forked from projects/fipamo
token encyrption working. never send token to the front end.
This commit is contained in:
parent
f3339089ff
commit
0f6ce7c3d8
4 changed files with 42 additions and 12 deletions
|
@ -30,7 +30,7 @@ router.get('/status', function(req, res) {
|
||||||
res.json({
|
res.json({
|
||||||
type: DataEvent.API_REQUEST_GOOD,
|
type: DataEvent.API_REQUEST_GOOD,
|
||||||
message: 'Auth is Good',
|
message: 'Auth is Good',
|
||||||
token: session.token
|
token: session.hashToken
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
res.json({
|
res.json({
|
||||||
|
@ -60,10 +60,11 @@ router.post('/login', function(req, res) {
|
||||||
let session = req.session;
|
let session = req.session;
|
||||||
session.user = found;
|
session.user = found;
|
||||||
session.token = token;
|
session.token = token;
|
||||||
|
session.hashToken = hashToken(token);
|
||||||
res.json({
|
res.json({
|
||||||
type: DataEvent.REQUEST_GOOD,
|
type: DataEvent.REQUEST_GOOD,
|
||||||
message: 'Welcome Back',
|
message: 'Welcome Back',
|
||||||
token: session.token
|
token: session.hashToken
|
||||||
});
|
});
|
||||||
} else {
|
} else {
|
||||||
res.json({
|
res.json({
|
||||||
|
@ -80,3 +81,7 @@ module.exports = router;
|
||||||
function isValidPassword(user, password) {
|
function isValidPassword(user, password) {
|
||||||
return bCrypt.compareSync(password, user.password);
|
return bCrypt.compareSync(password, user.password);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function hashToken(token) {
|
||||||
|
return bCrypt.hashSync(token, bCrypt.genSaltSync(10), null);
|
||||||
|
}
|
||||||
|
|
|
@ -6,7 +6,9 @@ const multer = require('multer');
|
||||||
const fs = require('fs-extra');
|
const fs = require('fs-extra');
|
||||||
const moment = require('moment');
|
const moment = require('moment');
|
||||||
const jwt = require('jsonwebtoken');
|
const jwt = require('jsonwebtoken');
|
||||||
|
const bCrypt = require('bcrypt-nodejs');
|
||||||
const book = new Book();
|
const book = new Book();
|
||||||
|
const _ = require('lodash');
|
||||||
const uploadPath =
|
const uploadPath =
|
||||||
'./public/assets/images/blog/' + moment().format('YYYY') + '/' + moment().format('MM');
|
'./public/assets/images/blog/' + moment().format('YYYY') + '/' + moment().format('MM');
|
||||||
fs.ensureDir(uploadPath, () => {
|
fs.ensureDir(uploadPath, () => {
|
||||||
|
@ -42,17 +44,27 @@ router.get('/', (req, res) => {
|
||||||
Update Page
|
Update Page
|
||||||
*/
|
*/
|
||||||
router.post('/write/:task?', feature_upload, (req, res) => {
|
router.post('/write/:task?', feature_upload, (req, res) => {
|
||||||
/**
|
|
||||||
if (req.session.user) {
|
if (req.session.user) {
|
||||||
var member = req.session.user;
|
//Get enctrypted hashed token from header request
|
||||||
jwt.verify(req.session.token, member.key, function(err, decoded) {
|
let hash = req.headers['x-access-token'];
|
||||||
if (err) {
|
//Checks if token is a proper hash, if not reject
|
||||||
console('NOPE', err);
|
if (!isTokenValid(req.session.token, hash)) {
|
||||||
}
|
res.json({
|
||||||
console.log('YUP', decoded);
|
type: DataEvent.API_REQUEST_LAME,
|
||||||
});
|
message: 'Invalid Token. Auth Blocked'
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
//console.log('TOKEN IS GOOD');
|
||||||
|
var member = req.session.user;
|
||||||
|
jwt.verify(req.session.token, member.key, function(err, decoded) {
|
||||||
|
if (err) {
|
||||||
|
console('NOPE', err);
|
||||||
|
}
|
||||||
|
console.log('YUP', decoded);
|
||||||
|
});
|
||||||
|
}
|
||||||
}
|
}
|
||||||
*/
|
|
||||||
var feature = '';
|
var feature = '';
|
||||||
if (req.files.length > 0) {
|
if (req.files.length > 0) {
|
||||||
var path = req.files[0].path;
|
var path = req.files[0].path;
|
||||||
|
@ -141,3 +153,7 @@ router.post('/add-post-image', post_upload, function(req, res) {
|
||||||
});
|
});
|
||||||
|
|
||||||
module.exports = router;
|
module.exports = router;
|
||||||
|
|
||||||
|
function isTokenValid(token, hashedToken) {
|
||||||
|
return bCrypt.compareSync(token, hashedToken);
|
||||||
|
}
|
||||||
|
|
|
@ -135,7 +135,10 @@ export default class PostEditor {
|
||||||
)
|
)
|
||||||
.then(response => {
|
.then(response => {
|
||||||
let r = JSON.parse(response.request['response']);
|
let r = JSON.parse(response.request['response']);
|
||||||
if (r.type === DataEvent.PAGE_ERROR) {
|
if (
|
||||||
|
r.type === DataEvent.PAGE_ERROR ||
|
||||||
|
r.type === DataEvent.API_REQUEST_LAME
|
||||||
|
) {
|
||||||
notify.alert(r.message, false);
|
notify.alert(r.message, false);
|
||||||
} else {
|
} else {
|
||||||
if (r.type === DataEvent.PAGE_UPDATED) {
|
if (r.type === DataEvent.PAGE_UPDATED) {
|
||||||
|
|
|
@ -52,6 +52,12 @@ export default class APIUtils {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
if (requestType == REQUEST_TYPE_PUT || requestType == REQUEST_TYPE_POST) {
|
if (requestType == REQUEST_TYPE_PUT || requestType == REQUEST_TYPE_POST) {
|
||||||
|
if (
|
||||||
|
eventType === DataEvent.API_PAGE_WRITE ||
|
||||||
|
eventType === DataEvent.API_IMAGES_UPLOAD ||
|
||||||
|
eventType === DataEvent.API_SETTINGS_WRITE
|
||||||
|
)
|
||||||
|
request.setRequestHeader('x-access-token', self.token);
|
||||||
switch (contentType) {
|
switch (contentType) {
|
||||||
case CONTENT_TYPE_JSON:
|
case CONTENT_TYPE_JSON:
|
||||||
request.setRequestHeader('Content-type', 'application/' + contentType);
|
request.setRequestHeader('Content-type', 'application/' + contentType);
|
||||||
|
|
Loading…
Reference in a new issue