Merge remote-tracking branch 'origin/develop' into login_function

# Conflicts:
#	public/registrieren/registrieren.html

- Cleaned up code
- Passwords are now encrypted in the database. Passwords of all pregenerated useres is "changeme"

database/db_scripts/webshop_test-data.sql

@@ -26,45 +26,45 @@ VALUES (5, 'Holiday Deal', 'Description for Holiday Deal', 20, TRUE);
 
 -- Users
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (1, 'User1', LOWER('User1'), 'user1@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (1, 'User1', LOWER('User1'), 'user1@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (2, 'User2', LOWER('User2'), 'user2@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (2, 'User2', LOWER('User2'), 'user2@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (3, 'User3', LOWER('User3'), 'user3@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (3, 'User3', LOWER('User3'), 'user3@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (4, 'User4', LOWER('User4'), 'user4@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (4, 'User4', LOWER('User4'), 'user4@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (5, 'User5', LOWER('User5'), 'user5@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (5, 'User5', LOWER('User5'), 'user5@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (6, 'User6', LOWER('User6'), 'user6@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (6, 'User6', LOWER('User6'), 'user6@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (7, 'User7', LOWER('User7'), 'user7@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (7, 'User7', LOWER('User7'), 'user7@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (8, 'User8', LOWER('User8'), 'user8@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (8, 'User8', LOWER('User8'), 'user8@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (9, 'User9', LOWER('User9'), 'user9@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (9, 'User9', LOWER('User9'), 'user9@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (10, 'User10', LOWER('User10'), 'user10@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (10, 'User10', LOWER('User10'), 'user10@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (11, 'User11', LOWER('User11'), 'user11@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (11, 'User11', LOWER('User11'), 'user11@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (12, 'User12', LOWER('User12'), 'user12@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (12, 'User12', LOWER('User12'), 'user12@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (13, 'User13', LOWER('User13'), 'user13@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (13, 'User13', LOWER('User13'), 'user13@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (14, 'User14', LOWER('User14'), 'user14@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (14, 'User14', LOWER('User14'), 'user14@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (15, 'User15', LOWER('User15'), 'user15@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (15, 'User15', LOWER('User15'), 'user15@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (16, 'User16', LOWER('User16'), 'user16@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (16, 'User16', LOWER('User16'), 'user16@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (17, 'User17', LOWER('User17'), 'user17@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (17, 'User17', LOWER('User17'), 'user17@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (18, 'User18', LOWER('User18'), 'user18@example.com', 'password123', 'bcrypt',  FALSE);
+VALUES (18, 'User18', LOWER('User18'), 'user18@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',  FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (19, 'User19', LOWER('User19'), 'user19@example.com', 'password123', 'bcrypt',FALSE);
+VALUES (19, 'User19', LOWER('User19'), 'user19@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt',FALSE);
 INSERT INTO user (id, name, lower_name, email, passwd, passwd_hash_algo,  is_admin)
-VALUES (20, 'User20', LOWER('User20'), 'user20@example.com', 'password123', 'bcrypt', FALSE);
+VALUES (20, 'User20', LOWER('User20'), 'user20@example.com', '$2b$10$EUsWCS278AwwfZ9K7G4fkellUSPGAOs0hhXkIDbakVGJYE72mNMAC', 'bcrypt', FALSE);
 
 -- User Addresses
 INSERT INTO user_address (user_id, address_line1, address_line2, city, postal_code, country, telephone)

server.js

@@ -2,6 +2,7 @@ const express = require('express');
 const session = require('express-session');
 const router = require('express').Router();
 const path = require('path');
+const bcrypt = require('bcrypt')
 
 require('dotenv').config({path: 'process.env'});
 
@@ -132,14 +133,17 @@ app.get('/api/products/sportwagen', async (req, res) => {
     });
 });
 
-app.post('/api/user/registration', (req, res) => {
+app.post('/api/user/registration', async (req, res) => {
     // SQL-Query für Nutzerregistration
     const {name, lower_name, email, passwd} = req.body;
 
-    const sql = "INSERT INTO webshop.user (name, lower_name, email, passwd, passwd_hash_algo) VALUES (?, ?, ?, ?, 'none')"
+    try {
+        const hashedPassword = await bcrypt.hash(passwd, 10)
+
+        const sql = "INSERT INTO webshop.user (name, lower_name, email, passwd, passwd_hash_algo) VALUES (?, ?, ?, ?, 'bcrypt')"
 
         // Query abschicken
-    db.query(sql, [name, lower_name, email, passwd], (err, results) => {
+        db.query(sql, [name, lower_name, email, hashedPassword], (err, results) => {
             if (err) {
                 if (err.code === 'ER_DUP_ENTRY') {
                     res.status(409).json({message: 'Diese E-Mail Adresse ist bereits registriert.'})
@@ -150,24 +154,33 @@ app.post('/api/user/registration', (req, res) => {
             }
             res.status(201).json({message: 'Nutzer erfolgreich hinzugefügt', id: results.insertId})
         })
+    } catch (error) {
+        console.error('Hashing-Fehler: ', error)
+        res.status(500).json({message: 'Fehler bei der Verarbeitung'})
+    }
 })
 
 app.post('/api/user/login', (req, res) => {
     const {email, password} = req.body
-    const sql = 'SELECT * FROM webshop.user WHERE email = ?'
+    const sql = 'SELECT id, email, name, lower_name, passwd FROM webshop.user WHERE email = ?'
 
-    db.query(sql, [email], (err, results) => {
+    db.query(sql, [email], async (err, results) => {
         if (err) {
             console.error('Fehler beim Abrufen des Nutzers: ', err)
             return res.status(500).json({message: 'Serverfehler'})
         }
         if (results.length === 0) {
-            return res.status(401).json({message: 'E-Mail nicht gefunden'})
+            return res.status(401).json({message: 'E-Mail oder Passwort ist ungültig.'})
         }
+
         const user = results[0]
 
-        if (user.passwd !== password) {
+        try {
-            return res.status(401).json({message: 'Falsches Passwort'})
+            // Vergleiche gegebenes Passwort mit gespeichertem verschlüsseltem Passwort
+            const passwordMatch = await bcrypt.compare(password, user.passwd)
+
+            if (!passwordMatch) {
+                return res.status(401).json({message: 'E-Mail oder Passwort ist ungültig.'})
             }
 
             req.session.userId = user.id;
@@ -175,7 +188,13 @@ app.post('/api/user/login', (req, res) => {
             req.session.vorname = user.name;
             req.session.nachname = user.lower_name;
 
+            // bei erfolgreichem Login Daten ans Frontend geben
             res.json({message: 'Login erfolgreich', id: user.id, name: user.name, lower_name: user.lower_name})
+
+        } catch (compareError) {
+            console.error('Fehler beim Verarbeiten der Anfrage: ', compareError)
+            return res.status(500).json({message: 'Serverfehler bei der Anmeldung'})
+        }
     })
 })
 
@@ -240,23 +259,19 @@ app.post('/api/bestellung/daten', (req, res) => {
     const {user_id} = req.body;
 
     const sql = `
-        SELECT 
+        SELECT od.id    AS order_id,
-            od.id AS order_id,
                od.total AS order_total,
                oi.product_id,
                oi.quantity,
                p.name   AS product_name,
                p.price  AS product_price
-        FROM 
+        FROM webshop.order_details od
-            webshop.order_details od
                  INNER JOIN
              webshop.order_items oi ON od.id = oi.order_id
                  INNER JOIN
              webshop.product p ON oi.product_id = p.id
-        WHERE 
+        WHERE od.user_id = ?
-            od.user_id = ?
+        ORDER BY od.id DESC
-        ORDER BY 
-            od.id DESC
     `;
 
     db.query(sql, [user_id], (err, results) => {