From d63323d37fdc5fdc5a8c5705fcdf01960c5aff62 Mon Sep 17 00:00:00 2001 From: timakasucces Date: Fri, 1 Mar 2019 21:37:22 +0300 Subject: [PATCH] Deleted using salt (now user is only one), changed verifying password to bcrypt.compare, added httpyOnly property to jwt cookie --- generatePassword.js | 41 ++++++++++++----------------------------- package.json | 3 ++- src/routes/auth.js | 40 ++++++++++++++++++++++------------------ 3 files changed, 36 insertions(+), 48 deletions(-)
diff --git a/generatePassword.js b/generatePassword.js
index c0152e7..9b5d32e 100644
--- a/generatePassword.js
+++ b/generatePassword.js
@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-let { password: db } = require('../src/utils/database');
+let { password: db } = require('./src/utils/database');
 const program = require('commander');
 const bcrypt = require('bcrypt');
-const saltRounds = 10;
+const saltRounds = 12;
 /**
 * Script for generating password, that will be used to create and edit pages in CodeX.Docs.
@@ -16,47 +16,30 @@ program
 .usage('[password]')
 .arguments('')
 .action(async function (password) {
- let userDoc = null;
-
- bcrypt.genSalt(saltRounds, function (err1, salt) {
- if (err1) {
- return ('Salt generation error');
+ bcrypt.hash(password, saltRounds, async (error, hash) => {
+ if (error) {
+ return 'Hash generating error';
 }
- bcrypt.hash(password, salt, async (err2, hash) => {
- if (err2) {
- return ('Hash generation error');
- }
- await db.remove({}, {multi: true});
+ const userDoc = { passHash: hash };
- userDoc = { passHash: hash };
+ await db.remove({}, {multi: true});
+ await db.insert(userDoc);
- await db.insert(userDoc);
- console.log('Password was successfully generated');
-
- console.log('Salt:', salt);
- console.log('Insert the salt in to the SALT field in .env file');
- });
+ console.log('Password was successfully generated');
 });
 });
-program.parse(process.argv);
-
 program.on('--help', () => {
- console.log('');
- console.log("Don't forget to insert salt value to the .env file after adding a new password!");
 console.log('');
 console.log('Example:');
- console.log('node generatePassword qwerty');
+ console.log('yarn generatePassword qwerty');
 console.log('');
 });
-program.on('command:*', function () {
- console.error('Invalid command: %s\nSee --help or -h for a list of available commands.', program.args.join(' '));
- process.exit(1);
-});
+program.parse(process.argv);
-if (process.argv.length === 2) {
+if (process.argv.length !== 3) {
 console.error('Invalid command: %s\nSee --help or -h for a list of available commands.', program.args.join(' '));
 process.exit(1);
 }
diff --git a/package.json b/package.json
index e875bfd..cdf6f0a 100644
--- a/package.json
+++ b/package.json
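Review bot: A hashing failure is swallowed in the new `.action` callback: `return 'Hash generating error';` hands a string back to bcrypt's callback, which nothing reads, so the script prints nothing and exits 0 while the old password stays in place. Make the failure visible and fatal: `console.error('Hash generating error', error); process.exit(1);`. Separately, `await db.remove({}, {multi: true})` now runs before `await db.insert(userDoc)` inside an async callback whose rejection nothing catches, so if the insert fails the only credential is already gone and the rejection is unhandled; wrapping the two calls in try/catch that logs and calls `process.exit(1)` (or inserting the new document before removing the rest) keeps that state recoverable. The password is still taken from argv, which lands in shell history and is visible to other local users via the process list — not introduced by this change, but worth a `// NOTE: prefer prompting for the password` in the usage help.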
@@ -9,7 +9,8 @@
 "test": "cross-env NODE_ENV=testing mocha --recursive ./test",
 "lint": "eslint --fix --cache ./src/**/*.js",
 "build": "webpack ./src/frontend/js/app.js --o='./public/dist/[name].bundle.js' --output-library=Docs --output-public-path=/dist/ -p --watch",
- "precommit": "yarn lint && yarn test --exit"
+ "precommit": "yarn lint && yarn test --exit",
+ "generatePassword": "node ./generatePassword.js"
 },
 "dependencies": {
 "@babel/polyfill": "^7.0.0",
diff --git a/src/routes/auth.js b/src/routes/auth.js
index 62edfb2..5ba1b0a 100644
--- a/src/routes/auth.js
+++ b/src/routes/auth.js
@@ -15,35 +15,39 @@ const parseForm = bodyParser.urlencoded({ extended: false });
 * Authorization page
 */
 router.get('/auth', csrfProtection, function (req, res) {
- res.render('auth', { title: 'Login page ', header: 'Enter password', csrfToken: req.csrfToken() });
+ res.render('auth', {
+ title: 'Login page',
+ header: 'Enter password',
+ csrfToken: req.csrfToken()
+ });
 });
 /**
 * Process given password
 */
 router.post('/auth', parseForm, csrfProtection, async (req, res) => {
- let salt = process.env.SALT;
+ let userDoc = await Users.get();
- bcrypt.hash(req.body.password, salt, async function (err, hash) {
- if (err) {
- res.status(500);
+ const passHash = userDoc.passHash;
+
+ bcrypt.compare(req.body.password, passHash, async (err, result) => {
+ if (err || result === false) {
+ res.render('auth', {
+ title: 'Login page',
+ header: 'Wrong password',
+ csrfToken: req.csrfToken()
+ });
 }
- const userDoc = await Users.get();
+ const token = jwt.sign({
+ 'iss': 'Codex Team',
+ 'sub': 'auth',
+ 'iat': Date.now()
+ }, passHash + config.secret);
- if (userDoc) {
- const token = jwt.sign({
- 'iss': 'Codex Team',
- 'sub': 'auth',
- 'iat': Date.now()
- }, userDoc.passHash + config.secret);
+ res.cookie('authToken', token, { httpOnly: true });
- res.cookie('authToken', token);
-
- res.redirect('/');
- } else {
- res.render('auth', { title: 'Login page', header: 'Wrong password', csrfToken: req.csrfToken() });
- }
+ res.redirect('/');
 });
 });
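Review bot: The wrong-password branch of the new `bcrypt.compare` callback does not return, so after `res.render('auth', …)` execution continues into `jwt.sign`, `res.cookie('authToken', …)` and `res.redirect('/')`; depending on whether the view engine has already flushed headers, that either throws "Cannot set headers after they are sent" or attaches a valid `authToken` cookie to the wrong-password response, which would be an authentication bypass. Make the rejection terminal: `return res.render('auth', {`. The commit also dropped the old `if (userDoc)` guard: when no password has been generated yet `Users.get()` presumably yields nothing and `userDoc.passHash` throws inside an async handler that Express 4 does not catch, so restore a fail-closed check before the compare, e.g. `if (!userDoc || !userDoc.passHash) { return res.render('auth', { title: 'Login page', header: 'Wrong password', csrfToken: req.csrfToken() }); }`. Since this cookie is the only session credential, `sameSite: 'lax'` and `secure` (when served over HTTPS) belong next to the `httpOnly` flag being added here.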