Angular Security course

jhades · jhades · commit eba0e216e960 · 2017-08-16T18:04:19.000+02:00
diff --git a/server/auth.middleware.ts b/server/auth.middleware.ts
diff --git a/server/create-user.route.ts b/server/create-user.route.ts
@@ -4,7 +4,6 @@ import {db} from "./database";
 import * as argon2 from 'argon2';
 import {validatePassword} from "./password-validation";
 import moment = require("moment");
-import {createCsrfToken, createSessionToken, randomBytes} from "./security.utils";
 
 
 
@@ -32,14 +31,11 @@ async function createUserAndSession(res:Response, credentials) {
 
     const user = db.createUser(credentials.email, passwordDigest);
 
-    const sessionToken = await createSessionToken(user.id);
-
-    const csrfToken = await createCsrfToken();
+    // TODO replace with JWT
+    const sessionToken = 1;
 
     res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
 
-    res.cookie("CSRF-TOKEN", csrfToken);
-
     res.status(200).json({id:user.id, email:user.email});
 }
 
diff --git a/server/csrf.middleware.ts b/server/csrf.middleware.ts
diff --git a/server/get-user.route.ts b/server/get-user.route.ts
@@ -1,21 +1,20 @@
 
 
 import {Request, Response} from "express";
-import {db} from "./database";
 
 
 
 export function getUser(req:Request, res:Response) {
 
-    const userId = req['userId'];
-
-    const user = db.findUserById(userId);
+    //TODO retrieve the actual user based on JWT content
+    const user = {
+        email:'test@gmail.com'
+    };
 
     if (user) {
         res.status(200).json(user);
     }
     else {
         res.sendStatus(204);
     }
-
 }
diff --git a/server/login.route.ts b/server/login.route.ts
@@ -3,9 +3,7 @@
 import {Request, Response} from "express";
 import {db} from "./database";
 import * as argon2 from 'argon2';
-import {User} from "../src/app/model/user";
 import {DbUser} from "./db-user";
-import {createCsrfToken, createSessionToken, randomBytes} from "./security.utils";
 
 
 
@@ -32,12 +30,8 @@ async function loginAndBuildResponse(credentials:any, user:DbUser,  res: Respons
 
         console.log("Login successful");
 
-        const csrfToken = createCsrfToken();
-
         res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
 
-        res.cookie("CSRF-TOKEN", csrfToken);
-
         res.status(200).json({id:user.id, email:user.email});
 
     }
@@ -59,7 +53,8 @@ async function attemptLogin(credentials:any, user:DbUser) {
         throw new Error("Password Invalid");
     }
 
-    return createSessionToken(user.id);
+    //TODO return JWT
+    return 1;
 }
 
 
diff --git a/server/logout.route.ts b/server/logout.route.ts
@@ -6,10 +6,7 @@ import {Request, Response} from 'express';
 
 export function logout(req: Request, res: Response) {
 
-    const sessionId = req.cookies['SESSIONID'];
-
     res.clearCookie("SESSIONID");
-    res.clearCookie("CSRF-TOKEN");
 
     res.sendStatus(200);
 }
diff --git a/server/security.utils.ts b/server/security.utils.ts
@@ -20,32 +20,3 @@ const RSA_PUBLIC_KEY = fs.readFileSync('./demos/public.key');
 const SESSION_DURATION = 240;
 
 
-export async function createSessionToken(userId:number) {
-    return jwt.sign(
-        {
-        },
-        RSA_PRIVATE_KEY,
-        {
-            algorithm: 'RS256',
-            expiresIn: SESSION_DURATION,
-            subject: '' + userId
-        });
-}
-
-
-export async function isSessionTokenValid(sessionToken:string) {
-
-    const  verify = await jwt.verify(sessionToken, RSA_PUBLIC_KEY);
-
-    console.log("decoded token", verify);
-
-    return verify;
-}
-
-
-export async function createCsrfToken() {
-    return randomBytes(32).then(bytes => bytes.toString('hex'));
-}
-
-
-
diff --git a/server/server.ts b/server/server.ts
@@ -9,16 +9,13 @@ import {createUser} from "./create-user.route";
 import {getUser} from "./get-user.route";
 import {logout} from "./logout.route";
 import {login} from "./login.route";
-import {checkIfAuthenticated, retrieveUserIdFromRequest} from "./auth.middleware";
-import {checkCsrfToken} from "./csrf.middleware";
 const bodyParser = require('body-parser');
 const cookieParser = require('cookie-parser');
 
 
 const app: Application = express();
 
 app.use(cookieParser());
-app.use(retrieveUserIdFromRequest);
 app.use(bodyParser.json());
 
 
@@ -33,7 +30,7 @@ const options = commandLineArgs(optionDefinitions);
 
 // REST API
 app.route('/api/lessons')
-    .get(checkIfAuthenticated, readAllLessons);
+    .get(readAllLessons);
 
 app.route('/api/signup')
     .post(createUser);
@@ -42,7 +39,7 @@ app.route('/api/user')
     .get(getUser);
 
 app.route('/api/logout')
-    .post(checkIfAuthenticated, checkCsrfToken, logout);
+    .post( logout);
 
 app.route('/api/login')
     .post(login);

Original file line number	Diff line number	Diff line change
`@@ -1,21 +1,20 @@`
`1`	`1`
`2`	`2`
`3`	`3`	`import {Request, Response} from "express";`
`4`		`-import {db} from "./database";`
`5`	`4`
`6`	`5`
`7`	`6`
`8`	`7`	`export function getUser(req:Request, res:Response) {`
`9`	`8`
`10`		`- const userId = req['userId'];`
`11`		`-`
`12`		`- const user = db.findUserById(userId);`
	`9`	`+ //TODO retrieve the actual user based on JWT content`
	`10`	`+ const user = {`
	`11`	`+ email:'test@gmail.com'`
	`12`	`+ };`
`13`	`13`
`14`	`14`	`if (user) {`
`15`	`15`	`res.status(200).json(user);`
`16`	`16`	`}`
`17`	`17`	`else {`
`18`	`18`	`res.sendStatus(204);`
`19`	`19`	`}`
`20`		`-`
`21`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,10 +6,7 @@ import {Request, Response} from 'express';`
`6`	`6`
`7`	`7`	`export function logout(req: Request, res: Response) {`
`8`	`8`
`9`		`- const sessionId = req.cookies['SESSIONID'];`
`10`		`-`
`11`	`9`	`res.clearCookie("SESSIONID");`
`12`		`- res.clearCookie("CSRF-TOKEN");`
`13`	`10`
`14`	`11`	`res.sendStatus(200);`
`15`	`12`	`}`