summaryrefslogtreecommitdiffstats
path: root/server
diff options
context:
space:
mode:
Diffstat (limited to 'server')
-rw-r--r--server/api/authentication.js13
-rw-r--r--server/api/users.js18
-rw-r--r--server/lib/authentication.js68
3 files changed, 64 insertions, 35 deletions
diff --git a/server/api/authentication.js b/server/api/authentication.js
index 18158ce..60b04f9 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -5,6 +5,14 @@ var express = require('express')
var noAuthRouter = express.Router()
var authentication = require(path.join(__appdir, 'lib', 'authentication'))
+// Setup method for checking if setup is possible.
+noAuthRouter.get('/setup', (req, res) => {
+ db.user.findAll().then(users => {
+ if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
+ else res.send({ status: 'SUCCESS' })
+ })
+})
+
noAuthRouter.post('/token', (req, res) => {
authentication.loginToken(req, res)
})
@@ -20,9 +28,8 @@ noAuthRouter.post('/logout', (req, res) => {
// Setup method for creating the initial root account.
noAuthRouter.post('/setup', (req, res) => {
db.user.findAll().then(users => {
- if (users.length > 0) res.status(500).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
- else if (req.body.username) return authentication.signup(req, res)
- else res.send({ status: 'SUCCESS' })
+ if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
+ else authentication.signup(req, res)
})
})
diff --git a/server/api/users.js b/server/api/users.js
index 663f88e..c5eb822 100644
--- a/server/api/users.js
+++ b/server/api/users.js
@@ -71,7 +71,17 @@ router.postAsync(['/', '/:id'], async (req, res) => {
else {
let user
user = await db.user.findOne({ where: { id: req.params.id } })
- if (user) await user.update(req.body)
+ if (user) {
+ await user.update({
+ username: req.body.username,
+ name: req.body.name,
+ email: req.body.email
+ })
+
+ if (req.body.password) {
+ return authentication.changePassword(req, res)
+ }
+ }
res.status(200).end()
}
}
@@ -79,7 +89,11 @@ router.postAsync(['/', '/:id'], async (req, res) => {
// Post request for changing the password.
router.post('/:id/password', (req, res) => {
- authentication.changePassword(req, res)
+ // Check if passwords are set.
+ if (req.body.passwordCurrent && req.body.password) {
+ if (req.body.passwordCurrent === req.body.password) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
+ return authentication.changePassword(req, res)
+ } else res.status(400).send({ auth: false, status: 'PASSWORD_MISSING', error_message: 'This service requires the current and the new password.' })
})
// Post request for chaning the user info. (name, email)
diff --git a/server/lib/authentication.js b/server/lib/authentication.js
index b9c87d1..9a91850 100644
--- a/server/lib/authentication.js
+++ b/server/lib/authentication.js
@@ -54,11 +54,15 @@ async function signup (req, res) {
var userPassword = Buffer.from(params.password)
// Register user
- const hash = await pwd.hash(userPassword)
- // if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ try {
+ var hash = await pwd.hash(userPassword)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
// Saving the non improved hash and creating the user in the db.
const newUser = await db.user.create({ username: params.username, password: hash, email: params.email, name: params.name })
+
// TODO: Username could also be used because those are unique as well.
var userId = newUser.id
@@ -77,34 +81,38 @@ function logout (req, res) {
// Maybe use express-jwt and use the rewoke function.
}
-function changePassword (req, res) {
- // Check if the new password is different.
- if (req.body.passwordCurrent === req.body.passwordNew) return res.status(500).send({ auth: false, status: 'PASSWORD_ERROR', error_message: 'The provided password must be different than the old password.' })
-
+async function changePassword (req, res) {
// 1. Get the user and verify it's existence.
- db.user.findOne({ where: { id: req.params.id } }).then(user => {
- if (user) {
- const pwCurrent = Buffer.from(req.body.passwordCurrent)
- const pwNew = Buffer.from(req.body.passwordNew)
- // 2. Verify the current hast with the provided current password.
- verifyHash(res, pwCurrent, Buffer.from(user.password), user.id, () => {
- // 3. Check if the new provided password fullfills the requirements
- if (validatePassword(req.body.passwordNew)) {
- // 4. Calculate the new password hash.
- pwd.hash(pwNew, (err, hash) => {
- if (err) return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
- // 5. Write the hash in the db
- user.update({ password: hash }).then(() => {
- // 6. Verify & improving the hash.
- verifyHash(res, pwNew, hash, user.id, () => {
- res.status(200).send({ auth: true, status: 'VALID' })
- })
- })
- })
- } else res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
- })
- } else res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
- })
+ let user = await db.user.findOne({ where: { id: req.params.id } })
+ if (!user) return res.send({ status: 'INVALID_USER', error_message: 'There is no user with the provided id.' })
+
+ const pwNew = Buffer.from(req.body.password)
+
+ // 2. Only if the current password is set we have to check if it's valid.
+ // This is because root can set passwords witout having the old ones.
+ // But the authentication if you can call this function without the currentPasswords needs to be in the API.
+ if (req.body.passwordCurrent) {
+ // Verify the current hast with the provided current password.
+ const pwCurrent = Buffer.from(req.body.passwordCurrent)
+ await verifyHash(res, pwCurrent, Buffer.from(user.password), user.id)
+ }
+
+ // 3. Check if the new provided password fullfills the requirements
+ if (!validatePassword(req.body.password)) return res.send({ status: 'PASSWORD_REQUIREMENTS', error_message: 'The provided password doesn\'t fullfill the requirements' })
+
+ // 4. Calculate the new password hash.
+ try {
+ var hash = await pwd.hash(pwNew)
+ } catch (error) {
+ return res.status(500).send({ auth: false, status: 'PASSWORD_HASH_ERROR', error_message: 'Hashing the password failed.' })
+ }
+
+ // 5. Write the hash in the dbW
+ await user.update({ password: hash })
+
+ // 6. Verify & improving the hash.
+ await verifyHash(res, pwNew, hash, user.id)
+ res.status(200).send({ auth: true, status: 'VALID' })
}
// Middleware function.
@@ -185,7 +193,7 @@ function verifyUser (res, username, password, callback) {
}
// The verify hash function from the secure-passwords with error handling.
-function verifyHash (res, password, hash, userId, callback) {
+function verifyHash (res, password, hash, userId, callback = () => {}) {
// Check if the hash in the database fullfills the requirements needed for pwd.verify.
// Hash will be a Buffer of length SecurePassword.HASH_BYTES.
if (hash.length !== securePassword.HASH_BYTES) return res.status(401).send({ auth: false, status: 'DATABASE_HASH_INVALID', error_message: 'The hash in the database is corrupted.' })