Add ID validator; fix authentication secret usage

api/config/config.js

@@ -6,6 +6,10 @@ module.exports = {
     db: 'cc',
   },
 
+  prod: {
+    env: 'production'
+  },
+
   dev: {
     env: 'dev'
   },

api/cron-job/cron.js

@@ -61,10 +61,10 @@ const createBackup = () => {
 };
 
 // Execute daily @ 02:30 AM
-const cronJobSignature = cron.job('00 09 * * * *', createAllSignatures);
+const cronJobSignature = cron.job('00 30 02 * * *', createAllSignatures);
 
 // Execute on Mon, Thu and Sat @ 04:00 AM
-const cronJobBackup = cron.job('00 30 * * * *', createBackup);
+const cronJobBackup = cron.job('00 00 04 * * mon,thu,sat', createBackup);
 
 module.exports = {
   cronJobSignature: cronJobSignature,

api/middleware/auth-middleware.js

@@ -12,8 +12,10 @@ const apiAuthentication = (req, res, next) => {
   // decode token
   if (token) {
 
+    const secret = process.env.NODE_ENV === config.prod.env ? process.env.JWS_SECRET : 'dev-secret';
+
     // verifies secret and checks exp
-    jwt.verify(token, config.secret, (err, decoded) => {
+    jwt.verify(token, secret, (err, decoded) => {
       if (err) {
         return res.status(403).json({success: false, message: 'Failed to authenticate token.'});
       } else {

api/middleware/validators.js

@@ -0,0 +1,20 @@
+"use strict";
+
+// HTTP status codes by name
+const codes = require('../routes/http-codes');
+
+/**
+ * check if id has valid UUID format
+ */
+const idValidator = (req, res, next) => {
+  const reqId = req.params.id;
+
+  if (!reqId.match(/^[0-9a-fA-F]{24}$/)) {
+    const err = new Error("Invalid request id format");
+    err.status = codes.notfound;
+    return next(err);
+  }
+  next();
+};
+
+exports.idValidator = idValidator;

api/routes/authenticate.js

@@ -11,6 +11,8 @@ const logger = require('debug')('cc:authenticate');
 // HTTP status codes by name
 const codes = require('./http-codes');
 
+const config = require('../config/config');
+
 const routerHandling = require('../middleware/router-handling');
 
 const AppUserModel = require('../models/app-user');
@@ -52,7 +54,10 @@ let authCheck = (username, password, res) => {
     }
     if (user && user.activated && bcrypt.compareSync(password, user.password)) {
       // authentication successful
-      let secret = process.env.JWS_SECRET;
+      const secret = process.env.NODE_ENV === config.prod.env ? process.env.JWS_SECRET : 'dev-secret';
+
+      console.log(secret)
+
       deferred.resolve({
         _id: user._id,
         username: user.username,

api/routes/campaigns.js

@@ -7,10 +7,12 @@ const logger = require('debug')('cc:campaigns');
 // HTTP status codes by name
 const codes = require('./http-codes');
 
-const routerHandling = require('../middleware/router-handling');
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkMT = require('../middleware/permission-check').checkMT;
 
+const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
+
 // Mongoose Model using mongoDB
 const CampaignModel = require('../models/campaign');
 const WarModel = require('../models/war');
@@ -41,7 +43,7 @@ campaigns.route('/')
   );
 
 campaigns.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     CampaignModel.findById(req.params.id, (err, item) => {
       if (err) {
         err.status = codes.servererror;

api/routes/decorations.js

@@ -13,7 +13,9 @@ const codes = require('./http-codes');
 
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkHl = require('../middleware/permission-check').checkHl;
+
 const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
 
 // Mongoose Model using mongoDB
 const DecorationModel = require('../models/decoration');
@@ -71,7 +73,7 @@ decoration.route('/')
   );
 
 decoration.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     DecorationModel.findById(req.params.id, (err, item) => {
       if (err) {
         err.status = codes.servererror;

api/routes/ranks.js

@@ -13,16 +13,15 @@ const codes = require('./http-codes');
 
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkHl = require('../middleware/permission-check').checkHl;
+
 const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
 
 // Mongoose Model using mongoDB
 const RankModel = require('../models/rank');
 
 const ranks = express.Router();
 
-// add middleware for bonus tasks 4 and 5 to find filter and offset/limit params  for GET / and GET /:id
-
-
 // routes **********************
 ranks.route('/')
   .get((req, res, next) => {
@@ -74,7 +73,7 @@ ranks.route('/')
 
 
 ranks.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     RankModel.findById(req.params.id, (err, item) => {
       if (err) {
         err.status = codes.servererror;

api/routes/signatures.js

@@ -16,6 +16,7 @@ const signatures = express.Router();
 
 // routes **********************
 signatures.route('/:id')
+  // does not use idValidator since it works by username
   .get((req, res, next) => {
     // decode UTF8-escape sequences (special characters)
     const uri = decodeURIComponent(req.params.id);

api/routes/squads.js

@@ -13,7 +13,9 @@ const codes = require('./http-codes');
 
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkHl = require('../middleware/permission-check').checkHl;
+
 const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
 
 // Mongoose Model using mongoDB
 const SquadModel = require('../models/squad');
@@ -74,7 +76,7 @@ squads.route('/')
   );
 
 squads.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     SquadModel.findById(req.params.id, (err, item) => {
       if (err) {
         err.status = codes.servererror;

api/routes/users.js

@@ -10,9 +10,11 @@ const codes = require('./http-codes');
 
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkHl = require('../middleware/permission-check').checkHl;
+
 const offsetlimitMiddleware = require('../middleware/limitoffset-middleware-mongo');
 const filterHandlerCreator = require('../middleware/filter-handler-mongo');
 const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
 
 // Mongoose Model using mongoDB
 const UserModel = require('../models/user');
@@ -86,7 +88,7 @@ users.route('/')
 
 
 users.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     UserModel.findById(req.params.id).populate('squadId').exec((err, user) => {
       if (err) {
         err.status = codes.servererror;

api/routes/wars.js

@@ -12,10 +12,14 @@ const logger = require('debug')('cc:wars');
 // HTTP status codes by name
 const codes = require('./http-codes');
 
+// access check
 const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
 const checkMT = require('../middleware/permission-check').checkMT;
-const routerHandling = require('../middleware/router-handling');
 
+const routerHandling = require('../middleware/router-handling');
+const idValidator = require('../middleware/validators').idValidator;
+
+// log paser tool
 const parseWarLog = require('../tools/log-parse-tool');
 
 // Mongoose Model using mongoDB
@@ -139,7 +143,7 @@ wars.route('/')
   );
 
 wars.route('/:id')
-  .get((req, res, next) => {
+  .get(idValidator, (req, res, next) => {
     WarModel.findById(req.params.id, (err, item) => {
       if (err) {
         err.status = codes.servererror;