
Auth fix (#54)

* Authorization added

* added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized

* added dbinsert script

* turned verifyToken to middleware, added description for dbinsert, added hidden csrf field in auth form

* added middlewares, user model and controller

* JSDoc fix

* wrong password processing fix

* added comments to dbinsert script, moved salt and passHash to singe db doc

* Moved salt to .env, upgradedscript for generating password was, fixed comments and JSDoc

* Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpOnly property to jwt cookie

* Added verifyToken middleware to aliases route, added check for user existance on POST/auth

* Added message "password not set" to client
This commit is contained in:
Timur Kazantaev 2019-03-07 19:46:37 +03:00 committed by GitHub
parent d4302c50f6
commit 717fd3fe38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 2 deletions


@ -3,13 +3,14 @@ const router = express.Router();
const Aliases = require('../controllers/aliases'); const Aliases = require('../controllers/aliases');
const Pages = require('../controllers/pages'); const Pages = require('../controllers/pages');
const Alias = require('../models/alias'); const Alias = require('../models/alias');
const verifyToken = require('./middlewares/token');
/** /**
* GET /* * GET /*
* *
* Return document with given alias * Return document with given alias
*/ */
router.get('*', async (req, res) => { router.get('*', verifyToken, async (req, res) => {
try { try {
const alias = await Aliases.get(req.originalUrl.slice(1)); // Cuts first '/' character const alias = await Aliases.get(req.originalUrl.slice(1)); // Cuts first '/' character
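Review bot: The JSDoc above `router.get('*', verifyToken, ...)` does not say what `verifyToken` contributes to this route; judging by the middleware hunk further down, it appears to only set `res.locals.isAuthorized` and call `next()` rather than reject anonymous requests, so a reader may wrongly assume the catch-all route is now protected. Add a line such as ` * verifyToken only populates res.locals.isAuthorized (used to hide edit links); it does not block anonymous requests` to that comment block. If restricting the route is the intent, the middleware would have to short-circuit with a redirect or 401 instead of calling `next()`. The handler body continues outside the hunk.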


@ -28,6 +28,14 @@ router.get('/auth', csrfProtection, function (req, res) {
router.post('/auth', parseForm, csrfProtection, async (req, res) => { router.post('/auth', parseForm, csrfProtection, async (req, res) => {
let userDoc = await Users.get(); let userDoc = await Users.get();
if (!userDoc) {
res.render('auth', {
title: 'Login page',
header: 'Password not set',
csrfToken: req.csrfToken()
});
}
const passHash = userDoc.passHash; const passHash = userDoc.passHash;
bcrypt.compare(req.body.password, passHash, async (err, result) => { bcrypt.compare(req.body.password, passHash, async (err, result) => {
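Review bot: The new `if (!userDoc)` block renders the "Password not set" page but does not return, so execution falls through to `const passHash = userDoc.passHash;`, which throws a TypeError when `userDoc` is null or undefined; if this is Express 4, which does not await async handlers, that surfaces as an unhandled rejection after a response has already been started. Change the render line to `return res.render('auth', {` (or add `return;` after the block). The same missing `return` appears in the verifyToken hunk below, where `next();` is called for a missing user and then `jwt.verify(token, userDoc.passHash + config.secret, ...)` still runs; use `return next();` there so the chain is not continued twice. The handler body continues outside the hunk.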


@ -15,7 +15,7 @@ module.exports = async function verifyToken(req, res, next) {
if (!userDoc) { if (!userDoc) {
res.locals.isAuthorized = false; res.locals.isAuthorized = false;
next() next();
} }
jwt.verify(token, userDoc.passHash + config.secret, (err, decodedToken) => { jwt.verify(token, userDoc.passHash + config.secret, (err, decodedToken) => {