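"use strict";

/*
 * Minimal prototype-pollution demo: an unsanitised query string is turned into
 * argv-style tokens and fed to minimist(), and a later authorisation check
 * trusts a property that was never set on the user record itself.
 *
 * DELIBERATELY VULNERABLE - do not deploy. Only two things are hardened below:
 * the input-shape guard on /parse (so a malformed request yields a 400 rather
 * than an unhandled TypeError) and the own-property check in the /login log
 * line. The pollution source (minimist) and sink (user.isAdmin) are left as-is
 * so the attack can be reproduced. It only reproduces against a minimist build
 * that still honours "__proto__" keys; pin such a version in package.json.
 */
const express = require("express");
const minimist = require("minimist");

const app = express();

/* Simulated user database. Plaintext credentials - demo only; a real store hashes passwords. */
const users = [{ username: "zen", password: "123" }];

/*
 * Pollution SOURCE.
 *   GET /parse?payload=--__proto__.isAdmin%20true
 * splits the raw query on spaces and hands the tokens to minimist, which (in an
 * affected version) writes `isAdmin` onto Object.prototype.
 * Fix for real code: upgrade minimist and/or reject keys such as "__proto__",
 * "constructor" and "prototype" before parsing.
 */
app.get("/parse", (req, res) => {
  const { payload } = req.query;

  // Guard, not a fix: when ?payload is absent or repeated (?payload=a&payload=b)
  // Express yields undefined or an array, and `.split` would throw a 500.
  if (typeof payload !== "string") {
    return res.status(400).send("payload must be a single string");
  }

  const args = payload.split(" ");
  console.log("ARGS:", args);

  // VULNERABLE: untrusted argv reaches minimist. The return value is discarded
  // because the side effect on Object.prototype is the point of the demo.
  minimist(args);

  // A fresh literal inherits from Object.prototype, so this line shows the pollution.
  console.log("GLOBAL isAdmin:", {}.isAdmin);
  res.send("Arguments parsed");
});

/*
 * Pollution SINK.
 *   POST /login  {"username":"zen","password":"123"}
 * On a credential match the role depends on user.isAdmin, which is never set on
 * the record itself and therefore resolves through the prototype chain.
 */
app.post("/login", express.json(), (req, res) => {
  // express.json() may leave req.body undefined on an empty body; don't destructure it blindly.
  const { username, password } = req.body ?? {};

  // NOTE: `===` on secrets is not constant-time; acceptable for a demo, but real
  // code compares password hashes with crypto.timingSafeEqual.
  const user = users.find(
    (u) => u.username === username && u.password === password,
  );
  if (!user) {
    return res.json({ success: false });
  }

  // Object.hasOwn (Node >= 16.9) instead of user.hasOwnProperty: the latter is
  // itself inherited from Object.prototype and can be clobbered by the same
  // pollution (e.g. --__proto__.hasOwnProperty x).
  console.log("Own property:", Object.hasOwn(user, "isAdmin"));
  console.log("user.isAdmin:", user.isAdmin);

  // VULNERABLE: truthy check on an inherited value. Fix:
  //   if (Object.hasOwn(user, "isAdmin") && user.isAdmin === true)
  // or keep roles in a Map / Object.create(null) store that has no prototype.
  if (user.isAdmin) {
    return res.json({ success: true, role: "ADMIN" });
  }
  res.json({ success: true, role: "USER" });
});

app.listen(3000, () => {
  console.log("Server running on port 3000");
});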