authorpitu <[email protected]>2017-01-17 00:37:54 -0300
committerpitu <[email protected]>2017-01-17 00:37:54 -0300
commitbdfd512c10986a9b4f137e668be6bd80dbd8f617 (patch)
treef64f3cbcd5888916f8a388f62873732687db934d
parentLogin screen on dashboard (diff)
downloadhost.fuwn.me-bdfd512c10986a9b4f137e668be6bd80dbd8f617.tar.xz
host.fuwn.me-bdfd512c10986a9b4f137e668be6bd80dbd8f617.zip
token handling and verification
-rw-r--r--config.sample.js3
-rw-r--r--controllers/galleryController.js8
-rw-r--r--controllers/uploadController.js7
-rw-r--r--pages/home.html10
-rw-r--r--public/css/style.css4
-rw-r--r--public/js/panel.js112
-rw-r--r--public/js/upload.js49
-rw-r--r--routes/api.js26
8 files changed, 142 insertions, 77 deletions
diff --git a/config.sample.js b/config.sample.js
index c63d5fd..83c8baa 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -6,6 +6,9 @@ module.exports = {
Ideally the only options you should change are port and basedomain.
*/
+ // Should this instance of loli-safe be private? If so, a client token will be needed for uploads
+ private: true,
+
// Your base domain where the app is running. Remember to finish it with '/'
basedomain: 'https://i.kanacchi.moe/',
diff --git a/controllers/galleryController.js b/controllers/galleryController.js
index 8bcdd1e..0f64086 100644
--- a/controllers/galleryController.js
+++ b/controllers/galleryController.js
@@ -5,18 +5,18 @@ let galleryController = {}
galleryController.list = function(req, res, next){
- if(config.TOKEN === true)
+ if(config.private === true)
if(req.headers.auth !== config.clientToken)
return res.status(401).send('not-authorized')
- db.table('gallery').select('id', 'name').then((data) => {
- res.json({ data })
+ db.table('gallery').select('id', 'name').then((galleries) => {
+ return res.json({ galleries })
})
}
galleryController.test = function(req, res, next){
- if(config.TOKEN === true)
+ if(config.private === true)
if(req.headers.auth !== config.clientToken)
return res.status(401).send('not-authorized')
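Review bot: The `if(req.headers.auth !== config.clientToken)` checks on the new side of both functions let a request with no `auth` header through whenever `config.clientToken` is unset, because `undefined !== undefined` is false, and they compare a bearer secret with a plain string comparison; the same shape is in uploadController.js (`upload`, and `list` against `config.adminToken`) and in the `/info` route in routes/api.js, while the new `/verify` route there rejects an undefined token first. Requiring both values before comparing, `if(!config.clientToken || req.headers.auth !== config.clientToken)`, closes that gap, and one shared middleware would replace the repeated copies. The rest of `galleryController.test` continues outside the hunk.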
diff --git a/controllers/uploadController.js b/controllers/uploadController.js
index a374137..c9959fb 100644
--- a/controllers/uploadController.js
+++ b/controllers/uploadController.js
@@ -22,7 +22,7 @@ const upload = multer({
uploadsController.upload = function(req, res, next){
- if(config.TOKEN === true)
+ if(config.private === true)
if(req.headers.auth !== config.clientToken)
return res.status(401).send('not-authorized')
@@ -70,9 +70,8 @@ uploadsController.upload = function(req, res, next){
uploadsController.list = function(req, res){
- if(config.TOKEN === true)
- if(req.headers.auth !== config.clientToken)
- return res.status(401).send('not-authorized')
+ if(req.headers.auth !== config.adminToken)
+ return res.status(401).send('not-authorized')
db.table('files').then((files) => {
diff --git a/pages/home.html b/pages/home.html
index b4aa56d..9aba94b 100644
--- a/pages/home.html
+++ b/pages/home.html
@@ -9,7 +9,7 @@
</head>
<body>
- <section class="hero is-fullheight has-text-centered">
+ <section class="hero is-fullheight has-text-centered" id="home">
<div class="hero-body">
<div class="container">
<p id="b">
@@ -39,6 +39,14 @@
<div class="column"></div>
</div>
+ <div class="columns">
+ <div class="column"></div>
+ <div class="column"><a href="https://chrome.google.com/webstore/detail/loli-safe-uploader/enkkmplljfjppcdaancckgilmgoiofnj/related" target="_blank" class="is-danger">Uploader Chrome extension</a></div>
+ <div class="column"></div>
+ </div>
+
+
+
<div id="uploads">
<div id="template" class="columns">
<div class="column">
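Review bot: The new `<a … target="_blank">` link in the Uploader Chrome extension row opens a cross-origin page without `rel="noopener noreferrer"`, so the opened page keeps a `window.opener` reference back to this one; add `rel="noopener noreferrer"` to the anchor. The surrounding markup continues outside the hunk.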
diff --git a/public/css/style.css b/public/css/style.css
index ad67545..b8d69ee 100644
--- a/public/css/style.css
+++ b/public/css/style.css
@@ -82,11 +82,13 @@ img.logo { height: 200px; margin-top: 20px; }
------------------ */
section#dashboard { display: none }
+section#auth input { background: rgba(0, 0, 0, 0); }
section#auth input, section#auth a {
border-left: 0px;
border-top: 0px;
border-right: 0px;
border-radius: 0px;
- background: rgba(0, 0, 0, 0);
box-shadow: 0 0 0;
}
+
+section#dashboard .table { font-size: 12px }
diff --git a/public/js/panel.js b/public/js/panel.js
index ed1bea0..cff5609 100644
--- a/public/js/panel.js
+++ b/public/js/panel.js
@@ -1,15 +1,11 @@
window.onload = function () {
- if(!localStorage.admintoken){
- askForToken();
- return;
- }
+ var page;
- var dashboard = document.getElementById('dashboard');
- var page = document.getElementById('page');
+ if(!localStorage.admintoken)
+ return askForToken();
- dashboard.style.display = 'block';
- prepareMenu();
+ prepareDashboard();
function askForToken(){
document.getElementById('tokenSubmit').addEventListener('click', function(){
@@ -21,15 +17,35 @@ window.onload = function () {
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
+ try{
+
+ var json = JSON.parse(xhr.responseText);
+ if(json.success === false)
+ return alert(json.description);
+
+ localStorage.admintoken = document.getElementById('token').value;
+ prepareDashboard();
+
+ }catch(e){
+ console.log(e);
+ }
+
+ console.log(xhr.responseText);
// xhr.responseText
}
}
- xhr.open('POST', '/api/info', true);
+ xhr.open('GET', '/api/verify', true);
+ xhr.setRequestHeader('type', 'admin');
+ xhr.setRequestHeader('token', document.getElementById('token').value);
xhr.send(null);
}
}
- function prepareMenu(){
+ function prepareDashboard(){
+ page = document.getElementById('page');
+ document.getElementById('auth').style.display = 'none';
+ document.getElementById('dashboard').style.display = 'block';
+
document.getElementById('itemUploads').addEventListener('click', function(){
getUploads();
});
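Review bot: The new `try{ … }catch(e){ console.log(e); }` around `JSON.parse(xhr.responseText)` turns a non-JSON reply from `/api/verify` into a console line only, so the user presses Submit and nothing visible happens; report it instead, e.g. `}catch(e){ return alert('Unexpected response from /api/verify'); }`. The `console.log(xhr.responseText)` after the block looks like leftover debugging and prints the full server reply on every attempt. `prepareDashboard` continues outside the hunk.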
@@ -45,44 +61,47 @@ window.onload = function () {
xhr.onreadystatechange = function() {
if(xhr.readyState == XMLHttpRequest.DONE){
- if(xhr.responseText !== 'not-authorized'){
- var json = JSON.parse(xhr.responseText);
-
- var container = document.createElement('div');
- container.innerHTML = `
- <table class="table">
- <thead>
- <tr>
- <th>File</th>
- <th>Gallery</th>
- <th>Date</th>
- </tr>
- </thead>
- <tbody id="table">
- </tbody>
- </table>`;
- page.appendChild(container);
-
- var table = document.getElementById('table');
-
- for(var item of json){
-
- var tr = document.createElement('tr');
- tr.innerHTML = `
- <tr>
- <th><a href="${item.file}" target="_blank">${item.file}</a></th>
- <th>${item.gallery}</th>
- <td>${item.date}</td>
- </tr>
- `;
-
- table.appendChild(tr);
- }
+
+ if(xhr.responseText === 'not-authorized')
+ return notAuthorized();
+
+ var json = JSON.parse(xhr.responseText);
+
+ var container = document.createElement('div');
+ container.innerHTML = `
+ <table class="table">
+ <thead>
+ <tr>
+ <th>File</th>
+ <th>Gallery</th>
+ <th>Date</th>
+ </tr>
+ </thead>
+ <tbody id="table">
+ </tbody>
+ </table>`;
+ page.appendChild(container);
+
+ var table = document.getElementById('table');
+
+ for(var item of json){
+
+ var tr = document.createElement('tr');
+ tr.innerHTML = `
+ <tr>
+ <th><a href="${item.file}" target="_blank">${item.file}</a></th>
+ <th>${item.gallery}</th>
+ <td>${item.date}</td>
+ </tr>
+ `;
+
+ table.appendChild(tr);
}
+
}
}
xhr.open('GET', '/api/uploads', true);
- xhr.setRequestHeader('auth', localStorage.token);
+ xhr.setRequestHeader('auth', localStorage.admintoken);
xhr.send(null);
}
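Review bot: The rows built at the `tr.innerHTML` template interpolate `item.file`, `item.gallery` and `item.date` from the `/api/uploads` response straight into markup, so any markup contained in a stored filename or gallery name is rendered in the admin's browser instead of being shown as text; the `not-authorized` restructure keeps this code as it was. Building the cells with `createElement`/`textContent` removes that, and `container.querySelector('tbody')` avoids the duplicate `id="table"` that a second click on the uploads item would produce, since `getElementById('table')` would then return the first table already in the document. The `<tr>` nested inside the `tr.innerHTML` template is also redundant. The enclosing function starts outside the hunk.
```javascript
// … unchanged: not-authorized check, JSON.parse, container and table header markup (drop id="table" from the tbody) …
var table = container.querySelector('tbody');

for(var item of json){
  var tr = document.createElement('tr');

  var fileCell = document.createElement('th');
  var link = document.createElement('a');
  link.href = item.file;
  link.target = '_blank';
  link.rel = 'noopener noreferrer';
  link.textContent = item.file;
  fileCell.appendChild(link);

  var galleryCell = document.createElement('th');
  galleryCell.textContent = item.gallery;

  var dateCell = document.createElement('td');
  dateCell.textContent = item.date;

  tr.appendChild(fileCell);
  tr.appendChild(galleryCell);
  tr.appendChild(dateCell);
  table.appendChild(tr);
}
```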
@@ -93,4 +112,9 @@ window.onload = function () {
}
+ function notAuthorized() {
+ localStorage.removeItem("admintoken");
+ location.reload();
+ }
+
}
diff --git a/public/js/upload.js b/public/js/upload.js
index bb60f28..c99ecb4 100644
--- a/public/js/upload.js
+++ b/public/js/upload.js
@@ -8,7 +8,7 @@ window.onload = function () {
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
- USINGTOKEN = JSON.parse(xhr.responseText).token;
+ USINGTOKEN = JSON.parse(xhr.responseText).private;
prepareTokenThing();
}
}
@@ -20,14 +20,14 @@ window.onload = function () {
if(!USINGTOKEN) return getInfo();
if(!localStorage.token){
- document.getElementById('tokenContainer').style.display = 'flex'
document.getElementById('tokenSubmit').addEventListener('click', function(){
getInfo(document.getElementById('token').value)
});
- }else{
- getInfo(localStorage.token);
+ return document.getElementById('tokenContainer').style.display = 'flex';
}
+ getInfo(localStorage.token);
+
}
function prepareDropzone(){
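Review bot: `return document.getElementById('tokenContainer').style.display = 'flex';` at the end of the `if(!localStorage.token)` block returns the assigned string only to leave the function early; split it into the assignment followed by a bare `return;` so the early exit reads as one. `prepareTokenThing` starts outside the hunk.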
@@ -91,23 +91,25 @@ window.onload = function () {
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
- if(xhr.responseText !== 'not-authorized'){
-
- div = document.createElement('div');
- div.id = 'dropzone';
- div.innerHTML = 'Click here or drag and drop files';
- div.style.display = 'flex';
-
- document.getElementById('btnGithub').style.display = 'none';
- document.getElementById('tokenContainer').style.display = 'none';
- document.getElementById('uploadContainer').appendChild(div);
- document.getElementById('panel').style.display = 'block';
-
- if(xhr.responseText.maxFileSize) maxSize = JSON.parse(xhr.responseText).maxFileSize;
- if(token) localStorage.token = token;
-
- prepareDropzone();
- }
+
+ if(xhr.responseText === 'not-authorized')
+ return notAuthorized();
+
+ div = document.createElement('div');
+ div.id = 'dropzone';
+ div.innerHTML = 'Click here or drag and drop files';
+ div.style.display = 'flex';
+
+ document.getElementById('btnGithub').style.display = 'none';
+ document.getElementById('tokenContainer').style.display = 'none';
+ document.getElementById('uploadContainer').appendChild(div);
+ document.getElementById('panel').style.display = 'block';
+
+ if(xhr.responseText.maxFileSize) maxSize = JSON.parse(xhr.responseText).maxFileSize;
+ if(token) localStorage.token = token;
+
+ prepareDropzone();
+
}
}
xhr.open('GET', '/api/info', true);
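Review bot: `if(xhr.responseText.maxFileSize)` tests a property on a string — `responseText` is the raw body — so the condition is never true and `maxSize` is never taken from the server; parse once, `var info = JSON.parse(xhr.responseText); if(info.maxFileSize) maxSize = info.maxFileSize;`. `div = document.createElement('div')` also assigns an undeclared name and so creates a global; declare it with `var div`. The enclosing function starts outside the hunk.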
@@ -117,4 +119,9 @@ window.onload = function () {
xhr.send(null);
}
+
+ function notAuthorized() {
+ localStorage.removeItem("token");
+ location.reload();
+ }
}; \ No newline at end of file
diff --git a/routes/api.js b/routes/api.js
index 18135ac..aeedfa9 100644
--- a/routes/api.js
+++ b/routes/api.js
@@ -4,12 +4,34 @@ const uploadController = require('../controllers/uploadController')
const galleryController = require('../controllers/galleryController')
routes.get ('/check', (req, res, next) => {
- return res.json({token: config.TOKEN})
+ return res.json({ private: config.private })
+})
+
+routes.get ('/verify', (req, res, next) => {
+ let type = req.headers.type
+ let token = req.headers.token
+
+ if(type === undefined) return res.json({ success: false, description: 'No type provided.' })
+ if(token === undefined) return res.json({ success: false, description: 'No token provided.' })
+ if(type !== 'client' && type !== 'admin') return res.json({ success: false, description: 'Wrong type provided.' })
+
+ if(type === 'client'){
+ if(token !== config.clientToken) return res.json({ success: false, description: 'Token mismatch.' })
+ return res.json({ success: true })
+ }
+
+ if(type === 'admin'){
+ if(token !== config.adminToken) return res.json({ success: false, description: 'Token mismatch.' })
+ return res.json({ success: true })
+ }
+
+ return res.json({ success: false, description: '(╯°□°)╯︵ ┻━┻' })
+
})
routes.get('/info', (req, res, next) => {
- if(config.TOKEN === true)
+ if(config.private === true)
if(req.headers.auth !== config.clientToken)
return res.status(401).send('not-authorized')