Angular Security course

Author: jhades

demos/jwt-check-hs256.js

@@ -3,14 +3,14 @@ var jwt = require('jsonwebtoken');
 
 
 // verify an existing JWT
-var existingToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhbGdvcml0aG0iOiJIUzI1NiIsImRhdGEiOnsidXNlcklkIjoxfSwiaWF0IjoxNTAyODgxOTIxfQ.6ayBjYiaTMJ8Z3tYx6VfueFLDN1U8SFl94B7U3ZWO6Q';
+var existingToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiQWxpY2UiLCJpYXQiOjE1MDI4ODkxOTF9._tPQtlZz2GhXHXATn5W09K4XCG0Z5LyEQqikJf3qXF8';
 
 
 var secretKey = 'secret-key';
 
 
 
-const verify = jwt.verify(existingToken, secretKey, {algorithm: 'HS256' });
+const verify = jwt.verify(existingToken, secretKey);
 
 
 console.log("Decoded JWT:", verify);

demos/jwt-check-rs256.js

@@ -4,15 +4,15 @@ var fs = require('fs');
 
 
 // verify an existing JWT
-var existingToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3RAbWFpbGluYXRvci5jb20iLCJpYXQiOjE1MDI4ODAzODB9.LiZZp_SIy2TApLnJGjWfWhKUU0uc6oh5wJa5gLY4l82cmgB4MGMssxbagaIROmkmSA68tk57YihBmbz7d76lyV1dWw6HAZ6KttvkHnvk8Zyg0QethIG6TYPJ083H_xWUBTDDF-bQCXf3AgELMuKyUWqVONW294tW5n7vKqo41eMx-r372oxHdL9Du_GzZ2LJrWtxPnaIWh5hb0MiPz5KNKlWh0D4MBb-lEkmghc7QE69mIKJ2u3-ZYe_i3KGEclCZArKusmpxfhNbmfvU_JX2kF7ko4HS5qe4a7ZV04Bzgovz5TNZ-13j79jSWpWod3jA_xZZfLfMpgBhteWuxhImw';
+var existingToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiQWxpY2UiLCJpYXQiOjE1MDI4OTA4NjYsImV4cCI6MTUwMjg5MDk4Niwic3ViIjoiMSJ9.SkF5CArLIU9A0MeCiv-HOiRctivGESnXHnxGSwc7lx1nBP0-qO7-r3LO4TVLlLydQBce0hQAbiik1lndgiR1V_8TN-dMGcpFYZlSv3gp4cJD5LNxl_fQ9CBhpznkNo6Yuys8DYIfL90uWpm0jjnSJh2hFDxbGwPaXTciJ0Xdj-QLq2hc_jHrRKaWlB6eCbs9P43tfrUw_pXb0lCdYfPMjPLHJMNyZMLxCxExBoHay7UoYDx_cYU-UTR1hQQ2xbHfrA8oMz1fOCjwCChEXuDKVDqOF9W4LhbrdvGmVgv8mvdl72VSHkqH5jWc3vh0u5xJtsMpRBwg0-OBU3hOebtlyg';
 
 
 var publicKey = fs.readFileSync('./demos/public.key');
 
 
 console.log("verifying");
 
-const verify = jwt.verify(existingToken, publicKey, {algorithm: 'RS256' });
+const verify = jwt.verify(existingToken, publicKey);
 
 
 

demos/jwt-hs256.js

@@ -6,15 +6,14 @@ var jwt = require('jsonwebtoken');
 var secretKey = 'secret-key';
 
 var payload = {
-  userId: 1
+  name: 'Alice'
 };
 
 
 // create a JWT
-var newToken = jwt.sign({
-    algorithm: 'HS256',
-    data: payload
-}, secretKey);
+var newToken = jwt.sign(payload, secretKey, {
+    algorithm: 'HS256'
+});
 
 console.log("JWT created:", newToken);
 

demos/jwt-rs256.js

@@ -6,14 +6,15 @@ var fs = require('fs');
 var privateKey = fs.readFileSync('./demos/private.key');
 
 var payload = {
-  userId: 1
+  name: 'Alice'
 };
 
 
-var token = jwt.sign({
+var token = jwt.sign(payload, privateKey, {
     algorithm: 'RS256',
-    data: payload
-}, privateKey);
+    expiresIn: 120,
+    subject: "1"
+});
 
 
 console.log('RSA 256 JWT', token);

server/auth.middleware.ts

@@ -0,0 +1,42 @@
+import {Request, Response, NextFunction} from 'express';
+import {isSessionTokenValid} from "./security.utils";
+
+
+export function retrieveUserIdFromRequest(req: Request, res: Response, next: NextFunction) {
+
+    const jwt = req.cookies['SESSIONID'];
+
+    if (jwt) {
+        handleSessionCookie(jwt, req, next);
+    }
+    else {
+        next();
+    }
+}
+
+async function handleSessionCookie(jwt, req: Request, next: NextFunction) {
+    try {
+
+        const token = await isSessionTokenValid(jwt);
+
+        console.log("decoded token", token);
+
+        req['userId'] = token.sub;
+
+    }
+    catch (error) {
+        console.error("Error: Could not extract user from request");
+    }
+    finally {
+        next();
+    }
+}
+
+
+export function checkIfAuthenticated(req: Request, res: Response, next: NextFunction) {
+
+    console.log("Calling check if authenticated ...");
+
+    next();
+
+}

server/get-user.route.ts

@@ -6,10 +6,10 @@ import {Request, Response} from "express";
 
 export function getUser(req:Request, res:Response) {
 
-    const sessionId = req.cookies['SESSIONID'];
+    const userId = req.cookies['SESSIONID'];
 
     //TODO
-    const user = {};
+    const user = {email:'test@gmail.com'};
 
 
     if (user) {

server/security.utils.ts

@@ -11,15 +11,42 @@ import * as fs from "fs";
 
 const RSA_PRIVATE_KEY = fs.readFileSync('./demos/private.key');
 
+const RSA_PUBLIC_KEY = fs.readFileSync('./demos/public.key');
+
+
+
 export const randomBytes = util.promisify(crypto.randomBytes);
 
 
 
 export async function createSessionToken(userId:number) {
     return jwt.sign(
+        {
+        },
+        RSA_PRIVATE_KEY,
         {
             algorithm: 'RS256',
-            exp: (moment().add(2,"minutes").toDate().getTime() / 1000),
-            subject: userId
-        }, RSA_PRIVATE_KEY);
-}
+            expiresIn: 120,
+            subject: '' + userId
+        });
+}
+
+
+export async function isSessionTokenValid(sessionToken:string) {
+
+    console.log("validating token", sessionToken);
+
+    const  verify = await jwt.verify(sessionToken, RSA_PUBLIC_KEY);
+
+    console.log("decoded token", verify);
+
+    return verify;
+}
+
+
+
+
+
+
+
+

server/server.ts

@@ -9,14 +9,17 @@ import {createUser} from "./create-user.route";
 import {getUser} from "./get-user.route";
 import {logout} from "./logout.route";
 import {login} from "./login.route";
+import {checkIfAuthenticated, retrieveUserIdFromRequest} from "./auth.middleware";
 const bodyParser = require('body-parser');
 const cookieParser = require('cookie-parser');
 
 
 const app: Application = express();
 
-app.use(bodyParser.json());
 app.use(cookieParser());
+app.use(retrieveUserIdFromRequest);
+app.use(bodyParser.json());
+
 
 const commandLineArgs = require('command-line-args');
 
@@ -29,16 +32,16 @@ const options = commandLineArgs(optionDefinitions);
 
 // REST API
 app.route('/api/lessons')
-    .get(readAllLessons);
+    .get(checkIfAuthenticated, readAllLessons);
 
 app.route('/api/signup')
     .post(createUser);
 
 app.route('/api/user')
-    .get(getUser);
+    .get(checkIfAuthenticated, getUser);
 
 app.route('/api/logout')
-    .post(logout);
+    .post(checkIfAuthenticated, logout);
 
 app.route('/api/login')
     .post(login);