Authentication (#22)

* Authorization added * added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized * added dbinsert script * turned verifyToken to middleware, added description for dbinsert, added hidden csrf field in auth form * added middlewares, user model and controller * JSDoc fix * wrong password processing fix * added comments to dbinsert script, moved salt and passHash to singe db doc * Moved salt to .env, upgradedscript for generating password was, fixed comments and JSDoc * Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpyOnly property to jwt cookie
2025-07-19 13:19:42 +02:00 · 2019-03-06 13:22:57 +03:00 · 2019-03-06 13:22:57 +03:00 · 58d3892d8f
commit 58d3892d8f
parent 718be6d2f6
33 changed files with 1464 additions and 58 deletions
--- a/README.md
+++ b/README.md
@ -42,3 +42,9 @@ $ yarn lint
 ```
 $ yarn test
 ```
 ### Authentication
 To manage pages you need to authorize (available on `/auth`).
 To generate password use `yarn generatePassword [password]` command.
--- a/config/index.js
+++ b/config/index.js
@ -15,7 +15,8 @@ if (fs.existsSync(path.resolve(__dirname, configPath))) {
 } else {
  config = {
    database: '.db',
-    port: 3000
+    port: 3000,
    secret: 'secret'
  };
 }
--- a/generatePassword.js
+++ b/generatePassword.js
@ -0,0 +1,45 @@
 #!/usr/bin/env node
 let { password: db } = require('./src/utils/database');
 const program = require('commander');
 const bcrypt = require('bcrypt');
 const saltRounds = 12;
 /**
 * Script for generating password, that will be used to create and edit pages in CodeX.Docs.
 * Hashes password with bcrypt and inserts it to the database.
 * @see {https://github.com/tj/commander.js | CommanderJS}
 */
 program
  .description('Application for generating password, that will be used to create and edit pages in CodeX.Docs.')
  .usage('[password]')
  .arguments('<password>')
  .action(async function (password) {
    bcrypt.hash(password, saltRounds, async (error, hash) => {
      if (error) {
        return 'Hash generating error';
      }
      const userDoc = { passHash: hash };
      await db.remove({}, {multi: true});
      await db.insert(userDoc);
      console.log('Password was successfully generated');
    });
  });
 program.on('--help', () => {
  console.log('');
  console.log('Example:');
  console.log('yarn generatePassword qwerty');
  console.log('');
 });
 program.parse(process.argv);
 if (process.argv.length !== 3) {
  console.error('Invalid command: %s\nSee --help or -h for a list of available commands.', program.args.join(' '));
  process.exit(1);
 }
--- a/package.json
+++ b/package.json
@ -1,6 +1,7 @@
 {
  "name": "codex.docs",
  "version": "0.0.0",
  "bin": { "generatePassword": "bin/generatePassword.js"},
  "private": true,
  "scripts": {
    "start": "cross-env NODE_ENV=production nodemon ./bin/www",
@ -8,20 +9,26 @@
    "test": "cross-env NODE_ENV=testing mocha --recursive ./test",
    "lint": "eslint --fix --cache ./src/**/*.js",
    "build": "webpack ./src/frontend/js/app.js --o='./public/dist/[name].bundle.js' --output-library=Docs --output-public-path=/dist/ -p --watch",
-    "precommit": "yarn lint && yarn test --exit"
+    "precommit": "yarn lint && yarn test --exit",
    "generatePassword": "node ./generatePassword.js"
  },
  "dependencies": {
    "@babel/polyfill": "^7.0.0",
    "bcrypt": "^3.0.3",
    "body-parser": "latest",
    "codex.editor": "^2.8.1",
    "codex.editor.delimiter": "^1.0.2",
    "codex.editor.embed": "^2.1.2",
    "codex.editor.header": "^2.0.5",
    "commander": "^2.19.0",
    "codex.editor.image": "^2.0.3",
    "codex.editor.quote": "^2.1.5",
    "codex.editor.raw": "^2.0.2",
    "cookie-parser": "~1.4.3",
    "csurf": "^1.9.0",
    "debug": "~4.1.0",
    "dotenv": "^6.2.0",
    "jsonwebtoken": "^8.4.0",
    "eslint-plugin-standard": "^4.0.0",
    "express": "~4.16.0",
    "http-errors": "~1.7.1",
--- a/src/app.js
+++ b/src/app.js
@ -19,7 +19,7 @@ require('./utils/twig');
 app.use(logger('dev'));
 app.use(express.json());
-app.use(express.urlencoded({extended: true}));
+app.use(express.urlencoded({ extended: true }));
 app.use(cookieParser());
 app.use(express.static(path.join(__dirname, '../public')));
--- a/src/controllers/pages.js
+++ b/src/controllers/pages.js
@ -49,7 +49,7 @@ class Pages {
   * @param {string} parent - id of current page
   * @returns {Promise<Page[]>}
   */
-  static async getAllExceptChildrens(parent) {
+  static async getAllExceptChildren(parent) {
    let pagesAvailable = this.removeChildren(await Pages.getAll(), parent);
    return pagesAvailable.filter((item) => item !== null);
--- a/src/controllers/users.js
+++ b/src/controllers/users.js
@ -0,0 +1,21 @@
 const Model = require('../models/user');
 /**
 * @class Users
 * @classdesc Users controller
 */
 class Users {
  /**
   * @static
   * Find and return user model.
   *
   * @returns {Promise<User>}
   */
  static async get() {
    const userDoc = await Model.get();
    return userDoc;
  }
 }
 module.exports = Users;
--- a/src/frontend/js/classes/codeStyler.js
+++ b/src/frontend/js/classes/codeStyler.js
@ -2,6 +2,7 @@ import hljs from 'highlight.js/lib/highlight';
 import javascript from 'highlight.js/lib/languages/javascript';
 import xml from 'highlight.js/lib/languages/xml';
 import json from 'highlight.js/lib/languages/json';
 // eslint-disable-next-line
 import style from 'highlight.js/styles/atom-one-dark.css';
 /**
@ -13,7 +14,7 @@ export default class CodeStyler {
   * @param {string} selector - CSS selector for code blocks
   * @param {string[]} languages - list of languages to highlight, see hljs.listLanguages()
   */
-  constructor({selector, languages = [ 'javascript', 'xml', 'json' ]}) {
+  constructor({ selector, languages = ['javascript', 'xml', 'json'] }) {
    this.codeBlocksSelector = selector;
    this.languages = languages;
    this.langsAvailable = {
--- a/src/frontend/js/classes/editor.js
+++ b/src/frontend/js/classes/editor.js
@ -11,7 +11,6 @@ import Delimiter from 'codex.editor.delimiter';
 import InlineCode from 'codex.editor.inline-code';
 import List from 'codex.editor.list';
 import RawTool from 'codex.editor.raw';
 import ImageTool from 'codex.editor.image';
 import Embed from 'codex.editor.embed';
 /**
--- a/src/frontend/js/modules/page.js
+++ b/src/frontend/js/modules/page.js
@ -27,7 +27,7 @@ export default class Writing {
   * Init code highlighting
   */
  async createCodeStyling() {
-    const {default: CodeStyler} = await import(/* webpackChunkName: "code-styling" */ './../classes/codeStyler');
+    const { default: CodeStyler } = await import(/* webpackChunkName: "code-styling" */ './../classes/codeStyler');
    return new CodeStyler({
      selector: '.block-code'
--- a/src/frontend/js/modules/writing.js
+++ b/src/frontend/js/modules/writing.js
@ -64,7 +64,8 @@ export default class Writing {
    if (this.nodes.removeButton) {
      this.nodes.removeButton.addEventListener('click', () => {
-        const isUserAgree = confirm("Are you sure?");
+        const isUserAgree = window.confirm('Are you sure?');
        if (!isUserAgree) {
          return;
        }
@ -83,7 +84,7 @@ export default class Writing {
   * @return {Promise<Editor>}
   */
  async loadEditor() {
-    const {default: Editor} = await import(/* webpackChunkName: "editor" */ './../classes/editor');
+    const { default: Editor } = await import(/* webpackChunkName: "editor" */ './../classes/editor');
    const editorConfig = this.page ? {
      data: this.page.body
@ -119,6 +120,7 @@ export default class Writing {
    /** get ordering selector value */
    let putAbovePageId = null;
    if (this.nodes.putAboveIdSelector) {
      putAbovePageId = this.nodes.putAboveIdSelector.value;
    }
--- a/src/models/page.js
+++ b/src/models/page.js
@ -89,7 +89,7 @@ class Page {
  /**
   * Return PageData object
   *
-   * @returns {PageData}
+   * @return {PageData}
   */
  get data() {
    return {
--- a/src/models/user.js
+++ b/src/models/user.js
@ -0,0 +1,36 @@
 const { password: db } = require('../utils/database/index');
 /**
 * @class User
 * @class User model
 *
 * @property {string} passHash - hashed password
 */
 class User {
  /**
   * Find and return model of user.
   * User is only one.
   *
   * @returns {Promise<User>}
   */
  static async get() {
    const data = await db.findOne({});
    if (!data) {
      return null;
    }
    return new User(data);
  }
  /**
   * @constructor
   *
   * @param {Object} userData
   */
  constructor(userData) {
    this.passHash = userData.passHash;
  }
 }
 module.exports = User;
--- a/src/routes/api/pages.js
+++ b/src/routes/api/pages.js
@ -8,6 +8,7 @@ const PagesOrder = require('../../controllers/pagesOrder');
 *
 * Return PageData of page with given id
 */
 router.get('/page/:id', async (req, res) => {
  try {
    const page = await Pages.get(req.params.id);
@ -52,8 +53,8 @@ router.get('/pages', async (req, res) => {
 */
 router.put('/page', multer.any(), async (req, res) => {
  try {
-    const {title, body, parent} = req.body;
+    const { title, body, parent } = req.body;
-    const page = await Pages.insert({title, body, parent});
+    const page = await Pages.insert({ title, body, parent });
    /** push to the orders array */
    await PagesOrder.push(parent, page._id);
@ -76,10 +77,10 @@ router.put('/page', multer.any(), async (req, res) => {
 * Update page data in the database
 */
 router.post('/page/:id', multer.any(), async (req, res) => {
-  const {id} = req.params;
+  const { id } = req.params;
  try {
-    const {title, body, parent, putAbovePageId, uri} = req.body;
+    const { title, body, parent, putAbovePageId, uri } = req.body;
    const pages = await Pages.getAll();
    let page = await Pages.get(id);
@ -87,12 +88,13 @@ router.post('/page/:id', multer.any(), async (req, res) => {
      await PagesOrder.move(page._parent, parent, id);
    } else {
      if (putAbovePageId && putAbovePageId !== '0') {
-        const unordered = pages.filter( _page => _page._parent === page._parent).map(_page => _page._id);
+        const unordered = pages.filter(_page => _page._parent === page._parent).map(_page => _page._id);
        await PagesOrder.update(unordered, page._id, page._parent, putAbovePageId);
      }
    }
-    page = await Pages.update(id, {title, body, parent, uri});
+    page = await Pages.update(id, { title, body, parent, uri });
    res.json({
      success: true,
      result: page
@ -119,12 +121,13 @@ router.delete('/page/:id', async (req, res) => {
    const pageAfterId = parentPageOrder.getPageAfter(page._id);
    let pageToRedirect;
    if (pageBeforeId) {
      pageToRedirect = await Pages.get(pageBeforeId);
    } else if (pageAfterId) {
      pageToRedirect = await Pages.get(pageAfterId);
    } else {
-      pageToRedirect = page._parent !== "0" ? await Pages.get(page._parent) : null;
+      pageToRedirect = page._parent !== '0' ? await Pages.get(page._parent) : null;
    }
    /**
@ -133,10 +136,12 @@ router.delete('/page/:id', async (req, res) => {
     * @param startFrom
     * @returns {Promise<void>}
     */
-    async function deleteRecursively(startFrom) {
+    const deleteRecursively = async function (startFrom) {
      let order = [];
      try {
        const children = await PagesOrder.get(startFrom);
        order = children.order;
      } catch (e) {}
@ -148,7 +153,7 @@ router.delete('/page/:id', async (req, res) => {
      try {
        await PagesOrder.remove(startFrom);
      } catch (e) {}
-    }
+    };
    await deleteRecursively(req.params.id);
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@ -0,0 +1,54 @@
 require('dotenv').config();
 const express = require('express');
 const bodyParser = require('body-parser');
 const jwt = require('jsonwebtoken');
 const router = express.Router();
 const Users = require('../controllers/users');
 const config = require('../../config/index');
 const bcrypt = require('bcrypt');
 const csrf = require('csurf');
 const csrfProtection = csrf({ cookie: true });
 const parseForm = bodyParser.urlencoded({ extended: false });
 /**
 * Authorization page
 */
 router.get('/auth', csrfProtection, function (req, res) {
  res.render('auth', {
    title: 'Login page',
    header: 'Enter password',
    csrfToken: req.csrfToken()
  });
 });
 /**
 * Process given password
 */
 router.post('/auth', parseForm, csrfProtection, async (req, res) => {
  let userDoc = await Users.get();
  const passHash = userDoc.passHash;
  bcrypt.compare(req.body.password, passHash, async (err, result) => {
    if (err || result === false) {
      res.render('auth', {
        title: 'Login page',
        header: 'Wrong password',
        csrfToken: req.csrfToken()
      });
    }
    const token = jwt.sign({
      'iss': 'Codex Team',
      'sub': 'auth',
      'iat': Date.now()
    }, passHash + config.secret);
    res.cookie('authToken', token, { httpOnly: true });
    res.redirect('/');
  });
 });
 module.exports = router;
--- a/src/routes/home.js
+++ b/src/routes/home.js
@ -1,9 +1,10 @@
 const express = require('express');
 const verifyToken = require('./middlewares/token');
 const router = express.Router();
 /* GET home page. */
-router.get('/', function (req, res, next) {
+router.get('/', verifyToken, async (req, res) => {
-  res.render('pages/index');
+  res.render('pages/index', { isAuthorized: res.locals.isAuthorized });
 });
 module.exports = router;
--- a/src/routes/index.js
+++ b/src/routes/index.js
@ -3,6 +3,7 @@ const router = express.Router();
 const home = require('./home');
 const pages = require('./pages');
 const auth = require('./auth');
 const aliases = require('./aliases');
 const api = require('./api');
@ -10,6 +11,7 @@ const pagesMiddleware = require('./middlewares/pages');
 router.use('/', pagesMiddleware, home);
 router.use('/', pagesMiddleware, pages);
 router.use('/', pagesMiddleware, auth);
 router.use('/api', api);
 router.use('/', aliases);
--- a/src/routes/middlewares/locals.js
+++ b/src/routes/middlewares/locals.js
@ -0,0 +1,13 @@
 /**
 * Middleware for checking locals.isAuthorized property, which allows to edit/create pages
 * @param req
 * @param res
 * @param next
 */
 module.exports = function allowEdit(req, res, next) {
  if (res.locals.isAuthorized) {
    next();
  } else {
    res.redirect('/auth');
  }
 };
--- a/src/routes/middlewares/pages.js
+++ b/src/routes/middlewares/pages.js
@ -22,14 +22,15 @@ function createMenuTree(parentPageId, pages, pagesOrder, level = 1, currentLevel
   * otherwise just find all pages includes parent tree
   */
  let ordered = [];
  if (childrenOrder) {
-    ordered = childrenOrder.order.map( pageId => {
+    ordered = childrenOrder.order.map(pageId => {
-      return pages.find( page => page._id === pageId);
+      return pages.find(page => page._id === pageId);
    });
  }
-  const unordered = pages.filter( page => page._parent === parentPageId);
+  const unordered = pages.filter(page => page._parent === parentPageId);
-  const branch = [...new Set([...ordered, ...unordered])];
+  const branch = [ ...new Set([...ordered, ...unordered]) ];
  /**
   * stop recursion when we got the passed max level
@ -41,12 +42,11 @@ function createMenuTree(parentPageId, pages, pagesOrder, level = 1, currentLevel
  /**
   * Each parents children can have subbranches
   */
-  return branch.filter(page => page && page._id).map( page => {
+  return branch.filter(page => page && page._id).map(page => {
    return Object.assign({
      children: createMenuTree(page._id, pages, pagesOrder, level, currentLevel + 1)
    }, page.data);
  });
 }
 /**
@ -55,15 +55,17 @@ function createMenuTree(parentPageId, pages, pagesOrder, level = 1, currentLevel
 * @param res
 * @param next
 */
-module.exports = asyncMiddleware(async function (req, res, next) {
+module.exports = asyncMiddleware(async (req, res, next) => {
  /**
   * Pages without parent
   * @type {string}
   */
  const parentIdOfRootPages = '0';
  try {
    const pages = await Pages.getAll();
    const pagesOrder = await PagesOrder.getAll();
    res.locals.menu = createMenuTree(parentIdOfRootPages, pages, pagesOrder, 2);
  } catch (error) {
    console.log('Can not load menu:', error);
--- a/src/routes/middlewares/token.js
+++ b/src/routes/middlewares/token.js
@ -0,0 +1,25 @@
 require('dotenv').config();
 const config = require('../../../config/index');
 const jwt = require('jsonwebtoken');
 const Users = require('../../controllers/users');
 /**
 * Middleware for checking jwt token
 * @param req
 * @param res
 * @param next
 */
 module.exports = async function verifyToken(req, res, next) {
  let token = req.cookies.authToken;
  const userDoc = await Users.get();
  if (!userDoc) {
    res.locals.isAuthorized = false;
    next()
  }
  jwt.verify(token, userDoc.passHash + config.secret, (err, decodedToken) => {
    res.locals.isAuthorized = !(err || !decodedToken);
    next();
  });
 };
--- a/src/routes/pages.js
+++ b/src/routes/pages.js
@ -3,10 +3,13 @@ const router = express.Router();
 const Pages = require('../controllers/pages');
 const PagesOrder = require('../controllers/pagesOrder');
 const verifyToken = require('./middlewares/token');
 const allowEdit = require('./middlewares/locals');
 /**
 * Create new page form
 */
-router.get('/page/new', async (req, res) => {
+router.get('/page/new', verifyToken, allowEdit, async (req, res, next) => {
  let pagesAvailable = await Pages.getAll();
  res.render('pages/form', {
@ -18,7 +21,7 @@ router.get('/page/new', async (req, res) => {
 /**
 * Edit page form
 */
-router.get('/page/edit/:id', async (req, res, next) => {
+router.get('/page/edit/:id', verifyToken, allowEdit, async (req, res, next) => {
  const pageId = req.params.id;
  try {
@ -40,7 +43,7 @@ router.get('/page/edit/:id', async (req, res, next) => {
 /**
 * View page
 */
-router.get('/page/:id', async (req, res, next) => {
+router.get('/page/:id', verifyToken, async (req, res, next) => {
  const pageId = req.params.id;
  try {
--- a/src/utils/asyncMiddleware.js
+++ b/src/utils/asyncMiddleware.js
@ -3,7 +3,7 @@
 * @param fn
 * @return {function(*=, *=, *=)}
 */
-module.exports = function asyncMiddlware(fn) {
+module.exports = function asyncMiddleware(fn) {
  return (req, res, next) => {
    Promise.resolve(fn(req, res, next))
      .catch(next);
--- a/src/utils/database/aliases.js
+++ b/src/utils/database/aliases.js
@ -1,6 +1,6 @@
 const Datastore = require('nedb');
 const config = require('../../../config');
-const db = new Datastore({filename: `./${config.database}/aliases.db`, autoload: true});
+const db = new Datastore({ filename: `./${config.database}/aliases.db`, autoload: true });
 module.exports = db;
--- a/src/utils/database/index.js
+++ b/src/utils/database/index.js
@ -1,4 +1,5 @@
 const pages = require('./pages');
 const password = require('./password');
 const aliases = require('./aliases');
 const pagesOrder = require('./pagesOrder');
@ -145,6 +146,7 @@ class Database {
 module.exports = {
  class: Database,
  pages: new Database(pages),
  password: new Database(password),
  aliases: new Database(aliases),
  pagesOrder: new Database(pagesOrder)
 };
--- a/src/utils/database/pages.js
+++ b/src/utils/database/pages.js
@ -1,6 +1,6 @@
 const Datastore = require('nedb');
 const config = require('../../../config');
-const db = new Datastore({filename: `./${config.database}/pages.db`, autoload: true});
+const db = new Datastore({ filename: `./${config.database}/pages.db`, autoload: true });
 module.exports = db;
--- a/src/utils/database/pagesOrder.js
+++ b/src/utils/database/pagesOrder.js
@ -1,5 +1,5 @@
 const Datastore = require('nedb');
 const config = require('../../../config');
-const db = new Datastore({filename: `./${config.database}/pagesOrder.db`, autoload: true});
+const db = new Datastore({ filename: `./${config.database}/pagesOrder.db`, autoload: true });
 module.exports = db;
--- a/src/utils/database/password.js
+++ b/src/utils/database/password.js
@ -0,0 +1,6 @@
 const Datastore = require('nedb');
 const config = require('../../../config');
 const db = new Datastore({ filename: `./${config.database}/password.db`, autoload: true });
 module.exports = db;
--- a/src/views/auth.twig
+++ b/src/views/auth.twig
@ -0,0 +1,11 @@
 {% extends 'layout.twig' %}
 {% block body %}
  <h1>{{header}}</h1>
  <form method="post" action="/auth">
    <input type="hidden" name="_csrf" value={{csrfToken}}>
    <input type="password" name="password" placeholder="Password">
    <input type="submit" value="login">
  </form>
 {% endblock %}
--- a/src/views/components/header.twig
+++ b/src/views/components/header.twig
@ -3,12 +3,14 @@
    {{ config.title }}
  </a>
  <ul class="docs-header__menu">
-    <li class="docs-header__menu-add">
+    {% if isAuthorized == true %}
-      <a class="docs-header__button" href="/page/new">
+      <li class="docs-header__menu-add">
-        {{ svg('plus') }}
+          <a class="docs-header__button" href="/page/new">
-        Add Page
+            {{ svg('plus') }}
-      </a>
+            Add Page
-    </li>
+          </a>
      </li>
    {% endif %}
    {% for option in config.menu %}
      <li>
        <a
--- a/src/views/layout.twig
+++ b/src/views/layout.twig
@ -9,7 +9,7 @@
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
  </head>
  <body>
-    {% include "components/header.twig" %}
+    {% include "components/header.twig" with res.locals.isAuthorized %}
    <div class="docs">
      <aside class="docs__aside">
        {% include "components/aside.twig" %}
--- a/src/views/pages/page.twig
+++ b/src/views/pages/page.twig
@ -18,9 +18,11 @@
      {% endif %}
      <time class="page__header-time">
        Last edit {{ (page.body.time / 1000)  | date("M d Y") }}
-        <a href="/page/edit/{{ page._id }}" class="page__header-button">
+        {% if isAuthorized == true %}
-          Edit
+          <a href="/page/edit/{{ page._id }}" class="page__header-button">
-        </a>
+            Edit
          </a>
        {% endif %}
      </time>
    </header>
    <h1 class="page__title">
--- a/test/express.js
+++ b/test/express.js
@ -1,19 +1,17 @@
-const {app} = require('../bin/www');
+const { app } = require('../bin/www');
 const chai = require('chai');
 const chaiHTTP = require('chai-http');
-const {expect} = chai;
+const { expect } = chai;
 chai.use(chaiHTTP);
 describe('Express app', () => {
-  it('App is available', (done) => {
+  it('App is available', async () => {
-    chai
+    let agent = chai.request.agent(app);
-      .request(app)
+
-      .get('/')
+    const result = await agent
-      .end((err, res) => {
+      .get('/');
-        expect(err).to.be.null;
+
-        expect(res).to.have.status(200);
+    expect(result).to.have.status(200);
        done();
      });
  });
 });
--- a/yarn.lock
+++ b/yarn.lock