You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

365 lines
11 KiB
TypeScript

import crypto from 'crypto'
import bodyParser from 'body-parser'
import cookieParser from 'cookie-parser'
import express, { Request, Router } from 'express'
import { StatusCodes } from 'http-status-codes'
import {
createDatabase,
createProblem,
createSolution,
deleteProblem,
deleteSolution,
getProblem,
getProblems,
getSolution,
getSolutions,
getUser,
getUsers,
updateProblem,
updateSolution,
} from './db/database'
import {
Id,
isAdministrator,
isStudent,
Opaque,
Problem as ProblemModel,
ProblemId,
Solution as SolutionModel,
SolutionId,
User as UserModel,
UserId,
} from '../shared/model'
import { initialDatabaseValue } from './db/example-data'
import { validateObjectKeys } from '../shared/utils'
export async function createApiRouter() {
type SessionId = Opaque<string, string, 'session'>
const sessionStore: Record<SessionId, UserId> = {}
const sessions = {
createSession(userId: UserId) {
const sid = crypto.randomBytes(10).toString('hex') as SessionId
sessionStore[sid] = userId
return sid
},
getUserForSession(sid: SessionId) {
return sessionStore[sid] ?? null
},
}
const db = createDatabase(process.env.DATABASE_PATH ?? './db.local.json', initialDatabaseValue)
async function getRequestUser(req: Request): Promise<UserModel | null> {
const userId = sessions.getUserForSession(req.cookies.sid)
if (!userId) {
return null
}
return await getUser(db, userId)
}
const r: Router = express.Router()
r.use(bodyParser.json())
r.use(cookieParser())
r.get('/api/status', (req, res) => {
res.json({ url: req.originalUrl, status: 'ok' })
})
r.get('/api/current-user', async (req, res) => {
res.json(await getRequestUser(req))
})
r.post('/api/login', async (req, res) => {
const { id } = req.body
const user = await getUser(db, id)
if (!user) {
res.sendStatus(StatusCodes.FORBIDDEN)
return
}
res.cookie('sid', sessions.createSession(id), { maxAge: 1000 * 60 * 60 * 24 * 7 })
res.json({ status: 'ok' })
})
r.post('/api/logout', (req, res) => {
res.cookie('sid', '', { expires: new Date() })
res.json({ status: 'ok' })
})
r.get('/api/users', async (req, res) => {
const requestUser = await getRequestUser(req)
if (!requestUser || !isAdministrator(requestUser.role)) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const users = await getUsers(db)
res.json(users)
})
r.get('/api/problems', async (req, res) => {
type ProblemWithSolutionsCount = ProblemModel & { solutionsCount?: number }
const problems: ProblemWithSolutionsCount[] = await getProblems(db)
const solutions = await getSolutions(db)
const solutionCounts: Record<ProblemId, number> = {}
for (const s of solutions) {
solutionCounts[s.forProblem] ||= 0
solutionCounts[s.forProblem]++
}
for (const p of problems) {
p.solutionsCount = solutionCounts[p.id] || 0
}
res.json(problems)
})
r.get('/api/problem/:id', async (req, res) => {
res.json(await getProblem(db, req.params.id))
})
r.patch('/api/problem/:id', async (req, res) => {
const id = req.params.id as ProblemId
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// l'utente deve essere un admin o un moderatore
if (!isAdministrator(user.role)) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// uno studente può modificare solo il campo "content"
if (user.role === 'moderator' && !validateObjectKeys<keyof ProblemModel>(req.body, ['content'])) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a moderator can only modify the field "content"`)
return
}
await updateProblem(db, id, req.body)
res.send({ status: 'ok' })
})
r.delete('/api/problem/:id', async (req, res) => {
const id = req.params.id as ProblemId
const user = await getRequestUser(req)
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
if (user.role !== 'admin') {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`only an admin can delete this entity`)
return
}
await deleteProblem(db, id)
res.send({ status: 'ok' })
})
r.post('/api/problem', async (req, res) => {
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// Solo un amministratore può inviare nuovi problemi
if (user.role !== 'admin' && user.role !== 'moderator') {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// Il contenuto del problema deve essere non vuoto
if (req.body.content.trim().length === 0) {
res.sendStatus(StatusCodes.UNPROCESSABLE_ENTITY)
return
}
const problemNextId = (await getProblems(db)).map(p => parseInt(p.id)).reduce((acc, v) => Math.max(acc, v), 0) + 1
const id = await createProblem(db, {
title: req.body.title ?? `Problema ${problemNextId}`,
content: req.body.content,
createdBy: user.id,
})
res.json(id)
})
r.get('/api/solutions', async (req, res) => {
let queryUser = (req.query.user ?? null) as UserId | null
let queryProblem = (req.query.problem ?? null) as ProblemId | null
const requestUser = await getRequestUser(req)
let solutions = await getSolutions(db)
// se l'utente non è loggato o se non è un amministratore allora mostra solo le soluzioni "visibili"
if (!requestUser || !isAdministrator(requestUser.role)) {
solutions = solutions.filter(s => s.visible || (requestUser && s.sentBy === requestUser.id))
}
// filtra rispetto agli utenti
if (queryUser !== null) {
solutions = solutions.filter(s => s.sentBy === queryUser)
}
// filtra rispetto ai problemi
if (queryProblem !== null) {
solutions = solutions.filter(s => s.forProblem === queryProblem)
}
res.json(solutions)
})
r.get('/api/solution/:id', async (req, res) => {
const user = await getRequestUser(req)
const solution = await getSolution(db, req.params.id as SolutionId)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(StatusCodes.NOT_FOUND)
return
}
// uno studente può vedere solo soluzioni visibili o proprie soluzione
if (!solution.visible && user && isStudent(user.role) && solution.sentBy !== user.id) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
res.json(solution)
})
r.post('/api/solution', async (req, res) => {
const user = await getRequestUser(req)
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
await createSolution(db, {
sentBy: user.id,
forProblem: req.body.forProblem,
content: req.body.content,
})
res.send({ status: 'ok' })
})
r.patch('/api/solution/:id', async (req, res) => {
const id = req.params.id as SolutionId
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const solution = await getSolution(db, id)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(404)
return
}
// uno studente non può modificare una soluzione di un altro utente
if (user.role === 'student' && solution.sentBy !== user.id) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify its own solution`)
return
}
// uno studente può modificare solo il campo "content"
if (user.role === 'student' && !validateObjectKeys<keyof SolutionModel>(req.body, ['content'])) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a student can only modify the field "content"`)
return
}
// un moderatore può modificare solo i campi "content", "visible", "status"
if (user.role === 'moderator' && !validateObjectKeys<keyof SolutionModel>(req.body, ['content', 'status', 'visible'])) {
res.status(StatusCodes.UNAUTHORIZED)
res.send(`a moderator can only modify the fields "content", "visible", "status"`)
return
}
await updateSolution(db, id, req.body)
res.json({ status: 'ok' })
})
r.delete('/api/solution/:id', async (req, res) => {
const id = req.params.id as SolutionId
const user = await getRequestUser(req)
// l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const solution = await getSolution(db, id)
// la soluzione deve esistere
if (solution === null) {
res.sendStatus(StatusCodes.NOT_FOUND)
return
}
// solo un admin può eliminare le soluzioni degli utenti
if (user.role !== 'admin' && solution.sentBy !== user.id) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
await deleteSolution(db, id)
res.send({ status: 'ok' })
})
r.get('/api/user/:id', async (req, res) => {
const user = await getRequestUser(req)
// intanto l'utente deve essere loggato
if (!user) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
// solo gli amministratori possono usare questa route
if (!isAdministrator(user.role)) {
res.sendStatus(StatusCodes.UNAUTHORIZED)
return
}
const requestedUser = await getUser(db, req.params.id)
// l'utente richiesto magari deve esistere
if (!requestedUser) {
res.sendStatus(404)
return
}
res.json(requestedUser)
})
return r
}