const session = require('express-session'); const SQLiteStore = require('connect-sqlite3')(session); const bcrypt = require('bcrypt'); const crypto = require('crypto'); const { db } = require('./db'); const path = require('path'); const sessionDbPath = path.join(__dirname, 'data', 'sessions.sqlite'); const sessionMiddleware = session({ secret: process.env.SESSION_SECRET || 'hotel-secret-key-change-me', resave: false, saveUninitialized: false, cookie: { secure: false, httpOnly: true, sameSite: 'lax', maxAge: 24 * 6 * 60 * 1000 }, store: new SQLiteStore({ db: 'sessions.sqlite', dir: path.join(__dirname, 'data'), table: 'sessions' }) }); function generateCsrfToken(req) { if (!req.session.csrfToken) { req.session.csrfToken = crypto.randomBytes(32).toString('hex'); } return req.session.csrfToken; } function csrfProtection(req, res, next) { if (req.method === 'GET') return next(); const token = req.headers['x-csrf-token'] || req.body._csrf; if (!token || token !== req.session.csrfToken) { return res.status(403).json({ error: 'CSRF token validation failed' }); } next(); } function injectCsrfToken(req, res, next) { res.locals.csrfToken = generateCsrfToken(req); next(); } async function ensureAdmin() { const login = process.env.ADMIN_LOGIN || 'admin'; const password = process.env.ADMIN_PASSWORD || 'admin'; const saltRounds = 10; const admin = db.prepare('SELECT id FROM admins WHERE login = ?').get(login); const hashed = await bcrypt.hash(password, saltRounds); if (admin) { db.prepare('UPDATE admins SET password = ? WHERE login = ?').run(hashed, login); console.log(`Пароль администратора "${login}" обновлён (хэширован)`); } else { db.prepare('INSERT INTO admins (login, password) VALUES (?, ?)').run(login, hashed); console.log(`Администратор "${login}" создан (хэширован)`); } } function requireAdmin(req, res, next) { if (req.session && req.session.isAdmin) { return next(); } res.status(401).json({ error: 'Не авторизован' }); } module.exports = { sessionMiddleware, csrfProtection, injectCsrfToken, ensureAdmin, requireAdmin };