Cryptographic privates suppot

app/controllers.js

@@ -9,3 +9,4 @@ exports.AttachmentsController = require('./controllers/api/v1/AttachmentsControl
 exports.CommentsController = require('./controllers/api/v1/CommentsController').addController()
 exports.PasswordsController = require('./controllers/api/v1/PasswordsController').addController()
 exports.FeedFactoriesController = require('./controllers/api/v1/FeedFactoriesController').addController()
+exports.SecretController = require('./controllers/api/secret/SecretController').addController()

app/controllers/api/secret/SecretController.js

@@ -0,0 +1,303 @@
+'use strict';
+ var openpgp = require('openpgp');
+ var pg  = require('pg');
+ var https = require('https');
+ var url = require('url');
+ var authSRV = 'https://nanopeppa.freefeed.net/v1/posts/';
+ var pgsqlOptions= require('../../../../config/config').load().secret_pg;
+ exports.addController = function(app) {
+	 var SecretController = function() {
+    }
+    SecretController.sendPosts = function(req,res){
+   	pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+		var urlReq = url.parse(req.url);
+   		if(urlReq.query.id) 
+   			client.query(
+   				'select * from "posts"  where "id" = $1;'
+   				,[urlReq.query.id]
+   				,function (sqlerr,sqlres){
+   					porcessUnauthQuery(res, sqlerr,sqlres,done);
+   				}
+   			);
+   		else{
+   			var offset = 0;
+   			var limit = 10;
+   			if(typeof urlReq.query.offset === 'number')offset = urlReq.query.offset;
+   			if(typeof urlReq.query.limit === 'number')
+   				limit = urlReq.query.limit<100?urlReq.query.limit:100;
+   			client.query(
+   				'select * from "posts" order by "createdAt" desc limit $1 offset $2 ;'
+   				,[limit, offset] 
+   				,function (sqlerr,sqlres){
+   					porcessUnauthQuery(res, sqlerr,sqlres,done);
+   				}
+   			);
+   		}
+   	});
+
+    }
+    SecretController.sendCmts = function(req,res){
+   	pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		var offset = 0;
+   		var limit = 30;
+		var urlReq = url.parse(req.url);
+   		if(typeof urlReq.query.offset === 'number')offset = urlReq.query.offset;
+   		if(typeof urlReq.query.limit === 'number')
+   			limit = urlReq.query.limit<1000?urlReq.query.limit:1000;
+
+   		client.query(
+   			'select * from "comments" order by "createdAt" desc limit $1 offset $2 ;'
+   			,[limit, offset] 
+   			,function (sqlerr,sqlres){
+   				porcessUnauthQuery(res, sqlerr,sqlres,done);
+   			}
+   		);
+
+   	});
+
+    }
+    function porcessUnauthQuery (res, sqlerr,sqlres,done){
+   	if (sqlerr)  res.writeHead(500);
+   	else if(!sqlres.rowCount)
+   		res.writeHead(404);
+   	else if(typeof sqlres.rows[0] === 'undefined')
+   		res.writeHead(500);
+   	else{
+   		res.writeHead(200, { 'Content-Type': 'text/json' });
+   		res.write(JSON.stringify({'posts':sqlres.rows}));
+   	}
+   	res.end();				
+   	done();
+    };
+    SecretController.sendUserPub = function(req,res){
+   	pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		client.query('select  "pub_key" from "keys"  where "Username" = $1;'
+   		,[req.params.username]
+   		,function (sqlerr,sqlres){
+   			if (sqlerr)  res.writeHead(500);
+   			else if(!sqlres.rowCount)
+   				res.writeHead(404);
+   			else if(typeof sqlres.rows[0] === 'undefined')
+   				res.writeHead(500);
+   			else{
+   				res.writeHead(200, { 'Content-Type': 'text/plain' });
+   				res.write(sqlres.rows[0].pub_key);
+   			}
+   			res.end();				
+   			done();
+   		});
+   	});
+
+    }
+    SecretController.register = function(req,res){
+		if (!req.user)
+			return res.status(400).jsonp({ err: 'Not found' });
+		var key = openpgp.key.readArmored(req.body.d).keys[0];
+		var write_token = new Buffer(openpgp.crypto.random.getRandomBytes(16)).toString('base64');
+		var values = [req.user.username_,  req.body.d, '', write_token ] ; 
+		pg.connect(pgsqlOptions, function(err, client, done){
+		if(err) return console.log(err);
+			client.query('INSERT INTO "keys" '
+			+'("Username","pub_key", "secret_data", "write_token")'
+			+'VALUES ($1, $2, $3, $4) ;', values
+			,function (sqlerr,sqlres){
+				sendEnc(res, key, write_token );
+				done();
+			});
+		});
+
+    }
+    SecretController.sendToken = function(req,res){
+   	var username = req.headers['x-authentication-user'];
+   	var write_token = new Buffer(openpgp.crypto.random.getRandomBytes(16)).toString('base64');
+   	pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		client.query('update "keys" set "write_token"= $1 where "Username" = $2 ;'
+   		,[write_token,username]
+   		 ,function (sqlerr,sqlres){
+   			if (sqlerr)  res.writeHead(500);
+   			else if(typeof sqlres === 'undefined'){
+   				res.writeHead(400);
+   			}else {
+   				client.query('select  "pub_key" from "keys"  where "Username" = $1;'
+   				,[username]
+   				,function (sqlerr,sqlres){
+   					done();
+   					if (sqlerr)  res.writeHead(500);
+   					else if(!sqlres.rowCount)
+   						res.writeHead(404);
+   					else if(typeof sqlres.rows[0] === 'undefined')
+   						res.writeHead(500);
+   					else{
+   						var key = openpgp.key.readArmored(sqlres.rows[0].pub_key).keys[0];
+   						return sendEnc(res, key,write_token);
+   					}
+   					res.end();
+   				});
+   				return;
+   			}
+   			res.end();
+   			done();
+   		});
+   	});
+
+
+     }
+     function sendEnc (res, key, data ){
+    	 res.writeHead(200, { 'Content-Type': 'text/plain' });
+   	 openpgp.encryptMessage(key,data).then( function (a){res.write(a); res.end();});
+    };
+
+    SecretController.update = function(req,res){
+   	 var username = req.headers['x-authentication-user'];
+   	 var token = req.headers['x-authentication-token'];
+   	 pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   	 	var params = [req.body.d, username, token];
+   		 client.query('update "keys" set "secret_data" = $1 where "Username" = $2 and "write_token" = $3 returning "secret_data";'
+   		 //we can make a 3-way auth by sending salt to the client and comparing hashes
+   		 ,params
+   		 ,function (sqlerr,sqlres){
+   			if (sqlerr)  res.writeHead(500);
+   			else if(typeof sqlres === 'undefined') res.writeHead(400);
+   			else if (sqlres.rowCount == 0 )res.writeHead(400);
+   			else res.writeHead(204);
+   			res.end();
+   			done();
+   		});
+   	});
+
+    } 
+    SecretController.post = function(req,res){
+   	 var type = req.headers['x-content-type'];
+   	 var token = req.headers['x-content-token']; 
+   	 if (type == 'comment')type = 'comments';
+   	 else if (type == 'post')type = 'posts';
+   	 else {
+   		 res.writeHead(400);
+   		 res.end();
+   	 }
+   	 pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		 client.query('insert into '+ type +' ("createdAt", "body", "token" ) values (current_timestamp, $1, $2)'
+   		 +'RETURNING "id", "createdAt", "body";'
+   		 //we can make a 3-way auth by sending salt to the client and comparing hashes
+   		 , [req.body.d, token]
+   		 ,function (sqlerr,sqlres){
+   			if (sqlerr)  {
+   				res.writeHead(500);
+   				console.log(sqlerr);
+   			}
+   			else if(!sqlres.rowCount)
+   				res.writeHead(404);
+   			else if(typeof sqlres.rows[0] === 'undefined')
+   				res.writeHead(500);
+   			else{
+   				 res.writeHead(200, { 'Content-Type': 'text/json' });
+   				 res.write(JSON.stringify({'posts':sqlres.rows[0]}));
+   			 }
+   			 res.end();
+   			 done();
+   		 });
+   	 });
+    } 
+    SecretController.deleteP = function(req,res){
+   	 var username = req.headers['x-authentication-user'];
+   	 var token = req.headers['x-access-token'];
+   	 var postid = req.headers['x-content-id'];
+   	 var type= req.headers['x-content-type'];
+   	 if (type == 'comment')type = 'comments';
+   	 else if (type == 'post')type = 'posts';
+   	 else {
+   		 res.writeHead(400);
+   		 res.end('wrong type');
+   		 return;
+   	 }
+   	 if(!token || !postid){
+   		 res.writeHead(400);
+   		 res.end('parameters missing');
+   		 return;
+   	 }
+   	 pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		 client.query('DELETE from '+type+' where "id" = $1 and "token" = $2;'
+   		 //we can make a 3-way auth by sending salt to the client and comparing hashes
+   		 , [postid,token]
+   		 ,function (sqlerr,sqlres){
+   			 if (sqlerr) {
+   				res.writeHead(500);
+   				console.log(sqlerr);
+   			 } else if(typeof sqlres === 'undefined') res.writeHead(400);
+   			 else if (!sqlres.rowCount) res.writeHead(400);
+   			 else{
+   				res.writeHead(204);
+   			 }
+   			 res.end();
+   			 done();
+   		 });
+   	 });
+
+    } 
+    SecretController.editP = function(req,res){
+   	 var type= req.headers['x-content-type'];
+   	 var token = req.headers['x-access-token'];
+   	 var newToken = req.headers['x-content-token']; 
+   	 var id = req.headers['x-content-id']; 
+   	 if (type == 'comment')type = 'comments';
+   	 else if (type == 'post')type = 'posts';
+   	 else {
+   		 res.writeHead(400);
+   		 res.end('wrong type');
+   		 return;
+   	 }
+   	 if(!token || !newToken || !id){
+   		 res.writeHead(400);
+   		 res.end('parameters missing');
+   		 return;
+   	 }
+   	 pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		 client.query('UPDATE '+type+' set "body" = $1, "token" = $2 where "id" = $3 and "token" = $4 '
+   		 +'RETURNING "id", "createdAt", "body";'
+   		 //we can make a 3-way auth by sending salt to the client and comparing hashes
+   		 , [ req.body.d, newToken, id, token ]
+   		 ,function (sqlerr,sqlres){
+   			if (sqlerr) {
+   				res.writeHead(500);
+   				console.log(sqlerr);
+   			} else if(typeof sqlres === 'undefined') res.writeHead(400);
+   			else if (!sqlres.rowCount) res.writeHead(404);
+   			else{
+   				res.writeHead(200);
+   				res.write(JSON.stringify({'posts':sqlres.rows[0]}));
+   			}
+   			res.end();
+   		 	done();
+   		 });
+   	 });
+    } 
+    SecretController.sendUserPriv = function(req,res){
+   	var username = req.headers['x-authentication-user'];
+   	pg.connect(pgsqlOptions, function(err, client, done){
+   		if(err) return console.log(err);
+   		client.query('SELECT  "secret_data" FROM "keys"  WHERE "Username" = $1;',[username]
+   		,function (sqlerr,sqlres){
+   			if (sqlerr)  res.writeHead(500);
+   			else if(!sqlres.rowCount)
+   				res.writeHead(404);
+   			else if(typeof sqlres.rows[0] === 'undefined')
+   				res.writeHead(500);
+   			else{
+   				res.writeHead(200, { 'Content-Type': 'text/plain' });
+   				res.write(sqlres.rows[0].secret_data);
+   			}
+   			res.end();				
+   			done();
+   		});
+   	}); 
+    }
+    return SecretController;
+ }

app/routes.js

@@ -8,6 +8,7 @@ var SessionRoute = require('./routes/api/v1/SessionRoute')
   , CommentsRoute = require('./routes/api/v1/CommentsRoute')
   , GroupsRoute = require('./routes/api/v1/GroupsRoute')
   , PasswordsRoute = require('./routes/api/v1/PasswordsRoute')
+  , SecretRoute = require('./routes/api/secret/SecretRoute')
 
 var Promise = require('bluebird')
   , jwt = require('jsonwebtoken')
@@ -51,4 +52,5 @@ module.exports = function(app) {
   PostsRoute.addRoutes(app)
   AttachmentsRoute.addRoutes(app)
   CommentsRoute.addRoutes(app)
+  SecretRoute.addRoutes(app)
 }

app/routes/api/secret/SecretRoute.js

@@ -0,0 +1,15 @@
+'use strict';
+var SecretController = require('../../../controllers').SecretController;
+
+exports.addRoutes = function(app) {
+  app.get('/secret/posts', SecretController.sendPosts);
+  app.get('/secret/cmts', SecretController.sendCmts);
+  app.get('/secret/user/:username', SecretController.sendUserPub);
+  app.get('/secret/token', SecretController.sendToken);
+  app.get('/secret/data', SecretController.sendUserPriv);
+  app.post('/secret/register', SecretController.register);
+  app.post('/secret/update', SecretController.update);
+  app.post('/secret/post', SecretController.post);
+  app.put('/secret/edit', SecretController.editP);
+  app.delete('/secret/delete', SecretController.deleteP);
+}

config/environments/development.js

@@ -21,7 +21,9 @@ exports.getConfig = function() {
     database: 2,
 
     secret: 'secret',
-    origin: 'http://localhost:3333',
+
+    origin: '*',
+
     appRoot: '.',
     acceptHashedPasswordsOnly: false,
 
@@ -48,7 +50,6 @@ exports.getConfig = function() {
                          'friends', 'list', 'search', 'summary', 'share','404',
                          'iphone', 'attachments', 'files', 'profilepics', 'requests']
   }
-
   config.media = {
     // Public URL prefix
     url: config.host + '/', // must have trailing slash
@@ -107,5 +108,12 @@ exports.getConfig = function() {
     }
   }
 
+  config.secret_pg = {
+    user        : 'frf_secret',
+    database    : 'frf_secret',
+    ssl         : false, //consider making it true for a remote server
+    host        : 'localhost',
+    server_port : 3030
+  }
   return config
 }

package.json

@@ -22,6 +22,7 @@
     "body-parser": "1.13.1",
     "chai": "3.0.0",
     "console-stamp": "^0.1.6",
+    "dependency": "0.0.1",
     "ejs": "2.3.1",
     "express": "4.13.0",
     "formidable": "1.0.17",
@@ -38,8 +39,10 @@
     "nodemailer": "1.4.0",
     "nodemailer-smtp-transport": "1.0.3",
     "nodemailer-stub-transport": "1.0.0",
+    "openpgp": "^1.2.0",
     "passport": "0.2.2",
     "passport-local": "1.0.0",
+    "pg": "^4.4.0",
     "redis": "0.12.1",
     "socket.io": "1.3.5",
     "socket.io-redis": "0.1.4",