authorJannik Schönartz2019-02-23 06:37:14 +0100
committerJannik Schönartz2019-02-23 06:37:14 +0100
commitd2e1a80e2c7a4d807cb30899c0f2f20127396687 (patch)
tree1d648a3302acc9815404b2ed375b90f0dc518841 /server/lib/authentication.js
parent[webapp/router] Fix forwarding bug while loggedout calling / (diff)
[Account] Add password change functionality
[server] Remove hashed password from userinfo api. Implement change password function. [webapp] Fix z-index for the fixed tab bar (udo). Implement userinfo and change password in the account module
Diffstat (limited to 'server/lib/authentication.js')
-rw-r--r--server/lib/authentication.js36
1 files changed, 31 insertions, 5 deletions
diff --git a/server/lib/authentication.js b/server/lib/authentication.js
index 76e8b60..7b616d4 100644
--- a/server/lib/authentication.js
+++ b/server/lib/authentication.js
@@ -11,7 +11,7 @@ module.exports = { loginCookie, loginToken, logout, verifyToken, signup, changeP
// Authentifivation method for the frontend using secure httpOnly cookies. (POST)
function loginCookie (req, res) {
var params = req.body
- verifyUser(res, params.username, params.password, function (token) {
+ verifyUser(res, params.username, params.password, token => {
// The token has the form header.payload.signature
// We split the cookie in header.payload and signature in two seperate cookies.
// The signature cookie is httpOnly so JavaScript never has access to the full cookie.
@@ -55,7 +55,7 @@ function signup (req, res) {
pwd.hash(userPassword, function (err, hash) {
if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
// Saving the non improved hash and creating the user in the db.
- db.user.create({ username: params.username, password: hash, email: params.email, name: params.name }).then((userDb) => {
+ db.user.create({ username: params.username, password: hash, email: params.email, name: params.name }).then(userDb => {
// TODO: Username could also be used because those are unique as well.
var userId = userDb.id
// Verify & improving the hash.
@@ -78,7 +78,33 @@ function logout (req, res) {
}
function changePassword (req, res) {
- // TODO: IMPLEMENT
+ // Check if the new password is different.
+ if (req.body.passwordCurrent === req.body.passwordNew) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
+
+ // 1. Get the user and verify it's existence.
+ db.user.findOne({ where: { id: req.params.id } }).then(user => {
+ if (user) {
+ const pwCurrent = Buffer.from(req.body.passwordCurrent)
+ const pwNew = Buffer.from(req.body.passwordNew)
+ // 2. Verify the current hast with the provided current password.
+ verifyHash(res, pwCurrent, Buffer.from(user.password), user.id, () => {
+ // 3. Check if the new provided password fullfills the requirements
+ if (validatePassword(req.body.passwordNew)) {
+ // 4. Calculate the new password hash.
+ pwd.hash(pwNew, (err, hash) => {
+ if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ // 5. Write the hash in the db
+ user.update({ password: hash }).then(() => {
+ // 6. Verify & improving the hash.
+ verifyHash(res, pwNew, hash, user.id, () => {
+ res.status(200).send({ auth: true, status: 'VALID' })
+ })
+ })
+ })
+ } else res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
+ })
+ } else res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
+ })
}
// Middleware function.
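Review bot: The new changePassword body has no rejection handler on either promise chain and no guard on the request body, so a request missing `passwordCurrent` or `passwordNew` (or sending a non-string) makes `Buffer.from` throw inside the `.then` callback, which becomes an unhandled rejection and a request that never receives a response; a `typeof` check on both fields before the same-password comparison and a `.catch` on the `db.user.findOne` chain (the nested `user.update` chain needs its own) would close that. The same-password check also answers 500 for what is a client error, while the INVALID_USER and PASSWORD_REQUIREMENTS branches send an implicit 200 with an error body — `res.status(400)` on all three would be consistent with the rest of the file's explicit status codes. Separately, the target account comes from `req.params.id` and nothing in the hunk ties it to the authenticated principal; if the route relies on verifyToken alone, confirm the id is taken from (or compared against) the verified token's user rather than the URL. The status name in the catch below is constructed and should follow the project's convention.
```javascript
function changePassword (req, res) {
  const { passwordCurrent, passwordNew } = req.body
  // Reject missing or non-string fields before Buffer.from() can throw inside the promise chain.
  if (typeof passwordCurrent !== 'string' || typeof passwordNew !== 'string') return res.status(400).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The current and the new password must both be provided.' })
  // Check if the new password is different.
  if (passwordCurrent === passwordNew) return res.status(400).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })

  db.user.findOne({ where: { id: req.params.id } }).then(user => {
    // … unchanged: user lookup, verifyHash, validatePassword, pwd.hash, user.update …
  }).catch(() => res.status(500).send({ auth: false, status: 'DB_ERROR', error_message: 'Looking up the user failed.' }))
}
```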
@@ -100,7 +126,7 @@ function verifyToken (req, res, next) {
}
// Verify the token with the secret.
- jwt.verify(token, config.secret, function (err) {
+ jwt.verify(token, config.secret, err => {
if (err) {
if (res) return res.status(500).send({ auth: false, status: 'TOKEN_INVALID', error_message: 'The provided token is invalid.' })
else return next(new Error('TOKEN_INVALID'))
@@ -136,7 +162,7 @@ function verifyUser (res, username, password, callback) {
var hash = Buffer.from(userDb.password)
// Verify & improving the hash.
- verifyHash(res, userPassword, hash, user.id, function () {
+ verifyHash(res, userPassword, hash, user.id, () => {
jwt.sign({ user }, config.secret, { expiresIn: '12h' }, (err, token) => {
if (err) return res.status(500).send({ auth: false, status: 'JWT_ERROR', error_message: 'Jwt sign failed.' })
return callback(token)