blink/backend/apis/nodejs/api_controller.js

/*
    This code is part of Blink
    licensed under GPLv3

    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 
    IMPLIED,  INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 
    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL 
    THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 
    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
    IN THE SOFTWARE.
*/
const bcrypt = require('bcrypt');
const crypto = require('crypto');
const pgp = require('pg-promise')();
const jwt = require('jsonwebtoken');
require('dotenv').config();

const database_configuration = {
  host: process.env.POSTGRES_SERVER,
  port: process.env.POSTGRES_PORT,
  database: "Blink",
  user: process.env.POSTGRES_USERNAME,
  password: process.env.POSTGRES_PASSWORD
};
const db = pgp(database_configuration);

// ======== API ENDPOINTS ========

// POST
async function registerPerson(req, res){

    const userData = req.body;
  
    // Ensure that the required fields are present before proceeding
    if (!userData.display_name || !userData.email || !userData.password) {
      return res.status(400).json("Invalid request.");
    }

    // Generate activation link token
    const activationLink = crypto.randomBytes(16).toString('hex');

    // Hash provided password
    const hashPasswordPromise = bcrypt.hash(userData.password, 10);

    try{
        
        // Begin transaction
        await db.tx(async (t) => {
        
          // Inserting in the "Person" table
          const userInsertQuery = `
            INSERT INTO "Person" (email, password, display_name, date_of_birth, available, enabled, place_of_living)
            VALUES ($1, $2, $3, $4, $5, $6, $7)
            RETURNING id`;
  
          const userResult = await t.one(userInsertQuery, [
            userData.email,
            await hashPasswordPromise,
            userData.display_name,
            userData.date_of_birth,
            userData.available,
            false,
            userData.place_of_living
          ]);
  
          // Inserting in the "ActivationLink" table
          const activationLinkInsertQuery = `
            INSERT INTO "ActivationLink" (person_id, identifier)
            VALUES ($1, $2)
            RETURNING *`;
  
          const activationLinkResult = await t.one(activationLinkInsertQuery, [
            userResult.id,  
            activationLink,
          ]);

          return res.status(200).json({ activationLink: activationLinkResult.identifier });

      });
    }
    catch (error){
      console.error('Error inserting data:', error);
      res.status(500).json("Internal server error");
    }
}

// POST
async function login(req, res){
  
  const userData = req.body;
      
  // Ensure that the required fields are present before proceeding
  if (!userData.email || !userData.password) {
    return res.status(400).json("Invalid request");
  }

  const person = await checkUserCredentials(userData.email, userData.password);

  if (person){
    const token = generateToken(person.id);
    res.status(200).json({ token });
  }
  else{ 
    res.status(401).json("Unauthorized");
  }
}

// GET
async function getPerson(req, res){
  try {
    const user = await db.oneOrNone('SELECT * FROM "Person" WHERE id = $1 and enabled = $2' , [req.params.id, false]);
    
    if(user){
      if(user.id == req.jwt.person_id || user.active == true){
        return res.status(200).send(user);
      }
    }
    return res.status(403);
  }
  catch (error) {
    console.log(error);
    return res.status(500);
  }
}

// POST
async function createOrganization(req, res){
  const organizationData = req.body;
  
  // Ensure that the required fields are present before proceeding
  if (!organizationData.name) {
    return res.status(400).json("Invalid request.");
  }

  try{
        
    // Begin transaction
    await db.tx(async (t) => {
    
      // Inserting in the "Organization" table
      const OrganizationInsertQuery = `
        INSERT INTO "Organization" (name, location, description, is_hiring)
        VALUES ($1, $2, $3, $4)
        RETURNING *`;

      const organizationResult = await t.one(OrganizationInsertQuery, [
        organizationData.name,
        organizationData.location,
        organizationData.description,
        organizationData.is_hiring
      ]);

      // Inserting in the "OrganizationAdministrator" table
      const OrganizationAdministratorInsertQuery = `
        INSERT INTO "OrganizationAdministrator" (id_person, id_organization)
        VALUES ($1, $2)`;

      await t.none(OrganizationAdministratorInsertQuery, [
        req.jwt.person_id,
        organizationResult.id
      ]);

      return res.status(200).json({ "Organization" : organizationResult});

    });
  }
  catch (error){
    console.error('Error inserting data:', error);
    res.status(500).json("Internal server error");
  }
}

// DELETE
async function deleteOrganization(req, res){
  const organizationIdToDelete = req.params.id;

  try {
    if(await isPersonOrganizationAdmin(req.jwt.person_id, organizationIdToDelete)){
      await db.none('DELETE FROM "Organization" WHERE id = $1', [organizationIdToDelete]);
      return res.status(200).json("Ok");
    }
    return res.status(403).json("Forbidden");
  }
  catch (error) {
    console.error(error);
    return res.status(500);
  }
}

// ======== END API ENDPOINTS ========

async function checkUserCredentials(email, password){
  try {
    const user = await db.oneOrNone('SELECT * FROM "Person" WHERE email = $1 and enabled = $2', [email, true]);
    if(user){
      const passwordMatches = await bcrypt.compare(password, user.password);
      if (passwordMatches) {
        return user;
      }
    }
    return null;
  }
  catch (error) {
    console.log(error);
    return null;
  }
}

async function isPersonOrganizationAdmin(personId, organizationId){
  try {
    if(await db.oneOrNone('SELECT * FROM "OrganizationAdministrator" WHERE id_person = $1 AND id_organization = $2', [personId, organizationId])){
      return true;
    }
    return false;
  }
  catch (error) {
    return false;
  }
}

function generateToken(person_id) {
  const payload = {
    person_id: person_id
  };

  const token = jwt.sign(payload, 'your-secret-key', { expiresIn: '1h' });
  return token;
}

// Middlware
function verifyToken(req, res, next) {
  const token = req.headers.authorization;

  if (!token) {
    return res.status(403).send('No token provided');
  }

  jwt.verify(token, 'your-secret-key', (err, decoded) => {
    if (err) {
      return res.status(401).send('Failed to authenticate token');
    }

    // If the token is valid, store the decoded data in the request object
    req.jwt = decoded;
    next();
  });
}

// Exporting a function
// means making a JavaScript function defined in one
// module available for use in another module.
module.exports = {
    registerPerson,
    login,
    getPerson,
    verifyToken,
    createOrganization,
    deleteOrganization
};