I am using passport-jwt strategy, JWT in cookies to authenticate a user. The user authentication is working fine. However, at the endpoints where we need not check for authenticated user to grant access, I want to check is a user is logged in. If yes, I'll hide some options from the webpage and show others. I am trying to implement this by retrieving jwt from cookie, verifying it and finding the corresponding user and returning the user obtained.
Naturally, I want the user to be returned in User in the router before moving forward.
authenticate.js
var verifyToken = async function verifyToken(token, secretkey){
// console.log('This is token: ', token);
// console.log('This is secretkey: ', secretkey);
try{
var data = jwt.verify(token, secretkey);
return data;
} catch(err){
return err;
}
}
exports.loggedIn = async function loggedIn(req){
try{
var token = req.signedCookies.jwt;
console.log(token);
var userFound = false;
if(token){
data = await verifyToken(token, config.secretKey);
user = await getUser(data);
console.log('Data: ',data);
console.log('User: ', user);
}
else
return userFound;
}
catch(error){
console.log(err);
}
}
var getUser = function getUser(jwt_payload){
try{
var query = User.findOne({_id: jwt_payload._id});
var returnUser = query.exec();
return returnUser;
}
catch(err){
console.log(err);
}
}
However in the router, the next line i.e. console.log('Index router: ',User); is executed before User is obtained, printing Index router: Promise {<pending>}.
router.get('/', function(req, res, next) {
Posts.find({})
.populate('posted_by', 'username _id')
.then((allPosts) => {
return allPosts;
})
.then((list) => {
console.log("list: ",list);
if(list.length > 10)
list = list.splice(10, list.length-10);
res.statusCode = 200;
res.setHeader('Content-Type','text/html');
var User = authenticate.loggedIn(req); //Here I want the User before moving forward
console.log('Index router: ',User);
res.render('index', {
posts: list,
user: User
});
})
.catch((err) => next(err));
});
I have tried writing a different async function in which I as follows async function getuser(){ User = await authenticate.loggedIn(req); }, but the same problem occurs even then. Please help!
You have to use await:
[...]
var User = await authenticate.loggedIn(req);
[...]
Of course set the function as async:
router.get('/', async function(req, res, next) {
[...]
Related
I have an API which will send an email to a user based off the input. This is the on lick submit. I can confirm the data is being console.log for the state.
const inviteUser = async () => {
userRequest.get(`companyprofile/companyUser/invite/${companyuser._id}`, teamMemberEmail);
console.log('invite sent to', (teamMemberEmail))
}
With this api, i send the body to the API and then email based off the text, however when i log the field it does not appear at all and only shows as {}
router.get("/companyUser/invite/:id", async (req, res) => {
// must update to company
var stringLength = 25;
const companyUser = await CompanyProfile.findById(req.params.id)
const companyUserToken = await companyUser.inviteToken
const companyAccessTokenStripped = await companyUserToken.substring(0, stringLength);
//encrypt the accesstoken to invite users
const url = `http://localhost:5000/api/auth/inviteToJoinTeam/${companyUserToken}/${req.body.email}`;
// const url = `http://localhost:5000/api/companyprofile/companyUser/inviteToJoinTeam/${companyUserToken}`;
console.log(req.body)
const mailOptions = {
from: 'company#gmail.com',
to: req.body.email,
subject: `You have been invited to join ${companyUser.CompanyTitle}`,
html: `${companyUser.companyTitle} has invited you to join their team ${url}`
};
transporter.sendMail(mailOptions, function(error, info){
if (error) {
console.log(error);
} else {
console.log('Email sent: ' + info.response);
}
});
try {
// const savedCompany = await newCompany.save();
res.status(201).json(companyUserToken);
} catch (err) {
res.status(500).json(err);
}
});
Can anyone see why i cannot pass this data and email the user? Appears to be an error with how it's passed but i can confirm that the endpoint works in postman if i just plug an email body in
You are trying to send an email whenever the GET route is called. However, the data won't be sent inside as "req.body" as a GET request doesn't have a body.
If you are using GET method then the data is sent as query parameters.
router.get("/companyUser/invite/:email", async (req, res, next) => {
console.log(req.params.email);
};
You can also either use a POST or PUT request in order to access the URL body
router.post("/companyUser/invite", async (req, res, next) => {
console.log(req.body.email);
};
This is my code for getting user info
router.post("/getuser", fetchuser, async (req, res) => {
try {
userId = req.user.id;
const user = await User.findById(userId).select("-password");
res.send(user);
} catch (error) {
console.error(error.message);
res.status(500).send("Internal Server Error");
}
});
and this is the code for middleware fetchuser
const fetchuser = async (req, res, next) => {
const token = req.header('auth-token');
if (!token) {
res.status(401).send({ error: "Please authenticate using a valid token" })
}
try {
const data = jwt.verify(token, process.env.SECRET);
console.log(data);
req.user = data.user;
next();
} catch (error) {
res.status(401).send({ error: "Please authenticate using a valid token" })
}
};
I am getting the user id in console.log but when I try to get the user id in the router.post then I am not able to get the user Info.
Here is the result I am getting.
Server is running on port 5000
Connected to database
{ id: '61e98c45a9d8818292b38505', iat: 1642743501 }
Cannot read properties of undefined (reading 'id')
Please can anyone tell me what is wrong with this?
router.post("/getuser", fetchuser, async (req, res) => {
try {
const params = JSON.parse(req)
userId = params.id;
const user = await User.findById(userId).select("-password");
res.send(user);
} catch (error) {
console.error(error.message);
res.status(500).send("Internal Server Error");
}
});
Your code is working fine , you just have to change this line on fetchuser middleware
req.user = data.user
to
req.user = data
and your code work as expected..
add file: src/types/express/index.d.ts
content:
declare namespace Express {
interface Request {
user: {
id: string;
};
}
}
I am currently stuck trying to implement a refresh token with express middleware, react and JWT. The problem I am having is I need to pass the refreshed token back to the client from the middleware function. I have tried using res.locals.variableName and also res.set, but once the middleware function is finished and next() is called, I am responding with res.json in my route, which I think is overwriting anything I set in the response from the middleware. How can I return this refresh token to client side while still being able to call next()?
app.all('*', function (req, res, next) {
const headerToken = req.headers.token;
const refreshToken = req.headers.refreshtoken;
const isVerifiedPath = verifyPaths(unauthorizedPaths, currentPath);
if (isVerifiedPath) {
next()
}
else {
jwt.verify(headerToken, process.env.KEY, async (err, data) => {
if (err) {
if (err.expiredAt) { // expired web token
jwt.verify(refreshToken, process.env.KEY, async (err, data) => {
if (data) {
const User = require('./models/User');
const user = await User.query().findById(data.user.id);
const token = jwt.sign({ user }, process.env.KEY, { expiresIn: 5 });
req.user = user;
res.locals.varName = token; // I would like this to be accessible from the response my api returns
next();
}
})
}
else {
return res.status(401).json({ err: 401 });
}
}
else {
req.user = data.user;
next();
}
});
}
});
The solution to my problem was to pass the token through headers like this. I wasn't able to view the token client side because I was not exposing the header (line 2).
res.set('x-token', token);
res.set('Access-Control-Expose-Headers', 'x-token');
I'm trying to make a page that only registered users can access to that page and I'm checking it by middleware at the server side, but when im trying to access the page I get 401 error because the session.user is undefined, while when im trying my code through "postman" it works great without any issues, here is the middleware:
function isLoggedIn(request, response, next) {
if (!request.session.user) {
response.status(401).send("You are not logged in!");
return;
}
next();
}
module.exports = isLoggedIn;
And here is the controller:
router.get("/", isLoggedIn,async (request, response) => {
try {
const vacations = await vacationsLogic.getAllVacationsAsync();
response.json(vacations);
}
catch (err) {
response.status(500).send(err.message);
}
});
and here is the login router:
router.post("/login", async (request, response) => {
try {
const credentials = request.body;
const user = await authLogic.login(credentials);
if (!user) {
response.status(401).send("Illegal username or password");
return
}
request.session.user = user;
response.json(user);
}
catch (err) {
response.status(500).send(err.message);
}
})
and here is the register router:
router.post("/register", async (request, response) => {
try {
const user = new User(0, request.body.firstName, request.body.lastName, request.body.username, request.body.password, 0);
// if username already exits -
// return some error(400) to the client.
const addedUser = await authLogic.register(user);
// Save that user in the session:
request.session.user = addedUser;
response.status(201).json(addedUser);
}
catch (err) {
response.status(500).send(err.message);
}
})
In order to secure REST API I'm using middleware to check for user's JWT token and only allow that particular user to access his own data.
In auth.js
const jwt = require('jsonwebtoken')
const User = require('../models/user')
const auth = async (req, res, next) => {
try {
const token = req.header('Authorization').replace('Bearer ', '')
const decoded = jwt.verify(token, process.env.JWT_SECRET)
const user = await User.findOne({ _id: decoded._id, 'tokens.token': token })
if (!user) { // If no user is found
throw new Error()
}
// if there's a user
req.token = token
req.user = user
next()
} catch (e) {
res.status(401).send({ error: 'Please authenticate.' })
}
}
module.exports = auth
In one of the get/update router
router.get('/itemShipmentStatus', auth, async (req, res) => {
// Get the items shipment status from db.
})
However, I've noticed I need to create a new admin user (e.g. admin 1, admin2) to get and update the itemShipmentStatus for all the users. Is there a way to achieve user group authentication through the middleware (auth.js?)
Update:
The only solution I can think of is to add another "userGroup" field to the user document when creating a new user. Then in the middleware auth.js add in another condition to check if the user belongs to the admin group.
if (!user || user.userGroup !== 'Admin') { // If no user is found
throw new Error()
}
Is this the conventional way of doing it?
I would suggest adding permissions array stored in the user. That way you are more flexible. Then
const auth = (allowedPermission) => (async (req, res, next) => {
try {
const token = req.header('Authorization').replace('Bearer ', '')
const decoded = jwt.verify(token, process.env.JWT_SECRET)
const user = await User.findOne({ _id: decoded._id, 'tokens.token': token })
if (!user) { // If no user is found
throw new Error()
}
if (!user.permissions.includes(allowedPermission)){
throw new Error() // Forbidden 403
}
// if there's a user
req.token = token
req.user = user
next()
} catch (e) {
res.status(401).send({ error: 'Please authenticate.' })
}
})
and in the route
router.get('/itemShipmentStatus', auth([admin, user]), async (req, res) => {
// Get the items shipment status from db.
})
Then it would be a matter to identify the correct code to run.
I would suggest considering the division of the api. A public api and an admin api. This is because conceptually a user may want to be admin and access its own itemShipmentStatus. So having
router.get('/itemShipmentStatus', auth([admin, user]), async (req, res) => {
// Get the items shipment status from db.
})
router.get('/admin/itemShipmentStatus', auth([admin]), async (req, res) => {
// Get the items shipment status from db of all user.
})
This allows an admin user to test the API as a normal user and get all the status as an admin.
A more conventional way of doing this would be to create an AuthRouter which extends the default express.Router and checks for allowed roles, so there will be no need to use middleware for each route.
Extending express.Router to check for roles:
const express = require('express');
const jwt = require('jsonwebtoken');
const User = require('../models/user');
export default class AuthRouter extends express.Router {
addRoles(...roles) {
return this.use(checkAccessForRoles(...roles));
}
}
const checkAccessForRoles = (...roles) => async (req, res, next) => {
const token = req.header('Authorization').replace('Bearer ', '');
const decoded = jwt.verify(token, process.env.JWT_SECRET);
const user = await User.findOne({ _id: decoded._id, 'tokens.token': token });
if (!roles.includes(user.role)) throw new Error('Forbidden');
req.user = user;
return next();
};
Using AuthRouter for ADMIN user role:
const adminRouter = new AuthRouter({
prefix: '/admin',
})
.addRoles(['ADMIN']);
adminRouter.get('/itemShipmentStatus', async (req, res) => {
// Get the items shipment status from db.
});