Angular Security course

Author: jhades

demos/jwt-check-hs256.js

@@ -3,7 +3,7 @@ var jwt = require('jsonwebtoken');
 
 
 // verify an existing JWT
-var existingToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAbWFpbGluYXRvci5jb20iLCJpYXQiOjE1MDI4ODAzNTJ9.uXXUBgipNmjvb4UvEnQ0LOdO8aKxne9Wg01jcoj3YWE';
+var existingToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbGdvcml0aG0iOiJIUzI1NiIsImRhdGEiOnsidXNlcklkIjoxfSwiaWF0IjoxNTAyODgxOTIxfQ.6ayBjYiaTMJ8Z3tYx6VfueFLDN1U8SFl94B7U3ZWO6Q';
 
 
 var secretKey = 'secret-key';
@@ -18,10 +18,4 @@ console.log("Decoded JWT:", verify);
 
 
 
-//const wrong = jwt.verify(existingToken, 'wrong-secret');
-
-//console.log(":", wrong);
-
-
-
 

demos/jwt-hs256.js

@@ -6,12 +6,15 @@ var jwt = require('jsonwebtoken');
 var secretKey = 'secret-key';
 
 var payload = {
-  email: 'test@mailinator.com'
+  userId: 1
 };
 
 
 // create a JWT
-var newToken = jwt.sign(payload, secretKey, {algorithm: 'HS256' });
+var newToken = jwt.sign({
+    algorithm: 'HS256',
+    data: payload
+}, secretKey);
 
 console.log("JWT created:", newToken);
 

demos/jwt-rs256.js

@@ -6,11 +6,14 @@ var fs = require('fs');
 var privateKey = fs.readFileSync('./demos/private.key');
 
 var payload = {
-  email: 'test@mailinator.com'
+  userId: 1
 };
 
 
-var token = jwt.sign(payload, privateKey, {algorithm: 'RS256' });
+var token = jwt.sign({
+    algorithm: 'RS256',
+    data: payload
+}, privateKey);
 
 
 console.log('RSA 256 JWT', token);

server/create-user.route.ts

@@ -1,11 +1,11 @@
 
 import {Request, Response} from "express";
 import {db} from "./database";
-import {USERS} from "./database-data";
 import * as argon2 from 'argon2';
 import {validatePassword} from "./password-validation";
-import {randomBytes} from "./security.utils";
-import {sessionStore} from "./session-store";
+import moment = require("moment");
+import {createSessionToken} from "./security.utils";
+
 
 
 
@@ -32,13 +32,9 @@ async function createUserAndSession(res:Response, credentials) {
 
     const user = db.createUser(credentials.email, passwordDigest);
 
-    const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
-
-    console.log("sessionId",sessionId );
+    const sessionToken = await createSessionToken(user.id);
 
-    sessionStore.createSession(sessionId, user);
-
-    res.cookie("SESSIONID", sessionId, {httpOnly:true, secure:true});
+    res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
 
     res.status(200).json({id:user.id, email:user.email});
 }
@@ -47,6 +43,6 @@ async function createUserAndSession(res:Response, credentials) {
 
 
 
-
+// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbGdvcml0aG0iOiJSUzI1NiIsImV4cCI6MTUwMjg4NTI4My4wMzEsInN1YmplY3QiOjEsImlhdCI6MTUwMjg4NTE2M30.BfdcIp8RY97W0Fzznbx0efQdWT2_YropraA5ofKUXPQ
 
 

server/get-user.route.ts

@@ -1,15 +1,15 @@
 
 
 import {Request, Response} from "express";
-import {sessionStore} from "./session-store";
 
 
 
 export function getUser(req:Request, res:Response) {
 
     const sessionId = req.cookies['SESSIONID'];
 
-    const user = sessionStore.findUserBySessionId(sessionId);
+    //TODO
+    const user = {};
 
 
     if (user) {

server/login.route.ts

@@ -5,8 +5,7 @@ import {db} from "./database";
 import * as argon2 from 'argon2';
 import {User} from "../src/app/model/user";
 import {DbUser} from "./db-user";
-import {randomBytes} from "./security.utils";
-import {sessionStore} from "./session-store";
+import {createSessionToken, randomBytes} from "./security.utils";
 
 
 
@@ -29,11 +28,11 @@ async function loginAndBuildResponse(credentials:any, user:DbUser,  res: Respons
 
     try {
 
-        const sessionId = await attemptLogin(credentials, user);
+        const sessionToken = await attemptLogin(credentials, user);
 
         console.log("Login successful");
 
-        res.cookie("SESSIONID", sessionId, {httpOnly:true, secure:true});
+        res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
 
         res.status(200).json({id:user.id, email:user.email});
 
@@ -58,13 +57,7 @@ async function attemptLogin(credentials:any, user:DbUser) {
         throw new Error("Password Invalid");
     }
 
-    const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));
-
-    console.log("sessionId",sessionId );
-
-    sessionStore.createSession(sessionId, user);
-
-    return sessionId;
+    return createSessionToken(user.id);
 }
 
 

server/logout.route.ts

@@ -1,16 +1,13 @@
 
 
 import {Request, Response} from 'express';
-import {sessionStore} from "./session-store";
 
 
 
 export function logout(req: Request, res: Response) {
 
     const sessionId = req.cookies['SESSIONID'];
 
-    sessionStore.destroySession(sessionId);
-
     res.clearCookie("SESSIONID");
 
     res.sendStatus(200);

server/read-all-lessons.route.ts

@@ -1,13 +1,13 @@
 
 import {db} from "./database";
-import {sessionStore} from "./session-store";
 
 
 export function readAllLessons(req, res) {
 
     const sessionId = req.cookies["SESSIONID"];
 
-    const isSessionValid = sessionStore.isSessionValid(sessionId);
+    //TODO
+    const isSessionValid = true;
 
     if (!isSessionValid) {
         res.sendStatus(403);

server/security.utils.ts

@@ -1,10 +1,25 @@
 
 
 
+import moment = require("moment");
 const util = require('util');
 const crypto = require('crypto');
+import * as jwt from 'jsonwebtoken';
+import * as fs from "fs";
 
 
+
+const RSA_PRIVATE_KEY = fs.readFileSync('./demos/private.key');
+
 export const randomBytes = util.promisify(crypto.randomBytes);
 
 
+
+export async function createSessionToken(userId:number) {
+    return jwt.sign(
+        {
+            algorithm: 'RS256',
+            exp: (moment().add(2,"minutes").toDate().getTime() / 1000),
+            subject: userId
+        }, RSA_PRIVATE_KEY);
+}