opt-cc/api/routes/authenticate.js

168 lines
4.5 KiB
JavaScript

"use strict";
// modules
const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcryptjs');
const Q = require('q');
const _ = require('lodash');
const logger = require('debug')('cc:authenticate');
const apiAuthenticationMiddleware = require('../middleware/auth-middleware');
const checkAdmin = require('../middleware/permission-check').checkAdmin;
// HTTP status codes by name
const codes = require('./http-codes');
const config = require('../config/config');
const routerHandling = require('../middleware/router-handling');
const AppUserModel = require('../models/app-user');
const authenticate = express.Router();
// routes **********************
authenticate.route('/')
.post((req, res, next) => {
authCheck(req.body.username, req.body.password)
.then((user) => {
if (user) {
// authentication successful
res.send(user);
} else {
// authentication failed
res.status(codes.unauthorized).send('Username or password is incorrect');
}
})
.catch((err) => {
res.status(codes.wrongrequest).send(err);
});
})
.all(
routerHandling.httpMethodNotAllowed
);
let authCheck = (username, password) => {
const deferred = Q.defer();
AppUserModel.findOne({username: username}, (err, user) => {
if (err) deferred.reject(err.name + ': ' + err.message);
const diff = 3 * 60 * 24; // time till expiration [minutes]
if (user && user.activated && bcrypt.compareSync(password, user.password)) {
// authentication successful
deferred.resolve({
_id: user._id,
username: user.username,
permission: user.permission,
token: jwt.sign({sub: user._id}, config.secret, {expiresIn: diff * 60}),
tokenExpireDate: new Date(Date.now().valueOf() + diff * 60000 - 1000)
});
} else {
// authentication failed
deferred.resolve();
}
});
return deferred.promise;
};
// ******************************** EDITING USING ADMIN PANEL ************************
authenticate.route('/editUser/:id')
.patch(apiAuthenticationMiddleware, checkAdmin, (req, res, next) => {
if (!req.body || (req.body._id && req.body._id !== req.params.id)) {
// little bit different as in PUT. :id does not need to be in data, but if the _id and url id must match
const err = new Error('id of PATCH resource and send JSON body are not equal ' + req.params.id + " " + req.body._id);
err.status = codes.notfound;
next(err);
return; // prevent node to process this function further after next() has finished.
}
// increment version manually as we do not use .save(.)
req.body.updatedAt = new Date();
req.body.$inc = {__v: 1};
// PATCH is easier with mongoose than PUT. You simply update by all data that comes from outside. no need to reset attributes that are missing.
AppUserModel.findByIdAndUpdate(req.params.id, req.body, {new: true}, (err, item) => {
if (err) {
err.status = codes.wrongrequest;
}
else if (!item) {
err = new Error("appUser not found");
err.status = codes.notfound;
}
else {
res.locals.items = item;
}
next(err);
})
})
.all(
routerHandling.httpMethodNotAllowed
);
// ******************************** SIGNUP ************************
authenticate.route('/signup')
.post((req, res, next) => {
create(req.body)
.then(() => {
res.sendStatus(200);
})
.catch((err) => {
res.status(400).send(err);
});
})
.all(
routerHandling.httpMethodNotAllowed
);
let create = (userParam) => {
const deferred = Q.defer();
// validation
AppUserModel.findOne(
{username: userParam.username},
(err, user) => {
if (err) deferred.reject(err.name + ': ' + err.message);
if (user) {
// username already exists
deferred.reject('Username "' + userParam.username + '" is already taken');
} else {
createUser();
}
});
let createUser = () => {
// set user object to userParam without the cleartext password
const user = _.omit(userParam, 'password');
// add hashed password to user object
user.password = bcrypt.hashSync(userParam.password, 10);
const newUser = new AppUserModel(user);
newUser.save((err, doc) => {
if (err) deferred.reject(err.name + ': ' + err.message);
deferred.resolve();
});
};
return deferred.promise;
};
authenticate.use(routerHandling.emptyResponse);
module.exports = authenticate;