diff --git a/public/news/2019-06-04-01.md b/public/news/2019-06-04-01.md
index 7bd1d33..bbef0d0 100644
--- a/public/news/2019-06-04-01.md
+++ b/public/news/2019-06-04-01.md
@@ -7,4 +7,5 @@ _4 June 2019_
 * Added credentials to attack status requests (others can't spoof to see who you're attacking anymore - my bad!)
 * Began work on spying infrastructure.
 * Made the attack button more generic - can reuse a lot of attack code for spying code.
+* Added credentials to the combat logs (How did I miss TWO credential requirements?)
 * More coming later today...
\ No newline at end of file
diff --git a/server/combat.js b/server/combat.js
index f91316b..2599c07 100644
--- a/server/combat.js
+++ b/server/combat.js
@@ -104,12 +104,30 @@ const attackStatusRequest = (connection) => (req, res) => { }; const combatLogRequest = (connection) => (req, res) => { - let query = 'SELECT pastCombat.*, atk.username AS attacker, def.username AS defender FROM pastCombat JOIN accounts AS atk ON pastCombat.attackerId = atk.id JOIN accounts AS def ON pastCombat.defenderId = def.id WHERE atk.username = ? OR def.username = ? ORDER BY eventTime DESC LIMIT ?, ?;'; - connection.query(query, [req.body.username, req.body.username, req.body.start, req.body.length], (err, results) => { + //verify the user's credentials + let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND token = ?;'; + connection.query(query, [req.body.id, req.body.token], (err, results) => { if (err) throw err; - res.status(200).json(results); - log('Combat log sent', req.body.username, req.body.start, req.body.length); + if (results[0].total !== 1) { + res.status(400).write(log('Invalid combat log credentials', req.body.id, req.body.token)); + res.end(); + return; + } + + //grab the username based on the ID + let query = 'SELECT username FROM accounts WHERE id = ?;'; + connection.query(query, [req.body.id], (err, results) => { + if (err) throw err; + + let query = 'SELECT pastCombat.*, atk.username AS attacker, def.username AS defender FROM pastCombat JOIN accounts AS atk ON pastCombat.attackerId = atk.id JOIN accounts AS def ON pastCombat.defenderId = def.id WHERE atk.username = ? OR def.username = ? ORDER BY eventTime DESC LIMIT ?, ?;'; + connection.query(query, [results[0].username, results[0].username, req.body.start, req.body.length], (err, results) => { + if (err) throw err; + + res.status(200).json(results); + log('Combat log sent', results[0].username, req.body.id, req.body.token, req.body.start, req.body.length); + }); + }); }); }; diff --git a/server/spying.js b/server/spying.js index 97b8de3..284dfc5 100644 --- a/server/spying.js +++ b/server/spying.js 
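Review bot: In the innermost callback of combatLogRequest, `results` is the pastCombat result set, so `log('Combat log sent', results[0].username, ...)` reads the wrong rows — that set carries `attacker`/`defender` columns rather than `username`, and for a user with no combat history `results[0]` is undefined, which throws a TypeError inside the query callback after the 200 has already been sent. Give the two nested callbacks distinct parameter names and capture the username once, as below. While there, drop `req.body.token` from both log() calls: the success path writes a live session token to the log on every request, and the 400 path also echoes it back in the response body through `res.status(400).write(log(...))`. `if (err) throw err;` inside an asynchronous query callback cannot be caught by Express and will take the process down; that pattern predates this commit, but the change triples its occurrences in this handler.
```javascript
		//grab the username based on the ID
		let query = 'SELECT username FROM accounts WHERE id = ?;';
		connection.query(query, [req.body.id], (err, accountRows) => {
			if (err) throw err;

			const username = accountRows[0].username;

			// … unchanged: let query = 'SELECT pastCombat.* … LIMIT ?, ?;' …
			connection.query(query, [username, username, req.body.start, req.body.length], (err, combatRows) => {
				if (err) throw err;

				res.status(200).json(combatRows);
				log('Combat log sent', username, req.body.id, req.body.start, req.body.length);
			});
		});
```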
@@ -11,9 +11,70 @@ let { log } = require('../common/utilities.js'); let { isSpying } = require('./utilities.js'); const spyRequest = (connection) => (req, res) => { - //TODO - res.status(400).write(log('Not yet implemented', 'spyRequest')); - res.end(); + //verify the attacker's credentials (only the attacker can launch an attack) + let query = 'SELECT COUNT(*) AS total FROM sessions WHERE accountId = ? AND accountId IN (SELECT id FROM accounts WHERE username = ?) AND token = ?;'; + connection.query(query, [req.body.id, req.body.attacker, req.body.token], (err, results) => { + if (err) throw err; + + if (results[0].total !== 1) { + res.status(400).write(log('Invalid spying credentials', req.body.id, req.body.attacker, req.body.defender, req.body.token)); + res.end(); + return; + } + + //verify that the defender's profile exists + let query = 'SELECT accountId FROM profiles WHERE accountId IN (SELECT id FROM accounts WHERE username = ?);'; + connection.query(query, [req.body.defender], (err, results) => { + if (err) throw err; + + if (results.length !== 1) { + res.status(400).write(log('Invalid defender spying credentials', req.body.id, req.body.attacker, req.body.defender, req.body.token)); + res.end(); + return; + } + + let defenderId = results[0].accountId; + + //verify that the attacker has enough spies + let query = 'SELECT spies FROM profiles WHERE accountId = ?;'; + connection.query(query, [req.body.id], (err, results) => { + if (err) throw err; + + if (results[0].spies <= 0) { + res.status(400).write(log('Not enough spies', req.body.attacker, req.body.defender, results[0].spies)); + res.end(); + return; + } + + let attackingUnits = results[0].spies; + + //verify that the attacker is not already spying on someone + isSpying(connection, req.body.attacker, (err, spying) => { + if (err) throw err; + + if (spying) { + res.status(400).write(log('You are already spying on someone', req.body.id, req.body.attacker, req.body.token)); + res.end(); + return; + } + + 
//create the pending spy record + let query = 'INSERT INTO pendingSpying (eventTime, attackerId, defenderId, attackingUnits) VALUES (DATE_ADD(CURRENT_TIMESTAMP(), INTERVAL 10 * ? MINUTE), ?, ?, ?);'; + connection.query(query, [attackingUnits, req.body.id, defenderId, attackingUnits], (err) => { + if (err) throw err; + + res.status(200).json({ + status: 'spying', + attacker: req.body.attacker, + defender: req.body.defender, + msg: log('Spying', req.body.attacker, req.body.defender) //TODO: am I using this msg parameter anywhere? + }); + res.end(); + }); + }); + }); + }); + }); }; const spyStatusRequest = (connection) => (req, res) => { diff --git a/src/components/panels/paged_combat_log.jsx b/src/components/panels/paged_combat_log.jsx index 505c56e..a997942 100644 --- a/src/components/panels/paged_combat_log.jsx +++ b/src/components/panels/paged_combat_log.jsx @@ -14,7 +14,7 @@ class PagedCombatLog extends React.Component { }; if (props.getFetch) { - props.getFetch(() => this.sendRequest('/combatlogrequest', {username: props.username, start: props.start, length: props.length})); + props.getFetch(() => this.sendRequest('/combatlogrequest', {start: props.start, length: props.length})); } }
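Review bot: The "not already spying" guard in spyRequest is a check-then-act across separate queries: `isSpying(...)` reads, then the `INSERT INTO pendingSpying` runs in a later callback with no transaction or unique key visible here, so two concurrent spy requests from the same attacker can both pass the check and both insert a pending record. If isSpying boils down to "a pendingSpying row exists for this attacker", the race closes by making the insert conditional — `INSERT INTO pendingSpying (eventTime, attackerId, defenderId, attackingUnits) SELECT DATE_ADD(CURRENT_TIMESTAMP(), INTERVAL 10 * ? MINUTE), ?, ?, ? FROM DUAL WHERE NOT EXISTS (SELECT 1 FROM pendingSpying WHERE attackerId = ?);` — and treating `result.affectedRows === 0` as the "already spying" 400 (or adding a UNIQUE index on attackerId and handling ER_DUP_ENTRY). The defender's profile is checked with `results.length !== 1` but the attacker's is not: `results[0].spies` throws a TypeError inside the callback if the attacker has a session but no profiles row, so make that guard `if (results.length !== 1 || results[0].spies <= 0)`. Both credential-failure branches pass `req.body.token` to log(), which records the live session token and, via `res.status(400).write(log(...))`, also echoes it in the response body; drop the token from those calls.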