {{url}}/admin/user/list HTTP/1.1
+
+###
+
+POST {{url}}/admin/user/resetpw HTTP/1.1
+Content-Type: application/json
+
+{
+    "userid": "68e1058faf78b3aabbdfe8dc"
+}
+
+###
+
+GET {{url}}/admin/roles HTTP/1.1
+
+###
+
+POST {{url}}/admin/user/changerole HTTP/1.1
+Content-Type: application/json
+
+{
+    "userid": "68e0efc6e4ac740114d8fc9d",
+    "role": "default"
+}
+
+###
+
+POST {{url}}/user/changepw HTTP/1.1
+Content-Type: application/json
+
+{
+    "old": "DkgnWspm4To2ww==",
+    "new": "Kolata"
+}
+
+
+###
+
+DELETE {{url}}/admin/user HTTP/1.1
+Content-Type: application/json
+
+{
+    "userid": "68e0f66a7b5795e3704501cf"
+}
--- a/src/auth.js
+++ b/src/auth.js
@@ -1,23 +1,36 @@
-import { createHash, pbkdf2Sync, randomBytes } from "node:crypto";
+import { createUser, generateHash, updateSessionToken } from "./userHelper.js";

 let db;
 let users;

 export function initAuth(app, db) {
    app.use(checkSessionToken);
+    app.use('/admin', checkAuthorization('admin'));
    users = db.collection('users');
+    app.get('/auth', getUserInfo);
    app.post('/auth/login', loginUser);
 }

+async function getUserInfo(req, res) {
+    // const sessiontoken = await updateSessionToken(users, req.user._id);
+
+    // setTokenCookie(res, sessiontoken);
+
+    res.status(200).send({
+        username: req.user.username,
+        role: req.user.role,
+        _id: req.user._id
+    });
+}
+
 async function checkSessionToken(req, res, next) {
-    
    if (req.path.startsWith("/auth/")) {
        next();
        return;
    }

    const token = req.cookies.jeopardytoken;
-    
+
    let user = await users.findOne({sessiontoken: token});

    if (user === null) {
@@ -27,80 +40,75 @@ async function checkSessionToken(req, res, next) {

    req.user = {
        role: user.role,
-        username: user.username
+        username: user.username,
+        _id: user._id
    }

    next();
 }

+function checkAuthorization(role) {
+    return (req, res, next) => {        
+        if (req.user === undefined) {
+            res.status(403).send();
+            return;
+        }
+
+        if (req.user.role === role) {
+            next();
+        } else {
+            res.status(403).send();
+        }
+    }
+}
+
 async function loginUser(req, res) {
    const username = req.body.username;
    const password = req.body.password;

    let userCount = await users.estimatedDocumentCount();
-    let sessiontoken = null;
+    let userobj = null;
    if (userCount <= 0) {
        // create first user
-        sessiontoken = await createUser(username, password, 'admin');
+        userobj = await createUser(users, username, password, 'admin', true);
    } else {
        // authenticate user
-        sessiontoken = await authenticateUser(username, password);
+        userobj = await authenticateUser(username, password);
    }

-    if (sessiontoken !== null) {
-        const expires = new Date();
-        expires.setDate(expires.getDate() + 1);
+    if (userobj !== null) {
+        setTokenCookie(res, userobj.sessiontoken);

-        res.cookie('jeopardytoken', sessiontoken, {
-            maxAge: 1e3 * 60 * 60 * 24
-        })
-
-        res.status(200).send(username);
+        res.status(200).send({username: userobj.username, role: userobj.role, _id: userobj._id});
    } else {
        res.sendStatus(403);
    }
 }

-async function createUser(username, password, role) {
-    const salt = randomBytes(128).toString('base64');
-    const iterations = Math.floor(Math.random() * 5000) + 5000;
-    const hash = generateHash(password, salt, iterations);
-
-    const sessiontoken = generateSessionToken();
-
-    await users.insertOne({
-        username,
-        role,
-        salt,
-        iterations,
-        hash,
-        sessiontoken
-    });
-
-    return sessiontoken;
-}
-
-async function authenticateUser(username, password) {
+export async function authenticateUser(username, password, updateSession = true) {
    let foundUser = await users.findOne({username});
    if (foundUser === null) return null;

    const hash = generateHash(password, foundUser.salt, foundUser.iterations);

    if (hash === foundUser.hash) {
-        const sessiontoken = generateSessionToken();
-        await users.updateOne({_id: foundUser._id}, {$set: {
-            sessiontoken
-        }});
-        return sessiontoken;
+        if (updateSession) {
+            let sessiontoken =  await updateSessionToken(users, foundUser._id);
+            return {sessiontoken, username, role: foundUser.role, _id: foundUser._id};
+        } else {
+            return {sessiontoken: foundUser.sessiontoken, username, role: foundUser.role, _id: foundUser._id};
+        }
    }

    return null;
 }

-function generateSessionToken() {
-    return randomBytes(128).toString('base64');
-}
+function setTokenCookie(res, sessiontoken) {
+    const expires = new Date();
+    expires.setDate(expires.getDate() + 1);

-function generateHash(password, salt, iterations) {
-    return pbkdf2Sync(password, salt, iterations, 128, 'sha512').toString('hex');
+    res.cookie('jeopardytoken', sessiontoken, {
+        maxAge: 1e3 * 60 * 60 * 24 * 7,
+        path: "/"
+    })
 }
--- a/src/roles.js
+++ b/src/roles.js
@@ -0,0 +1,12 @@
+export const roles = [
+    "admin",
+    "default"
+]
+
+/**
+ * 
+ * @param {string} newrole 
+ */
+export function isValidRole(newrole) {
+    return roles.includes(newrole);
+}
--- a/src/user.js
+++ b/src/user.js
@@ -0,0 +1,151 @@
+import { ObjectId } from "mongodb";
+import { createUser as userHelperCreateUser, generateSessionToken, updatePassword, userExists } from "./userHelper.js";
+import { isValidRole, roles } from "./roles.js";
+import { authenticateUser } from "./auth.js";
+
+let db;
+let users;
+
+export function initUsers(app, db) {
+    users = db.collection('users');
+    app.put('/admin/user', createUser);
+    app.delete('/admin/user', deleteUser);
+    app.get('/admin/user/list', userlist);
+    app.post('/admin/user/resetpw', resetpassword);
+    app.post('/admin/user/changerole', changerole);
+    app.get('/admin/roles', getRoles);
+    app.post('/user/changepw', changePassword);
+    app.post('/user/logout', logoutUser);
+}
+
+async function createUser(req, res) {
+    const username = req.body.username;
+
+    if (username.length <= 0) {
+        res.status(400).send();
+        return;
+    }
+
+    // check if user exists
+    let foundUser = await users.findOne({username});
+
+    if (foundUser !== null) {
+        res.status(400).send();
+        return;
+    }
+
+    const password = generateSessionToken(10);
+
+    const userobj = await userHelperCreateUser(users, username, password, 'default', false);
+
+    res.status(200).send({
+        username: userobj.username,
+        role: userobj.role,
+        _id: userobj._id,
+        password
+    });
+}
+
+async function deleteUser(req, res) {
+    /** @type {string} */
+    const userid = req.body.userid;
+    const _id = new ObjectId(userid);
+
+    if (userid === req.user._id.toString()) {
+        console.log("Cant delete yourself");
+        res.status(400).send();
+        return;
+    }
+
+    const foundUser = userExists(res, users, _id);
+    if (foundUser === null) return;
+
+    await users.deleteOne({_id});
+
+    res.status(200).send();
+}
+
+async function userlist(req, res) {
+    const result = await users.find().project({
+            username: 1,
+            role: 1
+        }).toArray();
+
+    res.status(200).send(result);
+}
+
+async function resetpassword(req, res) {
+    /** @type {string} */
+    const userid = req.body.userid;
+    const _id = new ObjectId(userid);
+
+    const foundUser = userExists(res, users, _id);
+    if (foundUser === null) return;
+
+    const password = generateSessionToken(10);
+
+    await updatePassword(users, _id, password, false);
+    res.status(200).send({
+        _id: userid,
+        username: foundUser.username,
+        role: foundUser.role,
+        password
+    });
+}
+
+async function changerole(req, res) {
+    /** @type {string} */
+    const userid = req.body.userid;
+    const _id = new ObjectId(userid);
+    const newrole = req.body.role;
+
+    if (!isValidRole(newrole)) {
+        res.status(400).send("No valid role");
+        return;
+    }
+
+    const foundUser = await userExists(res, users, _id);
+    if (foundUser === null) return;
+
+    await users.updateOne({_id}, {
+        $set: {
+            role: newrole
+        }
+    });
+
+    res.status(200).send({
+        _id,
+        username: foundUser.username,
+        role: newrole
+    });
+}
+
+function getRoles(req, res) {
+    res.status(200).send(roles);
+}
+
+async function changePassword(req, res) {
+    const oldpassword = req.body.old;
+    const newpassword = req.body.new;
+
+    const userobj = await authenticateUser(req.user.username, oldpassword, false);
+
+    if (userobj === null) {
+        res.status(400).send();
+        return;
+    }
+
+    await updatePassword(users, req.user._id, newpassword, false);
+
+    res.status(200).send();
+}
+
+async function logoutUser(req, res) {
+    await users.updateOne({_id: req.user._id}, {
+        $set: {
+            sessiontoken: ""
+        }
+    });
+
+    res.status(200).send();
+}
--- a/src/userHelper.js
+++ b/src/userHelper.js
@@ -0,0 +1,76 @@
+import { pbkdf2Sync, randomBytes } from "node:crypto";
+
+export async function createUser(collection, username, password, role, withSession = true) {
+    const {salt, iterations, hash} = createHash(password);
+
+    let sessiontoken = "";
+    if (withSession) {
+        sessiontoken = generateSessionToken();
+    }
+
+    const result = await collection.insertOne({
+        username,
+        role,
+        salt,
+        iterations,
+        hash,
+        sessiontoken
+    });
+
+    return {sessiontoken, username, role, _id: result.insertedId};
+}
+
+export async function updatePassword(collection, _id, password, keepSession = true) {
+    const {salt, iterations, hash} = createHash(password);
+
+    if (keepSession) {
+        await collection.updateOne({_id}, {$set: {
+            salt,
+            iterations,
+            hash
+        }});
+    } else {
+        await collection.updateOne({_id}, {$set: {
+            salt,
+            iterations,
+            hash,
+            sessiontoken: ""
+        }});
+    }
+}
+
+export function generateSessionToken(length = 128, encoding = 'base64') {
+    return randomBytes(length).toString(encoding);
+}
+
+export function generateHash(password, salt, iterations) {
+    return pbkdf2Sync(password, salt, iterations, 128, 'sha512').toString('hex');
+}
+
+export async function updateSessionToken(collection, _id) {
+    const sessiontoken = generateSessionToken();
+    await collection.updateOne({_id: _id}, {$set: {
+        sessiontoken
+    }});
+    return sessiontoken;
+}
+
+export async function userExists(res, collection, _id) {
+    const foundUser = await collection.findOne({_id});
+
+    if (foundUser === null) {
+        res.status(400).send();
+    }
+
+    return foundUser;
+}
+
+function createHash(password) {
+    const salt = randomBytes(128).toString('base64');
+    const iterations = Math.floor(Math.random() * 5000) + 5000;
+    const hash = generateHash(password, salt, iterations);
+
+    return {
+        salt, hash, iterations
+    }
+}
Author	SHA1	Message	Date
Jonas Kappa	ba6d8eeffc	New release 1.0.4	2025-10-07 23:06:54 +02:00
Jonas Kappa	4ccdbfc8a4	Added Logout, some fixes	2025-10-07 23:06:32 +02:00
Jonas Kappa	34696a1fc8	Added user management	2025-10-04 13:40:30 +02:00
Jonas Kappa	a197d9bd3b	Bump version to 1.0.2	2025-10-03 11:41:58 +02:00
Jonas Kappa	91cdc9e08a	Updated login	2025-10-03 11:41:30 +02:00