Compare commits


No commits in common. "8607af62b5e07795753554fd506eeab4e212f9d1" and "3ac150331ac5c2db2bc73f8ac92e8e86983b9a2f" have entirely different histories.

4 changed files with 29 additions and 22 deletions


@ -5,13 +5,14 @@ import { createExpressServer } from "routing-controllers";
import authchecker from "./authchecker";
import loaders from "./loaders/index";
import { ErrorHandler } from './middlewares/ErrorHandler';
import { JWTAuth } from './middlewares/JWTAuth';
dotenvSafe.config();
const PORT = process.env.APP_PORT || 4010;
const app = createExpressServer({
authorizationChecker: authchecker,
middlewares: [ErrorHandler],
middlewares: [ErrorHandler, JWTAuth],
development: process.env.NODE_ENV === "production",
cors: true,
routePrefix: "/api",
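Review bot: `development: process.env.NODE_ENV === "production"` on the line below the new middleware list looks inverted: routing-controllers uses the `development` flag to decide whether error responses carry stack traces (its own default is NODE_ENV !== "production"), so as written the server would expose them precisely in production and hide them everywhere else; the intended line is presumably `development: process.env.NODE_ENV !== "production",`. Registering `JWTAuth` globally while `authorizationChecker: authchecker` stays in place also means a request is now checked twice, by code that reads the token from different places (the `auth` header in the middleware, the `auth` query parameter in authchecker, as far as the other sections show), so a short comment on the `middlewares` line saying which check is authoritative and why both remain would help the next reader. The createExpressServer call continues past the end of this section.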


@ -1,15 +1,13 @@
import * as jwt from "jsonwebtoken";
import { Action } from "routing-controllers";
import { getConnectionManager } from 'typeorm';
import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
import { User } from './models/entities/User';
import { IllegalJWTError, NoPermissionError } from './errors/AuthError';
// -----------
const sampletoken = jwt.sign({
"permissions": {
"TRACKS": ["read", "update", "delete", "add"]
// "TRACKS": []
}
}, "securekey")
}, process.env.JWT_SECRET || "secretjwtsecret")
console.log(`sampletoken: ${sampletoken}`);
// -----------
const authchecker = async (action: Action, permissions: string | string[]) => {
@ -23,15 +21,10 @@ const authchecker = async (action: Action, permissions: string | string[]) => {
const provided_token = action.request.query["auth"];
let jwtPayload = undefined
try {
jwtPayload = <any>jwt.verify(provided_token, "securekey");
jwtPayload = <any>jwt.verify(provided_token, process.env.JWT_SECRET || "secretjwtsecret");
} catch (error) {
console.log(error);
throw new IllegalJWTError()
}
const count = await getConnectionManager().get().getRepository(User).count({ id: jwtPayload["userdetails"]["id"], refreshTokenCount: jwtPayload["userdetails"]["refreshTokenCount"] })
if (count !== 1) {
throw new UserNonexistantOrRefreshtokenInvalidError()
}
if (jwtPayload.permissions) {
action.response.local = {}
action.response.local.jwtPayload = jwtPayload.permissions
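Review bot: The `|| "secretjwtsecret"` fallback added on the `jwt.sign` and `jwt.verify` lines means a deployment that forgets to set JWT_SECRET silently signs and accepts tokens under a literal that is committed to the repository, and the new JWTAuth middleware uses that same literal outright; since the server already calls `dotenvSafe.config()`, the safer form is to read the variable once with no fallback — `const JWT_SECRET = process.env.JWT_SECRET; if (!JWT_SECRET) throw new Error("JWT_SECRET is not set");` — and list it in the example env file so startup fails loudly instead. With the secret now coming from the environment, the unchanged `console.log(\`sampletoken: ${sampletoken}\`)` prints a token carrying full TRACKS permissions, signed with the real secret, into the logs of every environment; it should be removed or guarded by a NODE_ENV check. Also unchanged but worth noting: `action.response.local = {}` writes to `local`, whereas Express and the new middleware use `response.locals`, so the permissions stored here are not where a later handler would look. The authchecker body continues past the end of the second hunk.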


@ -23,17 +23,6 @@ export class IllegalJWTError extends UnauthorizedError {
message = "your provided jwt could not be parsed"
}
/**
* Error to throw when user is nonexistant or refreshtoken is invalid
*/
export class UserNonexistantOrRefreshtokenInvalidError extends UnauthorizedError {
@IsString()
name = "UserNonexistantOrRefreshtokenInvalidError"
@IsString()
message = "user is nonexistant or refreshtoken is invalid"
}
/**
* Error to throw when provided credentials are invalid
*/


@ -0,0 +1,24 @@
import * as jwt from "jsonwebtoken";
import {
ExpressMiddlewareInterface
} from "routing-controllers";
export class JWTAuth implements ExpressMiddlewareInterface {
use(request: any, response: any, next?: (err?: any) => any): any {
const token = <string>request.headers["auth"];
try {
/**
TODO: idk if we should always check the db if refreshtokencount is valid?
seems like a lot of db overhead
at the same time it's basically our only option to support proper logouts
*/
const jwtPayload = <any>jwt.verify(token, "secretjwtsecret");
// const jwtPayload = <any>jwt.verify(token, process.env.JWT_SECRET);
response.locals.jwtPayload = jwtPayload;
} catch (error) {
console.log(error);
return response.status(401).send();
}
next();
}
}
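Review bot: `jwt.verify(token, "secretjwtsecret")` checks every request against a string literal, with the environment-based form left commented out on the next line, so anyone who can read the source can mint tokens this middleware accepts; the live line should be the env-based one with no fallback and a pinned algorithm, e.g. `const secret = process.env.JWT_SECRET; if (!secret) throw new Error("JWT_SECRET is not set");` followed by `const jwtPayload = <any>jwt.verify(token, secret, { algorithms: ["HS256"] });`. Because the middleware is registered globally, a missing `auth` header makes `jwt.verify` throw and the request is answered 401 before any route runs, which means routes that must work without a token (login or token issuance) cannot be served unless `use` skips them; a comment above `use` stating that intent, or an explicit path allowlist, would make the behaviour deliberate. `console.log(error)` dumps the whole error object for every rejected request; `error.name` and `error.message` are enough for diagnosis and far less noisy. Finally `next` is declared optional but called unconditionally on the last line of `use`; either drop the `?` or guard the call.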