From 89654f9aa6552f23a9dc05355ca28ae720f137c1 Mon Sep 17 00:00:00 2001 From: nitrotap <9121718+nitrotap@users.noreply.github.com> Date: Fri, 9 Jun 2023 04:06:15 -0600 Subject: [PATCH] locking remaining api routes behind user auth --- client/src/app/results/results.page.ts | 8 ++ .../src/app/services/answer-data.service.ts | 14 ++++ client/src/app/services/task-data.service.ts | 16 ++++ server/api/answer/delete/index.php | 51 +++++++++---- server/api/answer/update/index.php | 76 +++++++++++++------ server/api/task/delete/index.php | 67 +++++++++++----- server/api/task/update/index.php | 51 +++++++++---- 7 files changed, 211 insertions(+), 72 deletions(-) diff --git a/client/src/app/results/results.page.ts b/client/src/app/results/results.page.ts index d38db6a..d6defe5 100644 --- a/client/src/app/results/results.page.ts +++ b/client/src/app/results/results.page.ts @@ -63,8 +63,16 @@ export class ResultsPage implements OnInit { ngOnInit() { this.getTaskData(); this.getAnswerData(); + + } + ionViewDidEnter() { + this.getTaskData(); + this.getAnswerData(); + + + } deleteTask(task: any) { // Handle task deletion here console.log('Deleting task: ', task); diff --git a/client/src/app/services/answer-data.service.ts b/client/src/app/services/answer-data.service.ts index a97281b..72ec0dd 100644 --- a/client/src/app/services/answer-data.service.ts +++ b/client/src/app/services/answer-data.service.ts @@ -74,6 +74,14 @@ export class AnswerDataService { updateData(formData: any): Observable { + const sessionID = sessionStorage.getItem("sessionID") + const userID = sessionStorage.getItem("userID") + + formData.sessionID = sessionID; + formData.userID = userID; + + + const updateUrl = `${this.url}/update/`; const httpOptions = { 
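Review bot: `ionViewDidEnter()` repeats the two calls already made in `ngOnInit()` line for line, and both methods now carry stray blank lines before their closing brace. If `ionViewDidEnter` also fires on the first entry in the Ionic version in use (presumably, but confirm), `ngOnInit` can drop its calls; otherwise have both delegate to one `private reload() { this.getTaskData(); this.getAnswerData(); }` so the refresh logic lives in one place. The rest of ResultsPage is outside this hunk.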
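Review bot: The added lines mutate the caller's `formData` object and write `sessionStorage.getItem()`'s `string | null` result straight into it, so for a signed-out user the request is still sent and the identifiers end up as the string "null" or are dropped, depending on how the HttpParams loop further down treats them — neither is a failure the server can report cleanly; the same block is repeated in this service's deleteData and in both methods of task-data.service.ts. The new statements also omit the semicolons the rest of the file uses and leave three blank lines before `updateUrl`. A private helper that copies the object and refuses to build a request without a session keeps the four call sites to one line each; the rest of each method then uses the returned `payload` in place of `formData`. Keeping the session token where page scripts can read it is a separate design question; an HttpOnly cookie would keep it out of reach of any injected script.
```typescript
  /** Returns a copy of formData with the signed-in user's identifiers attached; never mutates the caller's object. */
  private withSession(formData: Record<string, unknown>): Record<string, unknown> {
    const sessionID = sessionStorage.getItem('sessionID');
    const userID = sessionStorage.getItem('userID');
    if (sessionID === null || userID === null) {
      throw new Error('request built without an active session');
    }
    return { ...formData, sessionID, userID };
  }

  updateData(formData: any): Observable {
    const payload = this.withSession(formData);
    // … unchanged: updateUrl, httpOptions and the request, using payload instead of formData …
```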
@@ -103,6 +111,12 @@ export class AnswerDataService { params: new HttpParams(), }; + const sessionID = sessionStorage.getItem("sessionID") + const userID = sessionStorage.getItem("userID") + + formData.sessionID = sessionID; + formData.userID = userID; + // Convert the formData object to URL-encoded format let body = new HttpParams(); for (const key of Object.keys(formData)) { diff --git a/client/src/app/services/task-data.service.ts b/client/src/app/services/task-data.service.ts index 817a362..c9ee357 100644 --- a/client/src/app/services/task-data.service.ts +++ b/client/src/app/services/task-data.service.ts @@ -73,6 +73,14 @@ export class TaskDataService { updateData(formData: any): Observable { + const sessionID = sessionStorage.getItem("sessionID") + const userID = sessionStorage.getItem("userID") + + formData.sessionID = sessionID; + formData.userID = userID; + + + const updateUrl = `${this.url}/update/`; const httpOptions = { @@ -93,6 +101,14 @@ export class TaskDataService { } deleteData(formData: any): Observable { + + const sessionID = sessionStorage.getItem("sessionID") + const userID = sessionStorage.getItem("userID") + + formData.sessionID = sessionID; + formData.userID = userID; + + const deleteUrl = `${this.url}/delete/`; const httpOptions = { diff --git a/server/api/answer/delete/index.php b/server/api/answer/delete/index.php index 796aef9..f2648a0 100644 --- a/server/api/answer/delete/index.php +++ b/server/api/answer/delete/index.php 
@@ -22,19 +22,44 @@ sanitizeRequestStrings(); $requestData = $_REQUEST; - // Your DELETE query - $query = "DELETE FROM $table WHERE answerID = :value1"; - $stmt = $db->prepare($query); - $stmt->bindParam(':value1', $requestData['answerID']); - - try { + // authenticate user with userID and sessionID. + if (isset($requestData['sessionID']) && isset($requestData['userID'])) { + // get user email and sessionID + $query = "SELECT * FROM user_table WHERE userID = :userID"; + $stmt = $db->prepare($query); + $stmt->bindParam(':userID', $requestData['userID']); $stmt->execute(); - } catch (PDOException $e) { - die("Delete failed: " . $e->getMessage()); - } + $user = $stmt->fetch(PDO::FETCH_ASSOC); + + if (!($user['session_id'] === $requestData['sessionID'])) { + // Set headers to return a JSON response + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + // Return success response + echo json_encode(array('message' => 'Session ID Mismatch')); + return; + } + - // Return success response - header('Content-Type: application/json'); - header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - echo json_encode(array('message' => 'Data deleted successfully')); + // Your DELETE query + $query = "DELETE FROM $table WHERE answerID = :value1"; + $stmt = $db->prepare($query); + $stmt->bindParam(':value1', $requestData['answerID']); + + try { + $stmt->execute(); + } catch (PDOException $e) { + die("Delete failed: " . 
$e->getMessage()); + } + + // Return success response + header('Content-Type: application/json'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Data deleted successfully')); + } else { + // Return error message if required data is not provided + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Required data not provided')); + } } diff --git a/server/api/answer/update/index.php b/server/api/answer/update/index.php index 4ee11ea..8162d96 100644 --- a/server/api/answer/update/index.php +++ b/server/api/answer/update/index.php 
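Review bot: The session check added here ties the request to a user, but the DELETE that follows still runs `WHERE answerID = :value1` with no ownership condition, so any signed-in user can delete any answer by ID; the same gap exists in the UPDATE of answer/update and the DELETE/UPDATE of task/delete and task/update in this commit. Scope the statement to the authenticated user, `$query = "DELETE FROM $table WHERE answerID = :value1 AND userID = :userID";` plus `$stmt->bindParam(':userID', $requestData['userID']);`, and treat `$stmt->rowCount() === 0` as not found. Two smaller points in the same block: `$stmt->fetch()` returns `false` for an unknown userID, so `$user['session_id']` is read off a bool (it fails closed, but with a warning) — guard with `if ($user === false || !hash_equals((string)$user['session_id'], (string)$requestData['sessionID']))`, which also makes the token comparison constant-time; and the copy-pasted `// Return success response` above the mismatch `echo` is misleading. Since this block is identical in four endpoints, extracting it into a shared `requireSession($db, $requestData)` next to `sanitizeRequestStrings()` would keep the rule in one place. The enclosing handler block starts before this hunk.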
@@ -24,31 +24,57 @@ sanitizeRequestStrings(); $requestData = $_REQUEST; - - // Your UPDATE query - $query = "UPDATE $table SET taskAnswer_1 = :value2, taskAnswer_2 = :value3, taskAnswer_3 = :value4, taskAnswer_4 = :value5, taskAnswer_5 = :value6, taskAnswer_6 = :value7, taskScore = :value8, dateTaken = :value9, userID = :value10, taskID = :value11 WHERE answerID = :value1"; - $stmt = $db->prepare($query); - $stmt->bindParam(':value1', $requestData['answerID']); - $stmt->bindParam(':value2', $requestData['taskAnswer_1']); - $stmt->bindParam(':value3', $requestData['taskAnswer_2']); - $stmt->bindParam(':value4', $requestData['taskAnswer_3']); - $stmt->bindParam(':value5', $requestData['taskAnswer_4']); - $stmt->bindParam(':value6', $requestData['taskAnswer_5']); - $stmt->bindParam(':value7', $requestData['taskAnswer_6']); - $stmt->bindParam(':value8', $requestData['taskScore']); - $stmt->bindParam(':value9', $requestData['dateTaken']); - $stmt->bindParam(':value10', $requestData['userID']); - $stmt->bindParam(':value11', $requestData['taskID']); - - - try { + // authenticate user with userID and sessionID. + if (isset($requestData['sessionID']) && isset($requestData['userID'])) { + // get user email and sessionID + $query = "SELECT * FROM user_table WHERE userID = :userID"; + $stmt = $db->prepare($query); + $stmt->bindParam(':userID', $requestData['userID']); $stmt->execute(); - } catch (PDOException $e) { - die("Update failed: " . 
$e->getMessage()); - } + $user = $stmt->fetch(PDO::FETCH_ASSOC); + + if (!($user['session_id'] === $requestData['sessionID'])) { + // Set headers to return a JSON response + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + // Return success response + echo json_encode(array('message' => 'Session ID Mismatch')); + return; + } + + - // Return success response - header('Content-Type: application/json'); - header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - echo json_encode(array('message' => 'Data updated successfully')); + + // Your UPDATE query + $query = "UPDATE $table SET taskAnswer_1 = :value2, taskAnswer_2 = :value3, taskAnswer_3 = :value4, taskAnswer_4 = :value5, taskAnswer_5 = :value6, taskAnswer_6 = :value7, taskScore = :value8, dateTaken = :value9, userID = :value10, taskID = :value11 WHERE answerID = :value1"; + $stmt = $db->prepare($query); + $stmt->bindParam(':value1', $requestData['answerID']); + $stmt->bindParam(':value2', $requestData['taskAnswer_1']); + $stmt->bindParam(':value3', $requestData['taskAnswer_2']); + $stmt->bindParam(':value4', $requestData['taskAnswer_3']); + $stmt->bindParam(':value5', $requestData['taskAnswer_4']); + $stmt->bindParam(':value6', $requestData['taskAnswer_5']); + $stmt->bindParam(':value7', $requestData['taskAnswer_6']); + $stmt->bindParam(':value8', $requestData['taskScore']); + $stmt->bindParam(':value9', $requestData['dateTaken']); + $stmt->bindParam(':value10', $requestData['userID']); + $stmt->bindParam(':value11', $requestData['taskID']); + + + try { + $stmt->execute(); + } catch (PDOException $e) { + die("Update failed: " . 
$e->getMessage()); + } + + // Return success response + header('Content-Type: application/json'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Data updated successfully')); + } else { + // Return error message if required data is not provided + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Required data not provided')); + } } diff --git a/server/api/task/delete/index.php b/server/api/task/delete/index.php index b76e217..ddb747d 100644 --- a/server/api/task/delete/index.php +++ b/server/api/task/delete/index.php 
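Review bot: The mismatch branch answers a failed credential check with `header('HTTP/1.1 400 Bad Request')`, which a client cannot tell apart from a malformed request; `header('HTTP/1.1 401 Unauthorized')` (or 403 once ownership is enforced) is the accurate status, and the same branch appears in the other three endpoints. The `die("Update failed: " . $e->getMessage())` path that survives the move still echoes the raw PDO message to the caller; log it server-side and return a fixed `json_encode(array('message' => 'Update failed'))` with a 500 status instead. The UPDATE also never checks `$stmt->rowCount()`, so an unknown answerID still reports 'Data updated successfully'. The enclosing handler block starts before this hunk.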
@@ -28,30 +28,55 @@ sanitizeRequestStrings(); $requestData = $_REQUEST; - // Check if the required parameter is present - if (empty($requestData['taskID'])) { - header('Content-Type: application/json'); - header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - echo json_encode(array('error' => 'Missing required parameter: id')); - exit; - } + // authenticate user with userID and sessionID. + if (isset($requestData['sessionID']) && isset($requestData['userID'])) { + // get user email and sessionID + $query = "SELECT * FROM user_table WHERE userID = :userID"; + $stmt = $db->prepare($query); + $stmt->bindParam(':userID', $requestData['userID']); + $stmt->execute(); + $user = $stmt->fetch(PDO::FETCH_ASSOC); - // Delete the row from the table - $query = "DELETE FROM $table WHERE taskID = :id"; - $stmt = $db->prepare($query); - $stmt->bindParam(':id', $requestData['taskID']); - $stmt->execute(); + if (!($user['session_id'] === $requestData['sessionID'])) { + // Set headers to return a JSON response + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + // Return success response + echo json_encode(array('message' => 'Session ID Mismatch')); + return; + } - // Check if any rows were affected - $rowCount = $stmt->rowCount(); - header('Content-Type: application/json'); - if ($rowCount > 0) { - // Return success response - header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - echo json_encode(array('message' => 'Row deleted successfully')); + + // Check if the required parameter is present + if (empty($requestData['taskID'])) { + header('Content-Type: application/json'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('error' => 'Missing required parameter: id')); + exit; + } + + // Delete the row from the table + $query = "DELETE FROM $table WHERE taskID = :id"; + $stmt = $db->prepare($query); + 
$stmt->bindParam(':id', $requestData['taskID']); + $stmt->execute(); + + // Check if any rows were affected + $rowCount = $stmt->rowCount(); + header('Content-Type: application/json'); + if ($rowCount > 0) { + // Return success response + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Row deleted successfully')); + } else { + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + // Return error response if no rows were affected + echo json_encode(array('error' => 'No rows found with the specified ID')); + } } else { + // Return error message if required data is not provided + header('HTTP/1.1 400 Bad Request'); header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - // Return error response if no rows were affected - echo json_encode(array('error' => 'No rows found with the specified ID')); + echo json_encode(array('message' => 'Required data not provided')); } } diff --git a/server/api/task/update/index.php b/server/api/task/update/index.php index 1dc0503..a3bf020 100644 --- a/server/api/task/update/index.php +++ b/server/api/task/update/index.php 
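Review bot: `isset($requestData['sessionID'])` is satisfied by an empty string, so the gate only rejects an absent parameter, and whether `''` then matches depends on what user_table.session_id holds for a signed-out user, which this hunk does not show; prefer `!empty(...)` or an explicit `!== ''` check for both parameters, here and in the other three endpoints. Inside the block, the pre-existing taskID check now sits after the user lookup and still uses `exit` with no status header, while the new branches use `return` and `HTTP/1.1 400`; moving `if (empty($requestData['taskID']))` above the SELECT saves a query on bad input and makes the two error paths consistent. The enclosing handler block starts before this hunk.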
@@ -31,20 +31,45 @@ // Retrieve data from the request body $requestData = $_REQUEST; + // authenticate user with userID and sessionID. + if (isset($requestData['sessionID']) && isset($requestData['userID'])) { + // get user email and sessionID + $query = "SELECT * FROM user_table WHERE userID = :userID"; + $stmt = $db->prepare($query); + $stmt->bindParam(':userID', $requestData['userID']); + $stmt->execute(); + $user = $stmt->fetch(PDO::FETCH_ASSOC); - // Update the data in the table - $query = "UPDATE $table SET taskName = :value1, taskType = :value2, taskTime = :value3, userID = :value4 WHERE taskID = :id"; - $stmt = $db->prepare($query); - $stmt->bindParam(':value1', $requestData['taskName']); - $stmt->bindParam(':value2', $requestData['taskType']); - $stmt->bindParam(':value3', $requestData['taskTime']); - $stmt->bindParam(':value4', $requestData['userID']); - $stmt->bindParam(':id', $requestData['taskID']); + if (!($user['session_id'] === $requestData['sessionID'])) { + // Set headers to return a JSON response + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + // Return success response + echo json_encode(array('message' => 'Session ID Mismatch')); + return; + } - $stmt->execute(); - // Return success response - header('Content-Type: application/json'); - header('Access-Control-Allow-Origin: *'); // Allow requests from any origin - echo json_encode(array('message' => 'Data updated successfully')); + + // Update the data in the table + $query = "UPDATE $table SET taskName = :value1, taskType = :value2, taskTime = :value3, userID = :value4 WHERE taskID = :id"; + $stmt = $db->prepare($query); + $stmt->bindParam(':value1', $requestData['taskName']); + $stmt->bindParam(':value2', $requestData['taskType']); + $stmt->bindParam(':value3', $requestData['taskTime']); + $stmt->bindParam(':value4', $requestData['userID']); + $stmt->bindParam(':id', $requestData['taskID']); + + $stmt->execute(); + + // 
Return success response + header('Content-Type: application/json'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Data updated successfully')); + } else { + // Return error message if required data is not provided + header('HTTP/1.1 400 Bad Request'); + header('Access-Control-Allow-Origin: *'); // Allow requests from any origin + echo json_encode(array('message' => 'Required data not provided')); + } }
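Review bot: `$stmt->execute()` on the UPDATE here has no try/catch, unlike the answer/update endpoint in this same commit, so a PDO failure surfaces as an uncaught exception rendered however the server is configured rather than as the JSON the client expects. Wrap it the same way, `try { $stmt->execute(); } catch (PDOException $e) { ... }`, returning a fixed message and a 500 status rather than `$e->getMessage()`. As in the other three endpoints, the success message is echoed without checking `$stmt->rowCount()`, so an unknown taskID still reports 'Data updated successfully'. The enclosing handler block starts before this hunk.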