Diffstat (limited to 'server/api/authentication.js')
-rw-r--r--server/api/authentication.js55
1 files changed, 48 insertions, 7 deletions
diff --git a/server/api/authentication.js b/server/api/authentication.js
index 60b08a1..2aa5101 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -14,29 +14,70 @@ noAuthRouter.get('/setup', (req, res) => {
})
})
-noAuthRouter.post('/token', (req, res) => {
- authentication.loginToken(req, res)
+// Authentification method for the API using the authorization header. (GET)
+noAuthRouter.postAsync('/token', async (req, res) => {
+ const body = req.body
+ const result = await authentication.verifyUser(body.username, body.password)
+ const code = result.code
+ delete result.code
+ return res.status(code).send(result)
})
-noAuthRouter.post('/login', (req, res) => {
- authentication.loginCookie(req, res)
+/*
+ * username
+ * password
+ *
+ * @return: Return an object with the jwt. { token:<TOKEN> }
+ */
+noAuthRouter.postAsync('/cookies', async (req, res) => {
+ const body = req.body
+ const result = await authentication.verifyUser(body.username, body.password)
+ const code = result.code
+ delete result.code
+ if (code !== 200) return res.status(code).send(result)
+ else {
+ // The token has the form header.payload.signature
+ // We split the cookie in header.payload and signature in two seperate cookies.
+ // The signature cookie is httpOnly so JavaScript never has access to the full cookie.
+ // Read more at: https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3
+ const split = result.token.split('.')
+ const headerPayload = split[0] + '.' + split[1]
+ const signature = split[2]
+ res.cookie('jwt_hp', headerPayload, { secure: true, httpOnly: false, sameSite: 'strict' })
+ res.cookie('jwt_s', signature, { secure: true, httpOnly: true, sameSite: 'strict' })
+ return res.send()
+ }
})
+// Logout method for the frontend. Deleting the cookies by overwriting them.
noAuthRouter.post('/logout', (req, res) => {
- authentication.logout(req, res)
+ // End session properly.
+ res.clearCookie('jwt_hp')
+ res.clearCookie('jwt_s')
+ // TODO: blacklisting jwt ?
+ // authentication.logout()
+ // TODO: Implement.. blacklisting for jwt's and destroy the cookies..
+ // Maybe use express-jwt and use the rewoke function.
+ return res.status(200).send()
})
// Setup method for creating the initial root account.
noAuthRouter.postAsync('/setup', async (req, res) => {
+ const body = req.body
const users = await db.user.findAll()
if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
else {
- const user = await authentication.signup(req, res)
+ const result = await authentication.signup(body)
+ const code = result.code
+ delete result.code
+ if (result.error) return res.status(code).send(result)
+
+ const user = await db.user.findOne({ where: { id: result.id } })
const roleDb = await db.role.create({ name: user.username, descr: 'Superadmin' })
const permission = await db.permission.findOne({ where: { name: 'superadmin' } })
await roleDb.addPermissions(permission.id)
await user.addRoles(roleDb.id)
- res.status(200).send({ auth: true, status: 'VALID' })
+ res.send()
}
})
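Review bot: The `/logout` handler clears `jwt_hp` and `jwt_s` without the options they were set with, and Express documents that clients only clear a cookie when the options given to `clearCookie()` match those given to `res.cookie()` (excluding `expires`/`maxAge`), so the logout may leave the cookies in place; mirror the `/cookies` handler with `res.clearCookie('jwt_hp', { secure: true, httpOnly: false, sameSite: 'strict' })` and `res.clearCookie('jwt_s', { secure: true, httpOnly: true, sameSite: 'strict' })`. Even with that fixed, the signed JWT itself stays valid until its own expiry, which the existing TODO already acknowledges, so the cookie clearing should not be described to the frontend as "End session properly" until revocation exists. The block comment above `/cookies` still says `@return: Return an object with the jwt. { token:<TOKEN> }`, but the handler sends an empty body and sets two cookies instead; the comment above `/token` says "(GET)" while the route is a `postAsync` — both comments should describe what the handlers actually do, e.g. `// Login for the frontend: sets jwt_hp (readable) and jwt_s (httpOnly) cookies, empty body on success.` and `// Authentication for the API: returns { token } in the body. (POST)`. Separately, and presumably pre-existing, `/setup` does a `findAll` check followed by a later `signup`, so two concurrent setup requests could both pass the empty-table check and each create a superadmin; a unique constraint or a transaction around the check-and-create would close that window.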