From b4c3edcd5965c22ca882babc6ae51fff38d727e4 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Tue, 3 Sep 2019 19:27:02 -0400
Subject: [PATCH 1/2] Allowed set username to be used by the admin to change any username.
---
 index.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 93ff897..a82b8b6 100644
--- a/index.js
+++ b/index.js
@@ -291,14 +291,27 @@ app.post('/api/setUsername', function (req, res) {
 let userID = req.query.userID;
 let userName = req.query.username;
+ let adminUserIDInput = req.query.adminUserID;
+
 if (userID == undefined || userName == undefined || userID === "undefined") {
 //invalid request
 res.sendStatus(400);
 return;
 }
- //hash the userID
- userID = getHash(userID);
+ if (adminUserIDInput != undefined) {
+ //this is the admin controlling the other users account, don't hash the controling account's ID
+ adminUserIDInput = getHash(adminUserIDInput);
+
+ if (adminUserIDInput != adminUserID) {
+ //they aren't the admin
+ res.sendStatus(403);
+ return;
+ }
+ } else {
+ //hash the userID
+ userID = getHash(userID);
+ }
 //check if username is already set
 db.prepare("SELECT count(*) as count FROM userNames WHERE userID = ?").get(userID, function(err, row) {
From 347ae87b1243f9831f858c6246283497274ffb1a Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 4 Sep 2019 13:18:47 -0400
Subject: [PATCH 2/2] Added config file.
---
 .gitignore | 5 ++++-
 config.json.example | 5 +++++
 index.js | 12 ++++++------
 3 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 config.json.example
diff --git a/.gitignore b/.gitignore
index d50513a..7de7642 100644
--- a/.gitignore
+++ b/.gitignore
@@ -89,4 +89,7 @@ typings/
 # Databases
 databases/sponsorTimes.db
-databases/private.db
\ No newline at end of file
+databases/private.db
+
+# Config files
+config.json
\ No newline at end of file
diff --git a/config.json.example b/config.json.example
new file mode 100644
index 0000000..b988c6a
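Review bot: The gate on the admin path, `if (adminUserIDInput != adminUserID)`, compares a hash string with loose equality, and the branch guard `if (adminUserIDInput != undefined)` relies on the same coercing operator; `!==` for the hash comparison (and `== null` only where null and undefined are both meant) makes the intent explicit, and since this comparison alone grants the right to rename any account, a constant-time compare (`crypto.timingSafeEqual` on equal-length buffers, if `crypto` is already required for getHash) is the safer form. In the admin branch `userID` is passed on exactly as supplied, on the apparent assumption that the admin sends the already-hashed id of the target account, but nothing in the hunk documents or checks that; a comment such as `// when adminUserID is present, userID must be the stored (hashed) id of the target account` above the branch would make the contract visible to the next reader. The enclosing `/api/setUsername` handler starts before this hunk and continues after it.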
--- /dev/null
+++ b/config.json.example
@@ -0,0 +1,5 @@
+{
+ "globalSalt": "[global salt (pepper) that is added to every ip before hashing to make it even harder for someone to decode the ip]",
+ "adminUserID": "[the hashed id of the user who can perform admin actions]",
+ "behindProxy": true
+}
\ No newline at end of file
diff --git a/index.js b/index.js
index a82b8b6..dbabfe8 100644
--- a/index.js
+++ b/index.js
@@ -1,4 +1,5 @@
 var express = require('express');
+var fs = require('fs');
 var http = require('http');
 // Create a service (the app object is just a callback).
 var app = express();
@@ -15,14 +16,13 @@ var privateDB = new sqlite3.Database('./databases/private.db');
 // Create an HTTP service.
 http.createServer(app).listen(80);
-//global salt that is added to every ip before hashing to
-// make it even harder for someone to decode the ip
-var globalSalt = "49cb0d52-1aec-4b89-85fc-fab2c53062fb";
-//this is the user that can add shadow bans
-var adminUserID = "7b89ea26f77bda8176e655eee86029f28c1e6514b6d6e3450bce362b5b126ca3";
+let config = JSON.parse(fs.readFileSync('config.json'));
+
+var globalSalt = config.globalSalt;
+var adminUserID = config.adminUserID;
 //if so, it will use the x-forwarded header instead of the ip address of the connection
-var behindProxy = true;
+var behindProxy = config.behindProxy;
 //setup CORS correctly
 app.use(function(req, res, next) {
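Review bot: `let config = JSON.parse(fs.readFileSync('config.json'));` resolves the path against the process working directory rather than the module, so starting the service from any other directory fails with an ENOENT from readFileSync, and a config.json that parses but omits keys silently leaves `globalSalt`, `adminUserID` or `behindProxy` as `undefined` where the removed lines previously guaranteed a value. Resolving relative to the file and failing fast on the required keys keeps that guarantee: `var path = require('path');`, `let config = JSON.parse(fs.readFileSync(path.join(__dirname, 'config.json'), 'utf8'));`, `if (config.globalSalt == undefined || config.adminUserID == undefined) throw new Error('config.json must define globalSalt and adminUserID');`. The removed `globalSalt` and `adminUserID` literals remain in repository history, so moving them into config.json only helps if the deployed values differ from the committed ones; per the example file the salt is mixed into every IP before hashing, so changing it presumably invalidates existing hashes and is a deliberate decision. The first hunk of this file, which adds the `fs` require, needs no change.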