authorJannik Schönartz2019-03-04 01:14:38 +0100
committerJannik Schönartz2019-03-04 01:14:38 +0100
commit6471511909de79c1f3739ba9d6a5b45b7eb1fadb (patch)
treeb0702eae88cea3ce8fff89f1fa2f91849e79e1ee /server/api/authentication.js
parent[webapp] add option to disable all animations (diff)
[authentication] Restructure api to match our new error code standard
Moved most of the res.send calls from the lib to the api. Fixed the frontend to match the new api.
Diffstat (limited to 'server/api/authentication.js')
-rw-r--r--server/api/authentication.js55
1 files changed, 48 insertions, 7 deletions
diff --git a/server/api/authentication.js b/server/api/authentication.js
index 60b08a1..2aa5101 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -14,29 +14,70 @@ noAuthRouter.get('/setup', (req, res) => {
})
})
-noAuthRouter.post('/token', (req, res) => {
- authentication.loginToken(req, res)
+// Authentification method for the API using the authorization header. (GET)
+noAuthRouter.postAsync('/token', async (req, res) => {
+ const body = req.body
+ const result = await authentication.verifyUser(body.username, body.password)
+ const code = result.code
+ delete result.code
+ return res.status(code).send(result)
})
-noAuthRouter.post('/login', (req, res) => {
- authentication.loginCookie(req, res)
+/*
+ * username
+ * password
+ *
+ * @return: Return an object with the jwt. { token:<TOKEN> }
+ */
+noAuthRouter.postAsync('/cookies', async (req, res) => {
+ const body = req.body
+ const result = await authentication.verifyUser(body.username, body.password)
+ const code = result.code
+ delete result.code
+ if (code !== 200) return res.status(code).send(result)
+ else {
+ // The token has the form header.payload.signature
+ // We split the cookie in header.payload and signature in two seperate cookies.
+ // The signature cookie is httpOnly so JavaScript never has access to the full cookie.
+ // Read more at: https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3
+ const split = result.token.split('.')
+ const headerPayload = split[0] + '.' + split[1]
+ const signature = split[2]
+ res.cookie('jwt_hp', headerPayload, { secure: true, httpOnly: false, sameSite: 'strict' })
+ res.cookie('jwt_s', signature, { secure: true, httpOnly: true, sameSite: 'strict' })
+ return res.send()
+ }
})
+// Logout method for the frontend. Deleting the cookies by overwriting them.
noAuthRouter.post('/logout', (req, res) => {
- authentication.logout(req, res)
+ // End session properly.
+ res.clearCookie('jwt_hp')
+ res.clearCookie('jwt_s')
+ // TODO: blacklisting jwt ?
+ // authentication.logout()
+ // TODO: Implement.. blacklisting for jwt's and destroy the cookies..
+ // Maybe use express-jwt and use the rewoke function.
+ return res.status(200).send()
})
// Setup method for creating the initial root account.
noAuthRouter.postAsync('/setup', async (req, res) => {
+ const body = req.body
const users = await db.user.findAll()
if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
else {
- const user = await authentication.signup(req, res)
+ const result = await authentication.signup(body)
+ const code = result.code
+ delete result.code
+ if (result.error) return res.status(code).send(result)
+
+ const user = await db.user.findOne({ where: { id: result.id } })
const roleDb = await db.role.create({ name: user.username, descr: 'Superadmin' })
const permission = await db.permission.findOne({ where: { name: 'superadmin' } })
await roleDb.addPermissions(permission.id)
await user.addRoles(roleDb.id)
- res.status(200).send({ auth: true, status: 'VALID' })
+ res.send()
}
})
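Review bot: `res.clearCookie('jwt_hp')` and `res.clearCookie('jwt_s')` in `/logout` are called without the options the cookies were set with in `/cookies` (`secure: true`, `sameSite: 'strict'`, and `httpOnly` for `jwt_s`); Express documents that clients only clear a cookie when the attributes match apart from `expires`/`maxAge`, so logout may leave both cookies in place. Suggested: `res.clearCookie('jwt_hp', { secure: true, httpOnly: false, sameSite: 'strict' })` and `res.clearCookie('jwt_s', { secure: true, httpOnly: true, sameSite: 'strict' })`, ideally taken from one shared options constant that `/cookies` uses too. The comment on the `/token` route disagrees with the code: it says "(GET)" and "using the authorization header", but the handler is registered with `postAsync` and reads `username`/`password` from `req.body`; `// Authentication for the API (POST): verifies the credentials in the request body and returns { token }` would match. Both `/token` and `/cookies` repeat the same `verifyUser` / `const code = result.code` / `delete result.code` sequence, which could be one small helper so the two stay in sync. The `/setup` route's `users.length > 0` guard and the later `signup` are not atomic, so two concurrent setup requests could presumably both pass the check; that logic predates this commit, but the new code path inherits it and a unique constraint or a transaction would close it.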