hyf-assignment-template/assets/courses/backend/databases/example-api/index.js at fd6b01bdbe47933ce57de40e8e28cb2cc1ddb87b · HackYourFuture-CPH/hyf-assignment-template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
import express, { json } from "express";
import knex from "knex";

const app = express();
const port = 3000;

// Database configuration

// Development: local SQLite
const developmentConfig = {
	client: "sqlite3",
	connection: {
		filename: "../database/tasks.sqlite3",
		useNullAsDefault: true,
	},
};

// Production: remote PostgreSQL
const productionConfig = {
	client: "pg",
	connection: {
		connectionString: process.env.DATABASE_URL,
		ssl: { rejectUnauthorized: false },
	},
};

const isProductionEnvironment = process.env.NODE_ENV === "production";

// Use the right config based on environment
const config = isProductionEnvironment ? productionConfig : developmentConfig;

// Database configuration
const db = knex(config);

// Middleware
app.use(json());

app.get("/", (req, res) => {
	res.send("Welcome to the Task Management API");
});

// Get all users
app.get("/api/users", async (req, res) => {
	try {
		if (isProductionEnvironment) {
			console.log(`Users from Postgres database: ${config.connection.connectionString}`);
		} else {
			console.log(`Users from SQLite: ${config.connection.filename}`);
		}

		const users = await db.raw('SELECT * FROM "user"');

		// Postgres returns an object with a 'rows' property
		// SQLite returns an array directly
		const result = isProductionEnvironment ? users.rows : users;
		res.json(result);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

// Get all tasks
app.get("/api/stats/tasks-per-user-unoptimized", async (req, res) => {
	try {
		const tasks = await db.raw(
			"SELECT task.*, user_task.user_id FROM task INNER JOIN user_task ON task.id = user_task.task_id"
		);

		const users = await db.raw("SELECT * FROM user");
		const userTaskCounts = {};

		for (const user of users) {
			userTaskCounts[user.name] = 0; // Initialize count

			for (const task of tasks) {
				if (task.user_id === user.id) {
					userTaskCounts[user.name] += 1; // Increment count for this user
				}
			}
		}

		res.json(userTaskCounts);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

// Routes for aggregate functions examples
app.get("/api/stats/tasks-per-user", async (req, res) => {
	try {
		const stats = await db.raw(
			`SELECT u.name, COUNT(ut.task_id) as task_count, SUM(CASE WHEN t.status_id = 1 THEN 1 ELSE 0 END) as completed_tasks
      FROM user u
      LEFT JOIN user_task ut ON u.id = ut.user_id
      LEFT JOIN task t ON ut.task_id = t.id
      GROUP BY u.id, u.name
      ORDER BY task_count DESC`
		);

		res.json(stats);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

app.get("/api/stats/status-distribution", async (req, res) => {
	try {
		const stats = await db.raw(
			`SELECT status.name as status, COUNT(task.id) as count
      FROM task
      JOIN status ON task.status_id = status.id
      GROUP BY status.id, status.name`
		);

		res.json(stats);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

// Vulnerable search endpoint for SQL injection demo
app.get("/api/search/vulnerable", async (req, res) => {
	const { query } = req.query;

	if (!query) {
		return res.status(400).json({ error: "Query parameter required" });
	}

	try {
		// VULNERABLE: Direct string concatenation
		const sql = `SELECT id, title, created FROM task WHERE title LIKE '%${query}%'`;

		console.warn("Executing vulnerable SQL:", sql);
		const results = await db.raw(sql);

		res.json(results);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

// Secure search endpoint
app.get("/api/search/secure", async (req, res) => {
	const { query } = req.query;

	if (!query) {
		return res.status(400).json({ error: "Query parameter required" });
	}

	console.log(query);
	try {
		// SECURE: Using parameterized queries
		const results = await db.raw(`SELECT id, title, created FROM task WHERE title LIKE ?`, [
			`%${query}%`,
		]);

		// Or use the ORM
		const results_orm = await db("task")
			.select("id", "title", "created")
			.where("title", "like", `%${query}%`);

		res.json(results);
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

app.post("/api/tasks/:taskId/transfer-unsafe", async (req, res) => {
	try {
		const { fromUserId, toUserId, shouldFail } = req.body;
		const { taskId } = req.params;

		await db.raw("DELETE FROM user_task WHERE user_id = ? AND task_id = ?", [
			fromUserId,
			taskId,
		]);

		// Force failure based on body parameter
		if (shouldFail) {
			throw new Error("System failure - task doesn't belong to anyone");
		}

		await db.raw("INSERT INTO user_task (user_id, task_id) VALUES (?, ?)", [toUserId, taskId]);

		res.json({ message: "Task transferred successfully" });
	} catch (error) {
		res.status(500).json({ error: error.message });
	}
});

app.listen(port, () => {});