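using System.Diagnostics.CodeAnalysis;
using System.Net;
using System.Text;
using System.Text.Json;
using Backend.Database;
using Backend.Model;
using Backend.Model.Relations;
using Backend.Utils;
using Microsoft.AspNetCore.Mvc;

namespace Backend.Controllers;

/// <summary>
/// HTTP API for sessions, users, installations and folders.
/// Every action except <see cref="Login"/> expects the authentication middleware to have
/// stored the calling <see cref="User"/> in <c>HttpContext.Items["User"]</c>; when it is
/// absent the action answers 401 (<see cref="Logout"/> answers 409, as before).
/// </summary>
/// <remarks>
/// Error statuses are returned as MVC action results (<see cref="UnauthorizedResult"/>,
/// <see cref="NotFoundResult"/>, ...). The previous implementation returned
/// <c>System.Net.Http.HttpResponseMessage</c> instances, which ASP.NET Core does not treat
/// as action results, so the intended status codes were never applied to the response.
/// </remarks>
[ApiController]
[Route("api/")]
public class Controller
{
    // Key under which the authentication middleware stores the caller in HttpContext.Items.
    private const string UserItemKey = "User";

    // Appended to the per-user salt before hashing. The value is baked into every stored
    // password hash, so it cannot change without invalidating all existing passwords.
    private const string PasswordPepper = "innovEnergy";

    /// <summary>
    /// Authenticates a user from a JSON object with <c>username</c> and <c>password</c>
    /// properties and opens a session.
    /// </summary>
    /// <param name="usernamepass">Request body; must be a JSON object.</param>
    /// <returns>The new session token, 400 for a malformed/empty body, 401 on failure.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(400)]
    [ProducesResponseType(401)]
    [HttpPost($"{nameof(Login)}")]
    public Object Login(JsonElement usernamepass)
    {
        // TryGetProperty throws on anything but an object (e.g. a bare JSON string body).
        if (usernamepass.ValueKind != JsonValueKind.Object)
            return new BadRequestResult();

        var username = ReadProperty(usernamepass, "username");
        var password = ReadProperty(usernamepass, "password");
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return new BadRequestResult();

        using var db = Db.Connect();
        var user = db.GetUserByEmail(username);

        // Hash even when the account is unknown: the previous code dereferenced user.Salt
        // before the null check (a 500 for unknown e-mails), and skipping the hash would make
        // the existence of an account observable through the response time.
        var saltedInput = user is null ? PasswordPepper : user.Salt + PasswordPepper;
        var hashedPassword = Crypto.ComputeHash(
            Encoding.UTF8.GetBytes(password),
            Encoding.UTF8.GetBytes(saltedInput));

        // Same status for "no such user" and "wrong password" so the API does not reveal
        // whether an e-mail address is registered.
        // NOTE(review): Crypto.ComputeHash's algorithm and the type of user.Password are not
        // visible here; password hashes should come from a slow KDF (PBKDF2/Argon2) and be
        // compared in constant time (CryptographicOperations.FixedTimeEquals) - confirm.
        if (user is null || user.Password != hashedPassword)
            return new UnauthorizedResult();

        var session = new Session(user);
        db.NewSession(session);
        return session.Token;
    }

    /// <summary>Ends the caller's session.</summary>
    /// <returns>The result of deleting the session; 409 when no user is signed in.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [ProducesResponseType(409)]
    [HttpPost($"{nameof(Logout)}")]
    public Object Logout()
    {
        var currentUser = CurrentUser();
        // Kept from the original: logging out without a session is reported as 409, not 401.
        if (currentUser is null)
            return new ConflictResult();

        using var db = Db.Connect();
        return db.DeleteSession(currentUser.Id);
    }

    /// <summary>Generates and stores a new S3 API key for the caller.</summary>
    /// <returns>The result of the key creation; 401 when no user is signed in.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpPost($"{nameof(UpdateS3Creds)}")]
    public Object UpdateS3Creds()
    {
        var currentUser = CurrentUser();
        // The original used null-forgiving casts here and would have thrown (500) for an
        // unauthenticated request; answer 401 like the other actions.
        if (currentUser is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        return db.CreateAndSaveUserS3ApiKey(currentUser);
    }

    /// <summary>Returns a user that is below the caller in the user hierarchy.</summary>
    /// <param name="id">Id of the user to view.</param>
    /// <returns>The user, or 401 when the caller is not signed in, the id is unknown,
    /// or the user is outside the caller's subtree.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpGet($"{nameof(GetUserById)}")]
    public Object GetUserById(Int64 id)
    {
        var currentUser = CurrentUser();
        if (currentUser is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var viewedUser = db.GetUserById(id);

        // One status for "no such user" and "not in the caller's subtree" so ids cannot be probed.
        if (viewedUser is null || !db.IsParentOfChild(currentUser, viewedUser))
            return new UnauthorizedResult();

        return viewedUser;
    }

    /// <summary>Returns an installation the caller has access to.</summary>
    /// <param name="id">Id of the installation.</param>
    /// <returns>The installation; 401 when not signed in or not accessible; 404 when the
    /// id is accessible but no longer exists.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [ProducesResponseType(404)]
    [HttpGet($"{nameof(GetInstallationById)}")]
    public Object GetInstallationById(Int64 id)
    {
        var currentUser = CurrentUser();
        if (currentUser is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        // The original's "currentUser == null || accessible" condition returned the
        // installation to an unauthenticated caller; the null case must be 401.
        if (!db.GetAllAccessibleInstallationIds(currentUser).Contains(id))
            return new UnauthorizedResult();

        var installation = db.GetInstallationById(id);
        if (installation is null)
            return new NotFoundResult();

        return installation;
    }

    /// <summary>Returns a folder the caller has access to.</summary>
    /// <param name="id">Id of the folder.</param>
    /// <returns>The folder; 401 when not signed in or not accessible; 404 when the id is
    /// accessible but no longer exists.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [ProducesResponseType(404)]
    [HttpGet($"{nameof(GetFolderById)}")]
    public Object GetFolderById(Int64 id)
    {
        var currentUser = CurrentUser();
        if (currentUser is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        // The original's "currentUser == null || accessible" condition returned the folder
        // to an unauthenticated caller; the null case must be 401.
        if (!db.GetAllAccessibleFolderIds(currentUser).Contains(id))
            return new UnauthorizedResult();

        var folder = db.GetFolderById(id);
        if (folder is null)
            return new NotFoundResult();

        return folder;
    }

    /// <summary>Lists every installation the caller has access to.</summary>
    /// <returns>The list of installations, or 401 when no user is signed in.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpGet($"{nameof(GetAllInstallations)}/")]
    public Object GetAllInstallations()
    {
        var user = CurrentUser();
        if (user is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        return db.GetAllAccessibleInstallations(user).ToList();
    }

    /// <summary>Lists every folder the caller has access to.</summary>
    /// <returns>The list of folders, or 401 when no user is signed in.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpGet($"{nameof(GetAllFolders)}/")]
    public Object GetAllFolders()
    {
        var user = CurrentUser();
        if (user is null)
            return new UnauthorizedResult();

        using var db = Db.Connect();
        return db.GetAllAccessibleFolders(user).ToList();
    }

    /// <summary>Creates or updates a user below the caller in the hierarchy.</summary>
    /// <param name="updatedUser">The user to write.</param>
    /// <returns>The result of the create/update; 401 when the caller is not signed in,
    /// lacks write access, or is not a parent of <paramref name="updatedUser"/>.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpPut($"{nameof(UpdateUser)}/")]
    public Object UpdateUser(User updatedUser)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        if (!db.IsParentOfChild(currentUser, updatedUser))
            return new UnauthorizedResult();

        if (db.GetUserById(updatedUser.Id) is null)
            return db.CreateUser(updatedUser);

        return db.UpdateUser(updatedUser);
    }

    /// <summary>Creates or updates an installation.</summary>
    /// <param name="updatedInstallation">The installation to write.</param>
    /// <returns>The result of the create/update, or 401 when the caller may not write it.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpPut($"{nameof(UpdateInstallation)}/")]
    public Object UpdateInstallation(Installation updatedInstallation)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var existing = db.GetInstallationById(updatedInstallation.Id);

        if (db.GetAllAccessibleInstallationIds(currentUser).Contains(updatedInstallation.Id))
        {
            // Kept from the original: an accessible id that no longer exists is reported as 401.
            if (existing is null)
                return new UnauthorizedResult();

            return db.UpdateInstallation(updatedInstallation);
        }

        // An id outside the caller's accessible set must only be a "create" when no row with
        // that id exists. The original granted access and called CreateInstallation regardless,
        // so - depending on how CreateInstallation treats an existing id - a client could have
        // attached another user's installation to its own account.
        if (existing is not null)
            return new UnauthorizedResult();

        db.AddToAccessibleInstallations(currentUser.Id, updatedInstallation.Id);
        return db.CreateInstallation(updatedInstallation);
    }

    /// <summary>Creates or updates a folder.</summary>
    /// <param name="updatedFolder">The folder to write.</param>
    /// <returns>The result of the create/update, or 401 when the caller may not write it.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpPut($"{nameof(UpdateFolder)}/")]
    public Object UpdateFolder(Folder updatedFolder)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var existing = db.GetFolderById(updatedFolder.Id);

        if (db.GetAllAccessibleFolderIds(currentUser).Contains(updatedFolder.Id))
        {
            // Kept from the original: an accessible id that no longer exists is reported as 401.
            if (existing is null)
                return new UnauthorizedResult();

            return db.UpdateFolder(updatedFolder);
        }

        // Same guard as UpdateInstallation: never turn an existing, inaccessible id into a
        // "create" that would add it to the caller's accessible folders.
        if (existing is not null)
            return new UnauthorizedResult();

        db.AddToAccessibleFolders(currentUser.Id, updatedFolder.Id);
        return db.CreateFolder(updatedFolder);
    }

    /// <summary>Deletes a user below the caller in the hierarchy.</summary>
    /// <param name="userId">Id of the user to delete.</param>
    /// <returns>The result of the deletion, or 401 when the caller may not delete it.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpDelete($"{nameof(DeleteUser)}/")]
    public Object DeleteUser(Int64 userId)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var userToBeDeleted = db.GetUserById(userId);

        // One status for "no such user" and "not in the caller's subtree" so ids cannot be probed.
        if (userToBeDeleted is null || !db.IsParentOfChild(currentUser, userToBeDeleted))
            return new UnauthorizedResult();

        return db.DeleteUser(userToBeDeleted);
    }

    /// <summary>Deletes an installation the caller has access to.</summary>
    /// <param name="installationId">Id of the installation to delete.</param>
    /// <returns>The result of the deletion, or 401 when the caller may not delete it.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpDelete($"{nameof(DeleteInstallation)}/")]
    public Object DeleteInstallation(Int64 installationId)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var installationToBeDeleted = db.GetInstallationById(installationId);

        // One status for "no such installation" and "not accessible" so ids cannot be probed.
        if (installationToBeDeleted is null
            || !db.GetAllAccessibleInstallationIds(currentUser).Contains(installationToBeDeleted.Id))
            return new UnauthorizedResult();

        return db.DeleteInstallation(installationToBeDeleted);
    }

    /// <summary>Deletes a folder the caller has access to.</summary>
    /// <param name="folderId">Id of the folder to delete.</param>
    /// <returns>The result of the deletion, or 401 when the caller may not delete it.</returns>
    [ProducesResponseType(200)]
    [ProducesResponseType(401)]
    [HttpDelete($"{nameof(DeleteFolder)}/")]
    public Object DeleteFolder(Int64 folderId)
    {
        var currentUser = CurrentUser();
        if (!CanWrite(currentUser))
            return new UnauthorizedResult();

        using var db = Db.Connect();
        var folderToBeDeleted = db.GetFolderById(folderId);

        // One status for "no such folder" and "not accessible" so ids cannot be probed.
        if (folderToBeDeleted is null
            || !db.GetAllAccessibleFolderIds(currentUser).Contains(folderToBeDeleted.Id))
            return new UnauthorizedResult();

        return db.DeleteFolder(folderToBeDeleted);
    }

    /// <summary>
    /// The signed-in <see cref="User"/> stored under <c>HttpContext.Items["User"]</c>, or null
    /// when there is no current request, no such entry, or the entry is not a <see cref="User"/>.
    /// </summary>
    /// <remarks>
    /// NOTE(review): this reads the context through a fresh <see cref="HttpContextAccessor"/>,
    /// which only works because the accessor keeps the context in static async-local storage
    /// and only when <c>AddHttpContextAccessor()</c> is registered at startup. Constructor-
    /// injecting <c>IHttpContextAccessor</c> (or deriving from <c>ControllerBase</c>) would make
    /// that dependency explicit - confirm before changing.
    /// </remarks>
    private static User? CurrentUser()
    {
        var ctx = new HttpContextAccessor().HttpContext;
        if (ctx is null || !ctx.Items.TryGetValue(UserItemKey, out var item))
            return null;

        // A hard cast (as in the original) would turn an unexpected item type into a 500.
        return item as User;
    }

    /// <summary>True when <paramref name="user"/> is signed in and allowed to modify data.</summary>
    private static bool CanWrite([NotNullWhen(true)] User? user)
        => user is { HasWriteAccess: true };

    /// <summary>
    /// Text of the named property as <see cref="JsonElement.ToString"/> renders it (the original
    /// accepted any JSON kind here, not only strings), or null when the property is missing.
    /// </summary>
    private static string? ReadProperty(JsonElement obj, string name)
        => obj.TryGetProperty(name, out var value) ? value.ToString() : null;
}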