SyedM/infinsweeper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
infinsweeper/main.rb
Syed Daanish 0c2a8f3d98 Add CSRF token support
2025-09-03 15:36:28 +01:00

207 lines
5.9 KiB
Ruby
Raw Permalink Blame History

require "base64"
require "erb"
require "json"
require "net/http"
require "sequel"
require "sinatra"
require "uri"
require "xxhash"
require "zlib"
ALPHANUM = [*"0".."9", *"A".."Z", *"a".."z", "-", "_"].freeze
env_data = File.exist?(".env") ? File.read(".env") : ""
ENV_HASH = {}
env_data.each_line do |line|
next unless (match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/))
ENV_HASH[match[1]] = match[2]
end
load "logman.rb"
# Logman.log ENV_HASH.inspect
db_file = File.expand_path("infinsweeper.db")
DB = Sequel.connect("sqlite:///#{db_file}", single_threaded: false)
DB.run("PRAGMA foreign_keys = ON;")
$active_users = DB[:SignedInUsers].all.map { |x| [x[:code], x[:player]] }.to_h
load "mailer.rb"
load "players.rb"
load "session.rb"
set :public_folder, "public"
get "/" do
session = Sessions.new request, response
@message = session.message || ""
session.message = ""
@signed_in = session.signed_in?.nil? ? false : true
@csrf_token = Array.new(32) { ALPHANUM.sample }.join
session["csrf_token"] = @csrf_token
ERB.new(File.read("index.erb")).result(binding)
end
get "/debug" do
content_type :json
(Sessions.new request, response).all.to_json
end
post "/signup" do
session = Sessions.new request, response
uid = session["user"]
session.logout unless uid.nil? || $active_users[uid].nil?
data = JSON.parse(request.body.read)
unless session.csrf_auth?
status 401
return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
end
session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
if data["email"].nil? || data["pass"].nil? || data["username"].nil?
status 400
return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
end
signup_status = Players.mk_player(data["username"], data["email"], data["pass"])
if signup_status[0] == 200
login_status = session.login(data["username"], data["pass"])
if login_status[0] == 200
status 200
return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
else
status login_status[0]
return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
end
status signup_status[0]
return { "message" => signup_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
get "/verify/:code" do
session = Sessions.new request, response
session.message = Players.verify(params[:code]) ? "Verified successfully!" : "Verification failed!"
redirect "/"
end
post "/login" do
data = JSON.parse(request.body.read)
session = Sessions.new request, response
uid = session["user"]
Logman.log(request.env["HTTP_X_CSRF_TOKEN"].to_s + " " + session["csrf_token"].to_s)
unless session.csrf_auth?
status 401
return { "message" => "Unauthorized (invalid CSRF token)!" }.to_json
end
session["csrf_token"] = Array.new(32) { ALPHANUM.sample }.join
if $active_users[uid] && !session.logout
status 500
return {
"message" => "Internal server error when signing the existing session out!",
"csrf_token" => session["csrf_token"],
}.to_json
end
if data["username"].nil? || data["pass"].nil?
status 400
return { "message" => "Bad request made!", "csrf_token" => session["csrf_token"] }.to_json
end
login_status = session.login(data["username"], data["pass"])
if login_status[0] == 200
status 200
return { "message" => login_status[1], "success" => "true", "csrf_token" => session["csrf_token"] }.to_json
else
status login_status[0]
return { "message" => login_status[1], "csrf_token" => session["csrf_token"] }.to_json
end
end
post "/logout" do
session = Sessions.new request, response
uid = session["user"]
if $active_users[uid].nil?
status 400
return { "message" => "Not logged in!" }.to_json
end
unless session.logout
status 500
return { "message" => "Internal server error when logging you out!" }.to_json
end
status 200
return { "message" => "Logged out successfully!", "success" => "true" }.to_json
end
get "/logout" do
session = Sessions.new request, response
uid = session["user"]
session.logout unless $active_users[uid].nil?
session.message = "Logged out successfully!"
redirect "/"
end
post "/forgot_password" do
data = JSON.parse(request.body.read)
if data["email"].nil?
status 400
return { "message" => "Bad request made (Email not provided)!" }.to_json
end
if Players.pass_req(data["email"])
status 200
return { "message" => "Email sent successfully!" }.to_json
else
status 400
return { "message" => "Couldn't send email!" }.to_json
end
end
post "/pass_reset?" do
data = JSON.parse(request.body.read)
if data["code"].nil?
status 400
return { "message" => "Bad request made!" }.to_json
end
if Players.pass_reset?(data["code"])
status 200
return { "message" => "Password reset link exists!" }.to_json
else
status 400
return { "message" => "Code doesn't exist!" }.to_json
end
end
get "/reset_password/:code" do
redirect "/?reset_code=#{params[:code]}"
end
post "/reset_password/:code" do
data = JSON.parse(request.body.read)
if data["pass"].nil? || params[:code].nil?
status 400
return { "message" => "Bad request made!" }.to_json
end
if Players.pass_reset(data["pass"], params[:code])
status 200
return { "message" => "Password reset successfully!" }.to_json
else
status 400
return { "message" => "Couldn't reset password!" }.to_json
end
end
delete "/rm_player" do
session = Sessions.new request, response
uid = session["user"]
if uid.nil? || $active_users[uid].nil?
status 400
return { "message" => "Not signed in!" }.to_json
end
if session.logout && Players.rm_player($active_users[uid])
status 200
return { "message" => "Sorry to see you go.." }.to_json
else
status 500
return { "message" => "Couldn't delete!" }.to_json
end
end
get "*" do
redirect "/"
end
Reference in New Issue View Git Blame Copy Permalink