From 4f8b365cca376b4fd815a92618afbbba5e153ac2 Mon Sep 17 00:00:00 2001
From: counter
Date: Sun, 15 Jan 2023 22:13:54 -0800
Subject: [PATCH] users can update their paths

---
 api.js | 48 ++++++++++++++++++++++++++++++++
 front-end/src/libs/api.js | 21 ++++++++++++++
 front-end/src/pages/Settings.vue | 34 +++++++++++++---------
 3 files changed, 90 insertions(+), 13 deletions(-)

diff --git a/api.js b/api.js
index c53a411..09a4030 100644
--- a/api.js
+++ b/api.js
@@ -210,6 +210,54 @@ async function set_up_api_server(app) {
 }).end();
 });
+ /*
+ Get the user's path.
+ */
+ app.get(constants.API_BASE_PATH + 'user-path', async (req, res) => {
+ const user = await Users.findOne({ where: { 'id': req.session.user_id } });
+ res.status(200).json({
+ "success": true,
+ "result": {
+ "uri": user.path
+ }
+ }).end();
+ });
+
+ /*
+ Update the user's path.
+ */
+ app.put(constants.API_BASE_PATH + 'user-path', async (req, res) => {
+ if(req.body.path instanceof String){
+ const desiredPath = req.body.path;
+ const collisionUser = await Users.findOne({ where: { 'path': desiredPath } });
+ }else{
+ return res.status(200).json({
+ "success": false,
+ "error": "invalid path"
+ }).end();
+ }
+ if( collisionUser ){
+ return res.status(200).json({
+ "success": false,
+ "error": "Path taken by another user"
+ }).end();
+ }
+
+ const user = await Users.findOne({ where: { 'id': req.session.user_id } });
+ user.path = desiredPath;
+ user.save();
+ res.status(200).json({
+ "success": true,
+ "result": {
+ "uri": user.path
+ }
+ }).end();
+ });
+
+
+
+
+
 /*
 Attempt to log into the administrator account
diff --git a/front-end/src/libs/api.js b/front-end/src/libs/api.js
index cf58fd4..247f435 100644
--- a/front-end/src/libs/api.js
+++ b/front-end/src/libs/api.js
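Review bot: `req.body.path instanceof String` is false for every string that arrives in a JSON body — those are primitives, and `instanceof String` only matches `new String(...)` wrapper objects — so the new PUT handler always answers "invalid path"; and even once that test is fixed, `desiredPath` and `collisionUser` are `const` bindings inside the `if` block and are no longer in scope at `if( collisionUser )` and `user.path = desiredPath`, which would throw a ReferenceError. The sketch below tests with `typeof`, hoists both bindings to function scope, and `await`s `user.save()` so a rejected write is not reported back as success. Because the value becomes a URL segment that ties payload fires back to the account (per the Settings help text in this patch), I would also constrain the alphabet and impose a minimum length before the collision lookup — the pattern in the sketch is a placeholder to be aligned with whatever generates the default 20-character path — and note that the find-then-save pair is a check-then-act race unless `path` carries a unique constraint in the model. Neither new route verifies `req.session.user_id` itself; if a session middleware registered earlier in `set_up_api_server` guards every route that is fine, otherwise both handlers dereference `null` from `Users.findOne` (the GET one at `user.path`). `set_up_api_server` begins and ends outside this hunk.
```javascript
app.put(constants.API_BASE_PATH + 'user-path', async (req, res) => {
    // JSON-decoded strings are primitives; `instanceof String` never matches them.
    const desiredPath = req.body.path;
    // Placeholder policy: URL-safe alphabet plus a minimum length; align with the default path generator.
    if (typeof desiredPath !== 'string' || !/^[A-Za-z0-9_-]{8,64}$/.test(desiredPath)) {
        return res.status(200).json({
            "success": false,
            "error": "invalid path"
        }).end();
    }
    // Function-scoped so the check below can see it.
    const collisionUser = await Users.findOne({ where: { 'path': desiredPath } });
    if (collisionUser) {
        // … unchanged: "Path taken by another user" response …
    }

    const user = await Users.findOne({ where: { 'id': req.session.user_id } });
    user.path = desiredPath;
    // save() returns a promise; a failed write must not be answered with success.
    await user.save();
    // … unchanged: success response …
});
```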
@@ -122,6 +122,25 @@ async function generate_new_correlation_api_key() {
 );
 }
+async function get_user_path() {
+ return api_request(
+ 'PUT',
+ `/api/v1/user-path`,
+ false
+ );
+}
+
+async function update_user_path(path) {
+ return api_request(
+ 'PUT',
+ `/api/v1/user-path`,
+ {
+ "user_path": path,
+ }
+ );
+}
+
+
 async function set_chainload_uri(chainload_uri) {
 return api_request(
 'PUT',
@@ -168,6 +187,8 @@ module.exports = {
 api_request,
 is_authenticated,
 authenticate,
+ get_user_path,
+ update_user_path,
 get_payload_fires,
 delete_payload_fires,
 get_collect_pages,
diff --git a/front-end/src/pages/Settings.vue b/front-end/src/pages/Settings.vue
index 0c2c359..58f97d7 100644
--- a/front-end/src/pages/Settings.vue
+++ b/front-end/src/pages/Settings.vue
@@ -21,13 +21,13 @@
-
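Review bot: `get_user_path` issues a `'PUT'` although the server side of this patch registers the read route with `app.get`, so the call lands on the update handler with a `false` body and comes back as "invalid path" instead of the current path; the method string should be `'GET',`. `update_user_path` sends the value under `"user_path"` while the server reads `req.body.path`, so the body key must be `"path": path,` for the update to ever receive a string. Both functions are complete within the hunk.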

Master Password

-
Change your login password for this XSS Hunter express instance.
+

XSSHunter path

+
This unique path ties injection payloads back to you. You can set it to something shorter (it defaults to 20 chars).

- +

- - Update Password + + Update Path
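Review bot: The new path controls replace the Master Password section rather than sit beside it — the "Master Password" heading, its "Change your login password" help text, the password input and the "Update Password" button are the removed lines, and "Update Path" is the only button on the new side — so after this change the instance password can no longer be rotated from Settings (the matching `update_password` method is removed in a later hunk of this file). Unless dropping that is intended, the path UI should be a new block under the password one, with `v-model="user_path"` and `@click="update_path"` on its own input and button. The help text also invites a shorter value without saying what is accepted; it should state the allowed characters and minimum length the server enforces, since presumably a guessable path lets anyone address the payload endpoint tied to this account. The hunk's markup lost its tags in extraction, so the exact element structure is inferred from the visible text.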
@@ -164,6 +164,7 @@ export default { ], chainload_uri: '', correlation_api_key: '', + user_path: '', pages_to_collect: [], selected_page_to_collect: [], new_page_to_collect: '', @@ -174,15 +175,20 @@ export default { }, watch: {}, methods: { - update_password: async function() { - const password = this.password; - if(password === '') { - alert('Password is empty, please provide a valid password to continue.'); + update_path: async function() { + const desiredPath = this.user_path; + if(desiredPath === '') { + alert('Path is empty, please provide a valid path to continue.'); return } - await api_request.update_password(this.password); - this.password = ''; - toastr.success('Your instance password has been updated.', 'Password Updated') + const res = await api_request.update_user_path(path); + const user_path = await api_request.get_user_path(); + this.user_path = user_path; + if(res.success){ + toastr.success('Your user path has been updated.', 'Path Updated'); + }else{ + toastr.error(res.error, 'Path Update Error'); + } }, generate_new_correlation_api_key: async function() { await api_request.generate_new_correlation_api_key(); @@ -204,6 +210,8 @@ export default { settings_keys.map(settings_key => { this[settings_key] = settings[settings_key]; }); + const user_path = await api_request.get_user_path(); + this[user_path] = user_path; }, update_chainload_uri: async function() { await api_request.set_chainload_uri(this.chainload_uri); @@ -269,4 +277,4 @@ export default { .dropdown-item { font-size: 16px !important; } - \ No newline at end of file +
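Review bot: `update_path` validates `desiredPath` but then calls `api_request.update_user_path(path)` — `path` is not declared anywhere in the method, so clicking the button throws a ReferenceError before any request is sent; the call should be `const res = await api_request.update_user_path(desiredPath);`. The follow-up `this.user_path = user_path;` stores the whole response object in the input model, whereas the server in this patch answers `{ success, result: { uri } }`, so it should read `this.user_path = user_path.result.uri;`, ideally only after `res.success` is confirmed so a failed update does not trigger the re-read. This hunk also deletes the `update_password` handler, which removes password rotation unless that is intentional. The `methods` object continues outside the hunk.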
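Review bot: `this[user_path] = user_path;` uses the response object itself as the property key — it stringifies to `"[object Object]"` — so the settings loader never populates the `user_path` field the input is bound to. Given the server's `{ success, result: { uri } }` response shape in this patch, the line should be `this.user_path = user_path.result.uri;`. The enclosing settings-loading method begins outside the hunk.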