Implemented permabans

2021-03-28 08:32:28 +11:00
7 changed files with 106 additions and 1 deletions
@@ -0,0 +1,37 @@
+const { accounts, tokens } = require('../database/models');
+const Sequelize = require('sequelize');
+const Op = Sequelize.Op;
+
+//admin/banuser
+const route = async (req, res) => {
+	const updated = await accounts.update({
+		banned: true
+	}, {
+		where: {
+			username: {
+				[Op.eq]: req.body.username
+			},
+			admin: {
+				[Op.not]: true
+			},
+			mod: {
+				[Op.not]: true
+			}
+		}
+	});
+
+	if (!updated[0]) {
+		return res.status(500).send('Failed to set banned status');
+	}
+
+	//forcibly logout
+	tokens.destroy({
+		where: {
+			username: req.body.username
+		}
+	});
+
+	res.status(200).end();
+};
+
+module.exports = route;
@@ -1,10 +1,46 @@
 const express = require('express');
 const router = express.Router();

+const { accounts } = require('../database/models');
+
 //middleware
 const tokenAuth = require('../utilities/token-auth');

 router.use(tokenAuth);
+
+//handle ban stuff
+router.use(async (req, res, next) => {
+	const record = await accounts.findOne({
+		where: {
+			username: req.user.username
+		}
+	});
+
+	if (!record) {
+		return res.status(500).send('Account not found in banning middleware');
+	}
+
+	if (record.banned) {
+		return res.status(403).send('This account has been banned');
+	}
+
+	next();
+});
+
+//handle mod stuff
+router.use((req, res, next) => {
+	//check the user's mod status
+	if (!req.user.mod) {
+		return res.status(401).send('Mods only');
+	}
+
+	next();
+});
+
+//routes
+router.post('/banuser', require('./ban-user'));
+
+//handle admin stuff
 router.use((req, res, next) => {
 	//check the user's admin status
 	if (!req.user.admin) {
@@ -1,6 +1,8 @@
 const express = require('express');
 const router = express.Router();

+const { accounts } = require('../database/models');
+
 //middleware
 const tokenAuth = require('../utilities/token-auth');

@@ -15,6 +17,24 @@ router.post('/token', require('./token'));
 //middleware
 router.use(tokenAuth);

+router.use(async (req, res, next) => {
+	const record = await accounts.findOne({
+		where: {
+			username: req.user.username
+		}
+	});
+
+	if (!record) {
+		return res.status(500).send('Account not found in banning middleware');
+	}
+
+	if (record.banned) {
+		return res.status(403).send('This account has been banned');
+	}
+
+	next();
+});
+
 //basic account management (needs a token)
 router.delete('/logout', require('./logout'));
 router.get('/account', require('./account-query'));
@@ -42,6 +42,11 @@ const route = async (req, res) => {
 		}
 	});

+	//reject on banned
+	if (account.banned) {
+		return res.status(403).send('this account has been banned');
+	}
+
 	//generate the JWT
 	const tokens = generate(account.id, account.username, account.type, account.admin, account.mod);

@@ -40,6 +40,12 @@ module.exports = sequelize.define('accounts', {
 		defaultValue: false
 	},

+	banned: {
+		type: Sequelize.BOOLEAN,
+		allowNull: false,
+		defaultValue: false
+	},
+
 	contact: {
 		type: Sequelize.BOOLEAN,
 		allowNull: false,
@@ -3,4 +3,5 @@ const sequelize = require('..');

 module.exports = sequelize.define('tokens', {
 	token: 'varchar(320)',
+	username: 'varchar(320)'
 });
@@ -14,7 +14,7 @@ module.exports = (id, username, type, admin, mod) => {
 	const accessToken = jwt.sign(content, process.env.SECRET_ACCESS, { expiresIn: '10m' });
 	const refreshToken = jwt.sign(content, process.env.SECRET_REFRESH, { expiresIn: '30d' });

-	tokens.create({ token: refreshToken });
+	tokens.create({ token: refreshToken, username: username });

 	return { accessToken, refreshToken };
 };