mipilin/routes/login.ts

import { Express } from "express";
import bcrypt from "bcrypt";
import { render } from "./util.js";
import { NodePgDatabase } from "drizzle-orm/node-postgres";
import { follows, inviteCodes, profiles, users } from "../db/schema.js";
import { eq } from "drizzle-orm";

//! TEMP Also not sanitized like at all
//! Also make sure user isnt logged in before doing this
export default function(app: Express, db: NodePgDatabase) {
  app.get("/register", (req, res) => {
    if (req.session["loggedIn"]) {
      res.redirect("/");
      return;
    }
    render(db, "register", "sign up", res, req);
  });
  app.post("/register", async (req, res) => {
    if (req.session["loggedIn"]) {
      res.redirect("/");
      return;
    }
    // validation
    if (!req.body.name || !req.body.referral || !req.body.email || !req.body.pass) {
      req.flash("error", "A required field wasn't filled in.");
      res.redirect("/register");
      return;
    }
    if (req.body.referral.length < 22) {
      req.flash("error", "Invalid invite code! Make sure you pasted it in correctly WITH the hyphens.");
      res.redirect("/register");
      return;
    }
    if (req.body.name.length < 3) {
      req.flash("error", "Username can't be shorter than 3 characters");
      res.redirect("/register");
      return;
    }
    if (req.body.name.length > 26) {
      req.flash("error", "Username can't be longer than 26 characters");
      res.redirect("/register");
      return;
    }

    //! dumb
    req.body.name = req.body.name.trim();
    const match = req.body.name.match(/[A-Z0-9_-]+/i);
    if (match?.[0] !== req.body.name) {
      req.flash(
        "error",
        "Username can only contain letters, numbers, underscores, hyphens, and periods!!"
      );
      res.redirect("/register");
      return;
    }
    if (!req.body.email || !req.body.pass) {
      req.flash("error", "Email or password not provided");
      res.redirect("/register");
      return;
    }

    // field conflicts
    if (
      (await db.select().from(users).where(eq(users.name, req.body.name)))
        .length > 0
    ) {
      req.flash("error", "That username is taken MORON");
      res.redirect("/register");
      return;
    }
    //! ew
    if (
      (await db.select().from(users).where(eq(users.email, req.body.email)))
        .length > 0
    ) {
      req.flash("error", "A user with that email already exists");
      res.redirect("/register");
      return;
    }
    
    // invite code checking
    const code = (await db.select({ expires: inviteCodes.expires, confers: inviteCodes.confers }).from(inviteCodes).where(eq(inviteCodes.token, req.body.referral)).limit(1))[0];
    if (!code) {
      req.flash("error", "Invalid invite code! Make sure you pasted it in correctly WITH the hyphens.");
      res.redirect("/register");
      return;
    }
    const expiration = code.expires.getTime();
    if (expiration > 0 && Date.now() >= expiration) {
      req.flash("error", "That code is expired.");
      res.redirect("/register");
      return;
    }
    // we're verified now so get that dumb fucker out of the database
    await db.delete(inviteCodes).where(eq(inviteCodes.token, req.body.referral));

    const hash = await bcrypt.hash(req.body.pass, 10);
    const { uid } = (
      await db
        .insert(users)
        //@ts-expect-error
        .values({
          name: req.body.name,
          email: req.body.email, //! Not actually validating this like at all???
          pass: hash,
          status: code.confers,
          registered: new Date(Date.now())
        })
        .returning({ uid: users.id })
    )[0];
    await db.insert(profiles).values({ user: uid });

    // Follow me by default ;w;;;
    //! Also this assumes that im at id 1 which might not be true ever
    await db.insert(follows).values({
      userId: 1,
      followerId: uid
    });

    req.session["loggedIn"] = true;
    req.session["status"] = code.confers;
    req.session["user"] = req.body.name;
    req.session["uid"] = uid;
    req.flash(
      "success",
      "Welcome to mipilin. After three months in development, hopefully it will have been worth the wait. Please let me know what you think after you have had a chance to use the website. I can be reached at gaben@roxwize.xyz, and my favorite mood is hormonal. Thanks, and have fun!"
    );
    res.redirect("/");
  });

  app.get("/login", async (req, res) => {
    if (req.session["loggedIn"]) {
      res.redirect("/");
      return;
    }
    render(db, "login", "log in", res, req);
  });
  app.post("/login", async (req, res) => {
    if (req.session["loggedIn"]) {
      res.redirect("/");
      return;
    }
    const user = (
      await db.select().from(users).where(eq(users.name, req.body.name))
    )[0];
    if (!user) {
      req.flash("error", "The username or password is invalid! I'm sorry! :(");
      res.redirect("/login");
      return;
    }
    if (!(await bcrypt.compare(req.body.pass, user.pass))) {
      req.flash("error", "The username or password is invalid! I'm sorry! :(");
      res.redirect("/login");
      return;
    }
    req.session["loggedIn"] = true;
    req.session["status"] = user.status;
    req.session["user"] = user.name;
    req.session["uid"] = user.id;
    req.flash("success", "You're logged in! Welcome back!!");
    res.redirect("/dashboard");
  });
  app.get("/logout", (req, res) => {
    req.session["loggedIn"] = false;
    delete req.session["user"];
    req.flash("info", "Good bye!");
    res.redirect("/");
  });
}