From 52ae2828e576e3b686c036f80a90c3e036a84838 Mon Sep 17 00:00:00 2001
From: MrFry
Date: Fri, 3 Apr 2020 10:36:53 +0200
Subject: [PATCH] Storing session id in cookies, and db

---
 modules/api/api.js | 27 ++++++++++++++++++++-------
 modules/api/apiDBStruct.json | 17 +++++++++++++++++
 modules/api/auth.middleware.js | 31 +++++++++++++++++++------------
 3 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/modules/api/api.js b/modules/api/api.js
index 70e49b1..7a4f434 100644
--- a/modules/api/api.js
+++ b/modules/api/api.js
@@ -143,12 +143,25 @@ Load()
 app.post('/login', (req, res) => {
 logger.LogReq(req)
 const pw = req.body.pw
- // FIXME: redirect to original url
- const user = 'u'
- // TODO: get user
- // TODO: check if pw is correct
- res.cookie('pw', pw).redirect('/')
- req.session.user = user
+ const user = dbtools.Select(authDB, 'users', {
+ pw: pw
+ })[0]
+
+ if (user) {
+ const sessionID = uuidv4()
+ req.session.user = user
+ dbtools.Insert(authDB, 'sessions', {
+ id: sessionID,
+ ip: req.headers['cf-connecting-ip'] || req.connection.remoteAddress,
+ userID: user.id
+ })
+ // FIXME: redirect to original url
+ res.cookie('sessionID', sessionID).redirect('/')
+ } else {
+ res.json({
+ msg: 'invalid pw'
+ })
+ }
 })

 app.post('/logout', (req, res) => {
@@ -158,7 +171,7 @@ app.post('/logout', (req, res) => {
 req.session.destroy(function () {
 logger.Log(`User ${userID} logout`)
 })
- res.clearCookie('pw').redirect('/')
+ res.clearCookie('sessionID').redirect('/')
 })

 // --------------------------------------------------------------
diff --git a/modules/api/apiDBStruct.json b/modules/api/apiDBStruct.json
index 882158b..18a9166 100644
--- a/modules/api/apiDBStruct.json
+++ b/modules/api/apiDBStruct.json
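Review bot: The `sessionID` cookie is set with no attributes at `res.cookie('sessionID', sessionID).redirect('/')`, so it is readable from page script and is also sent over plain HTTP; it should be `res.cookie('sessionID', sessionID, { httpOnly: true, sameSite: 'lax' }).redirect('/')`, with `secure: true` added once the app is served over TLS. The user lookup keys on `pw` alone, so whichever row matches first is logged in and the comparison appears to be against the stored value as-is; a username plus a hashed-password comparison is the usual shape here. The stored `ip` is taken from the `cf-connecting-ip` request header first, which is only meaningful if every request reaches this server through Cloudflare. `uuidv4` is not required anywhere in this hunk; if it is not already imported at the top of api.js (outside the hunk), login throws a ReferenceError. The enclosing `Load()` function continues outside the hunk.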
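Review bot: Logout clears the `sessionID` cookie and destroys the express session but leaves the row in the `sessions` table, so the old cookie value still resolves to the user through `GetUserBySessionID` if it is presented again. The `sessions` row should be removed here as well, before `res.clearCookie('sessionID').redirect('/')`; the value to delete by is still available as `req.cookies.sessionID` at that point. The enclosing `app.post('/logout', …)` handler starts outside the hunk.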
@@ -20,6 +20,23 @@
 }
 }
 },
+ "sessions": {
+ "tableStruct": {
+ "id": {
+ "type": "text",
+ "primary": true,
+ "notNull": true
+ },
+ "ip": {
+ "type": "text",
+ "notNull": true
+ },
+ "userID": {
+ "type": "number",
+ "notNull": true
+ }
+ }
+ },
 "acesses": {
 "tableStruct": {
 "accessId": {
diff --git a/modules/api/auth.middleware.js b/modules/api/auth.middleware.js
index 296e29e..948acef 100644
--- a/modules/api/auth.middleware.js
+++ b/modules/api/auth.middleware.js
@@ -1,48 +1,55 @@ const logger = require('../../utils/logger.js') const dbtools = require('../../utils/dbtools.js') -const usersDBName = 'users' - const exceptions = [ 'favicon', '/login' ] -// TODO: session +// TODO: session table, dont store pw in cookie module.exports = function (options) { const { authDB } = options return function (req, res, next) { - logger.DebugLog(`AUTH: ${req.url}`, 'auth', 1) const isException = exceptions.some((exc) => { return req.url === exc }) if (isException) { + logger.DebugLog(`EXCEPTION: ${req.url}`, 'auth', 1) next() return } - const user = GetUserByPW(authDB, req.cookies.pw) + const user = req.session.user || GetUserBySessionID(authDB, req.cookies.sessionID, req) if (user) { + logger.DebugLog(`ID #${user.id}: ${req.url}`, 'auth', 1) next() } else { + logger.DebugLog(`No user:${req.url}`, 'auth', 1) res.render('login') } } } -function GetUserByPW (db, password) { - if (password === undefined) { +function GetUserBySessionID (db, sessionID, req) { + logger.DebugLog(`Getting user from db`, 'auth', 2) + if (sessionID === undefined) { return } - const res = dbtools.Select(db, usersDBName, { - pw: password - }) - if (res) { - return res[0] + const session = dbtools.Select(db, 'sessions', { + id: sessionID + })[0] + + const user = dbtools.Select(db, 'users', { + id: session.userID + })[0] + + if (user) { + req.session.user = user + return user } }
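Review bot: The new `sessions` table records `id`, `ip` and `userID` but no creation time, so a row cannot be expired or dated after the fact; adding `"created": { "type": "number", "notNull": true }` next to `userID`, and setting it from the login handler, would give cleanup and audit something to key on. Nothing here ties `userID` back to `users`; if this struct format supports a foreign-key constraint, it belongs on that column.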
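Review bot: `GetUserBySessionID` reads `session.userID` without checking that the `sessions` lookup found a row, so an unknown or stale `sessionID` cookie throws a TypeError in the middleware instead of falling through to `res.render('login')`; add `if (!session) { return }` between the two `dbtools.Select` calls. Because `req.session.user || GetUserBySessionID(...)` short-circuits once the user is cached in the express session, the `sessions` table is consulted only on the first request of a session, so removing a row does not end an already-cached login. The cached `user` is the full `users` row, which presumably includes the `pw` column; storing only `user.id` in the session would keep the credential out of the session store. The `ip` written at login is never compared here, so it currently serves only as a record. The `// TODO: session table, dont store pw in cookie` comment describes what this commit already does and can be dropped.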