From 0f6ce7c3d834f0ef164c8381f1c4fcc267e0c519 Mon Sep 17 00:00:00 2001
From: Ro
Date: Mon, 2 Dec 2019 17:59:04 -0800
Subject: [PATCH] token encyrption working. never send token to the front end.
---
 brain/api/v1/auth.js | 9 ++++++--
 brain/api/v1/pages.js | 34 +++++++++++++++++++++++--------
 src/com/controllers/PageEditor.js | 5 ++++-
 src/com/utils/APIUtils.js | 6 ++++++
 4 files changed, 42 insertions(+), 12 deletions(-)
diff --git a/brain/api/v1/auth.js b/brain/api/v1/auth.js
index 9522f2d..ada0306 100644
--- a/brain/api/v1/auth.js
+++ b/brain/api/v1/auth.js
@@ -30,7 +30,7 @@ router.get('/status', function(req, res) {
 res.json({
 type: DataEvent.API_REQUEST_GOOD,
 message: 'Auth is Good',
- token: session.token
+ token: session.hashToken
 });
 } else {
 res.json({
@@ -60,10 +60,11 @@ router.post('/login', function(req, res) {
 let session = req.session;
 session.user = found;
 session.token = token;
+ session.hashToken = hashToken(token);
 res.json({
 type: DataEvent.REQUEST_GOOD,
 message: 'Welcome Back',
- token: session.token
+ token: session.hashToken
 });
 } else {
 res.json({
@@ -80,3 +81,7 @@ module.exports = router;
 function isValidPassword(user, password) {
 return bCrypt.compareSync(password, user.password);
 }
+
+function hashToken(token) {
+ return bCrypt.hashSync(token, bCrypt.genSaltSync(10), null);
+}
diff --git a/brain/api/v1/pages.js b/brain/api/v1/pages.js
index 78fc00a..02654bb 100644
--- a/brain/api/v1/pages.js
+++ b/brain/api/v1/pages.js
@@ -6,7 +6,9 @@ const multer = require('multer'); const fs = require('fs-extra'); const moment = require('moment'); const jwt = require('jsonwebtoken');
+const bCrypt = require('bcrypt-nodejs');
 const book = new Book();
+const _ = require('lodash');
 const uploadPath = './public/assets/images/blog/' + moment().format('YYYY') + '/' + moment().format('MM'); fs.ensureDir(uploadPath, () => {
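Review bot: `session.hashToken` on the new `token:` line of the `/status` response is only ever assigned in the `/login` handler, so a session that was established before this change still has `session.token` but no `hashToken`, and this branch hands the client `token: undefined` to echo back as `x-access-token`. Either compute it lazily before responding, `if (!session.hashToken) session.hashToken = hashToken(session.token);`, or treat such a session as needing a fresh login. The enclosing `/status` handler starts and ends outside the hunk, so I am assuming this is the logged-in branch.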
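Review bot: bcrypt only consumes the first 72 bytes of its input, so `hashToken` binds just the leading bytes of the JWT, and `bCrypt.compareSync` in pages.js' `isTokenValid` will accept any bcrypt hash of that same prefix. A signed JWT is normally far longer than 72 bytes, and its leading bytes (the encoded header plus the start of the payload) vary little between users, which weakens the header check this hash is meant to provide. Reduce the token to a fixed length first, e.g. `const digest = crypto.createHash('sha256').update(token).digest('base64');` and pass `digest` to `bCrypt.hashSync` (mirrored in `isTokenValid`), using Node's `crypto` module. Better still, hand the client an unrelated random value from `crypto.randomBytes` and compare it with `crypto.timingSafeEqual`, which also avoids a cost-10 bcrypt compare on every write request.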
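Review bot: `const _ = require('lodash');` is added but `_` is not referenced anywhere in this diff; unless code outside the hunks uses it, drop the require rather than load an unused dependency. The new `bCrypt` require is used by `isTokenValid` further down and is fine.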
@@ -42,17 +44,27 @@ router.get('/', (req, res) => {
 Update Page
 */
 router.post('/write/:task?', feature_upload, (req, res) => {
- /**
 if (req.session.user) {
- var member = req.session.user;
- jwt.verify(req.session.token, member.key, function(err, decoded) {
- if (err) {
- console('NOPE', err);
- }
- console.log('YUP', decoded);
- });
+ //Get enctrypted hashed token from header request
+ let hash = req.headers['x-access-token'];
+ //Checks if token is a proper hash, if not reject
+ if (!isTokenValid(req.session.token, hash)) {
+ res.json({
+ type: DataEvent.API_REQUEST_LAME,
+ message: 'Invalid Token. Auth Blocked'
+ });
+ } else {
+ //console.log('TOKEN IS GOOD');
+ var member = req.session.user;
+ jwt.verify(req.session.token, member.key, function(err, decoded) {
+ if (err) {
+ console('NOPE', err);
+ }
+ console.log('YUP', decoded);
+ });
+ }
 }
- */
+
 var feature = '';
 if (req.files.length > 0) {
 var path = req.files[0].path;
@@ -141,3 +153,7 @@ router.post('/add-post-image', post_upload, function(req, res) { }); module.exports = router;
+
+function isTokenValid(token, hashedToken) {
+ return bCrypt.compareSync(token, hashedToken);
+}
diff --git a/src/com/controllers/PageEditor.js b/src/com/controllers/PageEditor.js
index e3008e3..bd8971e 100644
--- a/src/com/controllers/PageEditor.js
+++ b/src/com/controllers/PageEditor.js
@@ -135,7 +135,10 @@ export default class PostEditor {
 )
 .then(response => {
 let r = JSON.parse(response.request['response']);
- if (r.type === DataEvent.PAGE_ERROR) {
+ if (
+ r.type === DataEvent.PAGE_ERROR ||
+ r.type === DataEvent.API_REQUEST_LAME
+ ) {
 notify.alert(r.message, false);
 } else {
 if (r.type === DataEvent.PAGE_UPDATED) {
diff --git a/src/com/utils/APIUtils.js b/src/com/utils/APIUtils.js
index 7f93541..2942743 100644
--- a/src/com/utils/APIUtils.js
+++ b/src/com/utils/APIUtils.js
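Review bot: The rejection branch does not stop the handler: after `res.json({ type: DataEvent.API_REQUEST_LAME, ... })` control falls out of the `if (req.session.user)` block and continues into `var feature = ''` and the file handling below, so a request with a wrong or missing `x-access-token` is still processed (and any later response will fail with headers already sent). A request with no `req.session.user` skips the check altogether and is processed too. The `jwt.verify` callback likewise only logs, and `console('NOPE', err)` is not callable — `console.error` is meant. The handler body continues past the end of the hunk; the version below returns early for both the unauthenticated and invalid-token cases and uses the synchronous form of `jwt.verify`, which throws, so a bad signature also rejects the write.
```javascript
router.post('/write/:task?', feature_upload, (req, res) => {
    // bcrypt hash handed out at login, sent back by the client in the header
    let hash = req.headers['x-access-token'];
    // Reject before any file handling: no logged-in session, or the header
    // does not match the token held in the session.
    if (!req.session.user || !isTokenValid(req.session.token, hash)) {
        return res.json({
            type: DataEvent.API_REQUEST_LAME,
            message: 'Invalid Token. Auth Blocked'
        });
    }
    try {
        // no callback: verify() is synchronous and throws on a bad token
        jwt.verify(req.session.token, req.session.user.key);
    } catch (err) {
        console.error('NOPE', err);
        return res.json({
            type: DataEvent.API_REQUEST_LAME,
            message: 'Invalid Token. Auth Blocked'
        });
    }
    // … unchanged: feature image / req.files handling …
```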
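Review bot: `isTokenValid` passes both arguments straight to `bCrypt.compareSync`; when the header is absent `hashedToken` is `undefined`, and without a session `token` is as well, and bcrypt-nodejs rejects non-string arguments by throwing (worth confirming against the installed version), which turns a plain unauthenticated request into a 500 instead of the intended `API_REQUEST_LAME` response. Guard the types first: `if (typeof token !== 'string' || typeof hashedToken !== 'string') return false;`. A short JSDoc saying that `token` is the session's JWT and `hashedToken` is the bcrypt hash handed to the client at login would also help the next reader.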
@@ -52,6 +52,12 @@ export default class APIUtils {
 }
 };
 if (requestType == REQUEST_TYPE_PUT || requestType == REQUEST_TYPE_POST) {
+ if (
+ eventType === DataEvent.API_PAGE_WRITE ||
+ eventType === DataEvent.API_IMAGES_UPLOAD ||
+ eventType === DataEvent.API_SETTINGS_WRITE
+ )
+ request.setRequestHeader('x-access-token', self.token);
 switch (contentType) {
 case CONTENT_TYPE_JSON:
 request.setRequestHeader('Content-type', 'application/' + contentType);
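Review bot: The multi-line `if (...)` guarding `request.setRequestHeader('x-access-token', self.token)` has no braces, which is easy to misread once a second statement is added, and it sets the header even when `self.token` is unset, in which case the value is coerced to the string "undefined". Wrap the body in braces and skip the header when there is no token: `if (self.token && (eventType === DataEvent.API_PAGE_WRITE || eventType === DataEvent.API_IMAGES_UPLOAD || eventType === DataEvent.API_SETTINGS_WRITE)) { request.setRequestHeader('x-access-token', self.token); }`. Whether `self.token` is always populated before these requests depends on code outside the hunk.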