User Authentication with ExpressJS and CouchDB - javascript

I'm trying to login a CouchDB User into my express app via a frontend form and store the login in the session. What have so far is the following:
app.js:
var express = require('express');
var couchUser = require('express-user-couchdb');
var session = require('express-session');
var login = require('./routes/login');
var app = express();
app.use(couchUser({
users: 'http://localhost:5984/_users',
request_defaults: {
auth: {
user: 'admin',
pass: 'adminpw'
}
}
}));
app.use(session({ secret: 'secretstring'}));
app.use(express.static(path.join(__dirname, 'public')));
app.use('/', login);
and in my login.js:
var express = require('express');
var router = express.Router();
var couchUser = require('express-user-couchdb');
/* GET users listing. */
router.get('/', function(req, res, next) {
res.render('login', {title: 'Login'});
});
router.post('/login', function(req, res) {
// Don't know what to put here
//res.send(req.body.username)
});
module.exports = router;
I don't know how to go on in my login.js route. Any help is appreciated.
Update - Since I couldn't get the code underneath to work because I didn't understand it completely, research lead me to the following solution:
router.post('/', function(req, res) {
var options = {
url: 'http://localhost:5984/_session',
method: 'POST',
json: {
"name": "admin",
"password": "password"
}
};
request(options, function (error, response, body) {
if (!error && response.statusCode == 200) {
console.log('authenticated');
}else{
console.log('not authenticated');
res.redirect('/')
}
});
});
When I do the same request via HttpRequester I get Statuscode 200 and {"ok":true,"name":null,"roles":["_admin"]} .. but via nodejs it won't do it even though it should be the same?!?

To validate user credentials against CouchDB just follow the example from CouchDB documentation.
curl -X POST http://localhost:5984/_session -d 'name=jan&password=apple'
After successful authentication you can keep CouchDB credentials the session storage.
I created a "proof of concept" code which is probably even not correct since i am not nodejs expert. But after some tuning it should work.
var http = require('http');
router.post('/login', function(req, res) {
var session = req.session;
request.post('http://localhost:5984/_session')
.auth(req.data.username, req.data.password, true)
.on('response', function(response) {
if(response.statusCode == 200) {
session.couchSession = req.data.username + ':' + req.data.password;
res.status(200);
res.send();
} else {
res.status(400);
res.send('Wrong credentials');
}
});
});

Related

how to check user authentication status on the server side

I want to check user authentication before showing a html page
my server.js file is like this
const express = require('express');
var jquery = require('jquery');
var admin = require("firebase");
const app = express();
app.use(express.static(__dirname + '/public'));
var serviceAccount = require("firebasekey.json");
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
databaseURL: "https://23442344114.firebaseio.com"
});
var ref = admin.app().database().ref();
app.get(['/','/index.html'], function(req, res) {
res.sendFile(__dirname + '/public/index.html');
});
app.get(['/dash' ], function(req, res) {
res.sendFile(__dirname + '/public/dash/index.html');
});
How could I check if a user is authenticated first on the server side before rendering a page; for example,
app.get(['/dash' ], function(req, res) {
//check if the user is authenticated
if auth == true {
res.sendFile(__dirname + '/public/dash/index.html');
} else{
res.sendFile(__dirname + '/public/login.html');
}
});
how do I check the user authentication status on the server side?
As suggested, there are countless ways to authenticate your users.
But i will help you out with a simple example:
You should have a persistent list of your users e.g. database. For the simplicity we will go with a constant in your code.
const express = require('express');
var jquery = require('jquery');
var admin = require("firebase");
const USER = {
email: "john#doe.com",
password: "12345"
}
There are several ways to implement the authentication check. I would recommend using a middleware which can be applied to various routes:
const authenticate = (req, res, next) => {
// parse the user out of your request
// e.g with bodyparser -> see npm
if (req.body.email === USER.email && req.body.password === USER.password) {
next()
} else {
res.send({ status: 401 });
}
}
Apply this middleware to the routes you want to protect or to all routes
// all routes
app.use(authenticate)
// certain route
app.get('/someRoute', authenticate, (req, res)) => {
// only successful authenticated user
// (in this case: john#doe.com) will
// have access to this route.
// ... code
}
This pattern can be extended with e.g cookies, jwt and of course a database where you can store your registered users.
You should read about Authentication methods like JWT and OAuth. You can use a middleware to check if a particular user is authenticated or not. You can you libraries like passport for this. You can create you own router level middleware like this.
let middleware = function (req, res, next) {
//Do your checking...
next();
};
app.get(['/dash' ],middleware, function(req, res) {
//check if the user is authenticated
if auth == true {
res.sendFile(__dirname + '/public/dash/index.html');
} else {
res.sendFile(__dirname + '/public/login.html');
}
});

req.url.indexOf('?') throws undefined error when trying to route to a controller with Express.router and passport

var search = 1 + req.url.indexOf('?'); throws an error saying the statement to my left is undefined. Im using passportjs to create a login/registration page on my angular frontend. trying to make a post request to nodejs results in the above error. Im entirely new to the mean stack and ive tried several different tutorials to get myself up and running but have had some road blocks. can someone point in the right direction?
I've played around with just about every file moving around code and trying different solutions but nothing works, or one problem is solved but another occurs.
server.js
// set up ========================
var DATABASE = "mongodb://localhost:27017/smartHomeDevices";
var express = require("express");
var mongoose = require("mongoose"); //require monogDB Driver
var morgan = require("morgan"); // log requests to the console (express4)
var bodyParser = require("body-parser"); // pull information from HTML POST (express4)
var methodOverride = require("method-override"); // simulate DELETE and PUT (express4)
var passport = require("passport");
//var _ = require("lodash");
var http = require('http');
//setup
//app.models =
require("./Models/moduleIndex");
// Bring in the Passport config after model is defined
require('./config/passport');
//registering routes
var routes = require("./routes");
//Create App
var app = express();
app.use(passport.initialize());
//Add Middleware for REST API
app.use(bodyParser.urlencoded({
extended: true
}));
app.use(bodyParser.json);
app.use(bodyParser.json({
type: 'application/vnd.api+json'
}));
app.use(methodOverride("X-HTTP-Method-Override"));
app.use(morgan("dev"));
//CORS Support, makes API Public
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE,");
res.header("Access-Control-Allow-Headers", "Content-Type,Authorization");
next();
});
app.use("/", routes);
// Connect to the db
mongoose.connect(DATABASE);
mongoose.connection.once("open", function() {
var serv = http.createServer(function(req, res) {
res.setHeader("Access-Control-Allow-Origin", "*");
res.setHeader("Access-Control-Allow-Methods", "GET,PUT,POST,DELETE");
res.setHeader("Access-Control-Allow-Headers", "Content-Type,Authorization");
res.writeHead(200, {
'Content-Type': 'text/plain'
});
res.end();
console.log(routes(req.method, req.url));
}).listen(3000);
//module.exports = app;
console.log("Listening on 3000");
});
routes.js
//setup
var express = require('express');
var router = express.Router();
var jwt = require('express-jwt');
var auth = jwt({
secret: 'MY_SECRET',
userProperty: 'payload'
});
var ctrlProfile = require('./Controllers/ProfileController');
var ctrlAuth = require('./Controllers/RegisterUserController');
// profile
router.get('/profile', auth, ctrlProfile.profileRead);
// authentication
router.post('/register', ctrlAuth.register);
router.post('/login', ctrlAuth.login);
module.exports = router;
/*module.exports = {
"/smartDevices" : require("./Controllers/SmartDeviceController"),
"/registeredUsers": require("./Controllers/RegisterUserController")
};*/
resgisteredUsersControllers.js
//setup
//var Resource = require("resourcejs");
var restful = require("node-restful");
var passport = require('passport');
var mongoose = require('mongoose');
var User = mongoose.model('registeredUserModel');
var sendJSONresponse = function(res, status, content) {
res.status(status);
res.json(content);
};
module.exports.register = function(req,res) {
console.log(req);
console.log("nw logging res");
console.log(res);
var user = new User();
user.name = req.body.name;
user.email = req.body.email;
user.username = req.body.username;
user.setPassword(req.body.password);
user.save(function(err) {
if(err)
console.log(err);
var token;
token = user.generateJwt();
res.status(200);
res.json({
"token" : token
});
});
next();
};
module.exports.login = function(req, res) {
passport.authenticate('local', function(err, user, info) {
var token;
// If Passport throws/catches an error
if (err) {
res.status(404).json(err);
return;
}
// If a user is found
if (user) {
token = user.generateJwt();
res.status(200);
res.json({
"token": token
});
} else {
// If user is not found
res.status(401).json(info);
}
})(req, res);
next();
};
/*module.exports = function(app, route) {
//setup controller for restful
// Resource(app,"",route,app.models.registeredUserModel).rest();
var rest = restful.model("registeredUserModel",
app.models.registeredUserModel
).methods(["get", "put", "post", "delete"]);
rest.register(app, route);
//return Middleware
return function(req, res, next) {
next();
};
};
*/
ProfileController.js
var mongoose = require('mongoose');
var User = mongoose.model('registeredUserModel');
module.exports.profileRead = function(req, res) {
// If no user ID exists in the JWT return a 401
if (!req.payload._id) {
res.status(401).json({
"message" : "UnauthorizedError: private profile"
});
} else {
// Otherwise continue
User
.findById(req.payload._id)
.exec(function(err, user) {
res.status(200).json(user);
});
}
};
Request object does not have url field.

How to redirect to route from included files

Im having trouble with redirecting to a different route from a required JavaScript file. As you see in oauth2.js i have a function validate which is called when callback from the request.post() method is called. This means I cant pass the express-instantiation (app) as a parameter.
server.js
var app = require('express);
var login = require('./routes/login');
app.use('/login', login);
var oauth2 = require('./oauth2');
oauth2.auth();
app.get('/login', function(req, res) {
res.sendFile('./public/login.html', { root: __dirname });
});
app.listen(8080);
routes/login.js
var express = require('express');
var router = express.Router();
module.exports = function (){
router.get('/login', function(req, res){
console.log('Logging in...');
}
return router;
}
oauth2.js
...
var request = require('request');
request.post({
uri: uri,
headers:headers,
body:data
}, validate);
function validate(err, res, body){
...
// REDIRECT TO /login.html
}
How can I redirect to /login.html from the validate method?
You can use a middleware to grab the response object of express and use it when oauth2 returns a result:
var app = require('express);
var login = require('./routes/login');
app.use('/login', login);
var oauth2 = require('./oauth2');
app.use(function (req, res, next) {
oauth2.auth(function (err, res, body) {
// validate
res.redirect('/login');
});
});
app.get('/login', function(req, res) {
res.sendFile('./public/login.html', { root: __dirname });
});
and your oauth2.js should receive a callback:
// some code..
function auth (cb) {
// some code ..
request.post({
uri: uri,
headers:headers,
body:data
}, cb);
// some code ..
}
// some code ..

node js route not found

i have the following method to auth my users:
app.all('/*', function(req, res, next) {
// CORS headers
res.header("Access-Control-Allow-Origin", "*"); // restrict it to the required domain
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
// Set custom headers for CORS
res.header('Access-Control-Allow-Headers', 'Content-type,Accept,X-Access-Token,X-Key');
if (req.method == 'OPTIONS') {
res.status(200).end();
} else {
next();
}
});
var auth = require('./auth.js');
router.post('/login', auth.login);
app.all('/api/*', [require('./middlewares/validateRequest')]);
// If no route is matched by now, it must be a 404
app.use(function(req, res, next) {
var err = new Error('Not Found');
err.status = 404;
next(err);
});
And my Auth.js
var jwt = require('jwt-simple');
var auth = {
login: function(req, res) {
var username = req.body.username || '';
var password = req.body.password || '';
if (username == '' || password == '') {
res.status(401);
res.json({
"status": 401,
"message": "Invalid credentials"
});
return;
}
// Fire a query to your DB and check if the credentials are valid
var dbUserObj = auth.validate(username, password);
if (!dbUserObj) { // If authentication fails, we send a 401 back
res.status(401);
res.json({
"status": 401,
"message": "Invalid credentials"
});
return;
}
if (dbUserObj) {
// If authentication is success, we will generate a token
// and dispatch it to the client
res.json(genToken(dbUserObj));
}
},
validate: function(username, password) {
// spoofing the DB response for simplicity
var dbUserObj = { // spoofing a userobject from the DB.
name: 'arvind',
role: 'admin',
username: 'arvind#myapp.com'
};
return dbUserObj;
},
validateUser: function(username) {
// spoofing the DB response for simplicity
var dbUserObj = { // spoofing a userobject from the DB.
name: 'arvind',
role: 'admin',
username: 'arvind#myapp.com'
};
return dbUserObj;
}
}
// private method
function genToken(user) {
var expires = expiresIn(7); // 7 days
var token = jwt.encode({
exp: expires
}, require('../config/secret')());
return {
token: token,
expires: expires,
user: user
};
}
function expiresIn(numDays) {
var dateObj = new Date();
return dateObj.setDate(dateObj.getDate() + numDays);
}
module.exports = auth;
This server runs on port 8080.
So when i attempt to go to http://localhost:8080/login i get the following error message:
Error: Not Found
at app.use.bodyParser.urlencoded.extended (/var/www/example/backend/server.js:34:15)
at Layer.handle [as handle_request] (/var/www/example/backend/node_modules/express/lib/router/layer.js:82:5)
at trim_prefix (/var/www/example/backend/node_modules/express/lib/router/index.js:302:13)
at /var/www/example/backend/node_modules/express/lib/router/index.js:270:7
at Function.proto.process_params (/var/www/example/backend/node_modules/express/lib/router/index.js:321:12)
at next (/var/www/example/backend/node_modules/express/lib/router/index.js:261:10)
at next (/var/www/example/backend/node_modules/express/lib/router/route.js:100:14)
at next (/var/www/example/backend/node_modules/express/lib/router/route.js:104:14)
at next (/var/www/example/backend/node_modules/express/lib/router/route.js:104:14)
at next (/var/www/example/backend/node_modules/express/lib/router/route.js:104:14)
However it seems that the rest of my auth is working because if i go to:
http://localhost:8080/api/user
I get: {"status":401,"message":"Invalid Token or Key"}
Can anyone tell me why my login does not work?
Full server script:
// BASE SETUP
// =============================================================================
var express = require('express'),
bodyParser = require('body-parser');
var app = express();
var router = express.Router();
var es = require('express-sequelize');
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
extended: true
}));
// =============================================================================
//Secure
app.all('/*', function(req, res, next) {
// CORS headers
res.header("Access-Control-Allow-Origin", "*"); // restrict it to the required domain
res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
// Set custom headers for CORS
res.header('Access-Control-Allow-Headers', 'Content-type,Accept,X-Access-Token,X-Key');
if (req.method == 'OPTIONS') {
res.status(200).end();
} else {
next();
}
});
var auth = require('./auth.js');
router.post('/login', auth.login);
app.all('/api/*', [require('./middlewares/validateRequest')]);
// If no route is matched by now, it must be a 404
app.use(function(req, res, next) {
var err = new Error('Not Found');
err.status = 404;
next(err);
});
var env = app.get('env') == 'development' ? 'dev' : app.get('env');
var port = process.env.PORT || 8080;
var Sequelize = require('sequelize');
// db config
var env = "dev";
var config = require('./database.json')[env];
var password = config.password ? config.password : null;
// initialize database connection
var sequelize = new Sequelize(
config.database,
config.user,
config.password,
{
logging: console.log,
define: {
timestamps: false
}
}
);
//Init models
var division_model = require('./lb_models/division/division_model')(express,sequelize,router);
var user_model = require('./lb_models/user/user_model')(express,sequelize,router);
var team_model = require('./lb_models/Team')(express,sequelize,router);
app.use('/api', router);
app.use(division_model);
app.use(user_model);
app.use(team_model);
// START THE SERVER
app.listen(port);
console.log('Magic happens on port ' + port);
Try moving your app.use(bodyParser…) statements above the login route. The order of middleware matters. At the time login is called the req object hasn't run through the bodyParser middleware yet.
Also, your router instance is mounted at "/api" so the router methods will never get called for "/login". The following line should be place above your 404 catchall:
app.use('/', router);
Before, you had used app.use('/api', router), which means that your router routes will only be looked at for any request that starts with '/api'. Also, you had place the 'use' statement too far down.
When setting up middleware, the order in which you call app.use() is key. In your server.js, you're setting up your application routes before you set up body parser. Meaning, when the request comes in, is is not parsed before hitting your application logic. You need to move the app.use(bodyParser) parts to the top of your code.
var express = require('express'),
bodyParser = require('body-parser');
var app = express();
var router = express.Router();
var es = require('express-sequelize');
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({
extended: true
}));
perphaps you have to move the
app.use("/", (req, res, next) => {
res.status("404").json({message: "Not found"})
})
to the bottom of your code, but before "app.listen()", The order you declare the routes in the router are important, so putting the "app.use" after you declare all theses routes, would search a match with all the previous route and if none is found then it will enter in that last one
Like this:
.
..
...
app.use('/api', router);
app.use(division_model);
app.use(user_model);
app.use(team_model);
app.use("/", (req, res, next) => {
res.status("404").json({message: "Not found"})
})
// START THE SERVER
app.listen(port);
console.log('Magic happens on port ' + port);

JWT Angular Authentication on Refresh

So I'm following the following Egghead.io guide:
https://egghead.io/lessons/angularjs-finalizing-jwt-authentication-with-angularjs
With a twist, I am trying to incorporate a MongoDB to retrieve my users. I have everything working so far, except the last part where he states that the /me route should just return req.user and it should be fine on refreshes. I don't get that. What I do get is blank user returned from my server.
My server code is setup like this:
var jwtSecret = 'fjkdlsajfoew239053/3uk';
app.use(cors());
app.use(bodyParser.json());
app.use(expressJwt({ secret: jwtSecret }).unless({ path: [ '/login' ]}));
app.use(compression());
app.use(express.static(__dirname + '/client'));
app.get('/', function(req, res){
res.render(__dirname + '/client/bundle.js');
});
app.get('/me', function (req, res) {
res.send(req.user);
});
... setup for user schema and other boring stuff ...
function authenticate(req, res, next) {
var body = req.body;
if (!body.username || !body.password) {
res.status(400).end('Must provide username or password');
}
//do salting, hashing, etc here yo
User.findOne({ username: body.username }, function(err, user){
if (user === null || body.password !== user.password) {
res.status(401).end('Username or password incorrect');
}else{
req.user = user;
next();
}
});
}
// ROUTES
app.post('/login', authenticate, function (req, res, next) {
var token = jwt.sign({
username: req.user.username
}, jwtSecret);
res.send({
token: token,
user: req.user
});
});
app.listen(process.env.PORT || 5000);
And my controller (Client-side) handling the basic authentication is:
module.exports = function($scope, $state, $modal, UserFactory) {
var vm = this;
$scope.$state = $state;
$scope.sign_in = false;
$scope.open = function () {
var $modalInstance = $modal.open({
templateUrl: 'suggestion-modal.html',
controller: 'modalCtrl'
});
};
// initialization
UserFactory.getUser().then(function success(response) {
vm.user = response.data;
});
function login(username, password) {
UserFactory.login(username, password).then(function success(response) {
vm.user = response.data.user;
}, handleError);
}
function logout() {
UserFactory.logout();
vm.user = null;
}
function handleError(response) {
alert('Error: ' + response.data);
}
vm.login = login;
vm.logout = logout;
};
Can anyone catch the bug I'm not seeing here? Basically I have a JWT on the client when I'm logged in but my initialization on the client controller is not recognizing that I'm logged in (it's not setting the user object to anything). It's kinda strange.
So my solution ended up taking into account Kent's help and a little brainstorming. It looked like the following. Note, apparently middleware ordering in express matters a lot since after changing when Express-jwt got loaded made a huge difference in whether or not the authentication headers were checked on initial directory load on the client (which if they were angular wouldn't load and the whole app broke). Cheers!
'use strict';
var faker = require('faker');
var cors = require('cors');
var bodyParser = require('body-parser');
var jwt = require('jsonwebtoken');
var expressJwt = require('express-jwt');
var compression = require('compression');
var express = require('express');
var bcrypt = require('bcrypt');
var connectLiveReload = require('connect-livereload');
var jwt = require('jsonwebtoken');
var app = express();
var jwtSecret = 'fjkdlsajfoew239053/3uk';
app.use(cors());
app.use(bodyParser.json());
app.use(compression());
app.use(express.static(__dirname + '/client'));
// app.get('/', function(req, res){
// res.render(__dirname + '/client/bundle.js');
// });
app.use(expressJwt({ secret: jwtSecret }).unless({ path: ['/login']}));
app.get('/me', function (req, res) {
res.send(req.user);
});
...schema stuff...
// UTIL FUNCTIONS
function authenticate(req, res, next) {
var body = req.body;
if (!body.username || !body.password) {
res.status(400).end('Must provide username or password');
}
//do salting, hashing, etc here yo
User.findOne({ username: body.username }, function(err, user){
if (user === null || body.password !== user.password) {
res.status(401).end('Username or password incorrect');
}else{
req.user = user;
next();
}
});
}
// ROUTES
app.post('/login', authenticate, function (req, res, next) {
var token = jwt.sign({
username: req.body.username
}, jwtSecret);
res.send({
token: token,
user: req.user
});
});
// app.use(connectLiveReload()); figure out whats wrong with this later and get livereload working
app.listen(process.env.PORT || 5000);

Categories