Merge pull request #6 from ajayyy/experimental

Added hashing to userIDs and changed up how the UUID is created
ajayyy · Jul 25, 2019 · 51efb9a · 51efb9a
2 parents c59372d + abfbba2
commit 51efb9a
Showing 1 changed file with 34 additions and 4 deletions.
diff --git a/index.js b/index.js
@@ -92,21 +92,34 @@ app.get('/api/postVideoSponsorTimes', function (req, res) {
         return;
     }
 
+    //hash the userID
+    userID = getHashedUserID(userID);
+
     //x-forwarded-for if this server is behind a proxy
     let ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
 
     //hash the ip so no one can get it from the database
     let hashedIP = ip + globalSalt;
     //hash it 5000 times, this makes it very hard to brute force
     for (let i = 0; i < 5000; i++) {
-        let hashCreator = crypto.createHash('sha512');
+        let hashCreator = crypto.createHash('sha256');
         hashedIP = hashCreator.update(hashedIP).digest('hex');
     }
 
     startTime = parseFloat(startTime);
     endTime = parseFloat(endTime);
 
-    let UUID = uuidv1();
+    if (startTime > endTime) {
+        //time can't go backwards
+        res.sendStatus(400);
+        return;
+    }
+
+    //this can just be a hash of the data
+    //it's better than generating an actual UUID like what was used before
+    //also better for duplication checking
+    let hashCreator = crypto.createHash('sha256');
+    let UUID = hashCreator.update(videoID + startTime + endTime + userID).digest('hex');
 
     //get current time
     let timeSubmitted = Date.now();
@@ -156,6 +169,9 @@ app.get('/api/voteOnSponsorTime', function (req, res) {
         return;
     }
 
+    //hash the userID
+    userID = getHashedUserID(userID);
+
     //check if vote has already happened
     db.prepare("SELECT type FROM votes WHERE userID = ? AND UUID = ?").get(userID, UUID, function(err, row) {
         if (err) console.log(err);
@@ -236,16 +252,19 @@ app.get('/api/getViewsForUser', function (req, res) {
         return;
     }
 
+    //hash the userID
+    userID = getHashedUserID(userID);
+
     //up the view count by one
     db.prepare("SELECT SUM(views) as viewCount FROM sponsorTimes WHERE userID = ?").get(userID, function(err, row) {
         if (err) console.log(err);
 
-        if (row != null) {
+        if (row.viewCount != null) {
             res.send({
                 viewCount: row.viewCount
             });
         } else {
-            res.send(404);
+            res.sendStatus(404);
         }
     });
 });
@@ -254,6 +273,17 @@ app.get('/database.db', function (req, res) {
     res.sendFile("./databases/sponsorTimes.db", { root: __dirname });
 });
 
+function getHashedUserID(userID) {
+    //hash the userID so no one can get it from the database
+    let hashedUserID = userID;
+    //hash it 5000 times, this makes it very hard to brute force
+    for (let i = 0; i < 5000; i++) {
+        let hashCreator = crypto.createHash('sha256');
+        hashedUserID = hashCreator.update(hashedUserID).digest('hex');
+    }
+
+    return hashedUserID;
+}
 
 //This function will find sponsor times that are contained inside of eachother, called similar sponsor times
 //Only one similar time will be returned, randomly generated based on the sqrt of votes.