implement proper jwt checking in authchecker

ref #12
2020-12-05 17:59:43 +01:00 · 2020-12-05 17:59:43 +01:00 · 76e19ca28d
commit 76e19ca28d
parent e5b605cc55
4 changed files with 22 additions and 29 deletions
--- a/src/app.ts
+++ b/src/app.ts
@ -5,14 +5,13 @@ import { createExpressServer } from "routing-controllers";
 import authchecker from "./authchecker";
 import loaders from "./loaders/index";
 import { ErrorHandler } from './middlewares/ErrorHandler';
 import { JWTAuth } from './middlewares/JWTAuth';
 dotenvSafe.config();
 const PORT = process.env.APP_PORT || 4010;
 const app = createExpressServer({
  authorizationChecker: authchecker,
-  middlewares: [ErrorHandler, JWTAuth],
+  middlewares: [ErrorHandler],
  development: process.env.NODE_ENV === "production",
  cors: true,
  routePrefix: "/api",
--- a/src/authchecker.ts
+++ b/src/authchecker.ts
@ -1,13 +1,15 @@
 import * as jwt from "jsonwebtoken";
 import { Action } from "routing-controllers";
-import { IllegalJWTError, NoPermissionError } from './errors/AuthError';
+import { getConnectionManager } from 'typeorm';
 import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
 import { User } from './models/entities/User';
 // -----------
 const sampletoken = jwt.sign({
    "permissions": {
        "TRACKS": ["read", "update", "delete", "add"]
        // "TRACKS": []
    }
-}, process.env.JWT_SECRET || "secretjwtsecret")
+}, "securekey")
 console.log(`sampletoken: ${sampletoken}`);
 // -----------
 const authchecker = async (action: Action, permissions: string | string[]) => {
@ -21,10 +23,15 @@ const authchecker = async (action: Action, permissions: string | string[]) => {
    const provided_token = action.request.query["auth"];
    let jwtPayload = undefined
    try {
-        jwtPayload = <any>jwt.verify(provided_token, process.env.JWT_SECRET || "secretjwtsecret");
+        jwtPayload = <any>jwt.verify(provided_token, "securekey");
    } catch (error) {
        console.log(error);
        throw new IllegalJWTError()
    }
    const count = await getConnectionManager().get().getRepository(User).count({ id: jwtPayload["userdetails"]["id"], refreshTokenCount: jwtPayload["userdetails"]["refreshTokenCount"] })
    if (count !== 1) {
        throw new UserNonexistantOrRefreshtokenInvalidError()
    }
    if (jwtPayload.permissions) {
        action.response.local = {}
        action.response.local.jwtPayload = jwtPayload.permissions
--- a/src/errors/AuthError.ts
+++ b/src/errors/AuthError.ts
@ -23,6 +23,17 @@ export class IllegalJWTError extends UnauthorizedError {
 	message = "your provided jwt could not be parsed"
 }
 /**
 * Error to throw when user is nonexistant or refreshtoken is invalid
 */
 export class UserNonexistantOrRefreshtokenInvalidError extends UnauthorizedError {
 	@IsString()
 	name = "UserNonexistantOrRefreshtokenInvalidError"
 	@IsString()
 	message = "user is nonexistant or refreshtoken is invalid"
 }
 /**
 * Error to throw when provided credentials are invalid
 */
--- a/src/middlewares/jwtauth.ts
+++ b/src/middlewares/jwtauth.ts
@ -1,24 +0,0 @@
 import * as jwt from "jsonwebtoken";
 import {
    ExpressMiddlewareInterface
 } from "routing-controllers";
 export class JWTAuth implements ExpressMiddlewareInterface {
    use(request: any, response: any, next?: (err?: any) => any): any {
        const token = <string>request.headers["auth"];
        try {
            /**
            TODO: idk if we should always check the db if refreshtokencount is valid?
            seems like a lot of db overhead
            at the same time it's basically our only option to support proper logouts
             */
            const jwtPayload = <any>jwt.verify(token, "secretjwtsecret");
            // const jwtPayload = <any>jwt.verify(token, process.env.JWT_SECRET);
            response.locals.jwtPayload = jwtPayload;
        } catch (error) {
            console.log(error);
            return response.status(401).send();
        }
        next();
    }
 }