shimapan/app/routes/auth.js

const express = require('express');
const router = express.Router();
const config = require('config');

const ModelPath = '../models/';
const User = require(ModelPath + 'User.js');
const Invite = require(ModelPath + 'Invite.js');

const passport = require('passport');

const canonicalizeRequest = require('../util/canonicalize').canonicalizeRequest;
const requireAuth = require('../util/auth').requireAuth;
const wrap = require('../util/wrap.js');
const verifyBody = require('../util/verifyBody');

// Wraps passport.authenticate to return a promise
const authenticate = (req, res, next) => {
    return new Promise((resolve) => {
        passport.authenticate('local', (err, user) => {
            resolve(user);
        })(req, res, next);
    });
};

// Wraps passport session creation for async usage
const login = (user, req) => {
    return new Promise((resolve) => {
        req.login(user, resolve);
    });
};

// Query the database for a valid invite code. An error message property is set if invalid.
const validateInvite = wrap(async (req, res, next) => {
    const invite = await Invite.findOne({code: req.body.invite}).catch(next);

    if (!invite)
        return res.status(422).json({message: 'Invalid invite code.'});

    if (invite.used)
        return res.status(422).json({message: 'Invite already used.'});

    if (invite.expires != null && invite.expires < Date.now())
        return res.status(422).json({message: 'Invite expired.'});

    req.invite = invite;
    next();
});

// Check if the requested username is valid
const validateUsername = wrap(async (req, res, next) => {
    const username = req.body.username;

    if (username.length > config.get('User.Username.maxLength'))
        return res.status(422).json({message: 'Username too long.'});

    const restrictedRegex = new RegExp(config.get('User.Username.restrictedChars'), 'g');
    if (username !== req.sanitize(username).replace(restrictedRegex, ''))
        return res.status(422).json({message: 'Username contains invalid characters.'});

    const count = await User.countDocuments({username: username}).catch(next);
    if (count !== 0)
        return res.status(422).json({message: 'Username in use.'});

    next();
});

const registerProps = [
    {name: 'displayname', type: 'string'},
    {name: 'password', type: 'string'},
    {name: 'invite', type: 'string'}];
router.post('/register',
    verifyBody(registerProps), canonicalizeRequest,
    validateInvite, validateUsername,
    wrap(async (req, res, next) => {
    // Update the database
    await Promise.all([
        User.register({
            username: req.body.username,
            displayname: req.body.displayname,
            scope: req.invite.scope,
            date: Date.now()
        }, req.body.password).catch(next),
        Invite.updateOne({code: req.invite.code}, {recipient: req.body.username, used: Date.now()}).catch(next)
    ]);

    res.status(200).json({'message': 'Registration successful.'});
}));

const loginProps = [
    {name: 'username', type: 'string', optional: true},
    {name: 'displayname', type: 'string', optional: true},
    {name: 'password', type: 'string'}];
router.post('/login', verifyBody(loginProps), canonicalizeRequest, wrap(async (req, res, next) => {
    // Authenticate
    const user = await authenticate(req, res, next);
    if (!user)
        return res.status(401).json({'message': 'Unauthorized.'});

    // Create session
    await login(user, req);

    // Set session vars
    req.session.passport.displayname = user.displayname;
    req.session.passport.scope = user.scope;

    res.status(200).json({'message': 'Logged in.'});
}));

router.post('/logout', function (req, res) {
    if (!req.isAuthenticated())
        return res.status(400).json({message: 'Not logged in.'});

    req.logout();
    res.status(200).json({'message': 'Logged out.'});
});

router.get('/whoami', requireAuth(), (req, res) => {
    res.status(200).json({
        user: req.username,
        display: req.displayname,
        scope: req.scope,
        key: req.key
    });
});

module.exports = router;
Properly async-ify registration code 2018-07-25 01:45:05 -04:00			`const express = require('express');`
			`const router = express.Router();`
Replace constants with configurable values 2018-07-26 17:34:47 -04:00			`const config = require('config');`
Refactor all base auth routes, allowing for case insensitivity and unicode usernames. 2018-01-15 15:29:32 -05:00
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`const ModelPath = '../models/';`
			`const User = require(ModelPath + 'User.js');`
			`const Invite = require(ModelPath + 'Invite.js');`

			`const passport = require('passport');`

Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`const canonicalizeRequest = require('../util/canonicalize').canonicalizeRequest;`
Separate out logic in requireAuth and make one unified auth.js include 2018-07-29 19:59:24 -04:00			`const requireAuth = require('../util/auth').requireAuth;`
Change wrap to only export itself 2018-07-26 21:52:47 -04:00			`const wrap = require('../util/wrap.js');`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const verifyBody = require('../util/verifyBody');`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`// Wraps passport.authenticate to return a promise`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const authenticate = (req, res, next) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`return new Promise((resolve) => {`
			`passport.authenticate('local', (err, user) => {`
			`resolve(user);`
			`})(req, res, next);`
			`});`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`};`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`// Wraps passport session creation for async usage`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const login = (user, req) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`return new Promise((resolve) => {`
			`req.login(user, resolve);`
			`});`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`};`
Clean up and parallelize auth code 2017-10-12 12:50:02 -04:00
Properly async-ify registration code 2018-07-25 01:45:05 -04:00			`// Query the database for a valid invite code. An error message property is set if invalid.`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const validateInvite = wrap(async (req, res, next) => {`
			`const invite = await Invite.findOne({code: req.body.invite}).catch(next);`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
			`if (!invite)`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`return res.status(422).json({message: 'Invalid invite code.'});`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
			`if (invite.used)`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`return res.status(422).json({message: 'Invite already used.'});`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Change exp field to expires 2018-07-27 14:23:23 -04:00			`if (invite.expires != null && invite.expires < Date.now())`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`return res.status(422).json({message: 'Invite expired.'});`
Add invite codes for registering 2017-10-11 12:55:46 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`req.invite = invite;`
			`next();`
			`});`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`// Check if the requested username is valid`
			`const validateUsername = wrap(async (req, res, next) => {`
			`const username = req.body.username;`
Add checks for bad requests in auth.js to prevent 500 2018-07-28 12:53:49 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`if (username.length > config.get('User.Username.maxLength'))`
			`return res.status(422).json({message: 'Username too long.'});`
Add checks for bad requests in auth.js to prevent 500 2018-07-28 12:53:49 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const restrictedRegex = new RegExp(config.get('User.Username.restrictedChars'), 'g');`
			`if (username !== req.sanitize(username).replace(restrictedRegex, ''))`
			`return res.status(422).json({message: 'Username contains invalid characters.'});`
Add checks for bad requests in auth.js to prevent 500 2018-07-28 12:53:49 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const count = await User.countDocuments({username: username}).catch(next);`
			`if (count !== 0)`
			`return res.status(422).json({message: 'Username in use.'});`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`next();`
			`});`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`const registerProps = [`
			`{name: 'displayname', type: 'string'},`
			`{name: 'password', type: 'string'},`
			`{name: 'invite', type: 'string'}];`
			`router.post('/register',`
Verify the request before attempting to canonicalize it 2018-07-29 10:57:27 -04:00			`verifyBody(registerProps), canonicalizeRequest,`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`validateInvite, validateUsername,`
			`wrap(async (req, res, next) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`// Update the database`
			`await Promise.all([`
			`User.register({`
			`username: req.body.username,`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`displayname: req.body.displayname,`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`scope: req.invite.scope,`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`date: Date.now()`
Rewrite auth router to use middleware for verification 2018-07-28 18:22:48 -04:00			`}, req.body.password).catch(next),`
			`Invite.updateOne({code: req.invite.code}, {recipient: req.body.username, used: Date.now()}).catch(next)`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`]);`
Properly async-ify registration code 2018-07-25 01:45:05 -04:00
			`res.status(200).json({'message': 'Registration successful.'});`
			`}));`
Work on stuff... 2017-10-11 10:15:19 -04:00
Fix login body verification 2018-07-29 11:00:14 -04:00			`const loginProps = [`
			`{name: 'username', type: 'string', optional: true},`
			`{name: 'displayname', type: 'string', optional: true},`
			`{name: 'password', type: 'string'}];`
Verify the request before attempting to canonicalize it 2018-07-29 10:57:27 -04:00			`router.post('/login', verifyBody(loginProps), canonicalizeRequest, wrap(async (req, res, next) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`// Authenticate`
			`const user = await authenticate(req, res, next);`
			`if (!user)`
			`return res.status(401).json({'message': 'Unauthorized.'});`

			`// Create session`
			`await login(user, req);`

Make requireAuth() add request variables 2018-07-26 13:15:54 -04:00			`// Set session vars`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`req.session.passport.displayname = user.displayname;`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`req.session.passport.scope = user.scope;`

			`res.status(200).json({'message': 'Logged in.'});`
			`}));`
Work on stuff... 2017-10-11 10:15:19 -04:00
Make requireAuth() add request variables 2018-07-26 13:15:54 -04:00			`router.post('/logout', function (req, res) {`
Add checks for bad requests in auth.js to prevent 500 2018-07-28 12:53:49 -04:00			`if (!req.isAuthenticated())`
			`return res.status(400).json({message: 'Not logged in.'});`

Work on stuff 2017-10-18 13:31:08 -04:00			`req.logout();`
			`res.status(200).json({'message': 'Logged out.'});`
Add fallback cookie auth method 2017-10-14 17:49:11 -04:00			`});`

Make requireAuth() add request variables 2018-07-26 13:15:54 -04:00			`router.get('/whoami', requireAuth(), (req, res) => {`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`res.status(200).json({`
Make use of username/displayname field consistent throughout api 2018-07-26 19:40:42 -04:00			`user: req.username,`
			`display: req.displayname,`
			`scope: req.scope,`
			`key: req.key`
Rewrite User tests to be async 2018-07-25 18:45:38 -04:00			`});`
Work on stuff 2017-10-18 13:31:08 -04:00			`});`
Work on stuff... 2017-10-11 10:15:19 -04:00
			`module.exports = router;`