From 286ffda45779addfa5abdb515cddd99891a49d6d Mon Sep 17 00:00:00 2001 From: vextv Date: Thu, 1 May 2025 12:10:41 +0200 Subject: [PATCH] Merge remote-tracking branch 'origin/develop' into login_function # Conflicts: # public/registrieren/registrieren.html - Cleaned up code - Passwords are now stored as bcrypt hashes in the database (hashed, not encrypted). The password of all pre-generated users is "changeme" --- database/db_scripts/webshop_test-data.sql | 40 +++---- server.js | 125 ++++++++++++---------- 2 files changed, 90 insertions(+), 75 deletions(-) diff --git a/database/db_scripts/webshop_test-data.sql b/database/db_scripts/webshop_test-data.sql index d94c6b2..7a6c973 100644 --- a/database/db_scripts/webshop_test-data.sql +++ b/database/db_scripts/webshop_test-data.sql 
@@ -26,45 +26,45 @@ VALUES (5, 'Holiday Deal', 'Description for Holiday Deal', 20, TRUE); -- Users INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (1, 'User1', LOWER('User1'), 'user1@example.com', 'password123', 'bcrypt', FALSE); +VALUES (1, 'User1', LOWER('User1'), 'user1@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (2, 'User2', LOWER('User2'), 'user2@example.com', 'password123', 'bcrypt', FALSE); +VALUES (2, 'User2', LOWER('User2'), 'user2@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (3, 'User3', LOWER('User3'), 'user3@example.com', 'password123', 'bcrypt', FALSE); +VALUES (3, 'User3', LOWER('User3'), 'user3@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (4, 'User4', LOWER('User4'), 'user4@example.com', 'password123', 'bcrypt', FALSE); +VALUES (4, 'User4', LOWER('User4'), 'user4@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (5, 'User5', LOWER('User5'), 'user5@example.com', 'password123', 'bcrypt', FALSE); +VALUES (5, 'User5', LOWER('User5'), 'user5@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (6, 'User6', LOWER('User6'), 'user6@example.com', 'password123', 'bcrypt', FALSE); +VALUES (6, 'User6', LOWER('User6'), 'user6@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user 
(id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (7, 'User7', LOWER('User7'), 'user7@example.com', 'password123', 'bcrypt', FALSE); +VALUES (7, 'User7', LOWER('User7'), 'user7@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (8, 'User8', LOWER('User8'), 'user8@example.com', 'password123', 'bcrypt', FALSE); +VALUES (8, 'User8', LOWER('User8'), 'user8@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (9, 'User9', LOWER('User9'), 'user9@example.com', 'password123', 'bcrypt', FALSE); +VALUES (9, 'User9', LOWER('User9'), 'user9@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (10, 'User10', LOWER('User10'), 'user10@example.com', 'password123', 'bcrypt', FALSE); +VALUES (10, 'User10', LOWER('User10'), 'user10@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (11, 'User11', LOWER('User11'), 'user11@example.com', 'password123', 'bcrypt', FALSE); +VALUES (11, 'User11', LOWER('User11'), 'user11@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (12, 'User12', LOWER('User12'), 'user12@example.com', 'password123', 'bcrypt', FALSE); +VALUES (12, 'User12', LOWER('User12'), 'user12@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (13, 'User13', 
LOWER('User13'), 'user13@example.com', 'password123', 'bcrypt', FALSE); +VALUES (13, 'User13', LOWER('User13'), 'user13@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (14, 'User14', LOWER('User14'), 'user14@example.com', 'password123', 'bcrypt', FALSE); +VALUES (14, 'User14', LOWER('User14'), 'user14@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (15, 'User15', LOWER('User15'), 'user15@example.com', 'password123', 'bcrypt', FALSE); +VALUES (15, 'User15', LOWER('User15'), 'user15@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (16, 'User16', LOWER('User16'), 'user16@example.com', 'password123', 'bcrypt', FALSE); +VALUES (16, 'User16', LOWER('User16'), 'user16@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (17, 'User17', LOWER('User17'), 'user17@example.com', 'password123', 'bcrypt', FALSE); +VALUES (17, 'User17', LOWER('User17'), 'user17@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (18, 'User18', LOWER('User18'), 'user18@example.com', 'password123', 'bcrypt', FALSE); +VALUES (18, 'User18', LOWER('User18'), 'user18@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (19, 'User19', LOWER('User19'), 'user19@example.com', 'password123', 
'bcrypt',FALSE); +VALUES (19, 'User19', LOWER('User19'), 'user19@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',FALSE); INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo, is_admin) -VALUES (20, 'User20', LOWER('User20'), 'user20@example.com', 'password123', 'bcrypt', FALSE); +VALUES (20, 'User20', LOWER('User20'), 'user20@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE); -- User Addresses INSERT INTO user_address (user_id, address_line1, address_line2, city, postal_code, country, telephone) diff --git a/server.js b/server.js index 5ef778c..1aee010 100644 --- a/server.js +++ b/server.js @@ -2,6 +2,7 @@ const express = require('express'); const session = require('express-session'); const router = require('express').Router(); const path = require('path'); +const bcrypt = require('bcrypt') require('dotenv').config({path: 'process.env'}); 
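Review bot: All twenty fixture rows carry the identical bcrypt string, i.e. one shared salt, and the commit message publishes the plaintext as "changeme", so this seed file is a ready-made credential list for every account if it is ever loaded anywhere but a throwaway development database; the section should say so, e.g. `-- Test fixtures only: every account stores the bcrypt hash (cost 10) of "changeme". Never load into a shared or production database.` directly under `-- Users`. The `$2b$10$` prefix matches the cost used by `bcrypt.hash(passwd, 10)` in server.js and `passwd_hash_algo` now agrees with the stored format, which is the right pairing. Consider generating a separate hash per row (or at least for one user) so a login test exercises distinct salts instead of a single shared string.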
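Review bot: `require('bcrypt')` introduces a new native dependency, but the diffstat lists only `server.js` and the SQL seed, so `package.json` and the lockfile were not updated and a fresh clone will fail at startup with `Cannot find module 'bcrypt'`; add it with a pinned, lockfile-recorded version in the same change. The added line also drops the semicolon every neighbouring `require` line uses; `const bcrypt = require('bcrypt');` keeps the file consistent. The dependency block continues outside the hunk.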
@@ -132,59 +133,77 @@ app.get('/api/products/sportwagen', async (req, res) => { }); }); -app.post('/api/user/registration', (req, res) => { +app.post('/api/user/registration', async (req, res) => { // SQL-Query für Nutzerregistration const {name, lower_name, email, passwd} = req.body; - const sql = "INSERT INTO webshop.user (name, lower_name, email, passwd, passwd_hash_algo) VALUES (?, ?, ?, ?, 'none')" + try { + const hashedPassword = await bcrypt.hash(passwd, 10) - // Query abschicken - db.query(sql, [name, lower_name, email, passwd], (err, results) => { - if (err) { - if (err.code === 'ER_DUP_ENTRY'){ - res.status(409).json({message: 'Diese E-Mail Adresse ist bereits registriert.'}) + const sql = "INSERT INTO webshop.user (name, lower_name, email, passwd, passwd_hash_algo) VALUES (?, ?, ?, ?, 'bcrypt')" + + // Query abschicken + db.query(sql, [name, lower_name, email, hashedPassword], (err, results) => { + if (err) { + if (err.code === 'ER_DUP_ENTRY') { + res.status(409).json({message: 'Diese E-Mail Adresse ist bereits registriert.'}) + } + console.error('Fehler beim Schreiben in die Datenbank: ', err); + res.status(500).send('Fehler beim Schreiben in die Datenbank'); + return; } - console.error('Fehler beim Schreiben in die Datenbank: ', err); - res.status(500).send('Fehler beim Schreiben in die Datenbank'); - return; - } - res.status(201).json({message: 'Nutzer erfolgreich hinzugefügt', id: results.insertId}) - }) + res.status(201).json({message: 'Nutzer erfolgreich hinzugefügt', id: results.insertId}) + }) + } catch (error) { + console.error('Hashing-Fehler: ', error) + res.status(500).json({message: 'Fehler bei der Verarbeitung'}) + } }) app.post('/api/user/login', (req, res) => { const {email, password} = req.body - const sql = 'SELECT * FROM webshop.user WHERE email = ?' + const sql = 'SELECT id, email, name, lower_name, passwd FROM webshop.user WHERE email = ?' 
- db.query(sql, [email], (err, results) => { + db.query(sql, [email], async (err, results) => { if (err) { console.error('Fehler beim Abrufen des Nutzers: ', err) return res.status(500).json({message: 'Serverfehler'}) } if (results.length === 0) { - return res.status(401).json({message: 'E-Mail nicht gefunden'}) + return res.status(401).json({message: 'E-Mail oder Passwort ist ungültig.'}) } + const user = results[0] - if (user.passwd !== password) { - return res.status(401).json({message: 'Falsches Passwort'}) + try { + // Vergleiche gegebenes Passwort mit gespeichertem verschlüsseltem Passwort + const passwordMatch = await bcrypt.compare(password, user.passwd) + + if (!passwordMatch) { + return res.status(401).json({message: 'E-Mail oder Passwort ist ungültig.'}) + } + + req.session.userId = user.id; + req.session.email = user.email; + req.session.vorname = user.name; + req.session.nachname = user.lower_name; + + // bei erfolgreichem Login Daten ans Frontend geben + res.json({message: 'Login erfolgreich', id: user.id, name: user.name, lower_name: user.lower_name}) + + } catch (compareError) { + console.error('Fehler beim Verarbeiten der Anfrage: ', compareError) + return res.status(500).json({message: 'Serverfehler bei der Anmeldung'}) } - - req.session.userId = user.id; - req.session.email = user.email; - req.session.vorname = user.name; - req.session.nachname = user.lower_name; - - res.json({message: 'Login erfolgreich', id: user.id, name: user.name, lower_name: user.lower_name}) }) }) app.post('/api/bestellung', (req, res) => { - const { user_id, produkte } = req.body; + const {user_id, produkte} = req.body; // produkte erwartet als Array: [{product_id: 1, quantity: 2}, {product_id: 5, quantity: 1}, ...] if (!user_id || !Array.isArray(produkte) || produkte.length === 0) { - return res.status(400).json({ message: 'Ungültige Anfrage: user_id oder Produkte fehlen.' 
}); + return res.status(400).json({message: 'Ungültige Anfrage: user_id oder Produkte fehlen.'}); } // Preise der Produkte abrufen @@ -194,11 +213,11 @@ app.post('/api/bestellung', (req, res) => { db.query(priceQuery, [productIds], (err, priceResults) => { if (err) { console.error('Fehler beim Abrufen der Produktpreise:', err); - return res.status(500).json({ message: 'Serverfehler beim Abrufen der Produktpreise.' }); + return res.status(500).json({message: 'Serverfehler beim Abrufen der Produktpreise.'}); } if (priceResults.length !== productIds.length) { - return res.status(400).json({ message: 'Eines oder mehrere Produkte existieren nicht.' }); + return res.status(400).json({message: 'Eines oder mehrere Produkte existieren nicht.'}); } // Total berechnen @@ -216,7 +235,7 @@ app.post('/api/bestellung', (req, res) => { db.query(sqlOrder, [user_id, payment_id, total], (err1, result1) => { if (err1) { console.error('Fehler beim Erstellen der Bestellung:', err1); - return res.status(500).json({ message: 'Fehler beim Erstellen der Bestellung.' }); + return res.status(500).json({message: 'Fehler beim Erstellen der Bestellung.'}); } const orderId = result1.insertId; 
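Review bot: In the registration handler the `ER_DUP_ENTRY` branch sends the 409 and then falls through to `res.status(500).send(...)` on the same response, so every duplicate e-mail produces a second write to an already-sent response; it needs `return res.status(409).json({message: 'Diese E-Mail Adresse ist bereits registriert.'})`. `passwd`, `name`, `lower_name` and `email` come straight from `req.body` with no presence or type check, so a missing or non-string `passwd` makes `bcrypt.hash` reject and surfaces as a 500 instead of a 400, bcrypt silently truncates input beyond 72 bytes, and `lower_name` is client-supplied rather than derived server-side from `name`, so it cannot be relied on for uniqueness or lookup. In the login handler the session is populated in place; calling `req.session.regenerate()` before setting `req.session.userId` prevents session fixation, and because the not-found path returns before `bcrypt.compare`, response time still distinguishes unknown e-mails despite the now-uniform message — running `bcrypt.compare` against a constant dummy hash in that branch closes the gap. `/api/bestellung`, whose body starts in this hunk and continues outside it, trusts `user_id` from the request body even though the session now carries `req.session.userId`; it should use the session value and reject unauthenticated callers. The comment `verschlüsseltem Passwort` is inaccurate for a bcrypt hash; `// compare the submitted password against the stored bcrypt hash` says what the line does.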
@@ -227,46 +246,42 @@ app.post('/api/bestellung', (req, res) => { db.query(sqlItems, [values], (err2, result2) => { if (err2) { console.error('Fehler beim Einfügen der Order-Items:', err2); - return res.status(500).json({ message: 'Fehler beim Hinzufügen der Produkte zur Bestellung.' }); + return res.status(500).json({message: 'Fehler beim Hinzufügen der Produkte zur Bestellung.'}); } - res.status(201).json({ message: 'Bestellung erfolgreich!', order_id: orderId, total: total.toFixed(2) }); + res.status(201).json({message: 'Bestellung erfolgreich!', order_id: orderId, total: total.toFixed(2)}); }); }); }); }); app.post('/api/bestellung/daten', (req, res) => { - const { user_id } = req.body; + const {user_id} = req.body; const sql = ` - SELECT - od.id AS order_id, - od.total AS order_total, - oi.product_id, - oi.quantity, - p.name AS product_name, - p.price AS product_price - FROM - webshop.order_details od - INNER JOIN - webshop.order_items oi ON od.id = oi.order_id - INNER JOIN - webshop.product p ON oi.product_id = p.id - WHERE - od.user_id = ? - ORDER BY - od.id DESC + SELECT od.id AS order_id, + od.total AS order_total, + oi.product_id, + oi.quantity, + p.name AS product_name, + p.price AS product_price + FROM webshop.order_details od + INNER JOIN + webshop.order_items oi ON od.id = oi.order_id + INNER JOIN + webshop.product p ON oi.product_id = p.id + WHERE od.user_id = ? + ORDER BY od.id DESC `; db.query(sql, [user_id], (err, results) => { if (err) { console.error('Fehler beim Abrufen der Bestellungen: ', err); - return res.status(500).json({ message: 'Fehler beim Abrufen der Bestellungen' }); + return res.status(500).json({message: 'Fehler beim Abrufen der Bestellungen'}); } if (results.length === 0) { - return res.status(404).json({ message: 'Keine Bestellungen gefunden.' }); + return res.status(404).json({message: 'Keine Bestellungen gefunden.'}); } res.json(results); 
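Review bot: `/api/bestellung/daten` reads `user_id` from the request body (`const {user_id} = req.body;`), so any caller can list any user's orders by posting a different id; this hunk only reformats that line, but the authorization check is absent on the new side. Login now stores `req.session.userId`, so the handler should take the id from the session and refuse unauthenticated requests, e.g. `const user_id = req.session.userId; if (!user_id) return res.status(401).json({message: 'Nicht angemeldet.'});` in place of the destructuring. The handler's closing lines are outside the hunk.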
@@ -277,7 +292,7 @@ app.get('/api/pruefe-artikel', (req, res) => { const artikelnummer = req.query.nummer; if (!artikelnummer) { - return res.status(400).json({ error: 'Keine Artikelnummer angegeben.' }); + return res.status(400).json({error: 'Keine Artikelnummer angegeben.'}); } const query = 'SELECT id FROM webshop.product WHERE id = ?'; @@ -285,11 +300,11 @@ app.get('/api/pruefe-artikel', (req, res) => { db.query(query, [artikelnummer], (err, results) => { if (err) { console.error('Fehler bei der Artikelsuche:', err); - return res.status(500).json({ error: 'Serverfehler bei der Artikelsuche.' }); + return res.status(500).json({error: 'Serverfehler bei der Artikelsuche.'}); } const verfuegbar = results.length > 0; - res.json({ verfuegbar }); + res.json({verfuegbar}); }); });