From 16b2b22bc0f4f47c8ec299790d021b5ac45b7828 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 19:25:49 -0400
Subject: [PATCH 1/7] Added support for receiving a userID
---
 index.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/index.js b/index.js
index 0a9cc58..2632892 100644
--- a/index.js
+++ b/index.js
@@ -53,8 +53,9 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let videoID = req.query.videoID;
 let startTime = req.query.startTime;
 let endTime = req.query.endTime;
+ let userID = req.query.userID;
- if (typeof videoID != 'string' || startTime == undefined || endTime == undefined) {
+ if (typeof videoID != 'string' || startTime == undefined || endTime == undefined || userID == undefined) {
 //invalid request
 res.sendStatus(400);
 return;
@@ -65,7 +66,7 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let UUID = uuidv1();
- db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?)").run(videoID, startTime, endTime, UUID);
+ db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID);
 res.sendStatus(200);
 });
From 05da836384fd0a883a9876c719c365d81286bd47 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 22:00:28 -0400
Subject: [PATCH 2/7] Made the server save a hash of their ip with the data.
---
 index.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 2632892..2ae4ab2 100644
--- a/index.js
+++ b/index.js
@@ -7,6 +7,10 @@ var app = express();
 //uuid service
 var uuidv1 = require('uuid/v1');
+//hashing service
+var crypto = require('crypto');
+var hash = crypto.createHash('sha256');
+
 //load database
 var sqlite3 = require('sqlite3').verbose();
 var db = new sqlite3.Database('./databases/sponsorTimes.db');
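Review bot: In PATCH 1/7, hunk `@@ -53,8 +53,9 @@`, the new `userID` is only compared against `undefined`, while `videoID` in the same condition gets a `typeof` check. Express's query parser can return an array or an object for a repeated or bracketed parameter, so a non-string value can pass this test and reach the INSERT in the next hunk. Testing `typeof userID != 'string'` would keep the stored identifier to one predictable type. The handler's body starts and ends outside this hunk.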
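Review bot: In PATCH 1/7, hunk `@@ -65,7 +66,7 @@`, the outcome of the INSERT is never checked: `.run(...)` is given no callback and `res.sendStatus(200)` follows unconditionally, so a failed write is reported to the client as success. The statement is also positional, so it depends on the table's column count and order, which this series changes again in the INSERT hunks of PATCH 2/7 and 5/7 and carries into the moved INSERT of 4/7 and 7/7. Passing a callback, for example `.run(videoID, startTime, endTime, UUID, userID, function (err) { res.sendStatus(err ? 500 : 200); });`, and naming the columns in the INSERT would surface a schema mismatch instead of hiding it.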
@@ -55,6 +59,12 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let endTime = req.query.endTime;
 let userID = req.query.userID;
+ //x-forwarded-for if this server is behind a proxy
+ let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+
+ //hash the ip so no one can get it from the database
+ let hashedIP = hash.update(ip).digest('hex');
+
 if (typeof videoID != 'string' || startTime == undefined || endTime == undefined || userID == undefined) {
 //invalid request
 res.sendStatus(400);
@@ -66,7 +76,7 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let UUID = uuidv1();
- db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID);
+ db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP);
 res.sendStatus(200);
 });
From a2889925e70c20ea651f3d5ad724d5d0604be7bc Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 22:07:39 -0400
Subject: [PATCH 3/7] Added global salt for hashed ips
---
 index.js | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/index.js b/index.js
index 2ae4ab2..cce8ebb 100644
--- a/index.js
+++ b/index.js
@@ -18,6 +18,10 @@ var db = new sqlite3.Database('./databases/sponsorTimes.db');
 // Create an HTTP service.
 http.createServer(app).listen(80);
+//global salt that is added to every ip before hashing to
+// make it even harder for someone to decode the ip
+var globalSalt = "49cb0d52-1aec-4b89-85fc-fab2c53062fb";
+
 //setup CORS correctly
 app.use(function(req, res, next) {
 res.header("Access-Control-Allow-Origin", "*");
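Review bot: In PATCH 2/7, hunk `@@ -55,6 +59,12 @@`, `req.headers['x-forwarded-for']` is preferred whenever it is present, but that header is set by the client unless a proxy in front of the server overwrites it, and it may hold a comma-separated list. The value that gets hashed and stored is therefore whatever the sender chose, which weakens any later use of the hash for attribution or rate limiting. Express already supports this case: configure `app.set('trust proxy', <PROXY_HOPS_OR_ADDRESSES>)` for the actual deployment and read `let ip = req.ip;`. The same line is carried unchanged into PATCH 3/7 and appears as context in PATCH 4/7.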
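Review bot: In PATCH 3/7, hunk `@@ -18,6 +18,10 @@`, the salt is a string literal committed with the source, so everyone with the repository has it, and one fixed salt does not make an exhaustive search over the IPv4 address space any more expensive than a single SHA-256 per candidate. The comment `make it even harder for someone to decode the ip` therefore overstates the protection, which matters more if the `/database.db` route visible in later context serves this table (its body is not shown here). Loading a secret from outside the repository and using a keyed construction would be stronger: `var globalSalt = process.env.IP_HASH_SECRET;` (variable name illustrative) with `crypto.createHmac('sha256', globalSalt).update(ip).digest('hex')` at the hashing site.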
@@ -59,18 +63,18 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let endTime = req.query.endTime;
 let userID = req.query.userID;
- //x-forwarded-for if this server is behind a proxy
- let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
-
- //hash the ip so no one can get it from the database
- let hashedIP = hash.update(ip).digest('hex');
-
 if (typeof videoID != 'string' || startTime == undefined || endTime == undefined || userID == undefined) {
 //invalid request
 res.sendStatus(400);
 return;
 }
+ //x-forwarded-for if this server is behind a proxy
+ let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
+
+ //hash the ip so no one can get it from the database
+ let hashedIP = hash.update(ip + globalSalt).digest('hex');
+
 startTime = parseFloat(startTime);
 endTime = parseFloat(endTime);
From 12745531e25d4d99fc4a4084a6cd8efbfe9f1f09 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 22:45:15 -0400
Subject: [PATCH 4/7] Added duplication check.
---
 index.js | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/index.js b/index.js
index cce8ebb..ab6532a 100644
--- a/index.js
+++ b/index.js
@@ -9,7 +9,6 @@ var uuidv1 = require('uuid/v1');
 //hashing service
 var crypto = require('crypto');
-var hash = crypto.createHash('sha256');
 //load database
 var sqlite3 = require('sqlite3').verbose();
@@ -73,16 +72,27 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
 //hash the ip so no one can get it from the database
- let hashedIP = hash.update(ip + globalSalt).digest('hex');
+ let hashCreator = crypto.createHash('sha256');
+ let hashedIP = hashCreator.update(ip + globalSalt).digest('hex');
 startTime = parseFloat(startTime);
 endTime = parseFloat(endTime);
 let UUID = uuidv1();
- db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP);
+ //check if this info has already been submitted first
+ db.prepare("SELECT UUID From sponsorTimes WHERE startTime = ? and endTime = ? and videoID = ?").get([startTime, endTime, videoID], function(err, row) {
+ if (err) console.log(err);
+
+ if (row == null) {
+ //not a duplicate, execute query
+ db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP);
- res.sendStatus(200);
+ res.sendStatus(200);
+ } else {
+ res.sendStatus(400);
+ }
+ })
 });
 app.get('/database.db', function (req, res) {
From da9fc1f4a1b3a2064d814567b73b7d1b1aaebf22 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 23:34:37 -0400
Subject: [PATCH 5/7] Made it save the time the data was submitted (in unix time)
---
 index.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index ab6532a..31dc6c8 100644
--- a/index.js
+++ b/index.js
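Review bot: In PATCH 4/7, hunk `@@ -73,16 +72,27 @@`, a failed duplicate lookup falls through to the insert: `if (err) console.log(err);` only logs, `row` is then undefined, `row == null` is true, and the handler writes the row and answers 200. Returning on error, `if (err) { console.log(err); res.sendStatus(500); return; }`, closes that path. The check and the insert are also two separate statements, so two identical requests arriving together can both pass the SELECT; a UNIQUE constraint on `(videoID, startTime, endTime)` would let the database enforce the rule. The handler starts outside this hunk.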
@@ -80,13 +80,16 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 let UUID = uuidv1();
+ //get current time
+ let timeSubmitted = Date.now();
+
 //check if this info has already been submitted first
 db.prepare("SELECT UUID From sponsorTimes WHERE startTime = ? and endTime = ? and videoID = ?").get([startTime, endTime, videoID], function(err, row) {
 if (err) console.log(err);
 if (row == null) {
 //not a duplicate, execute query
- db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP);
+ db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP, timeSubmitted);
 res.sendStatus(200);
 } else {
From 1afd720241ce2a63e6d399817297331765fec992 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Wed, 10 Jul 2019 23:38:28 -0400
Subject: [PATCH 6/7] Changed 400 error code to 409
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 31dc6c8..3dcbf26 100644
--- a/index.js
+++ b/index.js
@@ -93,7 +93,7 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 res.sendStatus(200);
 } else {
- res.sendStatus(400);
+ res.sendStatus(409);
 }
 })
 });
From 9b812721ad8c1c4101638581becce90a772baef6 Mon Sep 17 00:00:00 2001
From: Ajay Ramachandran
Date: Thu, 11 Jul 2019 19:45:55 -0400
Subject: [PATCH 7/7] Made it so that each user can only submit 4 sponsorship segments per video
---
 index.js | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/index.js b/index.js
index 3dcbf26..5c3220d 100644
--- a/index.js
+++ b/index.js
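Review bot: In PATCH 5/7, hunk `@@ -80,13 +80,16 @@`, the comment `//get current time` does not state the unit, and the commit subject says "unix time" while `Date.now()` returns milliseconds since the epoch rather than seconds. Anyone comparing this column with second-resolution timestamps will be off by a factor of 1000. I would write the comment as `//time of submission in milliseconds since the Unix epoch (Date.now())`, or store `Math.floor(Date.now() / 1000)` if seconds were intended.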
@@ -83,19 +83,27 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
 //get current time
 let timeSubmitted = Date.now();
- //check if this info has already been submitted first
- db.prepare("SELECT UUID From sponsorTimes WHERE startTime = ? and endTime = ? and videoID = ?").get([startTime, endTime, videoID], function(err, row) {
- if (err) console.log(err);
-
- if (row == null) {
- //not a duplicate, execute query
- db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP, timeSubmitted);
-
- res.sendStatus(200);
+ //check to see if the user has already submitted sponsors for this video
+ db.prepare("SELECT UUID FROM sponsorTimes WHERE userID = ? and videoID = ?").all([userID, videoID], function(err, rows) {
+ if (rows.length >= 4) {
+ //too many sponsors for the same video from the same user
+ res.sendStatus(429);
 } else {
- res.sendStatus(409);
+ //check if this info has already been submitted first
+ db.prepare("SELECT UUID FROM sponsorTimes WHERE startTime = ? and endTime = ? and videoID = ?").get([startTime, endTime, videoID], function(err, row) {
+ if (err) console.log(err);
+
+ if (row == null) {
+ //not a duplicate, execute query
+ db.prepare("INSERT INTO sponsorTimes VALUES(?, ?, ?, ?, ?, ?, ?)").run(videoID, startTime, endTime, UUID, userID, hashedIP, timeSubmitted);
+
+ res.sendStatus(200);
+ } else {
+ res.sendStatus(409);
+ }
+ });
 }
- })
+ });
 });
 app.get('/database.db', function (req, res) {
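Review bot: In PATCH 7/7, hunk `@@ -83,19 +83,27 @@`, the outer callback reads `rows.length` without looking at `err`; if the query fails, `rows` is undefined, the callback throws, and no response is sent. Adding `if (err) { console.log(err); res.sendStatus(500); return; }` as its first statement avoids that. Separately, the limit is keyed only on `userID`, which comes straight from the query string, so it bounds submissions per claimed ID rather than per client; counting rows that match either `userID` or the already computed `hashedIP` would make the cap harder to sidestep. The count-then-insert sequence is not atomic either, so concurrent requests can exceed four.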