update-server

server.js

@@ -5,8 +5,7 @@ const bcrypt = require("bcrypt");
 const pool = require("./config/database"); 
 require("dotenv").config();
 
-const app = express(); // ประกาศ app ที่นี่
-
+const app = express();
 const MySQLStore = require('express-mysql-session')(session);
 const sessionStore = new MySQLStore({ 
     clearExpired: true, 
@@ -28,11 +27,13 @@ app.use(session({
     secret: process.env.SESSION_SECRET || "mysecret",
     resave: false,
     saveUninitialized: false,
-    store: sessionStore, // ใช้ MySQL Store
+    store: sessionStore,
+    rolling: true, // ต่ออายุ session ทุก request
     cookie: {
         maxAge: 24 * 60 * 60 * 1000, // 24 hours
-        secure: false, // true ถ้าใช้ HTTPS
+        secure: process.env.NODE_ENV === "production", // ใช้ secure ถ้าเป็น production
         httpOnly: true,
+        sameSite: "strict"
     },
 }));
 
@@ -40,6 +41,7 @@ app.use(session({
 app.use(express.static(path.join(__dirname, "public")));
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
+
 // Middleware เช็ค Session
 app.use((req, res, next) => {
     console.log("Session Middleware Checked");
@@ -66,14 +68,10 @@ app.use("/", indexRoutes);
 app.use("/cart", cartRoutes);
 app.use("/order", orderRoutes);
 
-// Route สำหรับ Checkout
+// Checkout Route
 app.get('/order/checkout', isLoggedIn, (req, res) => {
-    console.log("Session:", req.session); // ตรวจสอบ Session
-    res.render('checkout'); // แสดงหน้า Checkout
-});
-
-app.get('/register', (req, res) => {
-    res.render('register');  // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง
+    console.log("Session:", req.session);
+    res.render('checkout', { user: req.session.user });
 });
 
 // Register Route (POST)
@@ -86,13 +84,11 @@ app.post("/register", async (req, res) => {
         
         const hashedPassword = await bcrypt.hash(password, 10);
         const [existingUser] = await pool.execute("SELECT * FROM users WHERE email = ?", [email]);
-
         if (existingUser.length > 0) {
             return res.status(400).json({ message: "Email is already registered." });
         }
         
         await pool.execute("INSERT INTO users (email, password, name) VALUES (?, ?, ?)", [email, hashedPassword, name]);
-        console.log("User registered successfully.");
         res.status(201).json({ success: true, message: "Registration successful." });
     } catch (error) {
         console.error("Registration error:", error);
@@ -100,10 +96,6 @@ app.post("/register", async (req, res) => {
     }
 });
 
-app.get('/login', (req, res) => {
-    res.render('login');  // ตรวจสอบว่า 'views/login.ejs' มีอยู่จริง
-});
-
 // Login Route (POST)
 app.post("/login", async (req, res) => {
     try {
@@ -123,12 +115,14 @@ app.post("/login", async (req, res) => {
             return res.status(400).json({ message: "Invalid email or password." });
         }
         
+        req.session.regenerate((err) => {
+            if (err) {
+                console.error("Session regeneration failed:", err);
+                return res.status(500).json({ message: "Login failed." });
+            }
             req.session.user = { id: user.id, email: user.email };
-        console.log("Session after login:", req.session);
-
-        // Redirect ไปยังหน้า Checkout
-        return res.redirect('/order/checkout');
-
+            res.redirect('/order/checkout');
+        });
     } catch (error) {
         console.error("Login error:", error);
         res.status(500).json({ message: "Login failed." });
@@ -136,30 +130,24 @@ app.post("/login", async (req, res) => {
 });
 
 // Logout Route
-app.get("/logout", (req, res) => {
-    req.session.destroy((err) => {
-        if (err) {
-            console.error("Logout error:", err);
-            return res.status(500).json({ message: "Logout failed." });
-        }
-        res.redirect("/login");
-    });
-});
 app.post('/logout', (req, res) => {
     req.session.destroy(err => {
         if (err) {
             return res.status(500).json({ message: "Logout failed" });
         }
-        res.clearCookie('connect.sid'); // ล้าง session cookie
+        res.clearCookie('connect.sid');
         res.status(200).json({ message: "Logged out successfully" });
     });
 });
+
+// Search Route (ป้องกัน SQL Injection)
 app.get("/search", async (req, res) => {
     const searchQuery = req.query.query;
     try {
+        const sanitizedQuery = searchQuery.replace(/[%_]/g, "\\$&");
         const [results] = await pool.execute(
             "SELECT * FROM products WHERE name LIKE ? OR description LIKE ?",
-            [`%${searchQuery}%`, `%${searchQuery}%`]
+            [`%${sanitizedQuery}%`, `%${sanitizedQuery}%`]
         );
         res.render("index", { products: results });
     } catch (err) {

shop-routes/order.js

@@ -51,7 +51,7 @@ router.get('/history', isAuthenticated, async (req, res) => {
     });
 
 // แสดงรายละเอียดออเดอร์ (เฉพาะผู้ที่ Login)
-router.get('/order-details/:orderId', isAuthenticated, async (req, res) => {
+router.get('/detail/:orderId', isAuthenticated, async (req, res) => {
     try {
         if (!req.session.id) {
             return res.status(400).json({ message: "Session ID not found. Please login again." });