neonexus
diff --git a/‎api/controllers/admin/create-api-token.js
Lines changed: 10 additions & 3 deletions b/‎api/controllers/admin/create-api-token.js
Lines changed: 10 additions & 3 deletions
diff --git a/‎api/controllers/admin/login.js
Lines changed: 1 addition & 1 deletion b/‎api/controllers/admin/login.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/helpers/generate-uuid.js
Lines changed: 1 addition & 1 deletion b/‎api/helpers/generate-uuid.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/helpers/is-email.js
Lines changed: 1 addition & 1 deletion b/‎api/helpers/is-email.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/helpers/is-password-valid.js
Lines changed: 2 additions & 6 deletions b/‎api/helpers/is-password-valid.js
Lines changed: 2 additions & 6 deletions
diff --git a/‎api/helpers/set-or-remove-cookies.js
Lines changed: 2 additions & 2 deletions b/‎api/helpers/set-or-remove-cookies.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/helpers/update-csrf.js
Lines changed: 2 additions & 2 deletions b/‎api/helpers/update-csrf.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/hooks/request-logger.js
Lines changed: 2 additions & 2 deletions b/‎api/hooks/request-logger.js
Lines changed: 2 additions & 2 deletions
diff --git a/‎api/models/ApiToken.js
Lines changed: 40 additions & 0 deletions b/‎api/models/ApiToken.js
Lines changed: 40 additions & 0 deletions
diff --git a/‎api/policies/isLoggedIn.js
Lines changed: 20 additions & 0 deletions b/‎api/policies/isLoggedIn.js
Lines changed: 20 additions & 0 deletions
@@ -1,7 +1,7 @@
 module.exports = {
     friendlyName: 'Create API Token',
 
-    description: 'Get an API token, which replaces CSRF token usage.',
+    description: 'Get an API token, which replaces CSRF token / session cookie usage.',
 
     inputs: {},
 
@@ -17,8 +17,15 @@ module.exports = {
         }
     },
 
-    fn: (inputs, exits) => {
+    fn: async (inputs, exits, env) => {
+        const newToken = await ApiToken.create({
+            id: 'c', // required, auto-generated
+            user: env.req.session.user.id
+        }).fetch();
 
-        return exits.ok();
+        return exits.ok({
+            token: newToken.token,
+            __skipCSRF: true
+        });
     }
 };
@@ -46,7 +46,7 @@ module.exports = {
             return exits.badRequest(badEmailPass);
         }
 
-        const csrf = sails.helpers.generateCsrfToken();
+        const csrf = sails.helpers.generateCsrfTokenAndSecret();
         const newSession = await Session.create({
             id: 'c', // required, auto-generated
             user: foundUser.id,
 
@@ -1,4 +1,4 @@
-const { v4: uuidv4 } = require('uuid');
+const {v4: uuidv4} = require('uuid');
 
 module.exports = {
     friendlyName: 'Generate UUID',
 
@@ -16,7 +16,7 @@ module.exports = {
         success: {}
     },
 
-    fn: function(inputs, exits){
+    fn: function(inputs, exits) {
         // eslint-disable-next-line no-useless-escape
         const emailRegex = /^(([^<>()\[\]\\.,;:\s@"]+(\.[^<>()\[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
 
 
@@ -16,16 +16,12 @@ module.exports = {
 
     sync: true,
 
-    fn: function(inputs, exits){
+    fn: function(inputs, exits) {
         let errors = [],
             isPassPhrase = false;
 
-        if (!inputs.password) {
-            return ['Password can not be empty'];
-        }
-
         if (inputs.password.length < 7) {
-            errors.push('Password must be at least 8 characters');
+            errors.push('Password must be at least 7 characters');
         }
 
         if (inputs.password.length > 70) {
 
@@ -41,11 +41,11 @@ module.exports = {
                         : [inputs.data.cookies];
 
         cookies.map((cookie) => {
-            if (!_.isDefined(cookie.name) || !_.isString(cookie.name) || _.isEmpty(cookie.name)) {
+            if (_.isUndefined(cookie.name) || !_.isString(cookie.name) || _.isEmpty(cookie.name)) {
                 throw 'missingName';
             }
 
-            if (!_.isDefined(cookie.value)) {
+            if (_.isUndefined(cookie.value)) {
                 throw 'missingValue';
             }
 
 
@@ -23,8 +23,8 @@ module.exports = {
 
     fn: async (inputs, exits) => {
         // Do nothing if we don't have a session, or this is a GET request.
-        if (inputs.req.method === 'GET' || !inputs.req.session || !inputs.req.session.user || !inputs.req.session.id) {
-            return exits.success(inputs.data);
+        if (inputs.req.method === 'GET' || !inputs.req.session || !inputs.req.session.user || !inputs.req.session.id || inputs.data.__skipCSRF) {
+            return exits.success(_.omit(inputs.data, ['__skipCSRF']));
         }
 
         const foundSession = await Session.findOne({id: inputs.req.session.id});
 
@@ -3,7 +3,7 @@ const stringify = require('json-stringify-safe');
 module.exports = (sails) => {
     return {
 
-        initialize: function (cb) {
+        initialize: function(cb) {
             // Assign this hook object to the `hook` var.
             // This allows us to add/modify values that users of the hook can retrieve.
             //hook = this;
@@ -17,7 +17,7 @@ module.exports = (sails) => {
 
         routes: {
             before: {
-                '*': function (req, res, next) {
+                '*': function(req, res, next) {
                     if (req.method !== 'HEAD' && req.path !== '/__getcookie' && req.path !== '/') {
                         const bleep = '*******';
 
 
@@ -0,0 +1,40 @@
+module.exports = {
+    primaryKey: 'id',
+
+    attributes: {
+        id: {
+            type: 'string',
+            columnType: 'varchar(36)',
+            required: true
+        },
+
+        token: {
+            type: 'string',
+            unique: true
+        },
+
+        user: {
+            model: 'user',
+            required: true
+        },
+
+        createdAt: {
+            type: 'ref',
+            columnType: 'datetime',
+            autoCreatedAt: true
+        },
+
+        updatedAt: {
+            type: 'ref',
+            columnType: 'datetime',
+            autoUpdatedAt: true
+        }
+    },
+
+    beforeCreate: (obj, next) => {
+        obj.id = sails.helpers.generateUuid();
+        obj.token = sails.helpers.generateToken();
+
+        return next();
+    }
+};
@@ -20,6 +20,26 @@ module.exports = async function(req, res, next) {
 
         // Doesn't look like this session is valid, remove the cookie.
         res.clearCookie(sails.config.session.name, {signed: true, httpOnly: true, secure: sails.config.session.cookie.secure});
+    } else {
+        let token = req.headers['authorization'];
+
+        if (token.includes('Bearer ')) {
+            token = token.substring(7);
+        }
+
+        const foundToken = await sails.models.apitoken.findOne({
+            token
+        }).populate('user');
+
+        if (foundToken) {
+            await sails.models.apitoken.updateOne({
+                token
+            }).set({updatedAt: new Date()});
+
+            req.session = {user: foundToken.user};
+
+            return next();
+        }
     }
 
     return res.forbidden('You are not logged in');
Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@ module.exports = {`
`46`	`46`	`return exits.badRequest(badEmailPass);`
`47`	`47`	`}`
`48`	`48`
`49`		`- const csrf = sails.helpers.generateCsrfToken();`
	`49`	`+ const csrf = sails.helpers.generateCsrfTokenAndSecret();`
`50`	`50`	`const newSession = await Session.create({`
`51`	`51`	`id: 'c', // required, auto-generated`
`52`	`52`	`user: foundUser.id,`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-const { v4: uuidv4 } = require('uuid');`
	`1`	`+const {v4: uuidv4} = require('uuid');`
`2`	`2`
`3`	`3`	`module.exports = {`
`4`	`4`	`friendlyName: 'Generate UUID',`
Original file line number	Diff line number	Diff line change
`@@ -41,11 +41,11 @@ module.exports = {`
`41`	`41`	`: [inputs.data.cookies];`
`42`	`42`
`43`	`43`	`cookies.map((cookie) => {`
`44`		`- if (!_.isDefined(cookie.name) \|\| !_.isString(cookie.name) \|\| _.isEmpty(cookie.name)) {`
	`44`	`+ if (_.isUndefined(cookie.name) \|\| !_.isString(cookie.name) \|\| _.isEmpty(cookie.name)) {`
`45`	`45`	`throw 'missingName';`
`46`	`46`	`}`
`47`	`47`
`48`		`- if (!_.isDefined(cookie.value)) {`
	`48`	`+ if (_.isUndefined(cookie.value)) {`
`49`	`49`	`throw 'missingValue';`
`50`	`50`	`}`
`51`	`51`
Original file line number	Diff line number	Diff line change
`@@ -23,8 +23,8 @@ module.exports = {`
`23`	`23`
`24`	`24`	`fn: async (inputs, exits) => {`
`25`	`25`	`// Do nothing if we don't have a session, or this is a GET request.`
`26`		`- if (inputs.req.method === 'GET' \|\| !inputs.req.session \|\| !inputs.req.session.user \|\| !inputs.req.session.id) {`
`27`		`- return exits.success(inputs.data);`
	`26`	`+ if (inputs.req.method === 'GET' \|\| !inputs.req.session \|\| !inputs.req.session.user \|\| !inputs.req.session.id \|\| inputs.data.__skipCSRF) {`
	`27`	`+ return exits.success(_.omit(inputs.data, ['__skipCSRF']));`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`const foundSession = await Session.findOne({id: inputs.req.session.id});`