From 3d93817b855dcbe1c4d2573faa2901ae3db0f7d8 Mon Sep 17 00:00:00 2001
From: alex <alex@alexloehr.net>
Date: Fri, 28 Nov 2025 10:29:25 +0000
Subject: [PATCH] audit
---
app.js | 179 +++++++++++++++++++++++++++++++++++++++++++++--------------
1 files changed, 135 insertions(+), 44 deletions(-)
diff --git a/app.js b/app.js
index dd1065a..05e0430 100644
--- a/app.js
+++ b/app.js
@@ -1,9 +1,15 @@
const path = require("path")
const fastify = require('fastify')({
- logger: true
+ logger: false,
+ // logger: true
})
const _ = require("lodash")
const fs = require("node:fs")
+const dayjs = require("dayjs")
+
+const log = require("./logger")
+log.info("")
+log.info(`--- STARTUP ${dayjs().format("DD.MM.YYYY HH:mm:ss")} ---`)
const db = require("./lib/db")
const libIlias = require("./lib/libIlias")
@@ -19,18 +25,26 @@
// AUTH
fastify.addHook("onRequest", async (req, res) => {
- console.log(req.url)
+ // custom logging
+ log.info(`${req.method} ${req.url}`);
+ // console.log(req.url)
+
const token = req.query.token
- console.log(req.url)
- if (token !== settings.authtoken && !req.url.startsWith("/ui/")) {
- console.error("# AUTH ERROR #", token)
+ if (token !== settings.authtoken && !req.url.startsWith("/ui/") && !req.url.startsWith("/api/version")) {
+ log.error("# AUTH ERROR #", token)
await promiseDelay(500) // delay response to avoid denial of service attacks
res.code(403)
return res.send({status: "error", error: "access denied"})
+ } else {
+ // log.debug("AUTH FOR ", req.url)
}
- else {
- console.log("AUTH FOR ", req.url)
- }
+})
+
+/////// VERSION ////////////////////////////////////////////////////////////////
+
+fastify.get("/api/version", async function (req, res) {
+ const {version} = require("./package.json")
+ return res.send({version})
})
/////// SEARCH ////////////////////////////////////////////////////////////////
@@ -38,21 +52,21 @@
const searchLib = require("./lib/search")
const {setStatus} = require("./lib/db")
searchLib.doIndex().catch(console.error)
+
fastify
.get("/api/search/user", async function (req, res) {
- console.log(req.query)
+ log.info(req.query)
const search = req.query?.search
if (!search) {
return res.code(422).send({status: "error", msg: "no search"})
- }
- else {
- console.log(search)
+ } else {
+ log.info(search)
const data = await searchLib.search(search)
return res.send(data)
}
})
.post("/api/search/reindex", async function (req, res) {
- console.log("REINDEX ++++")
+ log.info("REINDEX ++++")
const start = Date.now()
await searchLib.doIndex().catch(console.error)
return res.send({
@@ -61,8 +75,10 @@
})
})
+
+/////// USER ////////////////////////////////////////////////////////////////
+
fastify
- /////// USER ////////////////////////////////////////////////////////////////
.get('/api/user', async function (req, res) {
const {offset, limit, search} = req.query
const users = await db.getUsers(offset, limit, search)
@@ -77,8 +93,7 @@
const user = await db.getUserByLogin(login)
if (user) {
return res.send(user)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -90,22 +105,20 @@
const user = await db.getUserByUserId(userid)
if (user) {
return res.send(user)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
.get("/api/user/teilnahmen/:userId", async function (req, res) {
let userId = req.params.userId
- console.log(`--------${userId}-----------`, typeof userId)
+ log.debug(`--------${userId}-----------`, typeof userId)
if (!userId || isNaN(Number(userId))) {
return res.code(500).send({status: "error", msg: "userId error"})
}
const tn = await db.getUserTeilnahmen(userId)
if (tn) {
return res.send(tn)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -116,18 +129,13 @@
return res.send(res2)
})
- .delete("/api/user", async function (req, res) { // DELETE ALL users
- const res2 = await libIlias.deleteAllUsers()
- return res.send(res2)
- })
.delete("/api/user/:usr_id", async function (req, res) {
const {usr_id} = req.params
if (!usr_id || isNaN(Number(usr_id))) {
return res.code(500).send({status: "error", msg: "userId error"})
- }
- else {
+ } else {
const res2 = await libIlias.deleteUser(usr_id)
- console.log(res2)
+ log.info(res2)
return res.send(res2)
}
})
@@ -139,8 +147,7 @@
const data = await db.getObjIdFromRefId(ref_id)
if (data) {
return res.send(data)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -149,8 +156,7 @@
let data = await db.getRefIdFromObjId(obj_id)
if (data) {
return res.send(data)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -161,8 +167,7 @@
let data = await db.getKurse()
if (data) {
return res.send(data)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -171,8 +176,7 @@
let data = await db.getKurs(refId)
if (data) {
return res.send(data)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -181,8 +185,7 @@
let data = await db.getKursItems2(refId)
if (data) {
return res.send(data)
- }
- else {
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -191,8 +194,40 @@
let data = await db.getKursTeilnehmer(refId)
if (data) {
return res.send(data)
+ } else {
+ return res.code(404).send({status: "error", msg: "not found"})
}
- else {
+ })
+ .get("/api/kurs/:refId/lp", async function (req, res) {
+ const {refId} = req.params
+ const {obj_id: objId} = await db.getObjIdFromRefId(refId)
+
+ const raw = req.query.raw
+ let data = await db.getKursLp(objId, raw)
+
+ if (data) {
+ return res.send(data)
+ } else {
+ return res.code(404).send({status: "error", msg: "not found"})
+ }
+ })
+ .get("/api/kurs/:refId/teilnehmerByRole", async function (req, res) {
+ const {refId} = req.params
+ const {obj_id} = await db.getObjIdFromRefId(refId)
+ let data = await db.getKursTeilnehmerByRole(obj_id)
+ return res.send(data)
+ })
+ .get("/api/kurs/:refId/roles", async function (req, res) {
+ const {refId} = req.params
+ let data = await db.getKursRoles(refId)
+ return res.send(data)
+ })
+ .get("/api/kurs/:refId/teilnehmer/:userId", async function (req, res) {
+ const {refId, userId} = req.params
+ let data = await db.getSingleKursTeilnehmer(refId, userId)
+ if (data) {
+ return res.send(data)
+ } else {
return res.code(404).send({status: "error", msg: "not found"})
}
})
@@ -211,7 +246,7 @@
.post("/api/kurs/:refId/status/:usrId", async function (req, res) {
const {refId, usrId} = req.params
const {passed, status} = req.body
- if (!refId || !usrId || _.isEmpty(passed) || _.isEmpty(status)) {
+ if (!refId || !usrId || _.isNil(passed) || _.isNil(status)) {
throw {
statusCode: 400,
status: "error",
@@ -232,6 +267,36 @@
}
})
+ .get("/api/kurs/:refId/offline", async function (req, res) {
+ const refId = Number(req.params.refId)
+
+ try {
+ const {obj_id} = await db.getObjIdFromRefId(refId)
+ const res2 = await db.getKursOffline(obj_id)
+ return res.send(res2)
+ } catch (err) {
+ console.error(err)
+ log.error(err.message)
+ return res.code(500).send({status: "error", message: err.message})
+ }
+ })
+ .post("/api/kurs/:refId/offline", async function (req, res) {
+ const refId = Number(req.params.refId)
+ const {offline} = req.body
+ // console.dir(req.body, {depth: null, colors: true, maxArrayLength: null})
+
+ try {
+ const {obj_id} = await db.getObjIdFromRefId(refId)
+ const res2 = await db.setKursOffline(offline, obj_id)
+ return res.send(res2)
+ } catch (err) {
+ console.error(err)
+ log.error(err.message)
+ return res.code(500).send({status: "error", message: err.message})
+ }
+ })
+
+ // abmelden
.delete("/api/kurs/:refId/teilnehmer/:usrId", async function (req, res) {
const {refId, usrId} = req.params
if (!refId || !usrId) throw {status: "error", msg: "refId and usrId requried"}
@@ -251,6 +316,29 @@
}
})
+ // Kurs Admins - über Rolle
+ .get("/api/kurs/rolle/admin", async function (req, res) {
+ try {
+ const data = await db.getCourseAdminRoles()
+ return res.send(data)
+ } catch (err) {
+ console.error(err)
+ return res.code(500).send({status: "error", error: err.toString()})
+ }
+ })
+
+ // Kurs Admins - über Rolle - FEHLENDE Zuweisung eines tatsächlichen Users
+ .get("/api/kurs/rolle/noadmin", async function (req, res) {
+ try {
+ const data = await db.getCourseWithoutAdminRoles()
+ return res.send(data)
+ } catch (err) {
+ console.error(err)
+ return res.code(500).send({status: "error", error: err.toString()})
+ }
+ })
+
+
/////// STATIC / SPA ////////////////////////////////////////////////////////////////
@@ -264,7 +352,7 @@
const indexFile = fs.readFileSync(path.join(__dirname, "vue/dist", 'index.html'), 'utf8')
fastify.setNotFoundHandler(function (req, res) {
- console.log("!!!")
+ log.error("!!! Not found")
// res.sendFile("vue/dist/index.html")
res.type("text/html").send(indexFile)
})
@@ -273,9 +361,11 @@
/////////////////////////////////////////////////////////////////////////
fastify.listen({port: settings.port}, function (err, address) {
- console.log("📡 -=> Listening on", address)
+ console.log(address)
+ log.info(`📡 -=> Listening on ${address}`)
if (err) {
- fastify.log.error(err)
+ // fastify.log.error(err)
+ log.error(err)
process.exit(1)
}
// Server is now listening on ${address}
@@ -283,6 +373,7 @@
/////////////////////////////////////////////////////////////////////////
-async function promiseDelay (ms) {
+async function promiseDelay(ms) {
return new Promise(resolve => setTimeout(resolve, ms))
}
+
--
Gitblit v1.8.0