token handling and verification

config.sample.js

@@ -6,6 +6,9 @@ module.exports = {
 		Ideally the only options you should change are port and basedomain.
 	*/
 
+	// Should this instance of loli-safe be private? If so, a client token will be needed for uploads
+	private: true,
+	
 	// Your base domain where the app is running. Remember to finish it with '/'
 	basedomain: 'https://i.kanacchi.moe/',
 

controllers/galleryController.js

@@ -5,18 +5,18 @@ let galleryController = {}
 
 galleryController.list = function(req, res, next){
 	
-	if(config.TOKEN === true)
+	if(config.private === true)
 		if(req.headers.auth !== config.clientToken)
 			return res.status(401).send('not-authorized')
 
-	db.table('gallery').select('id', 'name').then((data) => {
+	db.table('gallery').select('id', 'name').then((galleries) => {
-		res.json({ data })
+		return res.json({ galleries })
 	})
 }
 
 galleryController.test = function(req, res, next){
 	
-	if(config.TOKEN === true)
+	if(config.private === true)
 		if(req.headers.auth !== config.clientToken)
 			return res.status(401).send('not-authorized')
 

controllers/uploadController.js

@@ -22,7 +22,7 @@ const upload = multer({
 
 uploadsController.upload = function(req, res, next){
 
-	if(config.TOKEN === true)
+	if(config.private === true)
 		if(req.headers.auth !== config.clientToken)
 			return res.status(401).send('not-authorized')
 
@@ -70,8 +70,7 @@ uploadsController.upload = function(req, res, next){
 
 uploadsController.list = function(req, res){
 
-	if(config.TOKEN === true)
+	if(req.headers.auth !== config.adminToken)
-		if(req.headers.auth !== config.clientToken)
 		return res.status(401).send('not-authorized')
 
 	db.table('files').then((files) => {

pages/home.html

@@ -9,7 +9,7 @@
     </head>
 
     <body>
-        <section class="hero is-fullheight has-text-centered">
+        <section class="hero is-fullheight has-text-centered" id="home">
             <div class="hero-body">
                 <div class="container">
                     <p id="b">
@@ -39,6 +39,14 @@
                         <div class="column"></div>
                     </div>
 
+                    <div class="columns">
+                        <div class="column"></div>
+                        <div class="column"><a href="https://chrome.google.com/webstore/detail/loli-safe-uploader/enkkmplljfjppcdaancckgilmgoiofnj/related" target="_blank" class="is-danger">Uploader Chrome extension</a></div>
+                        <div class="column"></div>
+                    </div>
+
+                    
+
                     <div id="uploads">
                         <div id="template" class="columns">
                             <div class="column">

public/css/style.css

@@ -82,11 +82,13 @@ img.logo { height: 200px; margin-top: 20px; }
 ------------------ */
 
 section#dashboard { display: none }
+section#auth input { background: rgba(0, 0, 0, 0); }
 section#auth input, section#auth a {
 	border-left: 0px;
     border-top: 0px;
     border-right: 0px;
     border-radius: 0px;
-    background: rgba(0, 0, 0, 0);
     box-shadow: 0 0 0;
 }
+
+section#dashboard .table { font-size: 12px }

public/js/panel.js

@@ -1,15 +1,11 @@
 window.onload = function () {
 
-	if(!localStorage.admintoken){
+	var page;
-		askForToken();
-		return;
-	}
 
-	var dashboard = document.getElementById('dashboard');
+	if(!localStorage.admintoken)
-	var page = document.getElementById('page');
+		return askForToken();
 
-	dashboard.style.display = 'block';
+	prepareDashboard();
-	prepareMenu();
 
 	function askForToken(){
 		document.getElementById('tokenSubmit').addEventListener('click', function(){
@@ -21,15 +17,35 @@ window.onload = function () {
 
 			xhr.onreadystatechange = function() {
 				if (xhr.readyState == XMLHttpRequest.DONE) {
+					try{
+						
+						var json = JSON.parse(xhr.responseText);
+						if(json.success === false)
+							return alert(json.description);
+
+						localStorage.admintoken = document.getElementById('token').value;
+						prepareDashboard();
+
+					}catch(e){
+						console.log(e);
+					}
+
+					console.log(xhr.responseText);
 					// xhr.responseText
 				}
 			}
-			xhr.open('POST', '/api/info', true);
+			xhr.open('GET', '/api/verify', true);
+			xhr.setRequestHeader('type', 'admin');
+			xhr.setRequestHeader('token', document.getElementById('token').value);
 			xhr.send(null);
 		}
 	}
 
-	function prepareMenu(){
+	function prepareDashboard(){
+		page = document.getElementById('page');
+		document.getElementById('auth').style.display = 'none';
+		document.getElementById('dashboard').style.display = 'block';
+
 		document.getElementById('itemUploads').addEventListener('click', function(){
 			getUploads();
 		});
@@ -45,7 +61,10 @@ window.onload = function () {
 
 		xhr.onreadystatechange = function() {
 			if(xhr.readyState == XMLHttpRequest.DONE){
-				if(xhr.responseText !== 'not-authorized'){
+				
+				if(xhr.responseText === 'not-authorized')
+					return notAuthorized();
+
 				var json = JSON.parse(xhr.responseText);
 
 				var container = document.createElement('div');
@@ -78,11 +97,11 @@ window.onload = function () {
 
 					table.appendChild(tr);
 				}
-				}
+				
 			}
 		}
 		xhr.open('GET', '/api/uploads', true);
-		xhr.setRequestHeader('auth', localStorage.token);
+		xhr.setRequestHeader('auth', localStorage.admintoken);
 		xhr.send(null);
 	}
 
@@ -93,4 +112,9 @@ window.onload = function () {
 
 	}
 
+	function notAuthorized() {
+		localStorage.removeItem("admintoken");
+		location.reload();
+	}
+
 }

public/js/upload.js

@@ -8,7 +8,7 @@ window.onload = function () {
 	var xhr = new XMLHttpRequest();
 	xhr.onreadystatechange = function() {
 		if (xhr.readyState == XMLHttpRequest.DONE) {
-			USINGTOKEN = JSON.parse(xhr.responseText).token;
+			USINGTOKEN = JSON.parse(xhr.responseText).private;
 			prepareTokenThing();
 		}
 	}
@@ -20,14 +20,14 @@ window.onload = function () {
 		if(!USINGTOKEN) return getInfo();
 
 		if(!localStorage.token){
-			document.getElementById('tokenContainer').style.display = 'flex'
 			document.getElementById('tokenSubmit').addEventListener('click', function(){
 				getInfo(document.getElementById('token').value)
 			});
-		}else{
+			return document.getElementById('tokenContainer').style.display = 'flex';
-			getInfo(localStorage.token);
 		}
 
+		getInfo(localStorage.token);
+
 	}
 
 	function prepareDropzone(){
@@ -91,7 +91,9 @@ window.onload = function () {
 
 		xhr.onreadystatechange = function() {
 			if (xhr.readyState == XMLHttpRequest.DONE) {
-				if(xhr.responseText !== 'not-authorized'){
+				
+				if(xhr.responseText === 'not-authorized')
+					return notAuthorized();
 
 				div = document.createElement('div');
 				div.id = 'dropzone';
@@ -107,7 +109,7 @@ window.onload = function () {
 				if(token) localStorage.token = token;
 
 				prepareDropzone();
-				}
+				
 			}
 		}
 		xhr.open('GET', '/api/info', true);
@@ -117,4 +119,9 @@ window.onload = function () {
 
 		xhr.send(null);
 	}
+
+	function notAuthorized() {
+		localStorage.removeItem("token");
+		location.reload();
+	}
 };

routes/api.js

@@ -4,12 +4,34 @@ const uploadController = require('../controllers/uploadController')
 const galleryController = require('../controllers/galleryController')
 
 routes.get ('/check', (req, res, next) => {
-	return res.json({token: config.TOKEN})
+	return res.json({ private: config.private })
+})
+
+routes.get ('/verify', (req, res, next) => {
+	let type = req.headers.type
+	let token = req.headers.token
+
+	if(type === undefined) return res.json({ success: false, description: 'No type provided.' })
+	if(token === undefined) return res.json({ success: false, description: 'No token provided.' })
+	if(type !== 'client' && type !== 'admin') return res.json({ success: false, description: 'Wrong type provided.' })
+
+	if(type === 'client'){
+		if(token !== config.clientToken) return res.json({ success: false, description: 'Token mismatch.' })
+		return res.json({ success: true })
+	}
+
+	if(type === 'admin'){
+		if(token !== config.adminToken) return res.json({ success: false, description: 'Token mismatch.' })
+		return res.json({ success: true })
+	}
+
+	return res.json({ success: false, description: '(╯°□°）╯︵ ┻━┻' })
+
 })
 
 routes.get('/info', (req, res, next) => {
 
-	if(config.TOKEN === true)
+	if(config.private === true)
 		if(req.headers.auth !== config.clientToken)
 			return res.status(401).send('not-authorized')