From 7493911266b14e3d4d0f4d51e07bcb117fffca19 Mon Sep 17 00:00:00 2001 From: BhagatHarsh <93080554+BhagatHarsh@users.noreply.github.com> Date: Tue, 20 Dec 2022 21:16:03 +0530 Subject: [PATCH 1/2] AuthMiddleware --- .gitignore | 1 + server/controllers/auth.controller.js | 9 ++++--- server/middlewares/auth.middleware.js | 38 +++++++++++++++++++++++++++ server/routes/auth.routes.js | 7 ++++- 4 files changed, 50 insertions(+), 5 deletions(-) create mode 100644 server/middlewares/auth.middleware.js diff --git a/.gitignore b/.gitignore index b16d3b9..fb5ad69 100644 --- a/.gitignore +++ b/.gitignore @@ -113,6 +113,7 @@ dist # testing /coverage +*.rest # production /build diff --git a/server/controllers/auth.controller.js b/server/controllers/auth.controller.js index b6ff926..66b26be 100644 --- a/server/controllers/auth.controller.js +++ b/server/controllers/auth.controller.js @@ -12,6 +12,9 @@ const fs = require('fs'); pathToKey = require('path').join(__dirname, '..', './config/id_rsa_priv.pem'); const PRIV_KEY = fs.readFileSync(pathToKey, 'utf8'); //private key is used for signing the token +// token expiration time +const tokenExpirationTime = "1m"; + /* This function is used to authenticate the user when he/she tries to login A post request is made to the server with the user's email and password @@ -38,11 +41,10 @@ const signin = async (req, res, next) => { if (user && (await bcrypt.compare(password, user.password))) { const payload = { user: user, - iat: Date.now() } // Create token const token = "Bearer " + jwt.sign( - payload, PRIV_KEY, { expiresIn: "1d", algorithm: 'RS256' } + payload, PRIV_KEY, { expiresIn: tokenExpirationTime, algorithm: 'RS256' } ); // send user res.status(200).json({ token, user }); 
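Review bot: `const tokenExpirationTime = "1m";` gives every token a one-minute lifetime, and nothing in either hunk of this file adds a refresh or re-issue path, so users are logged out a minute after signin/signup. If this is a debugging value, say so next to it; otherwise restore a realistic lifetime and document the choice, e.g. `const tokenExpirationTime = "1d"; // no refresh endpoint yet, so this is the full session length`. Reading it from configuration next to the key would avoid hard-coding it in the module.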
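Review bot: The payload built right after the `bcrypt.compare(password, user.password)` check is `{ user: user }`, i.e. the whole user record including `user.password` (the bcrypt hash); a JWT is only base64url-encoded, not encrypted, so the hash is handed to every client and to anything that logs the token. The same payload is built in the signup hunk (`@@ -97,11 +99,10 @@`). Put only the claims the middleware needs in the token, e.g. `const payload = { sub: String(user._id), email: user.email };` (confirm the field names against the user model), and strip the hash from the `user` object returned in `res.status(200).json({ token, user })` as well. The rest of signin lies outside the hunk.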
@@ -97,11 +99,10 @@ const signup = async (req, res, next) => {
 const payload = {
 user: user,
- iat: Date.now()
 }
 // Create token
 const token = "Bearer " + jwt.sign(
- payload, PRIV_KEY, { expiresIn: "1d", algorithm: 'RS256' }
+ payload, PRIV_KEY, { expiresIn: tokenExpirationTime, algorithm: 'RS256' }
 );
 // return new user
 res.status(201).json({ token, user });
diff --git a/server/middlewares/auth.middleware.js b/server/middlewares/auth.middleware.js
new file mode 100644
index 0000000..6a71d20
--- /dev/null
+++ b/server/middlewares/auth.middleware.js
@@ -0,0 +1,38 @@
+const jwt = require("jsonwebtoken");
+
+// reading the content of the private key
+const fs = require("fs");
+pathToKey = require("path").join(__dirname, "..", "./config/id_rsa_priv.pem");
+const PRIV_KEY = fs.readFileSync(pathToKey, "utf8"); //private key is used for signing the token
+
+const tokenCheck = (req, res, next) => {
+ // Get the token from the header if present
+ let getToken =
+ req.body.token ||
+ req.query.token ||
+ req.headers["authorization"] ||
+ req.headers["x-access-token"];
+
+ // If token is not present
+ if (!getToken) {
+ return res.status(403).send("A token is required for authentication");
+ }
+
+ const token = getToken.split(" ")[1]; //removing the Bearer from the token
+
+ // Verify the token
+ jwt.verify(token, PRIV_KEY, { algorithms: ["RS256"] }, (err, user) => {
+ // If token is not valid
+ if (err) {
+ return res.status(401).send(err);
+ } else {
+ // If token is valid
+ console.log("Token verified");
+ // Save the user in the request object
+ req.user = user;
+ }
+ });
+ next(); //calling next() to move to the next middleware
+};
+
+module.exports = tokenCheck;
diff --git a/server/routes/auth.routes.js b/server/routes/auth.routes.js
index 12e8cd7..73b30f1 100644
--- a/server/routes/auth.routes.js
+++ b/server/routes/auth.routes.js
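Review bot: `next();` at the end of `tokenCheck` runs unconditionally: the `return res.status(401).send(err)` inside the `jwt.verify` callback only leaves the callback, so the protected handler is still invoked after the 401 has been sent (and with `req.user` unset), which also triggers a "headers already sent" error. `next()` belongs inside the success branch of the callback, and the `err` object should not be echoed to the client since it carries library internals. Separately, `getToken.split(" ")[1]` assumes a `Bearer ` prefix, so a raw token from `req.body.token`, `req.query.token` or `x-access-token` becomes `undefined` and is always rejected; tokens in the query string also end up in access logs, so consider dropping that source. Verification needs only the public half of the key pair, so `PRIV_KEY` is more than this module requires; in the meantime, `pathToKey` should be declared with `const` rather than as an implicit global.
```javascript
const tokenCheck = (req, res, next) => {
  // … unchanged: getToken lookup and the 403 for a missing token …

  // The Authorization header carries "Bearer <jwt>"; the other sources carry the raw token.
  const token = getToken.startsWith("Bearer ") ? getToken.slice("Bearer ".length) : getToken;

  jwt.verify(token, PRIV_KEY, { algorithms: ["RS256"] }, (err, user) => {
    if (err) {
      // Fixed message: the library error object exposes internal detail.
      return res.status(401).send("Invalid or expired token");
    }
    req.user = user;
    return next(); // only reached once the token has been verified
  });
};
```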
@@ -1,5 +1,6 @@ const express = require('express'); -const router = express.Router() +const router = express.Router(); +const authMiddleWare = require('../middlewares/auth.middleware'); const authController = require('../controllers/auth.controller'); @@ -7,4 +8,8 @@ router.post('/signin', authController.signin); router.post('/signup', authController.signup); +router.get('/test', authMiddleWare,(req, res) => { + res.json(req.user); +}); + module.exports = router; \ No newline at end of file From 29a643211bab6c230b89aa87ae005dc34221b837 Mon Sep 17 00:00:00 2001 From: Harsh Bhagat <93080554+BhagatHarsh@users.noreply.github.com> Date: Wed, 28 Dec 2022 03:32:04 +0000 Subject: [PATCH 2/2] hide privkey --- server/config/id_rsa_pub.pem | 13 ------------- server/controllers/auth.controller.js | 8 +++++--- server/middlewares/auth.middleware.js | 8 +++++--- server/models/user.models.js | 2 +- 4 files changed, 11 insertions(+), 20 deletions(-) delete mode 100644 server/config/id_rsa_pub.pem diff --git a/server/config/id_rsa_pub.pem b/server/config/id_rsa_pub.pem deleted file mode 100644 index da5785f..0000000 --- a/server/config/id_rsa_pub.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEAxf5OXB6gCzeVjV7tnqBGnUe/uMfGtOZ1ofJLc2WZ1yKxfg5anQE4 -sarqDNhgrOYz9REaQrdBPhbu0qxdyChOwlesEYO24dzAUa53cb0FwzfEedbwo/Gf -dzklulE4lP5VX9G9qflu+B1vZ1Y4t0pd7B2NoJk4IrJu35Snu3HALeXkJxNDTN+c -WXGaEkMCRakDTlDIFRnMoSNHu3NYGicSKDd1olIv0HEwoUaWorDiTwCpvC7bGOb1 -DnL+Kupyqs5o1cgZLTY8+UqPA3Ul6voLh6FUTkEZinuFjhTtXDr1rpExuwI4nkDm -NTlrihrLSRiSXd82q2s5wFUPymzknbE80p1eVrhG24MS+VI8mCtG1BEH84IyeBGR -4Xmz+kMKsrKT9uRCbvGwjdE+XD7VFuG0XFpWmNxbW3uI9OHNTGRXgVd4rUVAO8od -8UpYyQFoBEvp7LE9aLUDiprmpr+8bzMrzqF3aOXRYnpXYd434Mx/lSUMBSC+Qgfw -KZMqzcebYS2F0yyZ5HDlYOY+5vQa0/wLH+IDwHSTD2H83hXhyZ9D22yG+BekuAa6 -R8dsS02QdgqKYnGuQXcBgJs5Pz5rUzwYC0Z/xsTpkAhXo3ky52ESznVhgl9+76i1 -GUd3dm7f0TbODQYLqMHhQH6y2Kw8U2Pfd0SVBqnT/p89V3XpKHZm08UCAwEAAQ== ------END RSA PUBLIC KEY----- 
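Review bot: The new `/test` handler returns `req.user` verbatim, which is whatever the middleware copied out of the token payload; with the payload built in `auth.controller.js` that is the full user record, hash included, so this route republishes it in plain JSON. If the route is meant to stay as a whoami endpoint, return a projection of the claims rather than the whole object, and note in a comment that it is authenticated-only. Minor style: `authMiddleWare` is inconsistent camelCase (`authMiddleware` matches the file name) and `authMiddleWare,(req, res)` is missing the space after the comma.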
diff --git a/server/controllers/auth.controller.js b/server/controllers/auth.controller.js index 66b26be..2f8515a 100644 --- a/server/controllers/auth.controller.js +++ b/server/controllers/auth.controller.js @@ -8,9 +8,11 @@ const jwt = require('jsonwebtoken') const bcrypt = require('bcryptjs') // reading the content of the private key -const fs = require('fs'); -pathToKey = require('path').join(__dirname, '..', './config/id_rsa_priv.pem'); -const PRIV_KEY = fs.readFileSync(pathToKey, 'utf8'); //private key is used for signing the token +// const fs = require('fs'); +// pathToKey = require('path').join(__dirname, '..', './config/id_rsa_priv.pem'); +// const PRIV_KEY = fs.readFileSync(pathToKey, 'utf8'); //private key is used for signing the token +require('dotenv').config() +const PRIV_KEY = process.env.PRIV_KEY; // token expiration time const tokenExpirationTime = "1m"; diff --git a/server/middlewares/auth.middleware.js b/server/middlewares/auth.middleware.js index 6a71d20..2dd1acc 100644 --- a/server/middlewares/auth.middleware.js +++ b/server/middlewares/auth.middleware.js @@ -1,9 +1,11 @@ const jwt = require("jsonwebtoken"); // reading the content of the private key -const fs = require("fs"); -pathToKey = require("path").join(__dirname, "..", "./config/id_rsa_priv.pem"); -const PRIV_KEY = fs.readFileSync(pathToKey, "utf8"); //private key is used for signing the token +// const fs = require("fs"); +// pathToKey = require("path").join(__dirname, "..", "./config/id_rsa_priv.pem"); +// const PRIV_KEY = fs.readFileSync(pathToKey, "utf8"); //private key is used for signing the token +require('dotenv').config() +const PRIV_KEY = process.env.PRIV_KEY; const tokenCheck = (req, res, next) => { // Get the token from the header if present diff --git a/server/models/user.models.js b/server/models/user.models.js index d977a78..032089d 100644 --- a/server/models/user.models.js +++ b/server/models/user.models.js 
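Review bot: `const PRIV_KEY = process.env.PRIV_KEY;` is never checked, so a missing or mis-quoted variable only surfaces when the first signin reaches `jwt.sign` with an `undefined` key; fail at startup instead with `if (!PRIV_KEY) throw new Error("PRIV_KEY environment variable is not set");`. The same applies to the middleware hunk in this commit. A multi-line PEM in a `.env` file needs quoting or `\n` escapes (recent dotenv versions expand `\n` inside double-quoted values), so a one-line comment above the constant describing the expected format would save the next person a debugging session. The three commented-out `require`/`readFileSync` lines should be deleted rather than kept, and `require('dotenv').config()` is conventionally called once at the application entry point rather than in each module.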
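Review bot: This module only verifies tokens, yet it now loads the signing private key from `process.env.PRIV_KEY`; RS256 verification needs only the public key, and the public-key file deleted in this commit (`server/config/id_rsa_pub.pem`) is exactly what belongs here, e.g. supplied through a separate environment variable (name to be chosen) so that the private key is reachable from the signing controller alone. The middleware cannot read `PRIV_KEY` from a key object it does not need, and removing it also means a compromise of this process does not yield the signing key. If `id_rsa_priv.pem` was ever committed, deleting or ignoring files does not purge it from history — a key that has been in the repository should be rotated, not only moved into `.env`.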
@@ -1,5 +1,5 @@ const mongoose = require("mongoose"); -import {isEmail} from "validator" +const isEmail = require("validator/lib/isEmail"); const userSchema = new mongoose.Schema({ name: String,