if(err != null)\r
RenderMessage(res,err,info);\r
else{\r
- result.token = info.token;\r
+ result.token = req.session._csrf;\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
res.render("profile/admin",result);\r
}\r
});\r
\r
function admin_postproc(req,res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
async.waterfall([\r
function(cb){\r
if(typeof(req.body.removeall) != "undefined")\r
else if(result.length == 0)\r
RenderMessage(res,resource.notfound_name,req.session.items);\r
else{\r
- res.render("profile/detail",{list:result,token:req.session.items.token,admin:req.session.items.admin});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/detail",{list:result,alias:config.alias,token:req.session._csrf,admin:req.session.items.admin});\r
}\r
});\r
}\r
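Review bot: Dropping the `req.session.items.token != req.body.token` check at the top of admin_postproc leaves this POST handler with no CSRF validation visible in the diff; the same block is removed from detail_postproc, edit_postproc and registor_postproc further down. Rendering `req.session._csrf` into the forms suggests a CSRF middleware is now expected to verify the `_csrf` field, but its mounting is not part of this change, so please confirm it is applied to these routes before the handlers run, otherwise they now accept cross-site posts. `res.setHeader("X-FRAME-OPTIONS","DENY")` is added only on the success branches, and the `RenderMessage` responses on the error paths never get it, so setting it once in middleware (or inside `RenderMessage`) would be more consistent than repeating it per render. admin_postproc's body is only partly shown, the hunk elides the middle of the waterfall.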
\r
function detail_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.remove) != "undefined"){\r
async.waterfall([\r
function(cb){\r
if(err != null){\r
RenderMessage(res,err,req.session.items);\r
}else if(result != null){\r
- res.render("profile/edit",{list:result,token:req.body.token});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/edit",{list:result,token:req.session._csrf,alias:config.alias});\r
}else{\r
RenderMessage(res,resource.unmatch_password,req.session.items);\r
}\r
\r
function edit_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.name) == "undefined")\r
{\r
RenderMessage(res,resource.invaild_parameter,req.session.items);\r
}else if(typeof(req.body.edit) != "undefined"){\r
async.waterfall([\r
function(cb){\r
- collection.UpdatAsync(req.body.name,req.body,cb);\r
- }\r
+ if(req.body.updatepassword == false)\r
+ collection.UpdatAsync(req.body.name,req.body,null,cb);\r
+ else\r
+ collection.UpdatAsync(req.body.name,req.body,req.body.password,cb);\r
+ },\r
],function(err,result){\r
if(err != null)\r
RenderMessage(res,err,req.session.items);\r
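Review bot: `if(req.body.updatepassword == false)` in the waterfall step of edit_postproc will not match a form-posted value: with a urlencoded body the field arrives as a string and `"false" == false` is false (the string coerces to NaN), while an unchecked box is simply absent and `undefined == false` is also false, so the `null` branch is never taken and every edit re-hashes `req.body.password`, which may be empty or undefined (I am inferring the body encoding; with a JSON body carrying a real boolean only the absent case applies). Compare against what the form actually sends, e.g. `var changePassword = req.body.updatepassword != null && req.body.updatepassword !== "false";` and pass `changePassword ? req.body.password : null` to `collection.UpdatAsync`, and reject an empty password explicitly instead of hashing it. The new `UpdatAsync(name,data,newpassword,cb)` signature is defined in ProfileCollection later in this diff, and edit_postproc's body ends outside this hunk.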
\r
function registor_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.registor) != "undefined"){\r
async.waterfall([\r
function(cb){\r
if(typeof(req.session.items) == "undefined")\r
req.session.items = new security.SessionInfomation(false);\r
\r
- res.render("profile/registor",{token:req.session.items.token});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/registor",{token:req.session._csrf,alias:config.alias});\r
}\r
\r
function RenderMessage(res,msg,info)\r
{\r
- if(typeof(info) == "undefined")\r
- res.render("profile/message",{message:msg});\r
+ if(typeof(info) == "undefined" || typeof(info.admin) == "undefined")\r
+ res.render("profile/message",{message:msg,admin:false});\r
else\r
res.render("profile/message",{message:msg,admin:info.admin});\r
}\r
function ProfileCollection()\r
{\r
var MySQLPool = new require("./mysql_pool.js");\r
+ var murmurhash = require("murmurhash");\r
var pool = new MySQLPool({\r
host : config.db_host,\r
user : config.db_user,\r
password : config.db_password,\r
- port : config.db_port,\r
- database : "profile",\r
+ port : config.db_port,\r
+ database : "webchat",\r
});\r
this.AuthAsync = function(name,password,cb){\r
async.waterfall([\r
function(next){\r
- pool.query("SELECT * FROM list WHERE name = ?",[name],next);\r
+ pool.query("SELECT * FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],next);\r
},\r
function(result,next){\r
- if(result[0].password == password)\r
+ if(result[0].password == md5_hex(password))\r
next(null,true);\r
else\r
next(null,false);\r
],cb);\r
}\r
this.GetAsync = function(name,cb){\r
- pool.query("SELECT * FROM list WHERE name = ?",[name],cb);\r
+ pool.query("SELECT * FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],cb);\r
}\r
this.AddAsync = function(data,cb){\r
- var item = {\r
- name:data.name,\r
- age:data.age,\r
- gender:data.gender,\r
- height:data.height,\r
- weight:data.weight,\r
- race:data.race,\r
- password:data.password,\r
- lastmodified:new Date(),\r
- etc:data.etc\r
- };\r
+ var item = GetItem(data);\r
pool.query("INSERT INTO list SET ?",[item],cb);\r
}\r
- this.UpdatAsync = function(name,data,cb){\r
- var item = {\r
- name:data.name,\r
- age:data.age,\r
- gender:data.gender,\r
- height:data.height,\r
- weight:data.weight,\r
- race:data.race,\r
- password:data.password,\r
- lastmodified:new Date(),\r
- etc:data.etc\r
- };\r
+ this.UpdatAsync = function(name,data,newpassword,cb){\r
+ var item = GetItem(data);\r
+ if(newpassword != null)\r
+ item.password = md5_hex(newpassword);\r
pool.query("UPDATE list SET ? WHERE name = ?",[item,name],cb);\r
}\r
this.ClearAsync = function(cb){\r
pool.query("DELETE FROM list WHERE name IN (?)",[names],cb);\r
}\r
this.RemoveAsync = function(name,cb){\r
- pool.query("DELETE FROM list WHERE name = ?",[name],cb);\r
+ pool.query("DELETE FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],cb);\r
}\r
this.FindByNameAsync = function(pattern,start,count,cb){\r
pool.query("SELECT * FROM list WHERE name LIKE ? LIMIT ?,?",[pattern+"%",start,count],cb);\r
}\r
this.ToArrayAsync = function(start,count,cb){\r
- pool.query("SELECT * FROM list LIMIT ?,?",[start,count],cb);\r
+ pool.query("SELECT name,lastmodified FROM list LIMIT ?,?",[start,count],cb);\r
+ }\r
+\r
+ var crypto = require("crypto");\r
+ function md5_hex(src)\r
+ {\r
+ var md5 = crypto.createHash('md5');\r
+ md5.update(src, 'utf8');\r
+ return md5.digest('hex');\r
+ }\r
+\r
+ function GetItem(data)\r
+ {\r
+ var item = {\r
+ name_hash:murmurhash.v3(data.name),\r
+ name:data.name,\r
+ password:md5_hex(data.password),\r
+ lastmodified:new Date(),\r
+ };\r
+ for(var key in config.alias)\r
+ item[key] = data[key];\r
+ return item;\r
}\r
}\r
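Review bot: `UpdatAsync` still overwrites the stored password when `newpassword` is null, because `GetItem(data)` unconditionally sets `password:md5_hex(data.password)`, and `md5.update(undefined)` throws a TypeError when the update body carries no password field at all. Move the hashing out of `GetItem` into `AddAsync` (`item.password = md5_hex(data.password);` right after `var item = GetItem(data);`) so the `newpassword != null` branch is the only place an update touches that column. Separately, unsalted MD5 is not an acceptable password hash; `crypto` is already required here, so `crypto.pbkdf2` with a per-user random salt stored next to the digest is the minimum, and `AuthAsync` should check `result.length` before reading `result[0].password`, since a lookup for an unknown name currently throws instead of calling `next(null,false)`. The `result[0].password == md5_hex(password)` comparison is also not constant-time; comparing the two fixed-length digests with `crypto.timingSafeEqual` closes that, provided the Node version in use has it.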
\r