authorJannik Schönartz2019-02-26 03:46:36 +0100
committerJannik Schönartz2019-02-26 03:46:36 +0100
commitcf1b40542c41b3c78e83650e4e73e596c85ff160 (patch)
treed10d2f5061815e95fc56e43f1675eb127416e255 /server/lib/authentication.js
parent[webapp/groups] fix wrong tabbar color (diff)
[account] Fix for the changePassword method
User update changes didn't hash the new password correctly. changePassword reworked from promises to async / await (much cleaner). The check whether the usertable is empty is now a GET request and no longer mixed into the POST request.
Diffstat (limited to 'server/lib/authentication.js')
-rw-r--r--server/lib/authentication.js68
1 files changed, 38 insertions, 30 deletions
diff --git a/server/lib/authentication.js b/server/lib/authentication.js
index b9c87d1..9a91850 100644
--- a/server/lib/authentication.js
+++ b/server/lib/authentication.js
@@ -54,11 +54,15 @@ async function signup (req, res) {
var userPassword = Buffer.from(params.password)
// Register user
- const hash = await pwd.hash(userPassword)
- // if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ try {
+ var hash = await pwd.hash(userPassword)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
// Saving the non improved hash and creating the user in the db.
const newUser = await db.user.create({ username: params.username, password: hash, email: params.email, name: params.name })
+
// TODO: Username could also be used because those are unique as well.
var userId = newUser.id
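Review bot: `const newUser = await db.user.create(...)`, right after the new try/catch, is not guarded, so a rejected create (a constraint violation on username or email, if the schema declares one) escapes signup; Express 4 does not catch rejections from async handlers, so unless a wrapper elsewhere handles them the client gets no response. signup's body continues outside the hunk. The new `catch (error)` also drops the error, so a hashing failure leaves no trace for operators; `console.error('password hashing failed', error)` (or the project's logger) before the 500 would preserve it. The same silent catch appears in the changePassword hunk below.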
@@ -77,34 +81,38 @@ function logout (req, res) {
// Maybe use express-jwt and use the rewoke function.
}
-function changePassword (req, res) {
- // Check if the new password is different.
- if (req.body.passwordCurrent === req.body.passwordNew) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
-
+async function changePassword (req, res) {
// 1. Get the user and verify it's existence.
- db.user.findOne({ where: { id: req.params.id } }).then(user => {
- if (user) {
- const pwCurrent = Buffer.from(req.body.passwordCurrent)
- const pwNew = Buffer.from(req.body.passwordNew)
- // 2. Verify the current hast with the provided current password.
- verifyHash(res, pwCurrent, Buffer.from(user.password), user.id, () => {
- // 3. Check if the new provided password fullfills the requirements
- if (validatePassword(req.body.passwordNew)) {
- // 4. Calculate the new password hash.
- pwd.hash(pwNew, (err, hash) => {
- if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
- // 5. Write the hash in the db
- user.update({ password: hash }).then(() => {
- // 6. Verify & improving the hash.
- verifyHash(res, pwNew, hash, user.id, () => {
- res.status(200).send({ auth: true, status: 'VALID' })
- })
- })
- })
- } else res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
- })
- } else res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
- })
+ let user = await db.user.findOne({ where: { id: req.params.id } })
+ if (!user) return res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
+
+ const pwNew = Buffer.from(req.body.password)
+
+ // 2. Only if the current password is set we have to check if it's valid.
+ // This is because root can set passwords witout having the old ones.
+ // But the authentication if you can call this function without the currentPasswords needs to be in the API.
+ if (req.body.passwordCurrent) {
+ // Verify the current hast with the provided current password.
+ const pwCurrent = Buffer.from(req.body.passwordCurrent)
+ await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id)
+ }
+
+ // 3. Check if the new provided password fullfills the requirements
+ if (!validatePassword(req.body.password)) return res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
+
+ // 4. Calculate the new password hash.
+ try {
+ var hash = await pwd.hash(pwNew)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
+
+ // 5. Write the hash in the dbW
+ await user.update({ password: hash })
+
+ // 6. Verify & improving the hash.
+ await verifyHash(res, pwNew, hash, user.id)
+ res.status(200).send({ auth: true, status: 'VALID' })
}
// Middleware function.
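Review bot: The current-password check at `await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id)` does not stop changePassword when verification fails: verifyHash sends its own error response and returns (the last hunk shows it is a plain function whose callback now defaults to a no-op, and the corrupted-hash branch returns the 401 send; the mismatch branch is outside SOURCE but presumably behaves the same), so execution continues to `await user.update({ password: hash })` and the new password is stored even though the supplied current password was wrong, after which the final send fails with headers already sent. The old code only ran the update inside verifyHash's success callback, so this is a regression introduced here. verifyHash should resolve to a boolean — true only when the password verified, false after it has sent its error response — and the caller should check it: `if (!(await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id))) return`; the re-verification after the update needs the same guard. Note also that the request field changed from `passwordNew` to `password` and the "must differ from the current password" check was dropped; both deserve a mention in the commit message if intended.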
@@ -185,7 +193,7 @@ function verifyUser (res, username, password, callback) {
}
// The verify hash function from the secure-passwords with error handling.
-function verifyHash (res, password, hash, userId, callback) {
+function verifyHash (res, password, hash, userId, callback = () => {}) {
// Check if the hash in the database fullfills the requirements needed for pwd.verify.
// Hash will be a Buffer of length SecurePassword.HASH_BYTES.
if (hash.length !== securePassword.HASH_BYTES) return res.status(401).send({ auth: false, status: 'DATABASE_HASH_INVALID', error_message: 'The hash in the database is corrupted.' })