You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

433 lines
13 KiB
TypeScript

import crypto from 'crypto'
import bodyParser from 'body-parser'
import cookieParser from 'cookie-parser'
import express, { Request, Router } from 'express'
2 years ago
import { StatusCodes } from 'http-status-codes'
import {
createDatabase,
createProblem,
createSolution,
deleteProblem,
deleteSolution,
getProblem,
getProblems,
getSolution,
getSolutions,
getUser,
getUsers,
updateProblem,
updateSolution,
} from './db/database'
2 years ago
import {
isAdministrator,
isStudent,
Opaque,
Problem as ProblemModel,
2 years ago
ProblemId,
Solution as SolutionModel,
SolutionId,
SolutionStat,
User as UserModel,
2 years ago
UserId,
} from '../shared/model'
import { initialDatabaseValue } from './db/example-data'
2 years ago
import { validateObjectKeys } from '../shared/utils'
import { setupOAuth } from './auth'
2 years ago
type SessionId = Opaque<string, string, 'session'>
export interface SessionService {
createSession(userId: UserId): SessionId
getUserForSession(sid: SessionId): UserId | null
}
export async function createApiRouter() {
2 years ago
const sessionStore: Record<SessionId, UserId> = {}
const sessions: SessionService = {
createSession(userId: UserId) {
2 years ago
const sid = crypto.randomBytes(10).toString('hex') as SessionId
sessionStore[sid] = userId
return sid
},
getUserForSession(sid: SessionId) {
2 years ago
return sessionStore[sid] ?? null
},
}
const db = createDatabase(process.env.DATABASE_PATH ?? './db.local.json', initialDatabaseValue)
async function getRequestUser(req: Request): Promise<UserModel | null> {
const userId = sessions.getUserForSession(req.cookies.sid)
if (!userId) {
return null
}
return await getUser(db, userId)
}
const r: Router = express.Router()
r.use(bodyParser.json())
r.use(cookieParser())
const authRouter: Router = express.Router()
setupOAuth(authRouter, db, sessions)
r.use('/auth', authRouter)
r.get('/api/status', (req, res) => {
res.json({ url: req.originalUrl, status: 'ok' })
})
r.get('/api/current-user', async (req, res) => {
res.json(await getRequestUser(req))
})
// r.post('/api/login', async (req, res) => {
// const { id, name } = req.body
// const user = await getUser(db, id)
// if (!user) {
// res.sendStatus(StatusCodes.FORBIDDEN)
// return
// }
// res.cookie('sid', sessions.createSession(id), { maxAge: 1000 * 60 * 60 * 24 * 7 })
// res.json({ status: 'ok' })
// })
r.post('/api/admin/su', async (req, res) => {
const requestUser = await getRequestUser(req)
if (!requestUser || requestUser.role !== 'admin') {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const username: string = req.body.username ?? ''
const newUser = await getUser(db, username)
if (!newUser) {
res.status(StatusCodes.NOT_FOUND)
res.send(`no user for id "${username}"`)
return
}
res.cookie('sid', sessions.createSession(username as UserId), { maxAge: 1000 * 60 * 60 * 24 * 7 })
res.send({ status: 'ok' })
})
r.post('/api/logout', (req, res) => {
res.cookie('sid', '', { expires: new Date() })
res.json({ status: 'ok' })
})
r.get('/api/users', async (req, res) => {
const requestUser = await getRequestUser(req)
if (!requestUser || requestUser.role !== 'admin') {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const users = await getUsers(db)
res.json(users)
})
r.get('/api/problems', async (req, res) => {
type ProblemWithSolutionsCount = ProblemModel & { solutionsCount?: number }
const problems: ProblemWithSolutionsCount[] = await getProblems(db)
const solutions = await getSolutions(db)
const solutionCounts: Record<ProblemId, number> = {}
for (const s of solutions) {
solutionCounts[s.forProblem] ||= 0
solutionCounts[s.forProblem]++
}
for (const p of problems) {
p.solutionsCount = solutionCounts[p.id] || 0
}
res.json(problems)
})
r.get('/api/problem/:id', async (req, res) => {
res.json(await getProblem(db, req.params.id))
})
r.patch('/api/problem/:id', async (req, res) => {
const id = req.params.id as ProblemId
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// l'utente deve essere un admin o un moderatore
if (!isAdministrator(user.role)) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// uno studente può modificare solo il campo "content"
if (user.role === 'moderator' && !validateObjectKeys<keyof ProblemModel>(req.body, ['content'])) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a moderator can only modify the field "content"`)
return
}
await updateProblem(db, id, req.body)
res.send({ status: 'ok' })
})
r.delete('/api/problem/:id', async (req, res) => {
const id = req.params.id as ProblemId
const user = await getRequestUser(req)
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
if (!isAdministrator(user.role)) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`only administrators can delete this entity`)
return
}
await deleteProblem(db, id)
res.send({ status: 'ok' })
})
r.post('/api/problem', async (req, res) => {
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// Solo un amministratore può inviare nuovi problemi
if (user.role !== 'admin' && user.role !== 'moderator') {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// Il contenuto del problema deve essere non vuoto
if (req.body.content.trim().length === 0) {
res.sendStatus(StatusCodes.UNPROCESSABLE_ENTITY)
return
}
const problemNextId = (await getProblems(db)).map(p => parseInt(p.id)).reduce((acc, v) => Math.max(acc, v), 0) + 1
const id = await createProblem(db, {
title: req.body.title ?? `Problema ${problemNextId}`,
content: req.body.content,
createdBy: user.id,
})
res.json(id)
})
// questa route ritorna la lista di utenti con associato numero di soluzioni inviate, corrette.
r.get('/api/stats', async (req, res) => {
let queryUser = (req.query.user ?? null) as UserId | null
let solutions = await getSolutions(db)
if (queryUser !== null) {
solutions = solutions.filter(s => s.sentBy === queryUser)
}
const stats: Record<string, SolutionStat> = {}
solutions.forEach(s => {
if (!stats[s.sentBy]) {
stats[s.sentBy] = {
sentSolutionsCount: s.status !== 'pending' ? 1 : 0,
correctSolutionsCount: s.status === 'correct' ? 1 : 0,
}
} else {
if (s.status !== 'pending') {
stats[s.sentBy].sentSolutionsCount += 1
}
if (s.status === 'correct') {
stats[s.sentBy].correctSolutionsCount += 1
}
}
})
return res.json(stats)
})
2 years ago
r.get('/api/solutions', async (req, res) => {
let queryUser = (req.query.user ?? null) as UserId | null
let queryProblem = (req.query.problem ?? null) as ProblemId | null
let isPublic = req.query.public === ''
2 years ago
const requestUser = await getRequestUser(req)
2 years ago
let solutions = await getSolutions(db)
// se l'utente non è loggato o se non è un amministratore, mostra solo le soluzioni "visibili"
2 years ago
if (!requestUser || !isAdministrator(requestUser.role)) {
solutions = solutions.filter(s => s.visible || (requestUser && s.sentBy === requestUser.id))
2 years ago
}
// filtra rispetto agli utenti
if (queryUser !== null) {
solutions = solutions.filter(s => s.sentBy === queryUser)
}
if (isPublic) {
solutions = solutions.filter(s => s.visible)
}
2 years ago
// filtra rispetto ai problemi
if (queryProblem !== null) {
solutions = solutions.filter(s => s.forProblem === queryProblem)
}
2 years ago
res.json(solutions)
})
2 years ago
r.get('/api/solution/:id', async (req, res) => {
const user = await getRequestUser(req)
2 years ago
const solution = await getSolution(db, req.params.id as SolutionId)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(StatusCodes.NOT_FOUND)
return
}
2 years ago
// uno studente può vedere solo soluzioni visibili o proprie soluzione
if (!solution.visible && user && isStudent(user.role) && solution.sentBy !== user.id) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
2 years ago
res.json(solution)
})
r.post('/api/solution', async (req, res) => {
const user = await getRequestUser(req)
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
await createSolution(db, {
sentBy: user.id,
2 years ago
forProblem: req.body.forProblem,
content: req.body.content,
})
res.send({ status: 'ok' })
})
2 years ago
r.patch('/api/solution/:id', async (req, res) => {
const id = req.params.id as SolutionId
2 years ago
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
2 years ago
const solution = await getSolution(db, id)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(404)
return
}
// uno studente non può modificare una soluzione di un altro utente
2 years ago
if (user.role === 'student' && solution.sentBy !== user.id) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify its own solution`)
return
}
// uno studente può modificare solo il campo "content"
if (user.role === 'student' && !validateObjectKeys<keyof SolutionModel>(req.body, ['content'])) {
2 years ago
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify the field "content"`)
return
}
// un moderatore può modificare solo i campi "content", "visible", "status"
if (user.role === 'moderator' && !validateObjectKeys<keyof SolutionModel>(req.body, ['content', 'status', 'visible'])) {
2 years ago
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a moderator can only modify the fields "content", "visible", "status"`)
return
}
2 years ago
await updateSolution(db, id, req.body)
res.json({ status: 'ok' })
})
r.delete('/api/solution/:id', async (req, res) => {
const id = req.params.id as SolutionId
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const solution = await getSolution(db, id)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(StatusCodes.NOT_FOUND)
return
}
// solo un admin può eliminare le soluzioni degli utenti
if (user.role !== 'admin' && solution.sentBy !== user.id) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
await deleteSolution(db, id)
res.send({ status: 'ok' })
})
r.get('/api/user/:id', async (req, res) => {
const user = await getRequestUser(req)
// intanto l'utente deve essere loggato
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// solo gli amministratori possono usare questa route
if (!isAdministrator(user.role)) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const requestedUser = await getUser(db, req.params.id)
// l'utente richiesto magari deve esistere
if (!requestedUser) {
res.sendStatus(404)
return
}
res.json(requestedUser)
})
return r
}