Authentication (#22)

* Authorization added * added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized * added dbinsert script * turned verifyToken to middleware, added description for dbinsert, added hidden csrf field in auth form * added middlewares, user model and controller * JSDoc fix * wrong password processing fix * added comments to dbinsert script, moved salt and passHash to singe db doc * Moved salt to .env, upgradedscript for generating password was, fixed comments and JSDoc * Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpyOnly property to jwt cookie
2025-07-22 14:49:41 +02:00 · 2019-03-06 13:22:57 +03:00 · 2019-03-06 13:22:57 +03:00 · 58d3892d8f
commit 58d3892d8f
parent 718be6d2f6
33 changed files with 1464 additions and 58 deletions
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@ -0,0 +1,54 @@
+require('dotenv').config();
+
+const express = require('express');
+const bodyParser = require('body-parser');
+const jwt = require('jsonwebtoken');
+const router = express.Router();
+const Users = require('../controllers/users');
+const config = require('../../config/index');
+const bcrypt = require('bcrypt');
+const csrf = require('csurf');
+const csrfProtection = csrf({ cookie: true });
+const parseForm = bodyParser.urlencoded({ extended: false });
+
+/**
+ * Authorization page
+ */
+router.get('/auth', csrfProtection, function (req, res) {
+  res.render('auth', {
+    title: 'Login page',
+    header: 'Enter password',
+    csrfToken: req.csrfToken()
+  });
+});
+
+/**
+ * Process given password
+ */
+router.post('/auth', parseForm, csrfProtection, async (req, res) => {
+  let userDoc = await Users.get();
+
+  const passHash = userDoc.passHash;
+
+  bcrypt.compare(req.body.password, passHash, async (err, result) => {
+    if (err || result === false) {
+      res.render('auth', {
+        title: 'Login page',
+        header: 'Wrong password',
+        csrfToken: req.csrfToken()
+      });
+    }
+
+    const token = jwt.sign({
+      'iss': 'Codex Team',
+      'sub': 'auth',
+      'iat': Date.now()
+    }, passHash + config.secret);
+
+    res.cookie('authToken', token, { httpOnly: true });
+
+    res.redirect('/');
+  });
+});
+
+module.exports = router;