diff --git a/index.js b/index.js index 8a9ddc2..1fe6256 100644 --- a/index.js +++ b/index.js @@ -92,6 +92,9 @@ app.get('/api/postVideoSponsorTimes', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //x-forwarded-for if this server is behind a proxy let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress; @@ -156,6 +159,9 @@ app.get('/api/voteOnSponsorTime', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //check if vote has already happened db.prepare("SELECT type FROM votes WHERE userID = ? AND UUID = ?").get(userID, UUID, function(err, row) { if (err) console.log(err); @@ -236,16 +242,19 @@ app.get('/api/getViewsForUser', function (req, res) { return; } + //hash the userID + userID = getHashedUserID(userID); + //up the view count by one db.prepare("SELECT SUM(views) as viewCount FROM sponsorTimes WHERE userID = ?").get(userID, function(err, row) { if (err) console.log(err); - if (row != null) { + if (row.viewCount != null) { res.send({ viewCount: row.viewCount }); } else { - res.send(404); + res.sendStatus(404); } }); }); @@ -254,6 +263,17 @@ app.get('/database.db', function (req, res) { res.sendFile("./databases/sponsorTimes.db", { root: __dirname }); }); +function getHashedUserID(userID) { + //hash the userID so no one can get it from the database + let hashedUserID = userID; + //hash it 5000 times, this makes it very hard to brute force + for (let i = 0; i < 5000; i++) { + let hashCreator = crypto.createHash('sha512'); + hashedUserID = hashCreator.update(hashedUserID).digest('hex'); + } + + return hashedUserID; +} //This function will find sponsor times that are contained inside of eachother, called similar sponsor times //Only one similar time will be returned, randomly generated based on the sqrt of votes.