Angular Security course

Author: jhades

server/create-user.route.ts

@@ -4,11 +4,8 @@ import {USERS} from "./database-data";
 import * as argon2 from 'argon2';
 import {validatePassword} from "./password-validation";
 import {sessionStore} from "./session-storage";
+import {initializeUserSession, randomBytes} from "./security.utils";
 
-const util = require('util');
-const crypto = require('crypto');
-
-const randomBytes = util.promisify(crypto.randomBytes);
 
 
 export function createUser(req: Request, res: Response) {
@@ -31,23 +28,13 @@ export function createUser(req: Request, res: Response) {
 
 async function createUserAndSession(res: Response, credentials) {
 
-    const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
-
-    console.log("sessionId", sessionId);
-
     const passwordDigest = await argon2.hash(credentials.password);
 
     console.log("passwordDigest", passwordDigest);
 
     const user = db.createUser(credentials.email, passwordDigest);
 
-    sessionStore.createSession(sessionId, user);
-
-    console.log(USERS);
-
-    res.cookie("SESSIONID", sessionId, {httpOnly: true, secure: true});
-
-    res.status(200).json({id: user.id, email: user.email});
+    return initializeUserSession(user, res);
 
 }
 

server/database.ts

@@ -2,7 +2,6 @@
 import * as _ from 'lodash';
 import {LESSONS, USERS} from "./database-data";
 import {DbUser} from "./db-user";
-import {User} from "../src/app/model/user";
 
 
 class InMemoryDatabase {
@@ -13,7 +12,6 @@ class InMemoryDatabase {
         return _.values(LESSONS);
     }
 
-
     createUser(email:string,passwordDigest:string) {
 
         const usersPerEmail = _.keyBy( _.values(USERS), "email" );
@@ -36,11 +34,24 @@ class InMemoryDatabase {
 
         USERS[id] = user;
 
+        console.log(USERS);
+
         return user;
     }
 
 
+    findUserByEmail(email:string) :DbUser {
+
+        const users = _.values(USERS);
+
+        return _.find(users, user => user.email === email);
+    }
 
 }
 
-export const db = new InMemoryDatabase();
+
+
+
+export const db = new InMemoryDatabase();
+
+

server/get-user.route.ts

@@ -17,8 +17,4 @@ export function getUser(req:Request, res:Response) {
         res.sendStatus(204);
     }
 
-
-
-
-
 }

server/login.route.ts

@@ -0,0 +1,43 @@
+
+import {Request, Response} from "express";
+import {db} from "./database";
+import * as argon2 from 'argon2';
+import {DbUser} from "./db-user";
+import {initializeUserSession, randomBytes} from "./security.utils";
+import {sessionStore} from "./session-storage";
+import {User} from "../src/app/model/user";
+
+
+export function login(req: Request, res: Response) {
+
+    const credentials = req.body;
+
+    const user = db.findUserByEmail(credentials.email);
+
+    if (!user) {
+        res.sendStatus(403);
+    }
+    else {
+
+        validatePassword(user, credentials.password)
+            .then(isPasswordValid => {
+
+                if (isPasswordValid) {
+                    initializeUserSession(user, res);
+                }
+                else {
+                    res.sendStatus(403);
+                }
+            });
+
+    }
+
+}
+
+
+async function validatePassword(user: DbUser, password:string) {
+    return argon2.verify(user.passwordDigest, password);
+}
+
+
+

server/security.utils.ts

@@ -0,0 +1,27 @@
+
+
+import {User} from "../src/app/model/user";
+import {sessionStore} from "./session-storage";
+const util = require('util');
+const crypto = require('crypto');
+import {Response} from "express";
+
+
+
+export const randomBytes = util.promisify(crypto.randomBytes);
+
+
+
+
+export async function initializeUserSession(user:User, res:Response) {
+
+    const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
+    console.log("sessionId", sessionId);
+
+    sessionStore.createSession(sessionId, user);
+
+    res.cookie("SESSIONID", sessionId, {httpOnly: true, secure: true});
+
+    res.status(200).json({id: user.id, email: user.email});
+}
+

server/server.ts

@@ -8,6 +8,7 @@ import {readAllLessons} from "./read-all-lessons.route";
 import {createUser} from "./create-user.route";
 import {getUser} from "./get-user.route";
 import {logout} from "./logout.route";
+import {login} from "./login.route";
 const bodyParser = require('body-parser');
 const cookieParser = require('cookie-parser');
 
@@ -39,7 +40,8 @@ app.route('/api/user')
 app.route('/api/logout')
     .post(logout);
 
-
+app.route('/api/login')
+    .post(login);
 
 if (options.secure) {
 

server/session-storage.ts

@@ -61,9 +61,6 @@ class SessionStore {
 
 }
 
-
-
-
 export const sessionStore = new SessionStore();
 
 

src/app/lessons/lessons.component.html

@@ -1,7 +1,7 @@
 
-<h2>All Lessons</h2>
+<div class="lessons-list-container v-h-center-block-parent" *ngIf="isLoggedIn$ | async">
 
-<div class="lessons-list-container v-h-center-block-parent">
+    <h2>All Lessons</h2>
 
     <table class="table lessons-list card card-strong">
         <tbody>

src/app/lessons/lessons.component.ts

@@ -1,23 +1,26 @@
-import { Component, OnInit } from '@angular/core';
+import {Component, OnInit} from '@angular/core';
 import {LessonsService} from "../services/lessons.service";
 import {Observable} from "rxjs/Observable";
 import {Lesson} from "../model/lesson";
+import {AuthService} from "../services/auth.service";
 
 @Component({
-  selector: 'lessons',
-  templateUrl: './lessons.component.html',
-  styleUrls: ['./lessons.component.css']
+    selector: 'lessons',
+    templateUrl: './lessons.component.html',
+    styleUrls: ['./lessons.component.css']
 })
 export class LessonsComponent implements OnInit {
 
-  lessons$: Observable<Lesson[]>;
+    lessons$: Observable<Lesson[]>;
+    isLoggedIn$: Observable<boolean>;
 
-  constructor(private lessonsService:LessonsService) {
+    constructor(private lessonsService: LessonsService, private authService: AuthService) {
 
-  }
+    }
 
-  ngOnInit() {
-      this.lessons$ = this.lessonsService.loadAllLessons().catch(err => Observable.of([]));
-  }
+    ngOnInit() {
+        this.lessons$ = this.lessonsService.loadAllLessons().catch(err => Observable.of([]));
+        this.isLoggedIn$ = this.authService.isLoggedIn$;
+    }
 
 }

src/app/login/login.component.html

@@ -1,3 +1,10 @@
+
+<div class="messages messages-error" *ngIf="errors?.length">
+    <div class="messages-container">
+        <div *ngFor="let error of errors">{{messagePerErrorCode[error]}}</div>
+    </div>
+</div>
+
 <form autocomplete="off" novalidate [formGroup]="form">
 
     <fieldset>

src/app/login/login.component.ts

@@ -1,6 +1,7 @@
 import { Component, OnInit } from '@angular/core';
 import {FormBuilder, FormGroup, Validators} from "@angular/forms";
 import {AuthService} from "../services/auth.service";
+import {Router} from "@angular/router";
 
 @Component({
   selector: 'login',
@@ -11,7 +12,13 @@ export class LoginComponent implements OnInit {
 
     form:FormGroup;
 
-    constructor(private fb:FormBuilder, private authService: AuthService) {
+    messagePerErrorCode = {
+        loginfailed: "Invalid credentials"
+    };
+
+    errors = [];
+
+    constructor(private fb:FormBuilder, private authService: AuthService, private router: Router) {
 
         this.form = this.fb.group({
             email: ['',Validators.required],
@@ -22,17 +29,24 @@ export class LoginComponent implements OnInit {
 
     ngOnInit() {
 
-
-
     }
 
-
     login() {
 
-        const formValue = this.form.value;
+        const val = this.form.value;
 
+        if (val.email && val.password) {
 
+            this.authService.login(val.email, val.password)
+                .subscribe(
+                    () => {
+                        console.log("User logged in successfully");
+                        this.router.navigateByUrl('/');
+                    },
+                    response => this.errors = response.error.errors
+                );
 
+        }
 
 
     }

src/app/services/auth.service.ts

@@ -32,6 +32,12 @@ export class AuthService {
             .do(user => this.subject.next(user));
     }
 
+    login(email: string, password: string) {
+        return this.http.post<User>('/api/login', {email, password})
+            .shareReplay()
+            .do(user => this.subject.next(user));
+    }
+
     logout(): Observable<any> {
         return this.http.post('/api/logout', null)
             .shareReplay()

src/app/signup/signup.component.ts

@@ -23,13 +23,11 @@ export class SignupComponent implements OnInit {
 
 
     constructor(private fb: FormBuilder, private authService: AuthService, private router:Router) {
-
         this.form = this.fb.group({
             email: ['',Validators.required],
             password: ['',Validators.required],
             confirm: ['',Validators.required]
         });
-
     }