token encryption working. never send token to the front end.
parent
f3339089ff
commit
0f6ce7c3d8
4 changed files with 42 additions and 12 deletions
|
@ -30,7 +30,7 @@ router.get('/status', function(req, res) {
|
|||
res.json({
|
||||
type: DataEvent.API_REQUEST_GOOD,
|
||||
message: 'Auth is Good',
|
||||
token: session.token
|
||||
token: session.hashToken
|
||||
});
|
||||
} else {
|
||||
res.json({
|
||||
|
@ -60,10 +60,11 @@ router.post('/login', function(req, res) {
|
|||
let session = req.session;
|
||||
session.user = found;
|
||||
session.token = token;
|
||||
session.hashToken = hashToken(token);
|
||||
res.json({
|
||||
type: DataEvent.REQUEST_GOOD,
|
||||
message: 'Welcome Back',
|
||||
token: session.token
|
||||
token: session.hashToken
|
||||
});
|
||||
} else {
|
||||
res.json({
|
||||
|
@ -80,3 +81,7 @@ module.exports = router;
|
|||
function isValidPassword(user, password) {
|
||||
return bCrypt.compareSync(password, user.password);
|
||||
}
|
||||
|
||||
function hashToken(token) {
|
||||
return bCrypt.hashSync(token, bCrypt.genSaltSync(10), null);
|
||||
}
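Review bot: `hashToken` at L92–L98 runs the session JWT through bcrypt, but bcrypt only consumes the first 72 bytes of its input and a JWT is normally longer than that, so the value handed to the client is derived from the header and the start of the payload rather than the whole token. The hash is also itself a bearer credential — whoever presents it passes the compare — so the client-side copy needs the same care the raw token would, which nothing in the new `/status` and `/login` hunks above states. Suggest a header comment on `hashToken` such as `// Bcrypt hash of the session token, returned to the client as its API credential; bcrypt hashes at most the first 72 bytes of the input, and the hash must still be treated as a secret`. `bcrypt-nodejs` is unmaintained and deprecated on npm; `bcryptjs` exposes the same `hashSync`/`compareSync`/`genSaltSync` calls if a swap is wanted. The `/status` and `/login` hunks return the same value, so this one note covers all three hunks.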
|
||||
|
|
|
@ -6,7 +6,9 @@ const multer = require('multer');
|
|||
const fs = require('fs-extra');
|
||||
const moment = require('moment');
|
||||
const jwt = require('jsonwebtoken');
|
||||
const bCrypt = require('bcrypt-nodejs');
|
||||
const book = new Book();
|
||||
const _ = require('lodash');
|
||||
const uploadPath =
|
||||
'./public/assets/images/blog/' + moment().format('YYYY') + '/' + moment().format('MM');
|
||||
fs.ensureDir(uploadPath, () => {
|
||||
|
@ -42,17 +44,27 @@ router.get('/', (req, res) => {
|
|||
Update Page
|
||||
*/
|
||||
router.post('/write/:task?', feature_upload, (req, res) => {
|
||||
/**
|
||||
if (req.session.user) {
|
||||
var member = req.session.user;
|
||||
jwt.verify(req.session.token, member.key, function(err, decoded) {
|
||||
if (err) {
|
||||
console('NOPE', err);
|
||||
}
|
||||
console.log('YUP', decoded);
|
||||
});
|
||||
//Get enctrypted hashed token from header request
|
||||
let hash = req.headers['x-access-token'];
|
||||
//Checks if token is a proper hash, if not reject
|
||||
if (!isTokenValid(req.session.token, hash)) {
|
||||
res.json({
|
||||
type: DataEvent.API_REQUEST_LAME,
|
||||
message: 'Invalid Token. Auth Blocked'
|
||||
});
|
||||
} else {
|
||||
//console.log('TOKEN IS GOOD');
|
||||
var member = req.session.user;
|
||||
jwt.verify(req.session.token, member.key, function(err, decoded) {
|
||||
if (err) {
|
||||
console('NOPE', err);
|
||||
}
|
||||
console.log('YUP', decoded);
|
||||
});
|
||||
}
|
||||
}
|
||||
*/
|
||||
|
||||
var feature = '';
|
||||
if (req.files.length > 0) {
|
||||
var path = req.files[0].path;
|
||||
|
@ -141,3 +153,7 @@ router.post('/add-post-image', post_upload, function(req, res) {
|
|||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
function isTokenValid(token, hashedToken) {
|
||||
return bCrypt.compareSync(token, hashedToken);
|
||||
}
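Review bot: The `x-access-token` check added in the `/write/:task?` hunk (L174–L225) sits between the `/**` at L147 and the `*/` at L231, so if both of those lines are on the new side the whole validation is a comment and the write route still accepts requests without a token; that should be confirmed before this is relied on. When it is enabled, `isTokenValid` at L259–L265 passes `req.session.token` and the raw header straight to `compareSync`, which in bcrypt-nodejs rejects a missing or non-string argument with a thrown error rather than `false` as far as I can tell, so guard first: `if (!req.session || !req.session.token || typeof hash !== 'string' || !isTokenValid(req.session.token, hash)) {`. The `console('NOPE', err)` lines at L162 and L213 call `console` as a function and would throw a TypeError once uncommented; they should be `console.log('NOPE', err)` or dropped. Each accepted request also pays a full cost-10 bcrypt compare, which is a heavier per-request cost than a constant-time compare of an opaque random token kept server-side would be, and the latter would avoid bcrypt's 72-byte input limit; a one-line docstring on `isTokenValid` naming what `token` and `hashedToken` are (the session JWT and the bcrypt hash returned at login) would help the next reader.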
|
||||
|
|
|
@ -135,7 +135,10 @@ export default class PostEditor {
|
|||
)
|
||||
.then(response => {
|
||||
let r = JSON.parse(response.request['response']);
|
||||
if (r.type === DataEvent.PAGE_ERROR) {
|
||||
if (
|
||||
r.type === DataEvent.PAGE_ERROR ||
|
||||
r.type === DataEvent.API_REQUEST_LAME
|
||||
) {
|
||||
notify.alert(r.message, false);
|
||||
} else {
|
||||
if (r.type === DataEvent.PAGE_UPDATED) {
|
||||
|
|
|
@ -52,6 +52,12 @@ export default class APIUtils {
|
|||
}
|
||||
};
|
||||
if (requestType == REQUEST_TYPE_PUT || requestType == REQUEST_TYPE_POST) {
|
||||
if (
|
||||
eventType === DataEvent.API_PAGE_WRITE ||
|
||||
eventType === DataEvent.API_IMAGES_UPLOAD ||
|
||||
eventType === DataEvent.API_SETTINGS_WRITE
|
||||
)
|
||||
request.setRequestHeader('x-access-token', self.token);
|
||||
switch (contentType) {
|
||||
case CONTENT_TYPE_JSON:
|
||||
request.setRequestHeader('Content-type', 'application/' + contentType);
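Review bot: The brace-less `if` at L322–L337 spreads its condition over five lines before its single statement at L337, which is easy to mis-scope when a second statement is added later; wrap it as `) { request.setRequestHeader('x-access-token', self.token); }`. A comment above it would also help, since `self.token` is presumably the bcrypt-hashed session token returned by `/login` in the auth route and the value the API compares on writes — something like `// self.token is the server-issued API credential; treat it like a password, never log it` — confirm against the login response handling. Only three event types get the header while every other PUT/POST goes without it, which is fine only if the server never requires it for them; a short comment saying why these three would make that intent explicit. The enclosing method starts and ends outside the hunk.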
|
||||
|
|