From b59744e84ab0724eabc80983ce39431a56179963 Mon Sep 17 00:00:00 2001 From: 65160270 <65160270@go.buu.ac.th> Date: Tue, 25 Mar 2025 16:10:49 +0700 Subject: [PATCH] update-server --- server.js | 66 ++++++++++++++++++-------------------------- shop-routes/order.js | 2 +- 2 files changed, 28 insertions(+), 40 deletions(-) diff --git a/server.js b/server.js index ce5a413..ec54e86 100644 --- a/server.js +++ b/server.js @@ -5,8 +5,7 @@ const bcrypt = require("bcrypt"); const pool = require("./config/database"); require("dotenv").config(); -const app = express(); // ประกาศ app ที่นี่ - +const app = express(); const MySQLStore = require('express-mysql-session')(session); const sessionStore = new MySQLStore({ clearExpired: true, @@ -28,11 +27,13 @@ app.use(session({ secret: process.env.SESSION_SECRET || "mysecret", resave: false, saveUninitialized: false, - store: sessionStore, // ใช้ MySQL Store + store: sessionStore, + rolling: true, // ต่ออายุ session ทุก request cookie: { maxAge: 24 * 60 * 60 * 1000, // 24 hours - secure: false, // true ถ้าใช้ HTTPS + secure: process.env.NODE_ENV === "production", // ใช้ secure ถ้าเป็น production httpOnly: true, + sameSite: "strict" }, })); @@ -40,6 +41,7 @@ app.use(session({ app.use(express.static(path.join(__dirname, "public"))); app.use(express.json()); app.use(express.urlencoded({ extended: true })); + // Middleware เช็ค Session app.use((req, res, next) => { console.log("Session Middleware Checked"); 
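Review bot: `secret: process.env.SESSION_SECRET || "mysecret"` in the session hunk still falls back to a literal secret, so in any deployment where SESSION_SECRET is unset the hardened cookie flags added here protect a session signed with a public string. Fail fast instead: `secret: process.env.SESSION_SECRET,` with a startup check `if (!process.env.SESSION_SECRET) throw new Error("SESSION_SECRET is not set");`. `secure: process.env.NODE_ENV === "production"` presumably runs behind a TLS-terminating proxy in production; express-session then also needs `app.set('trust proxy', 1)` or it will not set the cookie over the plain HTTP hop from the proxy. `sameSite: "strict"` drops the session cookie on every top-level navigation from another site, so a user following an external link to the shop arrives logged out; `"lax"` is the usual choice unless that is intended.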
@@ -66,14 +68,10 @@ app.use("/", indexRoutes); app.use("/cart", cartRoutes); app.use("/order", orderRoutes); -// Route สำหรับ Checkout +// Checkout Route app.get('/order/checkout', isLoggedIn, (req, res) => { - console.log("Session:", req.session); // ตรวจสอบ Session - res.render('checkout'); // แสดงหน้า Checkout -}); - -app.get('/register', (req, res) => { - res.render('register'); // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง + console.log("Session:", req.session); + res.render('checkout', { user: req.session.user }); }); // Register Route (POST) @@ -83,16 +81,14 @@ app.post("/register", async (req, res) => { if (!email || !password || !name) { return res.status(400).json({ message: "All fields are required." }); } - + const hashedPassword = await bcrypt.hash(password, 10); const [existingUser] = await pool.execute("SELECT * FROM users WHERE email = ?", [email]); - if (existingUser.length > 0) { return res.status(400).json({ message: "Email is already registered." }); } - + await pool.execute("INSERT INTO users (email, password, name) VALUES (?, ?, ?)", [email, hashedPassword, name]); - console.log("User registered successfully."); res.status(201).json({ success: true, message: "Registration successful." }); } catch (error) { console.error("Registration error:", error); @@ -100,10 +96,6 @@ app.post("/register", async (req, res) => { } }); -app.get('/login', (req, res) => { - res.render('login'); // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง -}); - // Login Route (POST) app.post("/login", async (req, res) => { try { 
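Review bot: `console.log("Session:", req.session);` in the checkout handler writes the whole session object, including `user.id` and `user.email`, to the process log on every checkout view, which puts account identifiers into logs that are usually retained longer and shared more widely than the database. Drop the line, or log a non-identifying marker such as `console.log("checkout view, user present:", Boolean(req.session.user));`. The same dump was removed from the login handler in this commit, so this one looks like an oversight.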
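Review bot: The SELECT-then-INSERT in the register hunk is not atomic, so two concurrent registrations for the same email can both pass the `existingUser.length > 0` check and both insert; presumably `users.email` has a UNIQUE index, in which case the second INSERT fails with `ER_DUP_ENTRY` and currently surfaces as a 500 from the catch block. Handle it explicitly at the top of the catch, `if (error.code === 'ER_DUP_ENTRY') return res.status(400).json({ message: "Email is already registered." });`, and if the column is not unique, add the constraint rather than relying on the pre-check. `const hashedPassword = await bcrypt.hash(password, 10);` also runs before the duplicate check, so a request for an already-registered address still pays the full bcrypt cost; moving it below the check avoids that. The register handler starts and its catch block ends outside the hunk.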
@@ -111,24 +103,26 @@ app.post("/login", async (req, res) => {
 if (!email || !password) {
 return res.status(400).json({ message: "All fields are required." });
 }
-
+
 const [users] = await pool.execute("SELECT * FROM users WHERE email = ?", [email]);
 if (users.length === 0) {
 return res.status(400).json({ message: "Invalid email or password." });
 }
-
+
 const user = users[0];
 const passwordMatch = await bcrypt.compare(password, user.password);
 if (!passwordMatch) {
 return res.status(400).json({ message: "Invalid email or password." });
 }
-
- req.session.user = { id: user.id, email: user.email };
- console.log("Session after login:", req.session);
-
- // Redirect ไปยังหน้า Checkout
- return res.redirect('/order/checkout');
-
+
+ req.session.regenerate((err) => {
+ if (err) {
+ console.error("Session regeneration failed:", err);
+ return res.status(500).json({ message: "Login failed." });
+ }
+ req.session.user = { id: user.id, email: user.email };
+ res.redirect('/order/checkout');
+ });
 } catch (error) {
 console.error("Login error:", error);
 res.status(500).json({ message: "Login failed." });
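Review bot: Inside the new `req.session.regenerate` callback, `res.redirect('/order/checkout')` runs immediately after `req.session.user` is assigned, so the write to the MySQL store happens only when the response ends and can race the browser's follow-up GET; with a remote store that request may arrive before the row is written and the `isLoggedIn` check then sees no user. express-session's documented pattern is to call `req.session.save()` after regenerating and redirect only in its callback, shown below. Separately, when no row matches the email the handler returns before `bcrypt.compare`, so a failed login for an unknown address answers measurably faster than one for a known address even though the messages are identical; running the compare against a fixed dummy hash in that branch closes the timing difference. The login handler starts outside the hunk.
```javascript
    req.session.regenerate((err) => {
      // … unchanged: regenerate error handling …
      req.session.user = { id: user.id, email: user.email };
      // Persist to the store before redirecting so the follow-up GET
      // /order/checkout cannot race the store write and see an empty session.
      req.session.save((saveErr) => {
        if (saveErr) {
          console.error("Session save failed:", saveErr);
          return res.status(500).json({ message: "Login failed." });
        }
        res.redirect('/order/checkout');
      });
```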
@@ -136,30 +130,24 @@ app.post("/login", async (req, res) => { }); // Logout Route -app.get("/logout", (req, res) => { - req.session.destroy((err) => { - if (err) { - console.error("Logout error:", err); - return res.status(500).json({ message: "Logout failed." }); - } - res.redirect("/login"); - }); -}); app.post('/logout', (req, res) => { req.session.destroy(err => { if (err) { return res.status(500).json({ message: "Logout failed" }); } - res.clearCookie('connect.sid'); // ล้าง session cookie + res.clearCookie('connect.sid'); res.status(200).json({ message: "Logged out successfully" }); }); }); + +// Search Route (ป้องกัน SQL Injection) app.get("/search", async (req, res) => { const searchQuery = req.query.query; try { + const sanitizedQuery = searchQuery.replace(/[%_]/g, "\\$&"); const [results] = await pool.execute( "SELECT * FROM products WHERE name LIKE ? OR description LIKE ?", - [`%${searchQuery}%`, `%${searchQuery}%`] + [`%${sanitizedQuery}%`, `%${sanitizedQuery}%`] ); res.render("index", { products: results }); } catch (err) { diff --git a/shop-routes/order.js b/shop-routes/order.js index 1b882d0..05a39c8 100644 --- a/shop-routes/order.js +++ b/shop-routes/order.js @@ -51,7 +51,7 @@ router.get('/history', isAuthenticated, async (req, res) => { }); // แสดงรายละเอียดออเดอร์ (เฉพาะผู้ที่ Login) -router.get('/order-details/:orderId', isAuthenticated, async (req, res) => { +router.get('/detail/:orderId', isAuthenticated, async (req, res) => { try { if (!req.session.id) { return res.status(400).json({ message: "Session ID not found. Please login again." }); -- GitLab
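Review bot: `searchQuery.replace(/[%_]/g, "\\$&")` in the search hunk escapes the LIKE wildcards but not the escape character itself, so an input ending in a backslash turns the closing `%` into a literal and a user-supplied `\%` becomes `\\%`, which re-enables the wildcard; use `/[\\%_]/g` so backslashes are doubled too. `req.query.query` is also used unguarded: a request without `?query=` or with it repeated (`?query=a&query=b` yields an array) makes `.replace` throw, which the catch turns into a 500; `const searchQuery = typeof req.query.query === "string" ? req.query.query : "";` handles both. The comment `// Search Route (ป้องกัน SQL Injection)` overstates what the change does, since the parameter binding already prevents injection; `// Search Route (escape LIKE wildcards so user input cannot match every row)` describes it accurately. The search handler's catch block continues outside the hunk.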