From 5054d356fa8aba08f002168386c5d32e3d68120a Mon Sep 17 00:00:00 2001
From: timakasucces
Date: Sat, 19 Jan 2019 20:44:15 +0300
Subject: [PATCH] added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized
---
 config/index.js | 3 +-
 package.json | 1 +
 src/routes/auth.js | 8 ++++--
 src/routes/home.js | 13 ++-------
 src/routes/middlewares/token.js | 18 +++++++-----
 src/routes/pages.js | 47 ++++++++++++--------------------
 src/views/components/header.twig | 2 --
 src/views/pages/page.twig | 4 ---
 yarn.lock | 21 +++++++++++++-
 9 files changed, 59 insertions(+), 58 deletions(-)
diff --git a/config/index.js b/config/index.js
index 42e364b..47bff79 100644
--- a/config/index.js
+++ b/config/index.js
@@ -15,7 +15,8 @@ if (fs.existsSync(path.resolve(__dirname, configPath))) {
 } else {
 config = {
 database: '.db',
- port: 3000
+ port: 3000,
+ secret: 'secret'
 };
 }
diff --git a/package.json b/package.json
index d554c3c..9b3547d 100644
--- a/package.json
+++ b/package.json
@@ -21,6 +21,7 @@
 "express": "~4.16.0",
 "http-errors": "~1.7.1",
 "jsonwebtoken": "^8.4.0",
+ "md5": "^2.2.1",
 "module-dispatcher": "^1.0.2",
 "morgan": "~1.9.0",
 "multer": "^1.3.1",
diff --git a/src/routes/auth.js b/src/routes/auth.js
index 63a6060..ca15acb 100644
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@@ -2,6 +2,8 @@ const express = require('express');
 const router = express.Router();
 const { password: db } = require('../utils/database/index');
 const jwt = require('jsonwebtoken');
+const config = require('../../config/index');
+const md5 = require('md5');
 /* GET authorization page. */
 router.get('/auth', function (req, res, next) {
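Review bot: The fallback `secret: 'secret'` is a fixed, publicly readable value, and it becomes part of the JWT signing key whenever no config file exists at configPath (auth.js signs with `passwordDoc.password + config.secret`), so the only non-public component of the key is the stored password digest. A default like this should not be able to reach a running deployment: have the fallback branch read the value from the environment and refuse to start when it is absent, e.g. `secret: process.env.JWT_SECRET` (placeholder variable name) followed by a check that throws when it is undefined. At minimum add a comment on this line, `// development fallback only — never deploy with this value`, so the intent is visible to whoever copies this object into a real config file.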
@@ -9,20 +11,20 @@ router.get('/auth', function (req, res, next) {
 });
 router.post('/auth', async (req, res) => {
- const passwordDoc = await db.findOne({password: req.body.password});
+ const passwordDoc = await db.findOne({password: md5(req.body.password)});
 if (passwordDoc !== null) {
 const token = jwt.sign({
 'iss': 'Codex Team',
 'sub': 'auth',
 'iat': Date.now()
- }, passwordDoc.password);
+ }, passwordDoc.password + config.secret);
 res.cookie('authToken', token);
 res.redirect('/');
 } else {
- res.render('auth', { title: 'Login page', header: 'Wrong password!
Try once more' });
+ res.render('auth', { title: 'Login page', header: 'Wrong password' });
 }
 });
diff --git a/src/routes/home.js b/src/routes/home.js
index 5e78936..05eed38 100644
--- a/src/routes/home.js
+++ b/src/routes/home.js
@@ -3,18 +3,9 @@ const verifyToken = require('./middlewares/token');
 const router = express.Router();
 /* GET home page. */
-router.get('/', async function (req, res, next) {
- let isAuthorized = false;
+router.get('/', async function (req, res) {
+ const isAuthorized = await verifyToken(req.cookies.authToken);
- await verifyToken(req.cookies.authToken).then(
- async () => {
- console.log('Authorized user entered page');
- isAuthorized = true;
- },
- () => {
- console.log('Not authorized');
- }
- );
 res.render('index', { title: 'Express', isAuthorized: isAuthorized });
 });
diff --git a/src/routes/middlewares/token.js b/src/routes/middlewares/token.js
index 3050f1a..7f5d3e5 100644
--- a/src/routes/middlewares/token.js
+++ b/src/routes/middlewares/token.js
@@ -1,14 +1,18 @@
 require('dotenv').config();
+const config = require('../../../config/index');
 const jwt = require('jsonwebtoken');
 module.exports = function verifyToken(token) {
- return new Promise((resolve, reject) => {
- jwt.verify(token, process.env.PASSWORD, (err, decodedToken) => {
- if (err || !decodedToken) {
- return reject(err);
- }
- resolve(decodedToken);
- });
+ let isAuthorized = false;
+
+ jwt.verify(token, process.env.PASSWORD + config.secret, (err, decodedToken) => {
+ if (err || !decodedToken) {
+ return (err);
+ } else {
+ isAuthorized = true;
+ }
 });
+
+ return isAuthorized;
 };
diff --git a/src/routes/pages.js b/src/routes/pages.js
index 0d950cd..9c64db8 100644
--- a/src/routes/pages.js
+++ b/src/routes/pages.js
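Review bot: `md5(req.body.password)` stores and compares the password as an unsalted, fast digest, which anyone who obtains the database can reverse offline at high speed; password storage needs a slow, salted hash such as Node's built-in `crypto.scrypt` (or bcrypt/argon2), with the stored hash fetched and the candidate verified against it using `crypto.timingSafeEqual` rather than a lookup by digest. The same digest is then reused as part of the signing key on the `passwordDoc.password + config.secret` line, so a leaked digest also allows forging tokens; sign with a key that is independent of any password material. `req.body.password` is also handed to `md5` without a type check, so a missing or non-string field reaches the hash function — reject it first with `if (typeof req.body.password !== 'string') { return res.status(400).render('auth', { title: 'Login page', header: 'Wrong password' }); }`.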
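Review bot: `verifyToken` returns `isAuthorized` right after calling `jwt.verify` with a callback, so the value is correct only if jsonwebtoken happens to invoke that callback synchronously; the callback form is documented as asynchronous, and if it ever runs on a later tick every caller (home.js and both pages.js routes, which `await` this return value) silently gets `false`. `return (err)` inside the callback also discards the error, so an expired or tampered token leaves no trace. Use the synchronous form of `jwt.verify` inside try/catch and return a boolean from that; the sketch below keeps the export and the `process.env.PASSWORD + config.secret` key as they are. Note that this key only equals the signing key used in auth.js (`passwordDoc.password + config.secret`, where the stored password is an md5 digest) if PASSWORD holds that same digest; that requirement should be stated in a comment above the export.
```javascript
module.exports = function verifyToken(token) {
  try {
    // Synchronous form: throws on a missing, malformed, expired or tampered token.
    jwt.verify(token, process.env.PASSWORD + config.secret);
    return true;
  } catch (err) {
    console.error(`Token verification failed: ${err.message}`);
    return false;
  }
};
```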
@@ -27,27 +27,26 @@ router.get('/page/new', async (req, res) => {
 * Edit page form
 */
 router.get('/page/edit/:id', async (req, res, next) => {
- verifyToken(req.cookies.authToken).then(
- async () => {
- const pageId = req.params.id;
+ const isAuthorized = await verifyToken(req.cookies.authToken);
- try {
- let page = await Pages.get(pageId);
- let pagesAvailable = await Pages.getAllExceptChildrens(pageId);
+ if (isAuthorized) {
+ const pageId = req.params.id;
- res.render('pages/form', {
- pagesAvailable,
- page
- });
- } catch (error) {
- res.status(404);
- next(error);
- }
- },
- () => {
- res.render('auth', { title: 'Login page', header: 'Enter password to do this!' });
+ try {
+ let page = await Pages.get(pageId);
+ let pagesAvailable = await Pages.getAllExceptChildrens(pageId);
+
+ res.render('pages/form', {
+ pagesAvailable,
+ page
+ });
+ } catch (error) {
+ res.status(404);
+ next(error);
 }
- );
+ } else {
+ res.render('auth', { title: 'Login page', header: 'Enter password to do this!' });
+ }
 });
 /**
@@ -55,17 +54,7 @@ router.get('/page/edit/:id', async (req, res, next) => {
 */
 router.get('/page/:id', async (req, res, next) => {
 const pageId = req.params.id;
- let isAuthorized = false;
-
- await verifyToken(req.cookies.authToken).then(
- async () => {
- console.log('Authorized user entered page');
- isAuthorized = true;
- },
- () => {
- console.log('Not authorized');
- }
- );
+ let isAuthorized = await verifyToken(req.cookies.authToken);
 try {
 let page = await Pages.get(pageId);
diff --git a/src/views/components/header.twig b/src/views/components/header.twig
index 7c54e31..aecdbd1 100644
--- a/src/views/components/header.twig
+++ b/src/views/components/header.twig
@@ -9,8 +9,6 @@
 {{ svg('plus') }} Add Page
- {% else %}
- Authorize
 {% endif %}
 {% for option in config.menu %}
diff --git a/src/views/pages/page.twig b/src/views/pages/page.twig
index 1178c08..f0e5d33 100644
--- a/src/views/pages/page.twig
+++ b/src/views/pages/page.twig
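Review bot: The unauthorized branch answers with the login page but leaves the status at 200, so a denied edit is indistinguishable from a successful render for clients and for access-log monitoring; set it explicitly, `res.status(401).render('auth', { title: 'Login page', header: 'Enter password to do this!' });`. `page` and `pagesAvailable` are never reassigned, so `let` should be `const`, and the same applies to `let isAuthorized = await verifyToken(...)` in the following pages.js hunk (`@@ -55,17 +54,7 @@`). Both routes also assume `verifyToken` yields a boolean at the time of the `await`, which its callback-based implementation in token.js only does if jsonwebtoken fires the callback synchronously.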
@@ -17,10 +17,6 @@ Edit
- {% else %}
-
- Authorize to edit
-
 {% endif %}
diff --git a/yarn.lock b/yarn.lock
index c94db1b..f195ea4 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1506,6 +1506,11 @@ chardet@^0.7.0: resolved "https://registry.yarnpkg.com/chardet/-/chardet-0.7.0.tgz#90094849f0937f2eedc2425d0d28a9e5f0cbad9e" integrity sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA== +charenc@~0.0.1: + version "0.0.2" + resolved "https://registry.yarnpkg.com/charenc/-/charenc-0.0.2.tgz#c0a1d2f3a7092e03774bfa83f14c0fc5790a8667" + integrity sha1-wKHS86cJLgN3S/qD8UwPxXkKhmc= + check-error@^1.0.2: version "1.0.2" resolved "https://registry.yarnpkg.com/check-error/-/check-error-1.0.2.tgz#574d312edd88bb5dd8912e9286dd6c0aed4aac82"
@@ -1922,6 +1927,11 @@ cross-spawn@^6.0.0, cross-spawn@^6.0.5: shebang-command "^1.2.0" which "^1.2.9" +crypt@~0.0.1: + version "0.0.2" + resolved "https://registry.yarnpkg.com/crypt/-/crypt-0.0.2.tgz#88d7ff7ec0dfb86f713dc87bbb42d044d3e6c41b" + integrity sha1-iNf/fsDfuG9xPch7u0LQRNPmxBs= + crypto-browserify@^3.11.0: version "3.12.0" resolved "https://registry.yarnpkg.com/crypto-browserify/-/crypto-browserify-3.12.0.tgz#396cf9f3137f03e4b8e532c58f698254e00f80ec"
@@ -3540,7 +3550,7 @@ is-binary-path@^1.0.0: dependencies: binary-extensions "^1.0.0" -is-buffer@^1.1.5: +is-buffer@^1.1.5, is-buffer@~1.1.1: version "1.1.6" resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be" integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w== 
@@ -4198,6 +4208,15 @@ md5.js@^1.3.4: inherits "^2.0.1" safe-buffer "^5.1.2" +md5@^2.2.1: + version "2.2.1" + resolved "https://registry.yarnpkg.com/md5/-/md5-2.2.1.tgz#53ab38d5fe3c8891ba465329ea23fac0540126f9" + integrity sha1-U6s41f48iJG6RlMp6iP6wFQBJvk= + dependencies: + charenc "~0.0.1" + crypt "~0.0.1" + is-buffer "~1.1.1" + mdn-data@~1.1.0: version "1.1.4" resolved "https://registry.yarnpkg.com/mdn-data/-/mdn-data-1.1.4.tgz#50b5d4ffc4575276573c4eedb8780812a8419f01"