Diffstat (limited to 'protoype/router/user.js')
-rw-r--r--protoype/router/user.js111
1 files changed, 81 insertions, 30 deletions
diff --git a/protoype/router/user.js b/protoype/router/user.js
index 4215054..5df1469 100644
--- a/protoype/router/user.js
+++ b/protoype/router/user.js
@@ -6,28 +6,70 @@
*/
var util = require('util');
+var crypto = require('crypto')
+
var db = require('../mydb.js');
+var driver = require('./driver.js');
+var auth = require('../auth.js');
var connected_clients = {};
function create_get(req, res, next) {
+ driver.create_get(req, res, next);
}
+/* how much input sanitazion do we want? */
function create_post(req, res, next) {
- db.users.save({tag: req.param('tag'), id: req.param('id'), status: "offline",
- vehicle: {make: req.param('make'), model: req.param('model'), year: req.param('year'),
- desc: req.param('desc')}, userinfo: {sig: req.param('sig')}, location: {loc: req.param('loc')},
- stats: {matches: 0, won: 0, lost: 0}},
- function(err, thing) {
- if (err || !thing)
- util.log('[create] error saving');
- else
- util.log('[create] successfully saved');
+ /* would need to be in the if statement */
+ //crypto.createHash('md5').update(req.param('secret') + req.param('id') + '0xdeadbeef').digest('hex')
+ var secret_hash = '0xdeadbeef'; /* grant creation */
+ if (req.param('secret') == undefined || req.param('secret').length < 1 || !(req.param('secret') === secret_hash)) {
+ util.log('[create] unauthorized creation attempt');
+ return res.send(403, 'creation aborted, invalid secret\n'); /* return could be after this statement for clarity */
+ } else if (req.param('tag') == undefined || req.param('tag').length < 2 || req.param('tag').length > 16 || /* tag */
+ req.param('id') == undefined || req.param('id').length < 8 || req.param('id').length > 30) /* pass */ {
+ util.log('[create] client input sanitazation failed');
+ return res.send(400, 'invalid registration attributes\n');
+ }
+
+ var user_record = {
+ tag: req.param('tag'), /* really an id */
+ //id: req.param('id'), /* this is evil */
+ salt: '',
+ hash: '',
+ status: "offline",
+ vehicle: {make: req.param('make'), model: req.param('model'), year: req.param('year'), desc: req.param('desc')},
+ userinfo: {sig: req.param('sig')},
+ location: {loc: req.param('loc')},
+ stats: {matches: 0, won: 0, lost: 0}
+ };
+
+ /* not sure how this fits the async routine */
+ /* yep, had to move code into the callback */
+ auth.hash(req.param('id'), function(err, salt, hash) {
+ if (err) {
+ next(new Error('failed to compute hash'));
+ } else {
+ user_record.salt = salt;
+ user_record.hash = hash;
+
+ db.users.save(user_record, function(err, thing) {
+ if (err || !thing)
+ util.log('[create] error saving');
+ else
+ util.log('[create] successfully saved');
+ });
+ res.redirect('/');
+ }
});
- res.redirect('/');
}
function login_get(req, res, next) {
+ /* todo: jade page for this? */
+ /* res.send('just use curl to login'); */
+ res.render('login', {
+ title: 'Challenger 2.0', /* might use app.locals */
+ });
}
/*
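Review bot: The input check in create_post only looks at `.length`, so a `tag` or `id` that the body parser delivers as an array or object passes (`undefined < 2` and `undefined > 16` are both false) and flows into `auth.hash` and `db.users.save` untouched; a type check belongs before the length checks, e.g. `if (typeof req.param('tag') !== 'string' || typeof req.param('id') !== 'string' || req.param('tag').length < 2 || ...)`. The creation secret `secret_hash` is a literal in source compared with `===`; reading it from configuration at startup and comparing with `crypto.timingSafeEqual` (where the Node version in use provides it) keeps it out of the repository and off a timing side channel — the `crypto` require added at the top of the hunk is otherwise unused. `res.redirect('/')` is sent as soon as `db.users.save` is issued, and a save failure is only logged, so the client is redirected as though registration succeeded; moving the redirect into the save callback's success branch and calling `next(err)` on failure makes the response truthful. `auth.hash` and `driver.create_get` are defined outside this file, so their error contracts are inferred from the calls here.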
@@ -35,27 +77,36 @@ function login_get(req, res, next) {
*
*/
function login_post(req, res, next) {
- db.users.find({tag: req.param('tag')}, function(err, thing) {
- if (err || !thing || thing.length == 0) {
- util.log('[login] user does not exist');
- res.send('user does not exist\n', 403);
- }
- else {
- /* util.log('[login] retrived user: ' + util.inspect(thing)); */
- if (req.param('id') === thing[0].id) { /* insert md5 hashing here */
- util.log('[login] ' + thing[0].tag + ' authenticated');
- db.users.update({tag: req.param('tag')}, {$set: {status: 'online'}}, function(err, updated) {
- if (err || !updated)
- util.log('[login] failed to set status to online');
- });
+ auth.auth_user(req.param('tag'), req.param('id'), function(err, user, code) {
+ if (err)
+ return next(err);
+ switch (code) {
+ case 200:
+ {
+ /* util.log('[login] retrived user: ' + util.inspect(user)); */
+ util.log('[login] ' + user.tag + ' authenticated');
+ db.users.update({tag: user.tag}, {$set: {status: 'online'}}, function(err, updated) {
+ if (err || !updated)
+ {
+ util.log('[login] failed to set status to online');
+ return next(new Error('failed to set status to online'));
+ }
/* real deal? */
- connected_clients[thing[0].tag] = {ip: res.connection.myip, port: res.connection.myport};
- res.send('successfully logged in\n', 200);
- }
- else {
- util.log('[login] could not authenticate');
- res.send('could not authenticate\n', 401);
- }
+ connected_clients[user.tag] = {ip: res.connection.myip, port: res.connection.myport};
+ /* req.session.regenerate(function() { */
+ req.session.user = user.tag; /* keep track of auth'ed user */
+ res.send(200, 'successfully logged in\n');
+ });
+ break;
+ }
+ case 401:
+ util.log('[login] could not authenticate');
+ res.send(401, 'could not authenticate\n');
+ break;
+ case 403:
+ util.log('[login] user does not exist');
+ res.send(403, 'user does not exist\n');
+ break;
}
});
}
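Review bot: `req.session.user = user.tag` is written to the session the client arrived with while the `req.session.regenerate` call directly above it stays commented out, so a session id established before login remains valid after login (session fixation); assuming `regenerate` exists on this session implementation, the `connected_clients` entry, the assignment and the 200 response should move inside its callback as below. The `switch (code)` has no `default`, so any value other than 200/401/403 from `auth.auth_user` leaves the request with no response at all; `default: return next(new Error('unexpected auth code ' + code));` closes that gap. The 401 and 403 branches send different messages for a wrong credential and an unknown tag, which lets a caller enumerate registered tags; returning the same status and message for both avoids that. `auth.auth_user` lives outside this file, so the meaning of `code` is inferred from the cases handled here.
```javascript
          /* issue a fresh session id before marking the session authenticated */
          req.session.regenerate(function(err) {
            if (err) return next(err);
            connected_clients[user.tag] = {ip: res.connection.myip, port: res.connection.myport};
            req.session.user = user.tag; /* keep track of auth'ed user */
            res.send(200, 'successfully logged in\n');
          });
        // … unchanged: break and the 401/403 cases …
```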