From 636ee927864abc8e6754e97889f2bc4a126da83b Mon Sep 17 00:00:00 2001 From: Paolo Arena Date: Sat, 9 Feb 2019 18:03:14 +0100 Subject: [PATCH] - Manage multiple login, in different browsers... Multi Token... --- server/middleware/authenticate.js | 19 +++++++++++++------ server/models/user.js | 22 ++++++++++++++-------- server/router/index_router.js | 2 +- server/router/todos_router.js | 12 ++++++++---- server/router/users_router.js | 10 ++++++---- server/server.js | 1 - server/tests/server.test.js | 9 +++++---- server/tools/server_constants.js | 3 +++ 8 files changed, 50 insertions(+), 28 deletions(-) diff --git a/server/middleware/authenticate.js b/server/middleware/authenticate.js index 93fd966..0e1d979 100644 --- a/server/middleware/authenticate.js +++ b/server/middleware/authenticate.js @@ -1,3 +1,5 @@ +const server_constants = require('../tools/server_constants'); + var {User} = require('../models/user'); const tools = require('../tools/general'); @@ -5,20 +7,25 @@ const tools = require('../tools/general'); var authenticate = (req, res, next) => { var token = req.header('x-auth'); - tools.mylogshow("TOKEN = " + token); + const useragent = req.get('User-Agent'); - User.findByToken(token).then((user) => { + tools.mylog("TOKEN = ", token); + tools.mylog("USER-AGENT = ", useragent); + + User.findByToken(token, 'auth ' + useragent).then((user) => { if (!user) { - return Promise.reject(); + tools.mylogshow("TOKEN NOT FOUND! Maybe Connected to other Page"); + return Promise.reject(server_constants.RIS_CODE_HTTP_INVALID_TOKEN); + // res.status().send(); } - tools.mylogshow('userid', user._id) + tools.mylog('userid', user._id); req.user = user; req.token = token; next(); }).catch((e) => { - tools.mylogshow("ERR = " + e); - res.status(401).send(); + tools.mylogshow("ERR =", e); + res.status(server_constants.RIS_CODE_HTTP_INVALID_TOKEN).send(); }); }; diff --git a/server/models/user.js b/server/models/user.js index 4f6c15a..a74e8ef 100644 --- a/server/models/user.js 
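Review bot: The bearer token is still written to the log on the new `tools.mylog("TOKEN = ", token)` line (with the User-Agent next to it), so whoever can read wherever `tools.mylog` writes — presumably a debug logger, but that is not visible here — can replay the session; log only presence, e.g. `tools.mylog("TOKEN present = ", token !== undefined);`. `return Promise.reject(server_constants.RIS_CODE_HTTP_INVALID_TOKEN)` rejects with a bare number that the `catch` never reads; `return Promise.reject(new Error('invalid token'));` keeps a stack trace, and the dead `// res.status().send();` comment under it should go. Answering a missing or unverifiable credential with 403 also departs from the usual 401-for-unauthenticated / 403-for-forbidden split, so if 403 is deliberate the constant `RIS_CODE_HTTP_INVALID_TOKEN` deserves a one-line comment saying so; the same status is pinned by the test in server.test.js.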
+++ b/server/models/user.js @@ -4,6 +4,8 @@ const validator = require('validator'); const jwt = require('jsonwebtoken'); const _ = require('lodash'); +const tools = require('../tools/general'); + mongoose.Promise = global.Promise; mongoose.level = "F"; @@ -80,19 +82,23 @@ UserSchema.methods.toJSON = function () { return _.pick(userObject, ['_id', 'email', 'verified_email', 'username', 'userId']); }; -UserSchema.methods.generateAuthToken = function () { +UserSchema.methods.generateAuthToken = function (req) { // console.log("GENERA TOKEN : "); var user = this; - var access = 'auth'; + + const useragent = req.get('User-Agent'); + tools.mylog("GENERATE USER-AGENT = ", useragent); + + var access = 'auth ' + useragent; var token = jwt.sign({ _id: user._id.toHexString(), access }, process.env.SIGNCODE).toString(); - // CANCELLA I PRECEDENTI ! - user.tokens = []; + // CANCELLA IL PRECEDENTE ! + user.tokens = user.tokens.filter(function(tok) { return tok.access !== access; }); user.tokens.push({ access, token }); return user.save() .then(() => { - //console.log("TOKEN USCITA : " + token) + console.log("TOKEN CREATO IN LOGIN : " + token) return token; }) .catch(err => { @@ -100,20 +106,20 @@ UserSchema.methods.generateAuthToken = function () { }); }; -UserSchema.statics.findByToken = function (token) { +UserSchema.statics.findByToken = function (token, typeaccess) { var User = this; var decoded; try { decoded = jwt.verify(token, process.env.SIGNCODE); } catch (e) { - return Promise.reject(); + return Promise.resolve(null); } return User.findOne({ '_id': decoded._id, 'tokens.token': token, - 'tokens.access': 'auth' + 'tokens.access': typeaccess }); }; diff --git a/server/router/index_router.js b/server/router/index_router.js index 2b288b3..7e703d9 100644 --- a/server/router/index_router.js +++ b/server/router/index_router.js 
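Review bot: `console.log("TOKEN CREATO IN LOGIN : " + token)` uncomments a line that prints the freshly issued auth token to stdout on every login, so the credential lands in process logs; keep the message without the secret, e.g. `console.log("TOKEN CREATO IN LOGIN per", user._id);`. The `access` key is built from the client-supplied User-Agent, so `user.tokens.filter(...)` only evicts the entry with the identical header value: every distinct User-Agent string adds another live token to the user document, nothing in the hunk bounds the array or expires old entries, and a client that sends no User-Agent gets the key `'auth undefined'` shared by every other such client. Consider capping `user.tokens` to a fixed number of most recent entries and/or passing `expiresIn` to `jwt.sign` so stale tokens stop validating; a short comment on the `access` line stating that the User-Agent is only a session-separation key, not a security boundary, would also help the next reader.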
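Review bot: The `findOne` filter matches `'tokens.token'` and `'tokens.access'` independently, so a document qualifies when one array element holds the token and a different element holds `typeaccess`; now that several tokens per user are stored, a token issued under one User-Agent is accepted when presented with any other User-Agent the user has a token for, which defeats the binding this commit introduces. Match both fields on the same element: `tokens: { $elemMatch: { token: token, access: typeaccess } }` in place of the two separate keys. The `'auth ' + useragent` format is assembled separately in authenticate.js and in `generateAuthToken`; a single static on the model that derives it from `req` would keep the two from drifting, and the new `typeaccess` parameter wants a one-line comment stating that format.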
@@ -87,7 +87,7 @@ router.post(process.env.LINK_UPDATE_PASSWORD, (req, res) => { user.password = password; // Crea token - user.generateAuthToken().then(token => { + user.generateAuthToken(req).then(token => { user.tokenforgot = ''; // Svuota il tokenforgot perché non ti servirà più... // Salva lo User diff --git a/server/router/todos_router.js b/server/router/todos_router.js index 78aafc6..33cecbe 100644 --- a/server/router/todos_router.js +++ b/server/router/todos_router.js @@ -38,7 +38,7 @@ router.post('/', authenticate, (req, res) => { return res.status(404).send({ code: server_constants.RIS_CODE_TODO_CREATING_NOTMYUSER }); } - tools.mylog('POST ', todo.descr); + tools.mylog('POST :', todo.descr, todo._id); todo.modified = false; if (!todo.descr) { @@ -51,7 +51,7 @@ router.post('/', authenticate, (req, res) => { let idobj = writeresult._id; Todo.findById(idobj) .then(record => { - tools.mylog('REC SAVED :', record); + tools.mylog('REC SAVED :', record.descr); res.send({record}); }) }).catch((e) => { @@ -154,6 +154,8 @@ router.patch('/:id', authenticate, (req, res) => { todo.modified = false; + tools.mylog('PATCH ', todo.descr, todo._id); + res.send({todo}); }).catch((e) => { res.status(400).send(); @@ -178,7 +180,7 @@ router.get('/:userId', authenticate, (req, res) => { // Extract all the todos of the userId only Todo.findAllByUserId(userId).then((todos) => { - tools.mylog('todos', todos) + // tools.mylog('todos', todos) res.send({ todos }); }).catch((e) => { console.log(e); @@ -187,7 +189,7 @@ router.get('/:userId', authenticate, (req, res) => { }); -router.delete('/:id', (req, res) => { +router.delete('/:id', authenticate, (req, res) => { var id = req.params.id; if (!ObjectID.isValid(id)) { @@ -199,6 +201,8 @@ router.delete('/:id', (req, res) => { return res.status(404).send(); } + tools.mylog('DELETED ', todo.descr, todo._id); + res.send({todo}); }).catch((e) => { res.status(400).send(); 
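Review bot: `router.delete('/:id', authenticate, ...)` now requires a valid token, but nothing in the hunk compares the todo's owner with `req.user`, so unless the lookup/removal that follows (the handler continues outside the hunk) filters on the caller's id, any authenticated user can delete any todo whose id they know. The POST handler above rejects with `RIS_CODE_TODO_CREATING_NOTMYUSER` when the user does not match; the delete path wants the equivalent check — compare the todo's owner field with `req.user._id` and return 404 on mismatch — placed before the remove call rather than after the added `tools.mylog('DELETED ', todo.descr, todo._id)`. A comment on the route line stating that `authenticate` only proves identity and ownership is enforced below would make the intent explicit.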
diff --git a/server/router/users_router.js b/server/router/users_router.js index f9ce974..fc2822d 100644 --- a/server/router/users_router.js +++ b/server/router/users_router.js @@ -36,7 +36,7 @@ router.post('/', (req, res) => { tools.mylog("TROVATO USERNAME ? ", user.username, usertrovato); if (usertrovato !== null) { - return user.generateAuthToken(); + return user.generateAuthToken(req); } else { res.status(11100).send(); return 0; @@ -76,7 +76,7 @@ router.post('/login', (req, res) => { var body = _.pick(req.body, ['username', 'password', 'idapp', 'keyappid', 'lang']); var user = new User(body); - tools.mylog("username: " + user.username + " pwd = " + user.password); + tools.mylog("LOGIN: username: " + user.username + " pwd = " + user.password); tools.mylog("user REC:", user); @@ -91,7 +91,7 @@ router.post('/login', (req, res) => { tools.mylogshow("NOT FOUND !"); res.status(404).send({ code: server_constants.RIS_CODE_LOGIN_ERR }); } else { - return user.generateAuthToken().then((token) => { + return user.generateAuthToken(req).then((token) => { var usertosend = User(); usertosend.username = user.username; usertosend.email = user.email; @@ -105,10 +105,12 @@ router.post('/login', (req, res) => { // tools.mylog(usertosend); res.header('x-auth', token).send({usertosend, code: server_constants.RIS_CODE_OK}); // tools.mylog("TROVATOOO!"); + + tools.mylog('FINE LOGIN') }); } }).catch((e) => { - tools.mylog("ERR: " + e); + tools.mylog("ERRORE IN LOGIN: " + e); res.status(400).send({ code: server_constants.RIS_CODE_LOGIN_ERR_GENERIC }); }); }); diff --git a/server/server.js b/server/server.js index 7ea8da4..56556b2 100644 --- a/server/server.js +++ b/server/server.js @@ -120,4 +120,3 @@ if (process.env.NODE_ENV === 'production') { //}); module.exports = { app }; - diff --git a/server/tests/server.test.js b/server/tests/server.test.js index 9be79fd..4c72d3c 100644 --- a/server/tests/server.test.js +++ b/server/tests/server.test.js 
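Review bot: `tools.mylog("LOGIN: username: " + user.username + " pwd = " + user.password)` writes the plaintext password submitted at login to the log, and the following `tools.mylog("user REC:", user)` logs the whole record again; only the label changed in this commit, but the line is on the new side and should not survive review. Log the username alone, `tools.mylog("LOGIN: username: " + user.username);`, and drop the `user REC` line. In the registration hunk above, the context line `res.status(11100).send()` sets a status outside the HTTP range, which Node's http module rejects as an invalid status code when the response is written; presumably a project result code was meant there, worth correcting while the handler is being touched.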
@@ -170,12 +170,12 @@ describe('DELETE /users/me/token', () => { }); }); - it('should return 401 deleting an invalid token', (done) => { + it('should return 403 deleting with an invalid token', (done) => { request(app) .delete('/users/me/token') .set('x-auth', users[0].tokens[0].token + '1') .send() - .expect(401) + .expect(403) .end((err, res) => { if (err) { return done(err); @@ -276,14 +276,15 @@ describe('GET /todos/:id', () => { .end(done); }); - it('should return [] if user not found', (done) => { + it('FORBIDDEN ! should return [] if user not found', (done) => { var hexId = new ObjectID().toHexString(); request(app) - .get(`/todos/${users[0]._id + '111'}`) + .get(`/todos/${hexId}`) .set('x-auth', users[0].tokens[0].token) .expect(404) .expect((res) => { + console.log('res', res.status) expect(res.body.todos).toBe(undefined); }) .end(done); diff --git a/server/tools/server_constants.js b/server/tools/server_constants.js index cbac4f8..636e38b 100644 --- a/server/tools/server_constants.js +++ b/server/tools/server_constants.js @@ -10,4 +10,7 @@ module.exports = Object.freeze({ RIS_CODE_OK: 1, RIS_CODE_LOGIN_OK: 1, + + RIS_CODE_HTTP_INVALID_TOKEN: 403, + });
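Review bot: The renamed test `'FORBIDDEN ! should return [] if user not found'` still expects 404 and asserts `res.body.todos` is undefined, so the name no longer describes what is checked; something like `'should return 404 when requesting another user id'` matches the assertion. The `console.log('res', res.status)` inside the `.expect` callback is leftover debugging output and should be removed. The first hunk pins 403 for an invalid token; if the switch from 401 is intentional, a one-line comment on the test stating why would stop the next reader from changing it back.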