From: Benjamin Auder <benjamin.auder@somewhere>
Date: Tue, 26 Mar 2019 15:46:02 +0000 (+0100)
Subject: Fix authentication
X-Git-Url: https://git.auder.net/doc/%7B%7B%20asset%28%27mixstore/current/img/common.css?a=commitdiff_plain;h=deca03e8aeb7cac9c19b0d43b4642b27299695b5;p=vchess.git

Fix authentication
---

diff --git a/client/src/components/UpsertUser.vue b/client/src/components/UpsertUser.vue
index 46f3bfe8..8d0b7369 100644
--- a/client/src/components/UpsertUser.vue
+++ b/client/src/components/UpsertUser.vue
@@ -26,7 +26,7 @@ div
           i.material-icons send
         button(v-if="stage!='Update'" @click="toggleStage()")
           span {{ stage=="Login" ? "Register" : "Login" }}
-        button(v-else onClick="location.replace('/logout')")
+        button(v-else @click="doLogout()")
           span Logout
       #dialog(:style="{display: displayInfo}") {{ infoMsg }}
 </template>
@@ -39,9 +39,9 @@ export default {
   name: 'my-upsert-user',
   data: function() {
     return {
-      user: Object.assign({}, store.state.user),
+      user: store.state.user,
       nameOrEmail: "", //for login
-      stage: (store.state.user.id > 0 ? "Update" : "Login"), //TODO?
+      logStage: "Login", //or Register
       infoMsg: "",
       enterTime: Number.MAX_SAFE_INTEGER, //for a basic anti-bot strategy
     };
@@ -61,6 +61,9 @@ export default {
     displayInfo: function() {
       return (this.infoMsg.length > 0 ? "block" : "none");
     },
+    stage: function() {
+      return this.user.id > 0 ? "Update" : this.logStage;
+    },
   },
   methods: {
     trySetEnterTime: function(event) {
@@ -69,7 +72,7 @@ export default {
     },
     toggleStage: function() {
       // Loop login <--> register (update is for logged-in users)
-      this.stage = (this.stage == "Login" ? "Register" : "Login");
+      this.logStage = (this.logStage == "Login" ? "Register" : "Login");
     },
     ajaxUrl: function() {
       switch (this.stage)
@@ -137,6 +140,18 @@ export default {
         }
       );
     },
+    doLogout: function() {
+      ajax(
+        "/logout",
+        "GET",
+        () => {
+          this.user.id = 0;
+          this.user.name = "";
+          this.user.email = "";
+          this.user.notify = false;
+        }
+      );
+    },
   },
 };
 </script>
diff --git a/client/src/router.js b/client/src/router.js
index 89bdf738..0f038497 100644
--- a/client/src/router.js
+++ b/client/src/router.js
@@ -32,13 +32,11 @@ export default new Router({
       path: "/authenticate/:token",
       name: "authenticate",
       beforeEnter: (to, from, next) => {
-        console.log("ajax call authenticate");
         ajax(
           "/authenticate",
           "GET",
           {token: to.params["token"]},
           (res) => {
-            console.log(res);
             store.state.user.id = res.id;
             store.state.user.name = res.name;
             store.state.user.email = res.email;
@@ -48,25 +46,8 @@ export default new Router({
           }
         );
       },
-      redirect: "/",
-    },
-    {
-      path: "/logout",
-      name: "logout",
-      beforeEnter: (to, from, next) => {
-        ajax(
-          "/logout",
-          "GET",
-          () => {
-            store.state.user.id = 0;
-            store.state.user.name = "";
-            store.state.user.email = "";
-            store.state.user.notify = false;
-            next();
-          }
-        );
-      },
-      redirect: "/",
+      component: Hall,
+      //redirect: "/", //problem: redirection before end of AJAX request
     },
 //    {
 //      path: "/about",
diff --git a/client/src/utils/ajax.js b/client/src/utils/ajax.js
index 0a50a104..1d181fa2 100644
--- a/client/src/utils/ajax.js
+++ b/client/src/utils/ajax.js
@@ -47,9 +47,8 @@ export function ajax(url, method, data, success, error)
 	}
 	xhr.open(method, params.serverUrl + url, true);
 	xhr.setRequestHeader('X-Requested-With', "XMLHttpRequest");
-	// Next line because logout and authenticate set (cross-domain in dev mode) cookies
-  if (url.startsWith("/authenticate") || url.startsWith("/logout"))
-    xhr.withCredentials = true;
+	// Next line to allow cross-domain cookies in dev mode (TODO: if...)
+  xhr.withCredentials = true;
   if (["POST","PUT"].includes(method))
 	{
 		xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
diff --git a/server/routes/all.js b/server/routes/all.js
index 982f2a46..45eb21ba 100644
--- a/server/routes/all.js
+++ b/server/routes/all.js
@@ -1,4 +1,10 @@
 var router = require("express").Router();
+var access = require("../utils/access");
+
+// To avoid a weird preflight AJAX request error in dev mode...
+router.get("/", access.ajax, (req,res) => {
+  res.json({});
+});
 
 router.use("/", require("./challenges"));
 //router.use("/", require("./games"));
diff --git a/server/routes/users.js b/server/routes/users.js
index 4b142d71..d633d811 100644
--- a/server/routes/users.js
+++ b/server/routes/users.js
@@ -17,7 +17,6 @@ router.get("/whoami", access.ajax, (req,res) => {
     });
   };
   const anonymous = {name:"", email:"", id:0, notify:false};
-  console.log(req.cookies); //TODO: cookie not found after authenticate ?
 	if (!req.cookies.token)
     return callback(anonymous);
   UserModel.getOne("sessionToken", req.cookies.token, function(err, user) {
@@ -42,9 +41,7 @@ function setAndSendLoginToken(subject, to, res)
 			params.siteURL + "/#/authenticate/" + token + "\\n" +
 			"Token will expire in " + params.token.expire/(1000*60) + " minutes."
 		sendEmail(params.mail.noreply, to.email, subject, body, err => {
-      // "id" is generally the only info missing on client side,
-			// but the name is also unknown if log-in with the email.
-			res.json(err || {id: to.id, name: to.name});
+			res.json(err || {});
 		});
 	});
 }