Auth fix (#54)

* Authorization added * added secret to password, md5 hashing, removed promise from verifyToken, deleted links when not authorized * added dbinsert script * turned verifyToken to middleware, added description for dbinsert, added hidden csrf field in auth form * added middlewares, user model and controller * JSDoc fix * wrong password processing fix * added comments to dbinsert script, moved salt and passHash to singe db doc * Moved salt to .env, upgradedscript for generating password was, fixed comments and JSDoc * Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpyOnly property to jwt cookie * Added verifyToken middleware to aliases route, added check for user existance on POST/auth * Added message "password not set" to client
2025-07-19 05:09:41 +02:00 · 2019-03-07 19:46:37 +03:00 · 2019-03-07 19:46:37 +03:00 · 717fd3fe38
commit 717fd3fe38
parent d4302c50f6
3 changed files with 11 additions and 2 deletions
--- a/src/routes/aliases.js
+++ b/src/routes/aliases.js
@ -3,13 +3,14 @@ const router = express.Router();
 const Aliases = require('../controllers/aliases');
 const Pages = require('../controllers/pages');
 const Alias = require('../models/alias');
+const verifyToken = require('./middlewares/token');

 /**
 * GET /*
 *
 * Return document with given alias
 */
-router.get('*', async (req, res) => {
+router.get('*', verifyToken, async (req, res) => {
  try {
    const alias = await Aliases.get(req.originalUrl.slice(1)); // Cuts first '/' character

--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@ -28,6 +28,14 @@ router.get('/auth', csrfProtection, function (req, res) {
 router.post('/auth', parseForm, csrfProtection, async (req, res) => {
  let userDoc = await Users.get();

+  if (!userDoc) {
+    res.render('auth', {
+      title: 'Login page',
+      header: 'Password not set',
+      csrfToken: req.csrfToken()
+    });
+  }
+
  const passHash = userDoc.passHash;

  bcrypt.compare(req.body.password, passHash, async (err, result) => {
--- a/src/routes/middlewares/token.js
+++ b/src/routes/middlewares/token.js
@ -15,7 +15,7 @@ module.exports = async function verifyToken(req, res, next) {

  if (!userDoc) {
    res.locals.isAuthorized = false;
-    next()
+    next();
  }

  jwt.verify(token, userDoc.passHash + config.secret, (err, decodedToken) => {