Angular Security course

jhades · jhades · commit c4f818364daa · 2017-09-18T14:28:36.000+02:00
diff --git a/server/auth.middleware.ts b/server/auth.middleware.ts
@@ -3,7 +3,7 @@ import {Request, Response, NextFunction} from 'express';
 
 export function checkIfAuthenticated(req: Request, res: Response, next: NextFunction) {
 
-    if (req['userId']) {
+    if (req['user']) {
         next();
     }
     else {
diff --git a/server/database-data.ts b/server/database-data.ts
@@ -6,19 +6,19 @@ export const USERS: { [key: number]: DbUser } = {
         email: 'admin@gmail.com',
         // ADMIN user (password is Password10) can read all lessons and also can login on behalf of other users
         passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$PcKtsL4a6+xuPbMCKPep7A$rrFO2lKZcAVguIMaSGaf3hMrKtb6wUG4zN/wDG+xNts',
-        roles: [
-            'READ:LESSONS'
-        ]
+        roles: {
+            'READ:LESSONS': true
+        }
     },
     2: {
         id: 1,
         email: 'user@gmail.com',
         // normal user (password is Password10), does not have access to login as another user functionality
         passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$PcKtsL4a6+xuPbMCKPep7A$rrFO2lKZcAVguIMaSGaf3hMrKtb6wUG4zN/wDG+xNts',
-        roles: [
-            'READ:LESSONS',
-            'ADMIN'
-        ]
+        roles: {
+            'READ:LESSONS': true,
+            'ADMIN': true
+        }
     }
 };
 
diff --git a/server/db-user.ts b/server/db-user.ts
@@ -4,5 +4,5 @@ export interface DbUser {
     id:number;
     email:string;
     passwordDigest:string,
-    roles: string[]
+    roles: Object
 }
diff --git a/server/get-user.middleware.ts b/server/get-user.middleware.ts
@@ -29,7 +29,7 @@ async function handleSessionCookie(jwt:string, req: Request) {
 
         const payload = await decodeJwt(jwt);
 
-        req["userId"] = payload.sub;
+        req["user"] = payload;
 
     }
     catch(err) {
diff --git a/server/login-as-user.route.ts b/server/login-as-user.route.ts
@@ -0,0 +1,38 @@
+
+
+
+import {db} from "./database";
+import {createSessionToken} from "./security.utils";
+
+
+export function loginAsUser(req, res) {
+
+    const adminUser = req["user"],
+          roles = adminUser.userRoles,
+          userEmail = req.body.email;
+
+    if (roles && roles['ADMIN']) {
+
+        const newUser = db.findUserByEmail(userEmail);
+
+        createSessionToken(newUser)
+            .then(sessionToken => {
+
+                res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
+
+                res.status(200).json({ id: newUser.id, email: newUser.email });
+
+            })
+            .catch(err => {
+                console.log("Error trying to login as user",err);
+                res.sendStatus(500);
+            });
+
+
+    }
+    else {
+        res.SendStatus(403);
+    }
+}
+
+
diff --git a/server/login.route.ts b/server/login.route.ts
@@ -43,8 +43,8 @@ async function loginAndBuildResponse(credentials:any, user:DbUser,  res: Respons
     catch(err) {
 
         console.log("Login failed!");
-
         res.sendStatus(403);
+
     }
 }
 
@@ -58,7 +58,7 @@ async function attemptLogin(credentials:any, user:DbUser) {
         throw new Error("Password Invalid");
     }
 
-    return createSessionToken(user.id.toString());
+    return createSessionToken(user);
 }
 
 
diff --git a/server/read-all-lessons.route.ts b/server/read-all-lessons.route.ts
@@ -4,6 +4,12 @@ import {db} from "./database";
 
 export function readAllLessons(req, res) {
 
-    res.status(200).json({lessons:db.readAllLessons()});
-
+    const userRoles = req["user"].roles;
+
+    if (userRoles && userRoles['READ:LESSONS']) {
+        res.status(200).json({lessons:db.readAllLessons()});
+    }
+    else {
+        res.SendStatus(403);
+    }
 }
diff --git a/server/security.utils.ts b/server/security.utils.ts
@@ -7,6 +7,7 @@ const crypto = require('crypto');
 import * as jwt from 'jsonwebtoken';
 import * as fs from "fs";
 import * as argon2 from 'argon2';
+import {DbUser} from "./db-user";
 
 
 export const randomBytes = util.promisify(crypto.randomBytes);
@@ -21,11 +22,12 @@ const RSA_PUBLIC_KEY = fs.readFileSync('./demos/public.key');
 const SESSION_DURATION = 1000;
 
 
-export async function createSessionToken(userId:string) {
+export async function createSessionToken(user: DbUser) {
     return signJwt({}, RSA_PRIVATE_KEY, {
         algorithm: 'RS256',
         expiresIn: 240,
-        subject: userId
+        subject: user.id,
+        roles: user.roles
     });
 }
 
diff --git a/src/app/admin/admin.component.css b/src/app/admin/admin.component.css
diff --git a/src/app/admin/admin.component.html b/src/app/admin/admin.component.html
@@ -13,5 +13,5 @@
         <button class="button button-primary" (click)="loginAsUser()">Login As User</button>
     </div>
 
+</form>
 
-</form>
diff --git a/src/app/admin/admin.component.ts b/src/app/admin/admin.component.ts
@@ -1,18 +1,21 @@
-import { Component, OnInit } from '@angular/core';
+import { Component } from '@angular/core';
 import {FormBuilder, FormGroup, Validators} from "@angular/forms";
 import {AuthService} from "../services/auth.service";
 import {Router} from "@angular/router";
 
 @Component({
   selector: 'admin',
   templateUrl: './admin.component.html',
-  styleUrls: ['./admin.component.css', '../common/forms.css']
+  styleUrls: [ '../common/forms.css']
 })
 export class AdminComponent {
 
     form:FormGroup;
 
-    constructor(private fb:FormBuilder, private authService: AuthService, private router: Router) {
+    constructor(
+        private fb:FormBuilder,
+        private authService: AuthService,
+        private router: Router) {
 
         this.form = this.fb.group({
             userEmail: ['user@gmail.com',Validators.required]
@@ -24,19 +27,15 @@ export class AdminComponent {
 
         const val = this.form.value;
 
-        if (val.email && val.password) {
-
+        if (val.email) {
             this.authService.loginAsUser(val.email)
                 .subscribe(
                     () => {
                         console.log("Logged in as user with email " + val.email);
                         this.router.navigateByUrl('/');
                     }
                 );
-
         }
-
-
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@ import {Request, Response, NextFunction} from 'express';`
`3`	`3`
`4`	`4`	`export function checkIfAuthenticated(req: Request, res: Response, next: NextFunction) {`
`5`	`5`
`6`		`- if (req['userId']) {`
	`6`	`+ if (req['user']) {`
`7`	`7`	`next();`
`8`	`8`	`}`
`9`	`9`	`else {`
Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@ export interface DbUser {`
`4`	`4`	`id:number;`
`5`	`5`	`email:string;`
`6`	`6`	`passwordDigest:string,`
`7`		`- roles: string[]`
	`7`	`+ roles: Object`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ async function handleSessionCookie(jwt:string, req: Request) {`
`29`	`29`
`30`	`30`	`const payload = await decodeJwt(jwt);`
`31`	`31`
`32`		`- req["userId"] = payload.sub;`
	`32`	`+ req["user"] = payload;`
`33`	`33`
`34`	`34`	`}`
`35`	`35`	`catch(err) {`
Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,8 @@ async function loginAndBuildResponse(credentials:any, user:DbUser, res: Respons`
`43`	`43`	`catch(err) {`
`44`	`44`
`45`	`45`	`console.log("Login failed!");`
`46`		`-`
`47`	`46`	`res.sendStatus(403);`
	`47`	`+`
`48`	`48`	`}`
`49`	`49`	`}`
`50`	`50`
`@@ -58,7 +58,7 @@ async function attemptLogin(credentials:any, user:DbUser) {`
`58`	`58`	`throw new Error("Password Invalid");`
`59`	`59`	`}`
`60`	`60`
`61`		`- return createSessionToken(user.id.toString());`
	`61`	`+ return createSessionToken(user);`
`62`	`62`	`}`
`63`	`63`
`64`	`64`
-Original file line number
+Diff line change
         <button class="button button-primary" (click)="loginAsUser()">Login As User</button>
     </div>
 +</form>
 -</form>