From f74f7b1f1aa8788130c2b73cfdc718b7a5fbe907 Mon Sep 17 00:00:00 2001
From: Max Leiter
Date: Fri, 6 May 2022 21:40:30 -0700
Subject: [PATCH] code review: don't create auth token if using header auth

---
 server/src/lib/middleware/is-signed-in.ts | 96 +++++++++++------------
 server/src/lib/middleware/secret-key.ts | 2 +-
 server/src/routes/auth.ts | 4 -
 3 files changed, 45 insertions(+), 57 deletions(-)

diff --git a/server/src/lib/middleware/is-signed-in.ts b/server/src/lib/middleware/is-signed-in.ts
index 48e2082d..0d408de4 100644
--- a/server/src/lib/middleware/is-signed-in.ts
+++ b/server/src/lib/middleware/is-signed-in.ts
@@ -12,7 +12,7 @@ export interface UserJwtRequest extends Request {
 user?: User
 }
 
-export default async function authenticateToken(
+export default async function isSignedIn(
 req: UserJwtRequest,
 res: Response,
 next: NextFunction
@@ -35,59 +35,51 @@ export default async function authenticateToken(
 await user.save()
 }
 
- if (!token) {
- const token = jwt.sign({ id: user.id }, config.jwt_secret, {
- expiresIn: "2d"
- })
- const authToken = new AuthToken({
- userId: user.id,
- token: token
- })
- await authToken.save()
+ req.user = user
+ next()
+ } else {
+ if (token == null) return res.sendStatus(401)
+
+ const authToken = await AuthToken.findOne({ where: { token: token } })
+ if (authToken == null) {
+ return res.sendStatus(401)
 }
- }
-
- if (token == null) return res.sendStatus(401)
-
- const authToken = await AuthToken.findOne({ where: { token: token } })
- if (authToken == null) {
- return res.sendStatus(401)
- }
-
- if (authToken.deletedAt) {
- return res.sendStatus(401).json({
- message: "Token is no longer valid"
- })
- }
-
- jwt.verify(token, config.jwt_secret, async (err: any, user: any) => {
- if (err) {
- if (config.header_auth) {
- // if the token has expired or is invalid, we need to delete it and generate a new one
- authToken.destroy()
- const token = jwt.sign({ id: user.id }, config.jwt_secret, {
- expiresIn: "2d"
- })
- const newToken = new AuthToken({
- userId: user.id,
- token: token
- })
- await newToken.save()
- } else {
+
+ if (authToken.deletedAt) {
+ return res.sendStatus(401).json({
+ message: "Token is no longer valid"
+ })
+ }
+
+ jwt.verify(token, config.jwt_secret, async (err: any, user: any) => {
+ if (err) {
+ if (config.header_auth) {
+ // if the token has expired or is invalid, we need to delete it and generate a new one
+ authToken.destroy()
+ const token = jwt.sign({ id: user.id }, config.jwt_secret, {
+ expiresIn: "2d"
+ })
+ const newToken = new AuthToken({
+ userId: user.id,
+ token: token
+ })
+ await newToken.save()
+ } else {
+ return res.sendStatus(403)
+ }
+ }
+
+ const userObj = await UserModel.findByPk(user.id, {
+ attributes: {
+ exclude: ["password"]
+ }
+ })
+ if (!userObj) {
 return res.sendStatus(403)
 }
- }
-
- const userObj = await
UserModel.findByPk(user.id, {
- attributes: {
- exclude: ["password"]
- }
+ req.user = user
+
+ next()
 })
- if (!userObj) {
- return res.sendStatus(403)
- }
- req.user = user
-
- next()
- })
+ }
 }
diff --git a/server/src/lib/middleware/secret-key.ts b/server/src/lib/middleware/secret-key.ts
index f29b039c..f36dd7a9 100644
--- a/server/src/lib/middleware/secret-key.ts
+++ b/server/src/lib/middleware/secret-key.ts
@@ -1,7 +1,7 @@
 import config from "@lib/config"
 import { NextFunction, Request, Response } from "express"
 
-export default function authenticateToken(
+export default function secretKey(
 req: Request,
 res: Response,
 next: NextFunction
diff --git a/server/src/routes/auth.ts b/server/src/routes/auth.ts
index 15bd01ec..95ef5b2f 100644
--- a/server/src/routes/auth.ts
+++ b/server/src/routes/auth.ts
@@ -95,10 +95,6 @@ auth.post(
 }
 }),
 async (req, res) => {
- if (config.header_auth) {
-
- }
-
 const error = "User does not exist or password is incorrect"
 const errorToThrow = new Error(error)
 try {
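Review bot: The `jwt.verify` callback in the new `else` branch never returns on a verification error: when `err` is set the decoded payload `user` is `undefined`, so the `config.header_auth` re-issue code throws on `user.id` inside an async callback (unhandled rejection, no response ever sent), and if it did not throw the request would still fall through to `req.user = user` and `next()` with a token that failed verification. That re-issue block also never delivers the minted token to the client (it is saved but not sent), and since this branch appears to be the non-header-auth path (the outer condition is above the hunk, so this is inferred) it looks dead; rejecting on any `err` matches the commit's stated intent. Two smaller points in the same lines: `res.sendStatus(401).json({...})` ends the response in `sendStatus` and then tries to write again (use `res.status(401).json(...)`), and `req.user = user` attaches the raw JWT claims instead of the `userObj` that was loaded with `password` excluded (assuming a `UserModel` instance satisfies `User`). The enclosing function starts outside the hunk.

```typescript
    if (authToken.deletedAt) {
      // status(), not sendStatus(): sendStatus already ends the response
      return res.status(401).json({
        message: "Token is no longer valid"
      })
    }

    jwt.verify(token, config.jwt_secret, async (err: any, payload: any) => {
      // Expired or tampered tokens are rejected outright; on error `payload`
      // is undefined, so nothing below may dereference it.
      if (err || !payload || !payload.id) {
        return res.sendStatus(403)
      }

      // … unchanged: UserModel.findByPk(payload.id, …) lookup with password excluded …
      if (!userObj) {
        return res.sendStatus(403)
      }
      // Attach the DB record (password excluded), not the raw JWT claims.
      req.user = userObj

      next()
    })
```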