From 0d1f384079e436d03d9f05df03997750fa749ff7 Mon Sep 17 00:00:00 2001
From: jrtechs
Date: Sun, 3 Feb 2019 12:33:49 -0500
Subject: [PATCH] Updated system to keep track of administrator privileges and api keys for users.
---
 html/users.html | 101 +++++++++++++++++++++++++++---------------------
 server.js | 43 ++++++++++++++++-----
 user.js | 32 ++++++++++++---
 3 files changed, 118 insertions(+), 58 deletions(-)
diff --git a/html/users.html b/html/users.html
index ca18f35..4aada34 100644
--- a/html/users.html
+++ b/html/users.html
@@ -29,6 +29,11 @@ + +
+ + +
@@ -40,29 +45,31 @@
- -
- -
-
-
-

Users

-
-
- - +{if admin} +
+ +
+
+
+

Users

+
+
+
+ + - - - {for user in users} + + + {for user in users} + @@ -73,38 +80,46 @@ - {/for} - -
User Name User IDAdmin Edit Terminate
{user.username} {user.id}{user.admin}
+ {/for} + + +
-
- -
-
-
-

Add New User

-
-
-
-
- -
-
- -
-
- -
-
+ +
+
+
+

Add New User

+
+
+
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+
-
-
- -
\ No newline at end of file
+{else}
+ This is an admin page.
+{/if}
diff --git a/server.js b/server.js
index 331ebe2..9731d5a 100644
--- a/server.js
+++ b/server.js
@@ -8,7 +8,6 @@ const fileIO = require('./fileIO');
 const userUtils = require('./user.js');
- const recursive = require('./recursiveTraversal');
 const fs = require('fs');
@@ -28,7 +27,7 @@ app.use(session({ secret: config.sessionSecret, cookie: { maxAge: 6000000 }}));
 /** Template engine */
 const whiskers = require('whiskers');
-var rootDir = '/home/jeff/public/Movies/';
+var rootDir = '/home/jeff/public/Shows/';
 function fetchInTemplate(templateContext, templateKey, filename)
 {
@@ -43,9 +42,11 @@ function renderHTML(request, result, templateFile, templateDependencyFunction)
 prom.push(fileIO.getFile("./html/mainTemplate.html"));
 prom.push(fetchInTemplate(templateContext, "header", "./html/header.html"));
 prom.push(fetchInTemplate(templateContext, "footer", "./html/footer.html"));
- if(request.session.login === true)
+ if(checkPrivilege(request) >= PRIVILEGE.MEMBER)
 {
 templateContext.loggedIn = true;
+ if(checkPrivilege(request) === PRIVILEGE.ADMIN)
+ templateContext.admin = true;
 if(templateDependencyFunction !== null)
 prom.push(templateDependencyFunction(templateContext, request));
 prom.push(fetchInTemplate(templateContext, "main","./html/" + templateFile));
@@ -85,6 +86,12 @@ app.post('/login', function(request, result)
 {
 request.session.login = true;
 request.session.username = request.body.username;
+
+ if(userUtils.isAdmin(request.body.username, config))
+ {
+ request.session.admin = true;
+ }
+
 }
 result.redirect('/');
 });
@@ -127,7 +134,7 @@ app.get('/watch', (req, res) => renderHTML(req, res, "watch.html", getVideoTempl
 app.get('/video/', function(request, result)
 {
- if(request.session.login === true)
+ if(checkPrivilege(request) >= PRIVILEGE.MEMBER)
 {
 var videoID = request.query.v;
 const path = rootDir + videoID;
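Review bot: The /login hunk only ever sets `request.session.admin = true` and never clears it, so a session that was previously admin keeps the flag when a different, non-admin user later logs in on the same session cookie, and `checkPrivilege` keeps answering ADMIN for it. Assign the flag unconditionally from the lookup instead, `request.session.admin = userUtils.isAdmin(request.body.username, config) === true;`, which also removes the need for the `if` block. Regenerating the session on successful login (express-session's `request.session.regenerate`) would additionally keep a pre-login session id from carrying over into the authenticated session. The enclosing handler starts above this hunk.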
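Review bot: The new MEMBER check in /video/ decides who may reach the line right after it, `const path = rootDir + videoID;`, but that line still joins `request.query.v` onto `rootDir` with no normalisation, so the check says nothing about what the request may name. Resolve the candidate against `rootDir` and refuse anything whose resolved form does not start with `rootDir`, or restrict `videoID` to the names the listing actually serves; if the file imports Node's `path` module, the local `const path` shadows it and should be renamed. The rest of the handler lies outside the hunk, so it is possible a later line already does this.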
@@ -179,9 +186,13 @@ app.get('/video/', function(request, result)
 app.post('/addUser', function(request, result)
 {
- if(request.session.login === true)
+ if(checkPrivilege(request) === PRIVILEGE.ADMIN)
 {
- userUtils.addUser(request.body.username, request.body.password, config);
+ console.log(request.body);
+ var admin = false;
+ if(request.body.admin === 'on')
+ admin = true;
+ userUtils.addUser(request.body.username, request.body.password,admin, config);
 fileIO.writeJSONToFile(CONFIG_FILE_NAME, config);
 result.redirect('/users');
 }
@@ -195,9 +206,12 @@ app.post('/addUser', function(request, result)
 app.post('/edituser', function(request, result)
 {
- if(request.session.login === true)
+ if(checkPrivilege(request) === PRIVILEGE.ADMIN)
 {
- userUtils.editUser(request.body.id, request.body.username, request.body.password, config);
+ var admin = false;
+ if(request.body.admin === 'on')
+ admin = true;
+ userUtils.editUser(request.body.id, request.body.username, request.body.password,admin, config);
 fileIO.writeJSONToFile(CONFIG_FILE_NAME, config);
 result.redirect('/users');
 }
@@ -208,11 +222,19 @@ app.post('/edituser', function(request, result)
 }
 });
-
+const PRIVILEGE = {NOBODY: 0, MEMBER: 1, ADMIN: 2};
+const checkPrivilege = function(request)
+{
+ if(request.session.login !== true)
+ return PRIVILEGE.NOBODY;
+ else if(request.session.admin === true)
+ return PRIVILEGE.ADMIN;
+ return PRIVILEGE.MEMBER;
+};
 app.post('/removeuser', function(request, result)
 {
- if(request.session.login === true)
+ if(checkPrivilege(request) === PRIVILEGE.ADMIN)
 {
 userUtils.removeUser(request.body.id, config);
 fileIO.writeJSONToFile(CONFIG_FILE_NAME, config);
@@ -228,6 +250,7 @@ app.post('/removeuser', function(request, result)
 app.post('/logout', function(request, result)
 {
 request.session.login = false;
+ request.session.admin = false;
 result.redirect('/');
 });
diff --git a/user.js b/user.js
index 09ee1d7..213a623 100644
--- a/user.js
+++ b/user.js
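Review bot: `console.log(request.body);` in the new /addUser code prints the whole submitted form, including the plaintext `password` field, into the server log; remove it (it reads like leftover debugging) or log only `request.body.username`. The three-line `admin` parsing collapses to `var admin = request.body.admin === 'on';`, and the same three lines are repeated in the /edituser hunk that follows. The argument list `request.body.password,admin, config` also wants a space after the comma, in both handlers.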
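Review bot: `PRIVILEGE` and `checkPrivilege` carry no documentation, and they are declared below the handlers that already call them (renderHTML, /login and /video/ earlier in the file); the `const` bindings are initialised before any request is served, so this works, but a reader has to work that out. Add `/** Privilege levels, ordered so that >= comparisons mean "at least this level". */` above `PRIVILEGE` and `/** Maps the session flags written by /login to a PRIVILEGE level; NOBODY when not logged in. */` above `checkPrivilege`, and consider moving both above their first use. Because the level is derived only from flags set at login and cleared at logout, a user removed or demoted through /removeuser or /edituser keeps the old level until they log out; a comment stating that limitation would help the next reader.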
@@ -27,6 +27,13 @@ const createHashedPasswordObject = function(password)
 };
+const generateRandomAPIKey = function()
+{
+ const randBuff = crypto.randomBytes(64);
+ return crypto.createHash('sha256').update(randBuff).digest('hex');
+};
+
+
 /**
 * Hashes a pasword with a aprticular salt
 * using the crypto library
@@ -63,6 +70,18 @@ const getIndexOfUser = function(username, configuration)
 module.exports =
 {
+
+ isAdmin: function(username, configuration)
+ {
+ var index = getIndexOfUser(username, configuration);
+
+ if(index !== -1)
+ {
+ return configuration.users[index].admin;
+ }
+ return false;
+ },
+
 /**
 * Checks to see if there was a valid login attempt
 *
@@ -81,6 +100,7 @@ module.exports =
 return configuration.users[userIndex].password == hashedPassword;
 },
+
 /**
 * Adds a user to the configuration
 *
@@ -89,7 +109,7 @@ module.exports =
 * @param configuration
 * @returns {boolean}
 */
- addUser: function(username, password, configuration)
+ addUser: function(username, password, admin, configuration)
 {
 const userIndex = getIndexOfUser(username, configuration);
 if(userIndex !== -1)
@@ -97,7 +117,7 @@ module.exports =
 var newUser = new Object();
 newUser.username = username;
-
+ newUser.api = generateRandomAPIKey();
 if(configuration.users.length === 0)
 newUser.id = 1;
 else
@@ -106,12 +126,12 @@ module.exports =
 const passObject = createHashedPasswordObject(password);
 newUser.salt = passObject.salt;
 newUser.password = passObject.pass;
-
+ newUser.admin = admin;
 configuration.users.push(newUser);
-
 return true;
 },
+
 /**
 * Edits a user based on their id
 *
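Review bot: `generateRandomAPIKey` hashes 64 random bytes with SHA-256, which only maps them onto 32 bytes; the hash adds no entropy, so `return crypto.randomBytes(32).toString('hex');` yields a key of the same 256-bit strength without the extra step. The function also lacks the JSDoc block its neighbours have; `/** Returns a fresh 64-character hex API key drawn from crypto.randomBytes. */` would do.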
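Review bot: `isAdmin` returns `configuration.users[index].admin` as stored, so for users created before this change, whose records have no `admin` field, the result is `undefined` rather than `false`; the /login caller only tests truthiness, so such users land as non-admins, but the function should still honour a boolean contract with `return configuration.users[index].admin === true;`. A JSDoc block in the style of the other exports (`@param username`, `@param configuration`, `@returns {boolean}`) is missing as well.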
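Review bot: The `addUser` JSDoc directly above the changed signature keeps `@param configuration` but gains no entry for the new `admin` parameter inserted before it; add `* @param admin true if the new account should have administrator privileges` and do the same for `editUser` in the next hunk. Because the parameter is inserted in the middle of the list, any caller not updated in this commit would silently pass its configuration object as `admin`; the two call sites in server.js are updated here, but a guard such as `if(typeof admin !== 'boolean') admin = false;` would keep a mis-ordered call from storing an object in the admin field.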
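Review bot: `newUser.api = generateRandomAPIKey();` stores the key in clear text in the same configuration file that holds the salted password hashes, and nothing in this commit reads it yet. If the key is meant to be presented by clients as a bearer credential, storing a hash of it (as is already done for passwords) and showing the plaintext only once at creation would keep a leaked configuration file from yielding usable credentials; if it is only an identifier, a comment saying so would stop the next reader from asking the same question.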
@@ -120,13 +140,14 @@ module.exports =
 * @param password
 * @param configuration
 */
- editUser: function(id, userName, password, configuration)
+ editUser: function(id, userName, password, admin, configuration)
 {
 for(var i = 0; i < configuration.users.length; i++)
 {
 if (configuration.users[i].id + "" === id)
 {
 configuration.users[i].username = userName;
+ configuration.users[i].admin = admin;
 var passObj = createHashedPasswordObject(password);
 configuration.users[i].salt = passObj.salt;
@@ -135,6 +156,7 @@ module.exports =
 }
 },
+
 /**
 * Removes a user account from the configuration
 * @param id