var db = require("../utils/database");
var maild = require("../utils/mailer.js");
+var TokenGen = require("../utils/tokenGenerator");
/*
* Structure:
db.serialize(function() {
db.get(
"SELECT * FROM Users " +
- "WHERE " + by " = " + delimiter + value + delimiter,
+ "WHERE " + by + " = " + delimiter + value + delimiter,
callback);
});
}
});
}
-exports.setSessionToken = function(token, uid, cb)
+// Set session token only if empty (first login)
+// TODO: weaker security (but avoid to re-login everywhere after each logout)
+exports.trySetSessionToken = function(uid, cb)
{
// Also empty the login token to invalidate future attempts
db.serialize(function() {
- db.run(
- "UPDATE Users " +
- "SET loginToken = NULL AND sessionToken = " + token + " " +
- "WHERE id = " + uid);
+ db.get(
+ "SELECT sessionToken " +
+ "FROM Users " +
+ "WHERE id = " + uid, (err,token) => {
+ if (!!err)
+ return cb(err);
+ const newToken = token || TokenGen.generate(params.token.length);
+ db.run(
+ "UPDATE Users " +
+ "SET loginToken = NULL " +
+ (!token ? "AND sessionToken = " + newToken + " " : "") +
+ "WHERE id = " + uid);
+ cb(null, newToken);
+ });
});
}
-exports.updateSettings = function(name, email, notify, cb)
+exports.updateSettings = function(user, cb)
{
db.serialize(function() {
db.run(
"UPDATE Users " +
- "SET name = " + name +
- " AND email = " + email +
- " AND notify = " + notify + " " +
- "WHERE id = " + uid);
+ "SET name = " + user.name +
+ " AND email = " + user.email +
+ " AND notify = " + user.notify + " " +
+ "WHERE id = " + user._id);
});
}
var router = require("express").Router();
var UserModel = require('../models/User');
-var maild = require('../utils/mailer');
+var sendEmail = require('../utils/mailer');
var TokenGen = require("../utils/tokenGenerator");
var access = require("../utils/access");
+var params = require("../config/parameters");
// to: object user
function setAndSendLoginToken(subject, to, res)
{
// Set login token and send welcome(back) email with auth link
let token = TokenGen.generate(params.token.length);
- UserModel.setLoginToken(token, to._id, to.ip, (err,ret) => {
+ UserModel.setLoginToken(token, to._id, (err,ret) => {
access.checkRequest(res, err, ret, "Cannot set login token", () => {
- maild.send({
- from: params.mail.from,
- to: to.email,
- subject: subject,
- body: "Hello " + to.initials + "!\n" +
- "Access your account here: " +
- params.siteURL + "/authenticate?token=" + token + "\\n" +
- "Token will expire in " + params.token.expire/(1000*60) + " minutes."
- }, err => {
+ const body =
+ "Hello " + to.initials + "!\n" +
+ "Access your account here: " +
+ params.siteURL + "/authenticate?token=" + token + "\\n" +
+ "Token will expire in " + params.token.expire/(1000*60) + " minutes."
+ sendEmail(params.mail.from, to.email, subject, body, err => {
res.json(err || {});
});
});
return res.json({errmsg: error});
UserModel.create(name, email, (err,user) => {
access.checkRequest(res, err, user, "Registration failed", () => {
- user.ip = req.ip;
setAndSendLoginToken("Welcome to " + params.siteURL, user, res);
});
});
router.put('/sendtoken', access.unlogged, access.ajax, (req,res) => {
let email = decodeURIComponent(req.body.email);
let error = checkObject({email:email}, "User");
- console.log(email)
if (error.length > 0)
return res.json({errmsg: error});
- UserModel.getByEmail(email, (err,user) => {
+ UserModel.getOne("email", email, (err,user) => {
access.checkRequest(res, err, user, "Unknown user", () => {
setAndSendLoginToken("Token for " + params.siteURL, user, res);
});
router.get('/authenticate', access.unlogged, (req,res) => {
UserModel.getByLoginToken(req.query.token, (err,user) => {
access.checkRequest(res, err, user, "Invalid token", () => {
- if (user.loginToken.ip != req.ip)
- return res.json({errmsg: "IP address mismatch"});
- let now = new Date();
- let tsNow = now.getTime();
+ let tsNow = Date.now();
// If token older than params.tokenExpire, do nothing
- if (user.loginToken.timestamp + params.token.expire < tsNow)
+ if (Date.now() > user.loginTime + params.token.expire)
return res.json({errmsg: "Token expired"});
- // Generate and update session token + destroy login token
- let token = TokenGen.generate(params.token.length);
- UserModel.setSessionToken(token, user._id, (err,ret) => {
+ // Generate session token (if not exists) + destroy login token
+ UserModel.trySetSessionToken(user._id, (err,token) => {
if (!!err)
return res.json(err);
// Set cookie
res.cookie("token", token, {
httpOnly: true,
+ secure: true,
maxAge: params.cookieExpire
});
res.redirect("/");
});
router.put('/settings', access.logged, access.ajax, (req,res) => {
- let user = JSON.parse(req.body.user);
- let error = checkObject(user, "User");
- if (error.length > 0)
- return res.json({errmsg: error});
- user._id = ObjectID(req.user._id);
+ const user = JSON.parse(req.body.user);
+ // TODO: either verify email + name, or re-apply the following logic:
+ //let error = checkObject(user, "User");
+ //if (error.length > 0)
+ // return res.json({errmsg: error});
+ user._id = req.user._id; //TODO:
UserModel.updateSettings(user, (err,ret) => {
access.checkRequest(res, err, ret, "Settings update failed", () => {
res.json({});
});
});
+// Logout on server because the token cookie is secured + http-only
router.get('/logout', access.logged, (req,res) => {
- // TODO: cookie + redirect is enough (https, secure cookie
- // https://www.information-security.fr/securite-sites-web-lutilite-flags-secure-httponly/ )
- UserModel.logout(req.cookies.token, (err,ret) => {
- access.checkRequest(res, err, ret, "Logout failed", () => {
- res.clearCookie("token");
- req.user = null;
- res.redirect('/');
- });
- });
+ res.clearCookie("token");
+ res.redirect('/');
});
module.exports = router;
projects / vchess.git / commitdiff