codex.docs/src/routes/auth.js

require('dotenv').config();

const express = require('express');
const bodyParser = require('body-parser');
const jwt = require('jsonwebtoken');
const router = express.Router();
const Users = require('../controllers/users');
const config = require('../../config/index');
const bcrypt = require('bcrypt');
const csrf = require('csurf');
const csrfProtection = csrf({ cookie: true });
const parseForm = bodyParser.urlencoded({ extended: false });

/**
 * Authorization page
 */
router.get('/auth', csrfProtection, function (req, res) {
  res.render('auth', {
    title: 'Login page',
    header: 'Enter password',
    csrfToken: req.csrfToken()
  });
});

/**
 * Process given password
 */
router.post('/auth', parseForm, csrfProtection, async (req, res) => {
  let userDoc = await Users.get();

  const passHash = userDoc.passHash;

  bcrypt.compare(req.body.password, passHash, async (err, result) => {
    if (err || result === false) {
      res.render('auth', {
        title: 'Login page',
        header: 'Wrong password',
        csrfToken: req.csrfToken()
      });
    }

    const token = jwt.sign({
      'iss': 'Codex Team',
      'sub': 'auth',
      'iat': Date.now()
    }, passHash + config.secret);

    res.cookie('authToken', token, { httpOnly: true });

    res.redirect('/');
  });
});

module.exports = router;
Authentication (#22) * Authorization added * added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized * added dbinsert script * turned verifyToken to middleware, added description for dbinsert, added hidden csrf field in auth form * added middlewares, user model and controller * JSDoc fix * wrong password processing fix * added comments to dbinsert script, moved salt and passHash to singe db doc * Moved salt to .env, upgradedscript for generating password was, fixed comments and JSDoc * Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpyOnly property to jwt cookie 2019-03-06 13:22:57 +03:00			`require('dotenv').config();`

			`const express = require('express');`
			`const bodyParser = require('body-parser');`
			`const jwt = require('jsonwebtoken');`
			`const router = express.Router();`
			`const Users = require('../controllers/users');`
			`const config = require('../../config/index');`
			`const bcrypt = require('bcrypt');`
			`const csrf = require('csurf');`
			`const csrfProtection = csrf({ cookie: true });`
			`const parseForm = bodyParser.urlencoded({ extended: false });`

			`/**`
			`* Authorization page`
			`*/`
			`router.get('/auth', csrfProtection, function (req, res) {`
			`res.render('auth', {`
			`title: 'Login page',`
			`header: 'Enter password',`
			`csrfToken: req.csrfToken()`
			`});`
			`});`

			`/**`
			`* Process given password`
			`*/`
			`router.post('/auth', parseForm, csrfProtection, async (req, res) => {`
			`let userDoc = await Users.get();`

			`const passHash = userDoc.passHash;`

			`bcrypt.compare(req.body.password, passHash, async (err, result) => {`
			`if (err \|\| result === false) {`
			`res.render('auth', {`
			`title: 'Login page',`
			`header: 'Wrong password',`
			`csrfToken: req.csrfToken()`
			`});`
			`}`

			`const token = jwt.sign({`
			`'iss': 'Codex Team',`
			`'sub': 'auth',`
			`'iat': Date.now()`
			`}, passHash + config.secret);`

			`res.cookie('authToken', token, { httpOnly: true });`

			`res.redirect('/');`
			`});`
			`});`

			`module.exports = router;`