Merge pull request #6 from ajayyy/experimental

Added hashing to userIDs and changed up how the UUID is created
2025-12-14 15:37:07 +03:00 · 2019-07-25 16:59:36 -04:00
parent c59372dd62 abfbba2ad0
commit 51efb9a5c1
1 changed files with 34 additions and 4 deletions
--- a/index.js
+++ b/index.js
@@ -92,6 +92,9 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
        return;
    }

+    //hash the userID
+    userID = getHashedUserID(userID);
+
    //x-forwarded-for if this server is behind a proxy
    let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;

@@ -99,14 +102,24 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
    let hashedIP = ip + globalSalt;
    //hash it 5000 times, this makes it very hard to brute force
    for (let i = 0; i < 5000; i++) {
-        let hashCreator = crypto.createHash('sha512');
+        let hashCreator = crypto.createHash('sha256');
        hashedIP = hashCreator.update(hashedIP).digest('hex');
    }

    startTime = parseFloat(startTime);
    endTime = parseFloat(endTime);

-    let UUID = uuidv1();
+    if (startTime > endTime) {
+        //time can't go backwards
+        res.sendStatus(400);
+        return;
+    }
+
+    //this can just be a hash of the data
+    //it's better than generating an actual UUID like what was used before
+    //also better for duplication checking
+    let hashCreator = crypto.createHash('sha256');
+    let UUID = hashCreator.update(videoID + startTime + endTime + userID).digest('hex');

    //get current time
    let timeSubmitted = Date.now();
@@ -156,6 +169,9 @@ app.get('/api/voteOnSponsorTime', function (req, res) {
        return;
    }

+    //hash the userID
+    userID = getHashedUserID(userID);
+
    //check if vote has already happened
    db.prepare("SELECT type FROM votes WHERE userID = ? AND UUID = ?").get(userID, UUID, function(err, row) {
        if (err) console.log(err);
@@ -236,16 +252,19 @@ app.get('/api/getViewsForUser', function (req, res) {
        return;
    }

+    //hash the userID
+    userID = getHashedUserID(userID);
+
    //up the view count by one
    db.prepare("SELECT SUM(views) as viewCount FROM sponsorTimes WHERE userID = ?").get(userID, function(err, row) {
        if (err) console.log(err);

-        if (row != null) {
+        if (row.viewCount != null) {
            res.send({
                viewCount: row.viewCount
            });
        } else {
-            res.send(404);
+            res.sendStatus(404);
        }
    });
 });
@@ -254,6 +273,17 @@ app.get('/database.db', function (req, res) {
    res.sendFile("./databases/sponsorTimes.db", { root: __dirname });
 });

+function getHashedUserID(userID) {
+    //hash the userID so no one can get it from the database
+    let hashedUserID = userID;
+    //hash it 5000 times, this makes it very hard to brute force
+    for (let i = 0; i < 5000; i++) {
+        let hashCreator = crypto.createHash('sha256');
+        hashedUserID = hashCreator.update(hashedUserID).digest('hex');
+    }
+
+    return hashedUserID;
+}

 //This function will find sponsor times that are contained inside of eachother, called similar sponsor times
 //Only one similar time will be returned, randomly generated based on the sqrt of votes.