added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized

2025-08-08 06:55:26 +02:00 · 2019-01-19 20:44:15 +03:00 · 2019-01-19 20:44:15 +03:00 · 5054d356fa
commit 5054d356fa
parent 5d6319915f
9 changed files with 59 additions and 58 deletions
--- a/config/index.js
+++ b/config/index.js
@ -15,7 +15,8 @@ if (fs.existsSync(path.resolve(__dirname, configPath))) {
 } else {
  config = {
    database: '.db',
-    port: 3000
+    port: 3000,
+    secret: 'secret'
  };
 }

--- a/package.json
+++ b/package.json
@ -21,6 +21,7 @@
    "express": "~4.16.0",
    "http-errors": "~1.7.1",
    "jsonwebtoken": "^8.4.0",
+    "md5": "^2.2.1",
    "module-dispatcher": "^1.0.2",
    "morgan": "~1.9.0",
    "multer": "^1.3.1",
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@ -2,6 +2,8 @@ const express = require('express');
 const router = express.Router();
 const { password: db } = require('../utils/database/index');
 const jwt = require('jsonwebtoken');
+const config = require('../../config/index');
+const md5 = require('md5');

 /* GET authorization page. */
 router.get('/auth', function (req, res, next) {
@ -9,20 +11,20 @@ router.get('/auth', function (req, res, next) {
 });

 router.post('/auth', async (req, res) => {
-  const passwordDoc = await db.findOne({password: req.body.password});
+  const passwordDoc = await db.findOne({password: md5(req.body.password)});

  if (passwordDoc !== null) {
    const token = jwt.sign({
      'iss': 'Codex Team',
      'sub': 'auth',
      'iat': Date.now()
-    }, passwordDoc.password);
+    }, passwordDoc.password + config.secret);

    res.cookie('authToken', token);

    res.redirect('/');
  } else {
-    res.render('auth', { title: 'Login page', header: 'Wrong password!<br \\/>Try once more' });
+    res.render('auth', { title: 'Login page', header: 'Wrong password' });
  }
 });

--- a/src/routes/home.js
+++ b/src/routes/home.js
@ -3,18 +3,9 @@ const verifyToken = require('./middlewares/token');
 const router = express.Router();

 /* GET home page. */
-router.get('/', async function (req, res, next) {
-  let isAuthorized = false;
+router.get('/', async function (req, res) {
+  const isAuthorized = await verifyToken(req.cookies.authToken);

-  await verifyToken(req.cookies.authToken).then(
-    async () => {
-      console.log('Authorized user entered page');
-      isAuthorized = true;
-    },
-    () => {
-      console.log('Not authorized');
-    }
-  );
  res.render('index', { title: 'Express', isAuthorized: isAuthorized });
 });

--- a/src/routes/middlewares/token.js
+++ b/src/routes/middlewares/token.js
@ -1,14 +1,18 @@
 require('dotenv').config();
+const config = require('../../../config/index');

 const jwt = require('jsonwebtoken');

 module.exports = function verifyToken(token) {
-  return new Promise((resolve, reject) => {
-    jwt.verify(token, process.env.PASSWORD, (err, decodedToken) => {
-      if (err || !decodedToken) {
-        return reject(err);
-      }
-      resolve(decodedToken);
-    });
+  let isAuthorized = false;
+
+  jwt.verify(token, process.env.PASSWORD + config.secret, (err, decodedToken) => {
+    if (err || !decodedToken) {
+      return (err);
+    } else {
+      isAuthorized = true;
+    }
  });
+
+  return isAuthorized;
 };
--- a/src/routes/pages.js
+++ b/src/routes/pages.js
@ -27,27 +27,26 @@ router.get('/page/new', async (req, res) => {
 * Edit page form
 */
 router.get('/page/edit/:id', async (req, res, next) => {
-  verifyToken(req.cookies.authToken).then(
-    async () => {
-      const pageId = req.params.id;
+  const isAuthorized = await verifyToken(req.cookies.authToken);

-      try {
-        let page = await Pages.get(pageId);
-        let pagesAvailable = await Pages.getAllExceptChildrens(pageId);
+  if (isAuthorized) {
+    const pageId = req.params.id;

-        res.render('pages/form', {
-          pagesAvailable,
-          page
-        });
-      } catch (error) {
-        res.status(404);
-        next(error);
-      }
-    },
-    () => {
-      res.render('auth', { title: 'Login page', header: 'Enter password to do this!' });
+    try {
+      let page = await Pages.get(pageId);
+      let pagesAvailable = await Pages.getAllExceptChildrens(pageId);
+
+      res.render('pages/form', {
+        pagesAvailable,
+        page
+      });
+    } catch (error) {
+      res.status(404);
+      next(error);
    }
-  );
+  } else {
+    res.render('auth', { title: 'Login page', header: 'Enter password to do this!' });
+  }
 });

 /**
@ -55,17 +54,7 @@ router.get('/page/edit/:id', async (req, res, next) => {
 */
 router.get('/page/:id', async (req, res, next) => {
  const pageId = req.params.id;
-  let isAuthorized = false;
-
-  await verifyToken(req.cookies.authToken).then(
-    async () => {
-      console.log('Authorized user entered page');
-      isAuthorized = true;
-    },
-    () => {
-      console.log('Not authorized');
-    }
-  );
+  let isAuthorized = await verifyToken(req.cookies.authToken);

  try {
    let page = await Pages.get(pageId);
--- a/src/views/components/header.twig
+++ b/src/views/components/header.twig
@ -9,8 +9,6 @@
          {{ svg('plus') }}
          Add Page
        </a>
-      {% else %}
-        <a class="docs-header__button" href="/auth">Authorize</a>
      {% endif %}
    </li>
    {% for option in config.menu %}
--- a/src/views/pages/page.twig
+++ b/src/views/pages/page.twig
@ -17,10 +17,6 @@
          <a href="/page/edit/{{ page._id }}" class="page__header-button">
            Edit
          </a>
-        {% else %}
-          <a href="/auth" class="page__header-button">
-            Authorize to edit
-          </a>
        {% endif %}
      </time>
    </header>
--- a/yarn.lock
+++ b/yarn.lock
@ -1506,6 +1506,11 @@ chardet@^0.7.0:
  resolved "https://registry.yarnpkg.com/chardet/-/chardet-0.7.0.tgz#90094849f0937f2eedc2425d0d28a9e5f0cbad9e"
  integrity sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==

+charenc@~0.0.1:
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/charenc/-/charenc-0.0.2.tgz#c0a1d2f3a7092e03774bfa83f14c0fc5790a8667"
+  integrity sha1-wKHS86cJLgN3S/qD8UwPxXkKhmc=
+
 check-error@^1.0.2:
  version "1.0.2"
  resolved "https://registry.yarnpkg.com/check-error/-/check-error-1.0.2.tgz#574d312edd88bb5dd8912e9286dd6c0aed4aac82"
@ -1922,6 +1927,11 @@ cross-spawn@^6.0.0, cross-spawn@^6.0.5:
    shebang-command "^1.2.0"
    which "^1.2.9"

+crypt@~0.0.1:
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/crypt/-/crypt-0.0.2.tgz#88d7ff7ec0dfb86f713dc87bbb42d044d3e6c41b"
+  integrity sha1-iNf/fsDfuG9xPch7u0LQRNPmxBs=
+
 crypto-browserify@^3.11.0:
  version "3.12.0"
  resolved "https://registry.yarnpkg.com/crypto-browserify/-/crypto-browserify-3.12.0.tgz#396cf9f3137f03e4b8e532c58f698254e00f80ec"
@ -3540,7 +3550,7 @@ is-binary-path@^1.0.0:
  dependencies:
    binary-extensions "^1.0.0"

-is-buffer@^1.1.5:
+is-buffer@^1.1.5, is-buffer@~1.1.1:
  version "1.1.6"
  resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
  integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==
@ -4198,6 +4208,15 @@ md5.js@^1.3.4:
    inherits "^2.0.1"
    safe-buffer "^5.1.2"

+md5@^2.2.1:
+  version "2.2.1"
+  resolved "https://registry.yarnpkg.com/md5/-/md5-2.2.1.tgz#53ab38d5fe3c8891ba465329ea23fac0540126f9"
+  integrity sha1-U6s41f48iJG6RlMp6iP6wFQBJvk=
+  dependencies:
+    charenc "~0.0.1"
+    crypt "~0.0.1"
+    is-buffer "~1.1.1"
+
 mdn-data@~1.1.0:
  version "1.1.4"
  resolved "https://registry.yarnpkg.com/mdn-data/-/mdn-data-1.1.4.tgz#50b5d4ffc4575276573c4eedb8780812a8419f01"