From ffc1636896eea2577e9668dabccf0951b7ea7a8c Mon Sep 17 00:00:00 2001
From: Dhruv Kumar Jha
Date: Sat, 25 Mar 2017 13:49:28 +0530
Subject: [PATCH] Version 1.0.2
---
 app/app.js | 11 ++-
 app/global/middlewares/AccessValidator.js | 87 ++++++++++++++++++++
 app/global/middlewares/ValidAuthToken.js | 96 -----------------------
 app/graphql/resolvers/Auth.js | 2 +-
 package.json | 2 +-
 5 files changed, 97 insertions(+), 101 deletions(-)
 create mode 100644 app/global/middlewares/AccessValidator.js
 delete mode 100644 app/global/middlewares/ValidAuthToken.js
diff --git a/app/app.js b/app/app.js
index d59f09e..913107b 100644
--- a/app/app.js
+++ b/app/app.js
@@ -6,7 +6,7 @@ const cors = require('cors');
 const config = require('app/global/config');
 const mongoose = require('mongoose');
-const ValidAuthTokenMiddleware = require('app/global/middlewares/ValidAuthToken');
+const AccessValidatorMiddleware = require('app/global/middlewares/AccessValidator');
 const expressGraphQL = require('express-graphql');
 const GraphQLSchema = require('app/graphql');
@@ -26,7 +26,7 @@ app.use( body_parser.json({ limit: '50mb' }) );
 app.use( body_parser.urlencoded({ limit: '50mb', extended: true }) );
 // make sure all the requests are made by authenticated users.
-app.use( ValidAuthTokenMiddleware );
+app.use( AccessValidatorMiddleware );
 // disable graphiql in production., so other users cant access the graphiql ui
@@ -41,7 +41,12 @@ app.use(
 );
 app.get( '/', (req, res) => {
- res.json({ code: 200, online: true, message: 'success' });
+ res.json({
+ code: 200,
+ online: true,
+ message: 'success',
+ description: 'Welcome, this is the backend for the productivity application.'
+ });
 });
diff --git a/app/global/middlewares/AccessValidator.js b/app/global/middlewares/AccessValidator.js
new file mode 100644
index 0000000..2e77cbf
--- /dev/null
+++ b/app/global/middlewares/AccessValidator.js
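Review bot: In the second hunk the comment `// make sure all the requests are made by authenticated users.` above `app.use( AccessValidatorMiddleware );` no longer matches what the middleware does: the new AccessValidator lets `/` through unconditionally and skips token validation for every operation in its `publicOperations` list. A reader auditing the auth boundary from app.js would be misled, so reword it to something like `// authenticate every request except the ignored routes and public GraphQL operations listed in AccessValidator.js`. The `/` handler in the third hunk is the route that is now exempt, which is reasonable for a health check, but the exemption is decided in the middleware file rather than here, so the comment is the only place app.js signals it.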
@@ -0,0 +1,87 @@
+'use strict';
+
+const Loka = require('loka');
+const User = require('app/services/models/User');
+const jwt = require('jsonwebtoken');
+const config = require('app/global/config');
+const Response = require('app/global/helpers/Response');
+
+module.exports = ( req, res, next ) => {
+
+ // incase we add different routes and dont want to run this middleware when they are accessed.
+ const ignoredRoutes = [
+ '/',
+ ];
+
+ // these can be accessed by users without logging in.
+ const publicOperations = [
+ 'Login',
+ 'Signup',
+ 'Logout',
+ 'PublicBoard',
+ ];
+
+
+
+ // if the route is present in the ignoredRoutes, just return next.
+ if ( ignoredRoutes.includes(req.path) ) {
+ return next();
+ }
+
+
+ let operationName = '';
+ if ( req.body && req.body.operationName ) { operationName = req.body.operationName; }
+
+ // if the GraphQL operation is not present in publicOperations
+ if( ! publicOperations.includes(operationName) ) {
+
+ const authorization_header = req.headers.authorization;
+ let token;
+ if ( authorization_header ) { token = authorization_header.split(" ")[1]; }
+
+ if ( token ) {
+
+ // reset the user data, for every request.
+ Loka.set('user', {});
+
+ jwt.verify( token, config.server.WEB_TOKEN_SECRET, (err, decoded_user) => {
+
+ if ( err ) {
+ if ( err.name === 'TokenExpiredError' ) {
+ // throw new Error('Your token has expired. please login again to generate new token.');
+ res.json( Response.error(401, 'Unauthorized', 'Your token has expired. please login again to generate new token.') );
+ } else {
+ res.json( Response.authError() );
+ }
+ }
+ else {
+ User.findById( decoded_user.id, (error, user) => {
+ if (error) {
+ res.json( Response.authError() );
+ } else {
+ req.user = user; // just incase we decide to access current user info from req object
+ Loka.set('user', user); // setting it using loka, so this can be accessed from other files.
+ next();
+ }
+ });
+ }
+
+ });
+
+ } else {
+
+ return res.json({
+ code: 400,
+ error: true,
+ message: 'Authentication error occoured, you must be logged in to access the server.'
+ });
+
+ }
+
+ } else {
+ // we don't need to validate the token as this doesnt require user to be authenticated.
+ next();
+ }
+
+
+};
diff --git a/app/global/middlewares/ValidAuthToken.js b/app/global/middlewares/ValidAuthToken.js
deleted file mode 100644
index b433fbd..0000000
--- a/app/global/middlewares/ValidAuthToken.js
+++ /dev/null
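Review bot: The token check can be skipped entirely by labelling a request with a public operation name, because the `if( ! publicOperations.includes(operationName) )` branch trusts `req.body.operationName`, a string the client chooses, and express-graphql executes whichever operation in the submitted document carries that name, so a document like `query Login { ... }` that selects private fields reaches the resolvers with no token verified at all. The operation name cannot be the authorization boundary: either inspect the parsed document (operation type and root fields) before deciding, or make every non-public resolver reject when `Loka.get('user')` / `req.user` is unset, and keep this list only as a fast path. A second gap is in the `User.findById` callback: a deleted user yields no error and no document, so the success branch sets `req.user = null` and still calls `next()`; change the guard to `if (error || !user) { return res.json( Response.authError() ); }`. Finally, `Loka.set('user', {})` is only reset inside `if ( token )`, so on public operations and ignored routes the store keeps whatever the previous request stored if Loka is process-global rather than request-scoped, which is worth confirming given the `Logout` resolver reads `this.store.user`.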
@@ -1,96 +0,0 @@
-'use strict';
-
-const Loka = require('loka');
-const User = require('app/services/models/User');
-const jwt = require('jsonwebtoken');
-const config = require('app/global/config');
-const Response = require('app/global/helpers/Response');
-
-module.exports = ( req, res, next ) => {
-
-
- // incase we add different routes and dont want to run this middleware when they are accessed.
- const ignored_routes = [
- ];
-
- // these can be accessed by users without logging in.
- const publicOperations = [
- 'Login',
- 'Signup',
- 'Logout',
- 'PublicBoard',
- ];
-
-
- // we wont be using route paths, as we're using graphql, so make necessary changes here.
- if( ! ignored_routes.includes(req.path) ) {
- // we need to validate users auth token
-
- const authorization_header = req.headers.authorization;
- let token;
- if ( authorization_header ) { token = authorization_header.split(" ")[1]; }
-
-
- if ( token ) {
-
- // reset the user data, for every request.
- Loka.set('user', {});
-
- jwt.verify( token, config.server.WEB_TOKEN_SECRET, (err, decoded_user) => {
- if ( err ) {
- if ( err.name === 'TokenExpiredError' ) {
- if ( req.method === 'POST' && publicOperations.includes(req.body.operationName) ) {
- next();
- } else {
- // throw new Error('Your token has expired. please login again to generate new token.');
- res.json( Response.error(401, 'Unauthorized', 'Your token has expired. please login again to generate new token.') );
- }
- } else {
- if ( req.method === 'POST' && publicOperations.includes(req.body.operationName) ) {
- next();
- } else {
- res.json( Response.authError() );
- }
- // res.json( Response.authError() );
- }
- }
- else {
- User.findById( decoded_user.id, (error, user) => {
- if (error) {
- res.json( Response.authError() );
- } else {
- req.user = user; // just incase we decide to access current user info from req object
- Loka.set('user', user); // setting it using loka, so this can be accessed from other files.
- next();
- // setTimeout( () => { next(); }, 1000); // using this to manually delay the response.
- }
- });
- }
- });
-
- } else {
-
- if ( req.method === 'POST' ) {
-
- const operationName = req.body.operationName;
-
- if ( publicOperations.includes(operationName) ) {
- next();
- } else {
- return res.json({ code: 400, error: true, message: 'Authentication error occoured, you must be logged in to access the server.' });
- }
-
- } else {
- return res.json({ code: 400, error: true, message: 'authentication error occoured, you must be logged in to access the server.' });
- }
-
- }
-
- }
- else {
- // no auth token validation required.
- next();
- }
-
-
-};
diff --git a/app/graphql/resolvers/Auth.js b/app/graphql/resolvers/Auth.js
index 0c48e2e..b5957e0 100644
--- a/app/graphql/resolvers/Auth.js
+++ b/app/graphql/resolvers/Auth.js
@@ -38,7 +38,7 @@ class AuthController extends ModelController {
 logout(options) {
- const id = this.store.user.id;
+ const id = this.store.user ? this.store.user.id : 0;
 return { status: true, id: id };
 }
diff --git a/package.json b/package.json
index fe76954..6100d47 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "productivity-backend",
- "version": "1.0.1",
+ "version": "1.0.2",
 "description": "Backend for the productivity application",
 "main": "index.js",
 "scripts": {
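Review bot: `logout` now answers `status: true` with `id: 0` whenever `this.store.user` is unset, which is exactly the anonymous-caller case since `Logout` is a public operation in AccessValidator.js, so the client cannot tell "logged out" from "was never logged in". Return `id: null` (or `status: false` when there is no user) so the response is honest; `0` is not a valid Mongo ObjectId and reads as an accidental sentinel. Nothing in the method invalidates the token, so a JWT stays usable until it expires; if logout is meant to end a session server-side that needs a denylist or short-lived tokens, which I cannot see from this hunk. The enclosing `AuthController` class continues outside the hunk.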