You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

281 lines
8.0 KiB
TypeScript

import crypto from 'crypto'
import bodyParser from 'body-parser'
import cookieParser from 'cookie-parser'
import express, { Request, Response, Router } from 'express'
import { createStatusRouter } from './middlewares'
2 years ago
import { StatusCodes } from 'http-status-codes'
import {
createDatabase,
createProblem,
createSolution,
getProblem,
getProblems,
getSolution,
getSolutions,
getUser,
getUsers,
2 years ago
getVisibleSolutions,
updateSolution,
} from './db/database'
2 years ago
import {
Id,
isAdministrator,
isStudent,
Opaque,
Problem,
ProblemId,
Solution as SolutionModel,
SolutionId,
UserId,
} from '../shared/model'
import { initialDatabaseValue } from './db/example-data'
2 years ago
import { validateObjectKeys } from '../shared/utils'
export async function createApiRouter() {
2 years ago
type SessionId = Opaque<string, string, 'session'>
2 years ago
const sessionStore: Record<SessionId, UserId> = {}
const sessions = {
createSession(userId: UserId) {
2 years ago
const sid = crypto.randomBytes(10).toString('hex') as SessionId
sessionStore[sid] = userId
return sid
},
getUserForSession(sid: SessionId) {
2 years ago
return sessionStore[sid] ?? null
},
}
const db = createDatabase(process.env.DATABASE_PATH ?? './db.local.json', initialDatabaseValue)
async function getRequestUser(req: Request) {
const userId = sessions.getUserForSession(req.cookies.sid)
if (!userId) {
return null
}
console.log(userId)
return await getUser(db, userId)
}
const r: Router = express.Router()
r.use(bodyParser.json())
r.use(cookieParser())
r.use('/api/status', createStatusRouter())
// r.use('/api/ping', new PingRouter())
r.get('/api/current-user', async (req, res) => {
res.json(await getRequestUser(req))
})
r.post('/api/login', async (req, res) => {
const { id } = req.body
const user = await getUser(db, id)
if (!user) {
2 years ago
res.sendStatus(StatusCodes.FORBIDDEN)
return
}
res.cookie('sid', sessions.createSession(id), { maxAge: 1000 * 60 * 60 * 24 * 7 })
res.json({ status: 'ok' })
})
r.post('/api/logout', (req, res) => {
res.cookie('sid', '', { expires: new Date() })
res.json({ status: 'ok' })
})
r.get('/api/users', async (req, res) => {
const requestUser = await getRequestUser(req)
2 years ago
if (!requestUser || !isAdministrator(requestUser.role)) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const users = await getUsers(db)
res.json(users)
})
r.get('/api/problems', async (req, res) => {
type ProblemWithSolutionsCount = Problem & { solutionsCount?: number }
const problems: ProblemWithSolutionsCount[] = await getProblems(db)
const solutions = await getSolutions(db)
const solutionCounts: Record<ProblemId, number> = {}
for (const s of solutions) {
solutionCounts[s.forProblem] ||= 0
solutionCounts[s.forProblem]++
}
for (const p of problems) {
p.solutionsCount = solutionCounts[p.id] || 0
}
res.json(problems)
})
r.get('/api/problem/:id', async (req, res) => {
res.json(await getProblem(db, req.params.id))
})
r.post('/api/problem', async (req, res) => {
const user = await getRequestUser(req)
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
if (user.role !== 'admin' && user.role !== 'moderator') {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const id = await createProblem(db, {
content: req.body.content,
createdBy: user.id,
})
res.json(id)
})
2 years ago
r.get('/api/solutions', async (req, res) => {
let queryUser = (req.query.user ?? null) as UserId | null
let queryProblem = (req.query.problem ?? null) as ProblemId | null
2 years ago
const requestUser = await getRequestUser(req)
2 years ago
let solutions = await getSolutions(db)
// se l'utente non è loggato o se non è un amministratore allora mostra solo le soluzioni "visibili"
if (!requestUser || !isAdministrator(requestUser.role)) {
solutions = solutions.filter(s => s.visible || (requestUser && s.sentBy === requestUser.id))
2 years ago
}
// filtra rispetto agli utenti
if (queryUser !== null) {
solutions = solutions.filter(s => s.sentBy === queryUser)
}
// filtra rispetto ai problemi
if (queryProblem !== null) {
solutions = solutions.filter(s => s.forProblem === queryProblem)
}
2 years ago
res.json(solutions)
})
2 years ago
r.get('/api/solution/:id', async (req, res) => {
const user = await getRequestUser(req)
2 years ago
const solution = await getSolution(db, req.params.id as SolutionId)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(StatusCodes.NOT_FOUND)
return
}
2 years ago
// uno studente può vedere solo soluzioni visibili o proprie soluzione
if (!solution.visible && user && isStudent(user.role) && solution.sentBy !== user.id) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
2 years ago
res.json(solution)
})
r.post('/api/solution', async (req, res) => {
const user = await getRequestUser(req)
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
await createSolution(db, {
sentBy: user.id,
2 years ago
forProblem: req.body.forProblem,
content: req.body.content,
})
res.send({ status: 'ok' })
})
2 years ago
r.patch('/api/solution/:id', async (req, res) => {
const id = req.params.id as SolutionId
2 years ago
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
2 years ago
const solution = await getSolution(db, id)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(404)
return
}
// uno studente non può modificare una soluzione di un altro utente
2 years ago
if (user.role === 'student' && solution.sentBy !== user.id) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify its own solution`)
return
}
// uno studente può modificare solo il campo "content"
if (user.role === 'student' && !validateObjectKeys<keyof SolutionModel>(req.body, ['content'])) {
2 years ago
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify the field "content"`)
return
}
// un moderatore può modificare solo i campi "content", "visible", "status"
if (
user.role === 'moderator' &&
!validateObjectKeys<keyof SolutionModel>(req.body, ['content', 'status', 'visible'])
) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a moderator can only modify the fields "content", "visible", "status"`)
return
}
2 years ago
await updateSolution(db, id, req.body)
res.json({ status: 'ok' })
})
r.get('/api/user/:id', async (req, res) => {
const user = await getRequestUser(req)
// intanto l'utente deve essere loggato
if (!user) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// solo gli amministratori possono usare questa route
if (!isAdministrator(user.role)) {
2 years ago
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const requestedUser = await getUser(db, req.params.id)
// l'utente richiesto magari deve esistere
if (!requestedUser) {
res.sendStatus(404)
return
}
res.json(requestedUser)
})
return r
}