Project Auth - Aunt Authy, strict but fair #345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

kathinka wants to merge 41 commits into Technigo:master from kathinka:master

.env.example

-Original file line number
+Diff line change
@@ -0,0 +1,3 @@
+    VITE_API_KEY=
+    MONGO_URL=
+    SECRET=

backend/.env.example

Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		MONGO_URL=
		SECRET=

backend/middleware/Middleware.js

-Original file line number
+Diff line change
@@ -0,0 +1,122 @@
+    import User from "../model/user-model";
+    import dotenv from "dotenv";
+    import Blacklist from "../model/blacklist-model";
+    import jwt from "jsonwebtoken";
+    dotenv.config();
+    const SECRET = process.env.SECRET || "toast is the best secret";
+    const authenticateUser = async (req, res, next) => {
+      // Get the token from the request headers
+      const bearerHeader = req.headers["authorization"];
+      //check if token is undefined, because if it is, we don't have any time for that - bzzzt!
+      if (typeof bearerHeader !== "undefined") {
+        //split the token like a lumberjack, and separate the bearer from the token
+        const bearer = bearerHeader.split(" ");
+        // Check if the bearer array has exactly 2 elements and the first element is 'Bearer'
+        if (bearer.length === 2 && bearer[0] === "Bearer") {
+          const bearerToken = bearer[1];
+          try {
+            //decode the token 🤫
+            const decoded = jwt.verify(bearerToken, SECRET);
+            // find user with the decoded id
+            const user = await User.findById(decoded.id);
+            //check if user exists and ready to party like a request object
+            if (user) {
+              req.user = user;
+              req.user.accessToken = bearerToken; // Set the access token for the user
+              //move to the next middleware -> authorizeUser or isLoggedIn to see if token is valid (not stored in blacklist)
+              next();
+            } else {
+              res.status(401).json({
+                loggedOut: true,
+                message: "you must log in to gain access",
+              });
+            }
+          } catch (err) {
+            res.status(403).json({ loggedOut: true, message: "Invalid token" });
+          }
+        } else {
+          res.status(403).json({
+            loggedOut: true,
+            message:
+              "Invalid Authorization header format. It should be 'Bearer <token>'",
+          });
+        }
+      } else {
+        res.status(403).json({ loggedOut: true, message: "No token provided" });
+      }
+    };
+    // authorize user
+    const authorizeUser = (roles) => {
+      return (req, res, next) => {
+        //check if user role is in the roles array and can hang out with the cool kids
+        if (!roles.includes(req.user.role)) {
+          return res.status(403).json({
+            message: `You are not authorized to access this page. Required roles: ${roles.join(
+              ", "
+            )}`,
+          });
+        }
+        next();
+      };
+    };
+    //check if user is logged in and the token is not in the blacklist
+    const isLoggedIn = async (req, res, next) => {
+      if (req.user) {
+        try {
+          // Query the database to check if the token exists in the blacklist
+          const tokenInBlacklist = await Blacklist.findOne({
+            token: req.user.accessToken,
+          });
+          // If the token is in the blacklist, return a 401 status
+          if (tokenInBlacklist) {
+            return res
+              .status(401)
+              .json({ message: "This token has been invalidated" });
+          }
+          // If the token is not in the blacklist, proceed to the next middleware function or route handler
+          next();
+        } catch (error) {
+          // If there's an error while querying the database, return a 500 status with a detailed error message
+          return res.status(500).json({
+            message: "Error retrieving token blacklist",
+            error: error.message,
+          });
+        }
+      } else {
+        // If the user is not logged in, return a 403 status
+        res.status(403).json({ message: "No user logged in" });
+      }
+    };
+    //log out user
+    const logoutUser = async (req, res, next) => {
+      try {
+        if (!req.user || !req.user.accessToken) {
+          return res.status(400).json({ message: "Invalid user or access token" });
+        }
+        // Add the token to the blacklist, so it can't be used again
+        const token = req.user.accessToken;
+        const blacklistEntry = new Blacklist({ token: token });
+        await blacklistEntry.save();
+        //remove the access token from the user, this was a one time thing baby- you got to let it go
+        req.user.accessToken = null;
+        await req.user.save();
+        //tell the user they are logged out, because we are polite like that, and dont ghost people
+        res.json({ message: "You are now logged out" });
+      } catch (error) {
+        // if we can let that user go, we will let them know - but if we can't, we will let the console know
+        res.status(500).json({
+          message: "An error occurred while logging out",
+          error: error.message,
+        });
+      }
+    };
+    export { authenticateUser, authorizeUser, logoutUser, isLoggedIn };

backend/model/blacklist-model.js

-Original file line number
+Diff line change
@@ -0,0 +1,14 @@
+    import mongoose from "mongoose";
+    const BlacklistSchema = new mongoose.Schema({
+      token: {
+        type: String,
+        required: true,
+        unique: true,
+      },
+    });
+    const Blacklist = mongoose.model("Blacklist", BlacklistSchema);
+    // Export the model
+    export default Blacklist;

backend/model/user-model.js

-Original file line number
+Diff line change
@@ -0,0 +1,50 @@
+    import mongoose from "mongoose";
+    import bcryptjs from "bcryptjs";
+    const SALT_ROUNDS = 12; // make this configurable so we can adjust the security level if needed
+    // Create a schema
+    const userSchema = new mongoose.Schema({
+      name: {
+        type: String,
+        required: [true, "Name is required"],
+        minlength: [2, "Name must be at least 2 characters"],
+        maxlength: [30, "Name must be at most 30 characters"],
+      },
+      email: {
+        type: String,
+        required: [true, "Email is required"],
+        unique: true,
+        match: [/\S+@\S+\.\S+/, "Email is invalid"],
+      },
+      password: {
+        type: String,
+        required: [true, "Password is required"],
+        minlength: [5, "Password must be at least 5 characters"],
+      },
+      role: {
+        type: String,
+        enum: ["user", "writer", "editor", "admin"],
+        default: "user",
+      },
+      refreshToken: {
+        type: String,
+        default: null,
+      },
+    });
+    //use matchPassword method to compare the entered password with the hashed password in the database
+    userSchema.methods.matchPassword = async function (enteredPassword) {
+      return await bcryptjs.compare(enteredPassword, this.password);
+    };
+    //add a pre-save hook to hash the password *before* saving it to the database so we don't store the password in plain text because we are mysterious and security conscious
+    userSchema.pre("save", async function (next) {
+      // we only hash the password if it has been modified (or is new)
+      if (!this.isModified("password")) {
+        next();
+      }
+      // hash the password before saving it to the database with the SALT_ROUNDS we can easoly adjust the security level.
+      this.password = await bcryptjs.hash(this.password, SALT_ROUNDS);
+    });
+    export default mongoose.model("User", userSchema);

backend/package.json

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -1,7 +1,7 @@
  
    {

      "name": "project-auth-backend",

      "version": "1.0.0",

      "description": "Starter project to get up and running with express quickly",

      "description": "Project Aunt Authy - a test project for authentication - authentication with JWT, bcryptjs, express, mongoose, and one strict Aunt Authy",

      "scripts": {

        "start": "babel-node server.js",

        "dev": "nodemon server.js --exec babel-node"

    @@ -12,8 +12,17 @@
  
        "@babel/core": "^7.17.9",

        "@babel/node": "^7.16.8",

        "@babel/preset-env": "^7.16.11",

        "atob": "^2.1.2",

        "bcryptjs": "^2.4.3",

        "cookie-parser": "^1.4.6",

        "cors": "^2.8.5",

        "csurf": "^1.11.0",

        "dompurify": "^3.1.4",

        "dotenv": "^16.4.5",

        "express": "^4.17.3",

        "express-list-endpoints": "^7.1.0",

        "express-session": "^1.18.0",

        "jsonwebtoken": "^9.0.2",

        "mongoose": "^8.0.0",

        "nodemon": "^3.0.1"

      }

backend/routes/adminRoutes.js

-Original file line number
+Diff line change
@@ -0,0 +1,137 @@
+    import express from "express";
+    import User from "../model/user-model";
+    import { authenticateUser, authorizeUser } from "../middleware/Middleware";
+    import dotenv from "dotenv";
+    dotenv.config();
+    const SECRET = process.env.SECRET || "toast is the best secret";
+    const adminRouter = express.Router();
+    adminRouter.use(authenticateUser, authorizeUser(["admin"]));
+    // get all users in the database
+    adminRouter.get("/users", async (req, res) => {
+      try {
+        const users = await User.find();
+        res.json(users);
+      } catch (error) {
+        res.status(500).json({
+          message: "An error occurred while fetching users",
+          error: error.message,
+        });
+      }
+    });
+    // route for getting content behind authorization find me at /admin
+    adminRouter.get("/", (req, res) => {
+      // This code will only run if the user is an admin
+      res.render("admin");
+    });
+    //admin add user - find me at /admin/users
+    adminRouter.post("/users", async (req, res) => {
+      try {
+        const { name, email, role, password } = req.body;
+        if (!name || !email || !role || !password) {
+          return res.status(400).json({ error: "All fields are required" });
+        }
+        const existingUser = await User.findOne({ email });
+        if (existingUser) {
+          return res
+            .status(400)
+            .send({ message: "User with this email already exists" });
+        }
+        const newUser = new User({
+          name,
+          email,
+          role,
+          password,
+        });
+        const savedUser = await newUser.save();
+        res.json(savedUser);
+      } catch (error) {
+        res.status(500).json({
+          error: "An error occurred while adding the user"
+        });
+      }
+    });
+    //admin update user -  find me at /admin/users/:id
+    adminRouter.put("/users/:id", async (req, res) => {
+      try {
+        const { id } = req.params;
+        const { name, email, role, password } = req.body;
+        if (!(name || email || role || password)) {
+          return res.status(400).json({
+            error: "At least one field is required to update user data",
+          });
+        }
+        const user = await User.findById(id);
+        if (!user) {
+          return res.status(404).json({ error: "User not found" });
+        }
+        if (name) user.name = name;
+        if (email) user.email = email;
+        if (role) user.role = role;
+        if (password) user.password = password;
+        const updatedUser = await user.save();
+        res.json(updatedUser);
+      } catch (error) {
+        console.error(error);
+        res.status(500).json({
+          error: "An error occurred while updating the user",
+          error: error.message,
+        });
+      }
+    });
+    //endpoint for only updating the user role - find me at admin/users/:id
+    adminRouter.patch("/users/:id", async (req, res) => {
+      try {
+        const { id } = req.params;
+        const { role } = req.body;
+        const updatedUser = await User.findByIdAndUpdate(
+          id,
+          { role },
+          { new: true }
+        );
+        if (updatedUser) {
+          res.json({
+            message: "User role updated",
+            success: true,
+            response: updatedUser,
+          });
+        } else {
+          res.status(404).json({ message: "User not found", error: error.message });
+        }
+      } catch (error) {
+        res.status(500).json({
+          message: "An error occurred while updating the user",
+          error: error.message,
+        });
+      }
+    });
+    //delete user - find me at /admin/users/:id
+    adminRouter.delete("/users/:id", async (req, res) => {
+      try {
+        const { id } = req.params;
+        const deletedUser = await User.findByIdAndDelete(id);
+        if (deletedUser) {
+          res.json({ message: "user deleted", deletedUser });
+        } else {
+          res.status(404).json({ message: "User not found", error: error.message });
+        }
+      } catch (error) {
+        res.status(500).json({
+          message: "An error occurred while deleting the user",
+          error: error.message,
+        });
+      }
+    });
+    export default adminRouter;

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Project Auth - Aunt Authy, strict but fair #345

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Project Auth - Aunt Authy, strict but fair #345

Are you sure you want to change the base?

Uh oh!

Project Auth - Aunt Authy, strict but fair #345

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!