diff --git a/app/routes.js b/app/routes.js index 78474aa..868f562 100644 --- a/app/routes.js +++ b/app/routes.js @@ -12,7 +12,19 @@ var path = require('path'); var jwt = require('express-jwt'); var jwtauth = jwt({ secret: fs.readFileSync(path.join(__dirname, '../jwt.pem'), 'utf8'), - userProperty: 'payload' + userProperty: 'payload', + getToken: function(req) { + if (req.headers.authorization && req.headers.authorization.split(' ')[0] === 'Bearer') { + // First check Authorization header + return req.headers.authorization.split(' ')[1]; + } else if (req.cookies && req.cookies['shimapan-token']) { + // Get from cookies as fallback + return req.cookies['shimapan-token']; + } + + // no token received + return null; + } }); module.exports = function(app) { @@ -23,8 +35,8 @@ module.exports = function(app) { app.use('/api/auth', auth); app.use('/register', register); app.use('/login', login); - app.use('/panel', panel); - app.use('/panel*', panel); + app.use('/panel', jwtauth, panel); + app.use('/panel*', jwtauth, panel); app.use(function(err, req, res, next) { if (err.name === 'UnauthorizedError') { diff --git a/app/routes/auth.js b/app/routes/auth.js index 7554092..995a051 100644 --- a/app/routes/auth.js +++ b/app/routes/auth.js @@ -16,14 +16,14 @@ function checkUsername(username, callback) { if (username.length > 30) return callback(null, false); if (striptags(username) !== username) return callback(null, false); - User.find({username: username}).limit(1).count(function(err, count) { + User.find({username: username}).limit(1).count(function (err, count) { if (err) return callback(err); (count === 0) ? callback(null, true) : callback(null, false); }); } function checkInvite(code, callback) { - Invite.findOne({code: code}, function(err, invite) { + Invite.findOne({code: code}, function (err, invite) { if (err) return callback(err); if (!invite || invite.used || invite.exp < new Date()) callback(null, false); @@ -33,25 +33,25 @@ function checkInvite(code, callback) { } function useInvite(code, username) { - Invite.updateOne({code: code}, {recipient: username, used: new Date()}, function(err, res) { + Invite.updateOne({code: code}, {recipient: username, used: new Date()}, function (err, res) { if (err) throw err; }); } -router.post('/register', function(req, res) { +router.post('/register', function (req, res) { // Validate the parameters async.parallel({ - userCheck: function(callback) { - checkUsername(req.body.username, function(err, valid) { + userCheck: function (callback) { + checkUsername(req.body.username, function (err, valid) { callback(err, valid); }); }, - inviteCheck: function(callback) { - checkInvite(req.body.invite, function(err, valid, invite) { + inviteCheck: function (callback) { + checkInvite(req.body.invite, function (err, valid, invite) { callback(err, {valid: valid, invite: invite}); }); } - }, function(err, result) { + }, function (err, result) { if (!result.userCheck) { res.status(401).json({'message': 'Invalid username.'}); } else if (!result.inviteCheck.valid) { @@ -64,27 +64,44 @@ router.post('/register', function(req, res) { user.date = new Date(); user.setPassword(req.body.password); - user.save(function(err) { - if (err) + user.save(function (err) { + if (err) { res.status(500).json({'message': 'Internal server error.'}); - else - res.status(200).json({'token': user.genJwt()}); - }) + } else { + res.status(200) + .cookie('shimapan-token', user.genJwt(), { + expires: new Date(Date.now() + 604800000), + httpOnly: true + }) + .json({'token': user.genJwt()}); + } + }); } }); }); -router.post('/login', function(req, res) { - passport.authenticate('local', function(err, user, info) { - if (err) +router.post('/login', function (req, res) { + passport.authenticate('local', function (err, user, info) { + if (err) { res.status(500).json(err); - else if (user) - res.status(200).json({'token': user.genJwt() }); - else + } else if (user) { + res.status(200) + .cookie('shimapan-token', user.genJwt(), { + expires: new Date(Date.now() + 604800000), + httpOnly: true + }) + .json({'token': user.genJwt()}); + } else { res.status(401).json(info); + } })(req, res); }); +router.get('/logout', function(req, res) { + res.clearCookie('shimapan-token'); + res.status(200).json({'message': 'Successfully logged out.'}); +}); + module.exports = router; \ No newline at end of file diff --git a/public/js/services/AuthSvc.js b/public/js/services/AuthSvc.js index 7b33a5d..355abb3 100644 --- a/public/js/services/AuthSvc.js +++ b/public/js/services/AuthSvc.js @@ -42,7 +42,12 @@ angular.module('AuthSvc', []).service('AuthService', ['$http', '$window', functi }; this.logout = function() { $window.localStorage.removeItem('shimapan-token'); - $window.location.href = '/'; + $http({ + method: 'GET', + url: '/api/auth/logout' + }).then(function(res) { + $window.location.href = '/'; + }); }; this.isLoggedIn = function() { var payload = decodeToken(getToken()); diff --git a/server.js b/server.js index 7022da0..4ccf38c 100644 --- a/server.js +++ b/server.js @@ -4,6 +4,7 @@ var methodOverride = require('method-override'); var mongoose = require('mongoose'); var morgan = require('morgan'); var passport = require('passport'); +var cookieParser = require('cookie-parser'); var app = express(); @@ -21,6 +22,7 @@ db.on('error', function(err) { require('./config/passport.js'); +app.use(cookieParser()); app.use(bodyParser.json()); app.use(bodyParser.json({ type: 'application/json' })); app.use(bodyParser.urlencoded({ extended: true }));