kalugin66/hotel777-manager
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
hotel777-manager/auth.js
kalugin66 e20188c869 oc
2026-05-04 21:09:42 +05:00

72 lines
2.2 KiB
JavaScript
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
const session = require('express-session');
const SQLiteStore = require('connect-sqlite3')(session);
const bcrypt = require('bcrypt');
const crypto = require('crypto');
const { db } = require('./db');
const path = require('path');
const sessionDbPath = path.join(__dirname, 'data', 'sessions.sqlite');
const sessionMiddleware = session({
secret: process.env.SESSION_SECRET || 'hotel-secret-key-change-me',
resave: false,
saveUninitialized: false,
cookie: {
secure: false,
httpOnly: true,
sameSite: 'lax',
maxAge: 24 * 6 * 60 * 1000
},
store: new SQLiteStore({
db: 'sessions.sqlite',
dir: path.join(__dirname, 'data'),
table: 'sessions'
})
});
function generateCsrfToken(req) {
if (!req.session.csrfToken) {
req.session.csrfToken = crypto.randomBytes(32).toString('hex');
}
return req.session.csrfToken;
}
function csrfProtection(req, res, next) {
if (req.method === 'GET') return next();
const token = req.headers['x-csrf-token'] || req.body._csrf;
if (!token || token !== req.session.csrfToken) {
return res.status(403).json({ error: 'CSRF token validation failed' });
}
next();
}
function injectCsrfToken(req, res, next) {
res.locals.csrfToken = generateCsrfToken(req);
next();
}
async function ensureAdmin() {
const login = process.env.ADMIN_LOGIN || 'admin';
const password = process.env.ADMIN_PASSWORD || 'admin';
const saltRounds = 10;
const admin = db.prepare('SELECT id FROM admins WHERE login = ?').get(login);
const hashed = await bcrypt.hash(password, saltRounds);
if (admin) {
db.prepare('UPDATE admins SET password = ? WHERE login = ?').run(hashed, login);
console.log(`Пароль администратора "${login}" обновлён (хэширован)`);
} else {
db.prepare('INSERT INTO admins (login, password) VALUES (?, ?)').run(login, hashed);
console.log(`Администратор "${login}" создан (хэширован)`);
}
}
function requireAdmin(req, res, next) {
if (req.session && req.session.isAdmin) {
return next();
}
res.status(401).json({ error: 'Не авторизован' });
}
module.exports = { sessionMiddleware, csrfProtection, injectCsrfToken, ensureAdmin, requireAdmin };
Reference in New Issue View Git Blame Copy Permalink