working ish website

routes/auth.js

@@ -14,6 +14,14 @@ router.get('/selfservice/api', function (req, res) {
       response += 'Username: ' + req.user.username + '<br>';
       response += 'First Name: ' + req.user.first_name + '<br>';
       response += 'Last Name: ' + req.user.last_name + '<br>';
+      usertype_map = ['Unknown', 'Student', 'Parent'];
+      response += 'User Type: ' + usertype_map[req.user.userType] + '<br>';
+      if (req.user.userType === directory.USER_TYPE.STUDENT) {
+        response += 'Primary Parent: ' + req.user.primaryParent + '<br>';
+      } 
+      else if (req.user.userType === directory.USER_TYPE.PARENT) {
+        response += 'Students: ' + req.user.students + '<br>';
+      }
       response += '<a href="/selfservice/api/logout">Logout</a>';
       res.send(response);
     }
@@ -25,7 +33,7 @@ router.get('/selfservice/api', function (req, res) {
   
   router.get('/selfservice/api/logout', function (req, res) {
     req.logout();
-    res.redirect('/selfservice/api');
+    res.redirect('/selfservice');
   });
   
   router.get('/selfservice/api/login',
@@ -42,7 +50,7 @@ router.get('/selfservice/api', function (req, res) {
   });
   
   router.post('/selfservice/api/login/postResponse',
-    passport.authenticate('saml', { failureRedirect: '/selfservice/api',successRedirect: '/selfservice/api', failureFlash: true }),
+    passport.authenticate('saml', { failureRedirect: '/selfservice',successRedirect: '/selfservice', failureFlash: true }),
     function (req, res) {
       console.log('SAML authentication successful');
       res.redirect('/selfservice');

routes/ps_relation_parent.js

@@ -39,6 +39,18 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (!req.query.pairing_code) {
+        return res.status(400).send('Pairing code not provided');
+    }
+    if (!req.params.parent_upn) {
+        return res.status(400).send('Parent UPN not provided');
+    }
+    if (req.user.username !== req.params.parent_upn) {
+        return res.status(403).send('Forbidden, UPN mismatch');
+    }
+    if (req.user.userType !== directory.USER_TYPE.PARENT) {
+        return res.status(403).send('Forbidden, not a parent');
+    }
     let parent_upn = req.params.parent_upn;
     // Is the logged in user a parent with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response
@@ -63,10 +75,16 @@ router.get('/parent/:parent_upn/add-student', async function (req, res) {
     res.send('Student added');
 });
 
-router.get('/parent/:parent_upn', function (req, res) {
+router.get('/parent/:parent_upn', async function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.username !== req.params.parent_upn) {
+        return res.status(403).send('Forbidden, UPN mismatch');
+    }
+    if (req.user.userType !== directory.USER_TYPE.PARENT) {
+        return res.status(403).send('Forbidden, not a parent');
+    }
     let parent_upn = req.params.parent_upn;
     // Is the logged in user a parent with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response

routes/ps_relation_student.js

@@ -3,6 +3,7 @@
 let express = require('express');
 let router = express.Router();
 let passport = require('passport');
+let directory = require('../directory.js');
 let database = require('../config/database.js');
 let uuid = require('uuid');
 
@@ -24,6 +25,9 @@ router.get('/student/:upn/pairing-code', function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.userType !== directory.USER_TYPE.STUDENT) {
+        return res.status(403).send('Forbidden, not a student');
+    }
     let upn = req.params.upn;
     // Is the logged in user a student with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response
@@ -45,6 +49,9 @@ router.get('/student/:upn', function (req, res) {
     if(!req.isAuthenticated()) {
         return res.status(401).send('Unauthorized');
     }
+    if (req.user.userType !== directory.USER_TYPE.STUDENT) {
+        return res.status(403).send('Forbidden, not a student');
+    }
     let upn = req.params.upn;
     // Is the logged in user a student with the same UPN as the one in the URL?
     // If not, return a 403 Forbidden response