From b59744e84ab0724eabc80983ce39431a56179963 Mon Sep 17 00:00:00 2001
From: 65160270 <65160270@go.buu.ac.th>
Date: Tue, 25 Mar 2025 16:10:49 +0700
Subject: [PATCH] update-server

---
 server.js            | 66 ++++++++++++++++++--------------------------
 shop-routes/order.js |  2 +-
 2 files changed, 28 insertions(+), 40 deletions(-)

diff --git a/server.js b/server.js
index ce5a413..ec54e86 100644
--- a/server.js
+++ b/server.js
@@ -5,8 +5,7 @@ const bcrypt = require("bcrypt");
 const pool = require("./config/database"); 
 require("dotenv").config();
 
-const app = express(); // ประกาศ app ที่นี่
-
+const app = express();
 const MySQLStore = require('express-mysql-session')(session);
 const sessionStore = new MySQLStore({ 
     clearExpired: true, 
@@ -28,11 +27,13 @@ app.use(session({
     secret: process.env.SESSION_SECRET || "mysecret",
     resave: false,
     saveUninitialized: false,
-    store: sessionStore, // ใช้ MySQL Store
+    store: sessionStore,
+    rolling: true, // ต่ออายุ session ทุก request
     cookie: {
         maxAge: 24 * 60 * 60 * 1000, // 24 hours
-        secure: false, // true ถ้าใช้ HTTPS
+        secure: process.env.NODE_ENV === "production", // ใช้ secure ถ้าเป็น production
         httpOnly: true,
+        sameSite: "strict"
     },
 }));
 
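Review bot: The fallback `secret: process.env.SESSION_SECRET || "mysecret"` on the first line of the hunk still lets the server start in production with a publicly known signing secret, which undermines the `secure`/`sameSite` hardening this hunk adds; fail fast instead, e.g. `if (!process.env.SESSION_SECRET) throw new Error("SESSION_SECRET is not set");` before `app.use(session(...))`. With `secure` now true in production, express-session only sets the cookie on a connection it considers TLS, so if the app sits behind a TLS-terminating proxy it also needs `app.set('trust proxy', 1)`; that setting is not visible in the hunk, so it is worth confirming. `sameSite: "strict"` also means the session cookie is not sent on top-level navigations arriving from another site (for example a payment-provider redirect back to the shop), which may require `"lax"` depending on the checkout flow. The `app.use(session({...}))` call starts outside the hunk.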
@@ -40,6 +41,7 @@ app.use(session({
 app.use(express.static(path.join(__dirname, "public")));
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
+
 // Middleware เช็ค Session
 app.use((req, res, next) => {
     console.log("Session Middleware Checked");
@@ -66,14 +68,10 @@ app.use("/", indexRoutes);
 app.use("/cart", cartRoutes);
 app.use("/order", orderRoutes);
 
-// Route สำหรับ Checkout
+// Checkout Route
 app.get('/order/checkout', isLoggedIn, (req, res) => {
-    console.log("Session:", req.session); // ตรวจสอบ Session
-    res.render('checkout'); // แสดงหน้า Checkout
-});
-
-app.get('/register', (req, res) => {
-    res.render('register');  // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง
+    console.log("Session:", req.session);
+    res.render('checkout', { user: req.session.user });
 });
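Review bot: `console.log("Session:", req.session)` in the retained checkout handler prints the entire session object (the `user` record with id and email plus whatever else the store holds) into server logs on every checkout visit; drop it or log only an identifier, e.g. `console.log("Checkout for user:", req.session.user?.id);`. The commit also removes the GET `/register` page route here (and GET `/login` in a later hunk) without a visible replacement, so confirm those views are still served from `indexRoutes` or another router. This route is registered after `app.use("/order", orderRoutes)`, so if `orderRoutes` also defines a `/checkout` handler that one wins and this one is dead code — the router's definitions are not visible here, so worth checking.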
 
 // Register Route (POST)
@@ -83,16 +81,14 @@ app.post("/register", async (req, res) => {
         if (!email || !password || !name) {
             return res.status(400).json({ message: "All fields are required." });
         }
-
+        
         const hashedPassword = await bcrypt.hash(password, 10);
         const [existingUser] = await pool.execute("SELECT * FROM users WHERE email = ?", [email]);
-
         if (existingUser.length > 0) {
             return res.status(400).json({ message: "Email is already registered." });
         }
-
+        
         await pool.execute("INSERT INTO users (email, password, name) VALUES (?, ?, ?)", [email, hashedPassword, name]);
-        console.log("User registered successfully.");
         res.status(201).json({ success: true, message: "Registration successful." });
     } catch (error) {
         console.error("Registration error:", error);
@@ -100,10 +96,6 @@ app.post("/register", async (req, res) => {
     }
 });
 
-app.get('/login', (req, res) => {
-    res.render('login');  // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง
-});
-
 // Login Route (POST)
 app.post("/login", async (req, res) => {
     try {
@@ -111,24 +103,26 @@ app.post("/login", async (req, res) => {
         if (!email || !password) {
             return res.status(400).json({ message: "All fields are required." });
         }
-
+        
         const [users] = await pool.execute("SELECT * FROM users WHERE email = ?", [email]);
         if (users.length === 0) {
             return res.status(400).json({ message: "Invalid email or password." });
         }
-
+        
         const user = users[0];
         const passwordMatch = await bcrypt.compare(password, user.password);
         if (!passwordMatch) {
             return res.status(400).json({ message: "Invalid email or password." });
         }
-
-        req.session.user = { id: user.id, email: user.email };
-        console.log("Session after login:", req.session);
-
-        // Redirect ไปยังหน้า Checkout
-        return res.redirect('/order/checkout');
-
+        
+        req.session.regenerate((err) => {
+            if (err) {
+                console.error("Session regeneration failed:", err);
+                return res.status(500).json({ message: "Login failed." });
+            }
+            req.session.user = { id: user.id, email: user.email };
+            res.redirect('/order/checkout');
+        });
     } catch (error) {
         console.error("Login error:", error);
         res.status(500).json({ message: "Login failed." });
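Review bot: Both failed-credential responses (lines 105 and 112) use status 400, which is the code for a malformed request; 401 is the conventional status for an authentication failure and lets clients tell it apart from the missing-field validation error on line 99. The early return when `users.length === 0` skips `bcrypt.compare`, so an unknown email is answered noticeably faster than a wrong password; running the compare against a constant precomputed dummy hash in that branch keeps the two paths similar in cost. `req.session.regenerate` is the right fix for session fixation; note that the outer `try/catch` does not cover the callback body, so anything that can throw there needs its own handling (the current two statements are low-risk), and a `return res.redirect('/order/checkout');` would match the early-return style used elsewhere in the handler.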
@@ -136,30 +130,24 @@ app.post("/login", async (req, res) => {
 });
 
 // Logout Route
-app.get("/logout", (req, res) => {
-    req.session.destroy((err) => {
-        if (err) {
-            console.error("Logout error:", err);
-            return res.status(500).json({ message: "Logout failed." });
-        }
-        res.redirect("/login");
-    });
-});
 app.post('/logout', (req, res) => {
     req.session.destroy(err => {
         if (err) {
             return res.status(500).json({ message: "Logout failed" });
         }
-        res.clearCookie('connect.sid'); // ล้าง session cookie
+        res.clearCookie('connect.sid');
         res.status(200).json({ message: "Logged out successfully" });
     });
 });
+
+// Search Route (ป้องกัน SQL Injection)
 app.get("/search", async (req, res) => {
     const searchQuery = req.query.query;
     try {
+        const sanitizedQuery = searchQuery.replace(/[%_]/g, "\\$&");
         const [results] = await pool.execute(
             "SELECT * FROM products WHERE name LIKE ? OR description LIKE ?",
-            [`%${searchQuery}%`, `%${searchQuery}%`]
+            [`%${sanitizedQuery}%`, `%${sanitizedQuery}%`]
         );
         res.render("index", { products: results });
     } catch (err) {
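Review bot: `searchQuery.replace(...)` on the added line 161 throws a TypeError when `query` is absent or repeated (`req.query.query` is then `undefined` or an array), turning a bad request into a 500 via the catch, and the character class does not escape a backslash, so an input ending in `\` escapes the appended `%` and silently disables the trailing wildcard; guard the type and include `\\` in the class: `const raw = req.query.query;` / `if (typeof raw !== "string") return res.status(400).json({ message: "query is required" });` / `const sanitizedQuery = raw.replace(/[\\%_]/g, "\\$&");`. The new comment on line 157 is misleading: the `?` placeholders already prevent SQL injection, and this escaping only stops user-supplied `%`/`_` from acting as LIKE wildcards, so `// Search Route (escape LIKE wildcards; the ? placeholders already prevent SQL injection)` describes it accurately. In the logout handler, `res.clearCookie('connect.sid')` assumes the default express-session cookie name; if a `name` option is set in the session config (not visible in this hunk) the cookie would not be cleared. The search handler's catch body continues outside the hunk.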
diff --git a/shop-routes/order.js b/shop-routes/order.js
index 1b882d0..05a39c8 100644
--- a/shop-routes/order.js
+++ b/shop-routes/order.js
@@ -51,7 +51,7 @@ router.get('/history', isAuthenticated, async (req, res) => {
     });
 
 // แสดงรายละเอียดออเดอร์ (เฉพาะผู้ที่ Login)
-router.get('/order-details/:orderId', isAuthenticated, async (req, res) => {
+router.get('/detail/:orderId', isAuthenticated, async (req, res) => {
     try {
         if (!req.session.id) {
             return res.status(400).json({ message: "Session ID not found. Please login again." });
-- 
GitLab