Continued work on remember me tokens.
parent
95ed2fa403
commit
e00e5a608b
11 changed files with 113 additions and 36 deletions
@ -22,6 +22,7 @@ const {validationResult, matchedData} = require('express-validator');
|
|||
|
||||
//local imports
|
||||
const migrationModel = require('../../../schemas/user/migrationSchema.js');
|
||||
const rememberMeModel = require('../../../schemas/user/rememberMeSchema.js');
|
||||
const sessionUtils = require('../../../utils/sessionUtils');
|
||||
const hashUtils = require('../../../utils/hashUtils.js');
|
||||
const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
|
||||
|
|
@ -35,10 +36,39 @@ module.exports.post = async function(req, res){
|
|||
//if we don't have errors
|
||||
if(validResult.isEmpty()){
|
||||
//Pull sanatzied/validated data
|
||||
const {user, pass} = matchedData(req);
|
||||
|
||||
//try to authenticate the session, and return a successful code if it works
|
||||
await sessionUtils.authenticateSession(user, pass, req);
|
||||
const data = matchedData(req);
|
||||
|
||||
//try to authenticate the session, throwing an error and breaking the current code block if user is un-authorized
|
||||
await sessionUtils.authenticateSession(data.user, data.pass, req);
|
||||
|
||||
//If the user already has a remember me token
|
||||
if(data.rememberme != null && data.rememberme.id != null){
|
||||
//Fucking nuke the bitch
|
||||
await rememberMeModel.deleteOne({id: data.rememberme.id})
|
||||
|
||||
//Tell the client to drop the token
|
||||
res.clearCookie("rememberme.id");
|
||||
res.clearCookie("rememberme.token");
|
||||
}
|
||||
|
||||
//If the user requested a rememberMe token (I'm not validation checking a fucking boolean)
|
||||
if(req.body.rememberMe){
|
||||
//Gen user token
|
||||
//requires second DB call, but this enforces password requirement for toke generation while ensuring we only
|
||||
//need one function in the userModel for authentication, even if the second woulda just been a wrapper.
|
||||
//Less attack surface is less attack surface, and this isn't something thats going to be getting constantly called
|
||||
const authToken = await rememberMeModel.genToken(data.user, data.pass);
|
||||
|
||||
//Check config for protocol
|
||||
const secure = config.protocol.toLowerCase() == "https";
|
||||
|
||||
//Set remember me ID and token as browser-side cookies for safe-keeping
|
||||
res.cookie("rememberme.id", authToken.id, {sameSite: 'strict', httpOnly: true, secure});
|
||||
//This should be the servers last interaction with the plaintext token before saving the hashed copy, and dropping it out of RAM
|
||||
res.cookie("rememberme.token", authToken.token, {sameSite: 'strict', httpOnly: true, secure});
|
||||
}
|
||||
|
||||
//Tell the browser everything is dandy
|
||||
return res.sendStatus(200);
|
||||
}else{
|
||||
res.status(400);
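Review bot: The delete at `await rememberMeModel.deleteOne({id: data.rememberme.id})` is keyed only on the id taken from the client's cookie and is not tied to the user that was just authenticated, so any client that presents another record's id (guessable or leaked) can remove someone else's remember-me token; scope the filter to the owning user as well, e.g. `await rememberMeModel.deleteOne({id: data.rememberme.id, /* owner field from the schema */: data.user});` using whatever field rememberMeSchema stores the owner in. `if(req.body.rememberMe){` reads the raw body despite the rest of the block going through `matchedData`, and any non-empty string such as `"false"` is truthy; adding the field to the validator chain (`.isBoolean().toBoolean()`) and reading `data.rememberMe` keeps the check consistent and type-safe. The two `res.cookie` calls set no `maxAge`/`expires`, so browsers discard them when the session ends; if the token is meant to outlive the session, set a lifetime matching the token's server-side expiry (presumably defined in the model — confirm). `config.protocol.toLowerCase() == "https"` should use `===`, and `config` is not among the imports shown in the first hunk, so it presumably comes from earlier in the file. `module.exports.post` starts before this hunk and continues into the next one.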
|
||||
|
|
@ -64,22 +94,22 @@ module.exports.post = async function(req, res){
|
|||
return res.sendStatus(301);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
//Get login attempts
|
||||
const attempts = sessionUtils.getLoginAttempts(user)
|
||||
|
||||
//if we've gone over max attempts
|
||||
if(attempts.count > sessionUtils.throttleAttempts){
|
||||
if(attempts != null && attempts.count > sessionUtils.throttleAttempts){
|
||||
//tell client it needs a captcha
|
||||
return res.sendStatus(429);
|
||||
}else{
|
||||
//Scream about any un-caught errors
|
||||
return exceptionHandler(res, err);
|
||||
}
|
||||
}else{
|
||||
res.status(400);
|
||||
return res.send({errors: validResult.array()})
|
||||
}
|
||||
|
||||
//Scream about any un-caught errors
|
||||
return exceptionHandler(res, err);
|
||||
}
|
||||
|
||||
}
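Review bot: `const attempts = sessionUtils.getLoginAttempts(user)` still reads `user`, but the new side of the previous hunk replaces the `const {user, pass}` destructuring with `const data = matchedData(req)` and uses `data.user` everywhere else; unless `user` is also declared outside the hunk, the throttling path will throw a ReferenceError on exactly the failed-login case it is meant to handle, masking the 429. Change it to `const attempts = sessionUtils.getLoginAttempts(data.user);` (or hoist the declaration above the try) so the error path and the success path read the same validated value. The added `attempts != null` guard is fine, but the call is not awaited; if `getLoginAttempts` is async, `attempts.count` is `undefined` and the throttle never triggers — confirm against sessionUtils. `module.exports.post` begins before this hunk.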
|
||||