current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Code Review Stack Exchange is a question and answer site for peer programmer code reviews. It's 100% free, no registration required.

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 3 down vote favorite

I get the feeling the code for this to-do app is not secure. I am just a beginner, and I don't know much about coding style so do you think it is conventional/elegant?

Please don't hesitate to criticize my code.

/*global require*/
/*global console*/
/*global __dirname*/

(function () {

  'use strict';

  //////////////////////////////Express boilerplate//////////////////////////////

  var express = require('express'),
    app = express(),
    server = app.listen(3000, function () {
      var host = server.address().address,
        port = server.address().port;
      console.log('Example app listening at http://%s:%s', host, port);
    });

  /////////////////////////////Mongoose boilerplate//////////////////////////////

  var mongoose = require('mongoose');
  mongoose.connect('mongodb://localhost/test');

  var db = mongoose.connection, User, Todo;

  db.on('error', console.error.bind(console, 'connection error:'));
  db.once('open', function (callback) {
    User = mongoose.model('User', mongoose.Schema({
      email: String,
      password: String
    }));

    Todo = mongoose.model('Todo', mongoose.Schema({
      todo: String,
      userId: String
    }));
  });

  /////////////////////////////Passport boilerplate//////////////////////////////

  var passport = require('passport'),
    LocalStrategy = require('passport-local').Strategy;

  passport.use(new LocalStrategy({
    usernameField: 'email',
    passwordField: 'password'
  }, function (email, password, done) {
    User.findOne({ email: email }, function (err, user) {
      if (err) {
        return done(err);
      } else if (!user) {
        return done(null, false, { message: 'Incorrect email.' });
      } else if (user.password !== password) {
        return done(null, false, { message: 'Incorrect password.' });
      } else {
        return done(null, user);
      }
    });
  }));

  app.use(express.static('public'));
  app.use(require('cookie-parser')());
  app.use(require('body-parser')());
  app.use(require('express-session')({ secret: 'Elvis is alive' }));
  app.use(passport.initialize());
  app.use(passport.session());

  passport.serializeUser(function (user, done) {
    done(null, user.id);
  });

  passport.deserializeUser(function (id, done) {
    User.findById(id, function (err, user) {
      done(err, user);
    });
  });

  ////////////////////////////////////Captcha////////////////////////////////////

  var https = require('https');
  var secret = '6LfGKAITAAAAAHOSSPZprPvU3AkoJ4IOQd0w3H62';

  ////////////////////////////////////Routing////////////////////////////////////

  app.get('/', function (req, res) {
    res.send('Hello World!');
  });

  app.get('/login', function (req, res) {
    res.sendFile('login.html', {root: __dirname + '/html'});
  });

  app.post('/login', passport.authenticate('local', {
    successRedirect: '/app',
    failureRedirect: '/login'
  }));

  app.get('/signup', function (req, res) {
    res.sendFile('signup.html', {root: __dirname + '/html'});
  });

  app.post('/signup', function (req, res) {
    //info verification
    https.get('https://www.google.com/recaptcha/api/siteverify?secret=' + secret + '&response=' + req.body['g-recaptcha-response'], function (res2) {
      var data = '';
      res2.on('data', function (chunk) {
        data += chunk.toString();
      });
      res2.on('end', function () {
        if (JSON.parse(data).success && req.body.email !== "" && req.body.password !== "") {
          var newUser = new User({email: req.body.email, password: req.body.password});
          newUser.save(function (err) {
            res.redirect('/');
          });
        } else {
          res.redirect('/signup');
        }
      });
    });
  });

  app.get('/logout', function (req, res) {
    if (req.user) {
      req.user.logout();
    }
    res.redirect('/');
  });

  app.get('/app', function (req, res) {
    if (req.user) {
      res.send('App');
    } else {
      res.redirect('/');
    }
  });

  app.get('/get', function (req, res) {
    if (req.user) {
      Todo.find({userId: req.user.id}, function (err, todos) {
        if (err) return console.error(err);
        res.send(todos);
      });
    } else {
      res.send('not authorized');
    }
  });

  app.post('/add', function (req, res) {
    if (req.user) {
      var newTodo = new Todo({todo: req.body.todo, userId: req.user.id});
      newTodo.save(function (err) {
        Todo.find({userId: req.user.id}, function (err, todos) {
        if (err) return console.error(err);
          res.send(todos);
        });
      });
    } else {
      res.send('not authorized');
    }
  });

  app.post('/delete', function (req, res) {
    if (req.user) {
      Todo.findOneAndRemove({userId: req.user.id, todo: req.body.todo}, function (err, todo) {
        Todo.find({userId: req.user.id}, function (err, todos) {
        if (err) return console.error(err);
          res.send(todos);
        });
      });
    } else {
      res.send('not authorized');
    }
  });

}());
share|improve this question

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Browse other questions tagged or ask your own question.