From 6471511909de79c1f3739ba9d6a5b45b7eb1fadb Mon Sep 17 00:00:00 2001
From: Jannik Schönartz
Date: Mon, 4 Mar 2019 00:14:38 +0000
Subject: [authentication] Restructure api to match our new error code standard
Moved most of the res.send from the lib to the api Fixed frontend to match the new api
---
 server/api/authentication.js | 55 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 48 insertions(+), 7 deletions(-)
(limited to 'server/api/authentication.js')
diff --git a/server/api/authentication.js b/server/api/authentication.js
index 60b08a1..2aa5101 100644
--- a/server/api/authentication.js
+++ b/server/api/authentication.js
@@ -14,29 +14,70 @@ noAuthRouter.get('/setup', (req, res) => {
   })
 })
-noAuthRouter.post('/token', (req, res) => {
-  authentication.loginToken(req, res)
+// Authentification method for the API using the authorization header. (GET)
+noAuthRouter.postAsync('/token', async (req, res) => {
+  const body = req.body
+  const result = await authentication.verifyUser(body.username, body.password)
+  const code = result.code
+  delete result.code
+  return res.status(code).send(result)
 })
-noAuthRouter.post('/login', (req, res) => {
-  authentication.loginCookie(req, res)
+/*
+ * username
+ * password
+ *
+ * @return: Return an object with the jwt. { token: }
+ */
+noAuthRouter.postAsync('/cookies', async (req, res) => {
+  const body = req.body
+  const result = await authentication.verifyUser(body.username, body.password)
+  const code = result.code
+  delete result.code
+  if (code !== 200) return res.status(code).send(result)
+  else {
+    // The token has the form header.payload.signature
+    // We split the cookie in header.payload and signature in two seperate cookies.
+    // The signature cookie is httpOnly so JavaScript never has access to the full cookie.
+    // Read more at: https://medium.com/lightrail/getting-token-authentication-right-in-a-stateless-single-page-application-57d0c6474e3
+    const split = result.token.split('.')
+    const headerPayload = split[0] + '.' + split[1]
+    const signature = split[2]
+    res.cookie('jwt_hp', headerPayload, { secure: true, httpOnly: false, sameSite: 'strict' })
+    res.cookie('jwt_s', signature, { secure: true, httpOnly: true, sameSite: 'strict' })
+    return res.send()
+  }
 })
+// Logout method for the frontend. Deleting the cookies by overwriting them.
 noAuthRouter.post('/logout', (req, res) => {
-  authentication.logout(req, res)
+  // End session properly.
+  res.clearCookie('jwt_hp')
+  res.clearCookie('jwt_s')
+  // TODO: blacklisting jwt ?
+  // authentication.logout()
+  // TODO: Implement.. blacklisting for jwt's and destroy the cookies..
+  // Maybe use express-jwt and use the rewoke function.
+  return res.status(200).send()
 })
 // Setup method for creating the initial root account.
 noAuthRouter.postAsync('/setup', async (req, res) => {
+  const body = req.body
   const users = await db.user.findAll()
   if (users.length > 0) res.status(403).send({ status: 'USERTABLE_NOT_EMPTY', error_message: 'The user table is not empty, unauthorized creation is forbidden.' })
   else {
-    const user = await authentication.signup(req, res)
+    const result = await authentication.signup(body)
+    const code = result.code
+    delete result.code
+    if (result.error) return res.status(code).send(result)
+
+    const user = await db.user.findOne({ where: { id: result.id } })
     const roleDb = await db.role.create({ name: user.username, descr: 'Superadmin' })
     const permission = await db.permission.findOne({ where: { name: 'superadmin' } })
     await roleDb.addPermissions(permission.id)
     await user.addRoles(roleDb.id)
-    res.status(200).send({ auth: true, status: 'VALID' })
+    res.send()
   }
 })
-- cgit v1.2.3-55-g7522
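Review bot: The `/setup` route still checks and then acts: `db.user.findAll()` runs before `authentication.signup(body)`, so two concurrent first requests can both see an empty table and both end up with an account holding a role that carries the `superadmin` permission. The empty-table check and the account creation should run in one database transaction that locks the user table (if `db` is the usual Sequelize model index this is `db.sequelize.transaction(...)` with both calls inside), or failing that behind an in-process lock so only one request can win; it is also worth confirming that `signup` rejects a duplicate username, since that would be the last line of defence. Separately, the comment above `/token` says `(GET)` and "using the authorization header", but the route is registered with `postAsync` and reads `body.username`/`body.password`; I'd replace it with `// Login for API clients (POST): credentials come in the JSON body, the JWT is returned in the response body.`. The `/logout` handler only drops the two cookies, so a JWT already read from `jwt_hp`/`jwt_s` remains valid until it expires — the TODO there is the right follow-up and deserves a tracked ticket rather than a comment.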