Angular Security course

Author: jhades

package-lock.json

@@ -37,6 +37,7 @@
     "command-line-args": "^4.0.6",
     "cookie-parser": "^1.4.3",
     "core-js": "^2.4.1",
+    "ngx-cookie": "^1.0.0",
     "nodemon": "^1.11.0",
     "password-validator": "^4.0.0",
     "rxjs": "^5.1.0",

package.json

@@ -3,7 +3,6 @@ import {db} from "./database";
 import {USERS} from "./database-data";
 import * as argon2 from 'argon2';
 import {validatePassword} from "./password-validation";
-import {AUTH_COOKIE_NAME} from "./constants";
 
 const util = require('util');
 const crypto = require('crypto');
@@ -39,11 +38,11 @@ async function createUserAndSession(res: Response, credentials) {
 
     console.log("passwordDigest", passwordDigest);
 
-    const user = db.createUser(credentials.email, passwordDigest);
+    const user = db.createUser(credentials.email, passwordDigest, sessionId);
 
     console.log(USERS);
 
-    res.cookie(AUTH_COOKIE_NAME, sessionId, {httpOnly: true, secure: true});
+    res.cookie("SESSIONID", sessionId, {httpOnly: true, secure: true});
 
     res.status(200).json({id: user.id, email: user.email});
 

server/constants.ts

@@ -5,6 +5,9 @@ import {DbUser} from "./db-user";
 export const USERS: {[key:number]:DbUser} = {};
 
 
+export const SESSIONS: {[key:number]: number} = {};
+
+
 export const LESSONS = {
 
     1: {

server/create-user.route.ts

@@ -1,7 +1,8 @@
 
 import * as _ from 'lodash';
-import {LESSONS, USERS} from "./database-data";
+import {LESSONS, SESSIONS, USERS} from "./database-data";
 import {DbUser} from "./db-user";
+import {User} from "../src/app/model/user";
 
 
 class InMemoryDatabase {
@@ -13,7 +14,7 @@ class InMemoryDatabase {
     }
 
 
-    createUser(email:string,passwordDigest:string) {
+    createUser(email:string,passwordDigest:string, sessionId:string) {
 
         const usersPerEmail = _.keyBy( _.values(USERS), "email" );
 
@@ -35,6 +36,22 @@ class InMemoryDatabase {
 
         USERS[id] = user;
 
+        SESSIONS[sessionId] = id;
+
+        return user;
+    }
+
+
+    findUserbySession(sessionId:string) : User {
+
+        let user;
+
+        const userId = SESSIONS[sessionId];
+
+        if (userId) {
+            user = {id: userId, email: USERS[userId].email};
+        }
+
         return user;
     }
 

server/database-data.ts

@@ -0,0 +1,24 @@
+
+import {Request, Response} from "express";
+import {db} from "./database";
+
+
+
+export function getUser(req:Request, res:Response) {
+
+    const sessionId = req.cookies['SESSIONID'];
+
+    const user = db.findUserbySession(sessionId);
+
+    if (user) {
+        res.status(200).send(user);
+    }
+    else {
+        res.sendStatus(204);
+    }
+
+
+
+
+
+}

server/database.ts

@@ -6,6 +6,7 @@ import * as fs from 'fs';
 import * as https from 'https';
 import {readAllLessons} from "./read-all-lessons.route";
 import {createUser} from "./create-user.route";
+import {getUser} from "./get-user.route";
 const bodyParser = require('body-parser');
 const cookieParser = require('cookie-parser');
 
@@ -31,6 +32,9 @@ app.route('/api/lessons')
 app.route('/api/signup')
     .post(createUser);
 
+app.route('/api/user')
+    .get(getUser);
+
 
 if (options.secure) {
 

server/get-user.route.ts

@@ -17,7 +17,7 @@
         <li *ngIf="isLoggedOut$ | async">
             <a routerLink="/login">Login</a>
         </li>
-        <li *ngIf="isLoggedIn$ | async">
+        <li *ngIf="isLoggedIn$ | async" (click)="logout()">
             <a>Logout</a>
         </li>
 

server/server.ts

@@ -28,4 +28,10 @@ export class AppComponent  implements OnInit{
 
 
 
+    logout() {
+
+        this.authService.logout();
+
+    }
+
 }

src/app/app.component.html

@@ -11,13 +11,14 @@ import {routesConfig} from "./routes.config";
 import {LessonsService} from "./services/lessons.service";
 import {ReactiveFormsModule} from "@angular/forms";
 
+import {AuthService} from "./services/auth.service";
+import {CookieModule} from "ngx-cookie";
+
 import 'rxjs/add/operator/switchMap';
 import 'rxjs/add/operator/map';
 import 'rxjs/add/operator/shareReplay';
 import 'rxjs/add/operator/do';
-
-import {AuthService} from "./services/auth.service";
-
+import 'rxjs/add/operator/filter';
 
 
 @NgModule({
@@ -31,7 +32,8 @@ import {AuthService} from "./services/auth.service";
     BrowserModule,
       HttpClientModule,
       RouterModule.forRoot(routesConfig),
-      ReactiveFormsModule
+      ReactiveFormsModule,
+      CookieModule.forRoot()
   ],
   providers: [LessonsService, AuthService],
   bootstrap: [AppComponent]

src/app/app.component.ts

@@ -3,6 +3,7 @@ import {HttpClient} from "@angular/common/http";
 import {Observable} from "rxjs/Observable";
 import {User} from "../model/user";
 import {BehaviorSubject} from "rxjs/BehaviorSubject";
+import {CookieService} from "ngx-cookie";
 
 export const ANONYMOUS_USER : User = {
     id: undefined,
@@ -13,26 +14,36 @@ export const ANONYMOUS_USER : User = {
 @Injectable()
 export class AuthService {
 
-   private subject = new BehaviorSubject<User>(ANONYMOUS_USER);
+   private subject = new BehaviorSubject<User>(undefined);
 
-   user$: Observable<User> = this.subject.asObservable();
+   user$: Observable<User> = this.subject.asObservable().filter(user => !!user);
 
-   isLoggedIn$: Observable<boolean> = this.user$.map(user => !!user.id);
+    isLoggedIn$: Observable<boolean> = this.user$.map(user => !!user.id);
 
-   isLoggedOut$: Observable<boolean> = this.isLoggedIn$.map(isLoggedIn => !isLoggedIn);
+    isLoggedOut$: Observable<boolean> = this.isLoggedIn$.map(isLoggedIn => !isLoggedIn);
 
 
-  constructor(private http: HttpClient) {
+  constructor(private http: HttpClient, private cookieService: CookieService) {
 
+      http.get<User>('/api/user')
+          .subscribe(user => this.subject.next(user ? user: ANONYMOUS_USER));
 
   }
 
 
   signUp(email:string, password:string ) {
-
       return this.http.post<User>('/api/signup', {email, password})
           .shareReplay()
           .do(user => this.subject.next(user));
+  }
+
+
+
+  logout() {
+
+      this.cookieService.remove('SESSIONID');
+
+      this.subject.next(ANONYMOUS_USER);
 
   }