varq="SELECT participant FROM participants WHERE participant='"+user+"' AND id IN (SELECT id FROM rooms WHERE name='"+room+"' AND token='"+token+"');";
varq="SELECT `participant` FROM `participants` WHERE `participant`="+sql.escape(user)+" AND `id` IN (SELECT `id` FROM `rooms` WHERE `name`="+sql.escape(room)+" AND `token`="+sql.escape(token)+");";
console.log('Checking if '+user+' is allowed to join room '+room+' using token '+token);
console.log('Checking if '+user+' is allowed to join room '+room+' using token '+token);
sql.query(q,function(err,rows,fields){
sql.query(q,function(err,rows,fields){
if(err)throwerr;
if(err){
throwerr;
}
// No result ? This user hasn't joined this room through our frontend
// No result ? This user hasn't joined this room through our frontend
if(rows.length<1)returnfalse;
if(rows.length>0){
cb(true);
}
else{
cb(false);
}
});
});
returntrue;
}
}
io.configure(function(){
io.configure(function(){
@ -58,7 +64,7 @@ io.configure(function(){
varsession=data.cookie['vroomsession'];
varsession=data.cookie['vroomsession'];
if(typeofsession!='string'){
if(typeofsession!='string'){
console.log('Cookie vroomsession not found, access unauthorized');
console.log('Cookie vroomsession not found, access unauthorized');
return('error',false);
accept('vroomsession cookie not found',false);
}
}
// vroomsession is base64(user:room:token) so let's decode this !
// vroomsession is base64(user:room:token) so let's decode this !
session=newBuffer(session,encoding='base64');
session=newBuffer(session,encoding='base64');
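Review bot: The `accept('vroomsession cookie not found',false);` line inside the `typeof session != 'string'` guard does not leave the handler the way the `return('error',false);` it appears to replace did, so after the rejection callback fires execution falls through to `session = new Buffer(session, encoding='base64')` with a non-string `session` and on into the rest of the authorization logic; which of the two printed lines is the new side is inferred from the page layout, so confirm against the raw diff. Change it to `accept('vroomsession cookie not found', false); return;` (or `return accept(...)`) so the unauthorized path exits at the point it is rejected rather than continuing to decode and act on a missing cookie. Separately, the unchanged `encoding='base64'` argument is an assignment expression that creates an implicit global named `encoding` while passing the string; `new Buffer(session, 'base64')` expresses the intent without the side effect. The enclosing authorization callback begins before and ends after this hunk.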
@ -69,17 +75,22 @@ io.configure(function(){
// sanitize user input, we don't want to pass random junk to MySQL do we ?
// sanitize user input, we don't want to pass random junk to MySQL do we ?