token encyrption working. never send token to the front end.

5 years ago · 0f6ce7c3d8
parent f3339089ff
commit 0f6ce7c3d8
4 changed files with 42 additions and 12 deletions
--- a/brain/api/v1/auth.js
+++ b/brain/api/v1/auth.js
@ -30,7 +30,7 @@ router.get('/status', function(req, res) {
 		res.json({
 			type: DataEvent.API_REQUEST_GOOD,
 			message: 'Auth is Good',
-			token: session.token
+			token: session.hashToken
 		});
 	} else {
 		res.json({
@ -60,10 +60,11 @@ router.post('/login', function(req, res) {
 			let session = req.session;
 			session.user = found;
 			session.token = token;
+			session.hashToken = hashToken(token);
 			res.json({
 				type: DataEvent.REQUEST_GOOD,
 				message: 'Welcome Back',
-				token: session.token
+				token: session.hashToken
 			});
 		} else {
 			res.json({
@ -80,3 +81,7 @@ module.exports = router;
 function isValidPassword(user, password) {
 	return bCrypt.compareSync(password, user.password);
 }
+
+function hashToken(token) {
+	return bCrypt.hashSync(token, bCrypt.genSaltSync(10), null);
+}
--- a/brain/api/v1/pages.js
+++ b/brain/api/v1/pages.js
@ -6,7 +6,9 @@ const multer = require('multer');
 const fs = require('fs-extra');
 const moment = require('moment');
 const jwt = require('jsonwebtoken');
+const bCrypt = require('bcrypt-nodejs');
 const book = new Book();
+const _ = require('lodash');
 const uploadPath =
 	'./public/assets/images/blog/' + moment().format('YYYY') + '/' + moment().format('MM');
 fs.ensureDir(uploadPath, () => {
@ -42,17 +44,27 @@ router.get('/', (req, res) => {
    Update Page
 */
 router.post('/write/:task?', feature_upload, (req, res) => {
-	/** 
 	if (req.session.user) {
-		var member = req.session.user;
-		jwt.verify(req.session.token, member.key, function(err, decoded) {
-			if (err) {
-				console('NOPE', err);
-			}
-			console.log('YUP', decoded);
-		});
+		//Get enctrypted hashed token from header request
+		let hash = req.headers['x-access-token'];
+		//Checks if token is a proper hash, if not reject
+		if (!isTokenValid(req.session.token, hash)) {
+			res.json({
+				type: DataEvent.API_REQUEST_LAME,
+				message: 'Invalid Token. Auth Blocked'
+			});
+		} else {
+			//console.log('TOKEN IS GOOD');
+			var member = req.session.user;
+			jwt.verify(req.session.token, member.key, function(err, decoded) {
+				if (err) {
+					console('NOPE', err);
+				}
+				console.log('YUP', decoded);
+			});
+		}
 	}
-	*/
+
 	var feature = '';
 	if (req.files.length > 0) {
 		var path = req.files[0].path;
@ -141,3 +153,7 @@ router.post('/add-post-image', post_upload, function(req, res) {
 });

 module.exports = router;
+
+function isTokenValid(token, hashedToken) {
+	return bCrypt.compareSync(token, hashedToken);
+}
--- a/src/com/controllers/PageEditor.js
+++ b/src/com/controllers/PageEditor.js
@ -135,7 +135,10 @@ export default class PostEditor {
 						)
 							.then(response => {
 								let r = JSON.parse(response.request['response']);
-								if (r.type === DataEvent.PAGE_ERROR) {
+								if (
+									r.type === DataEvent.PAGE_ERROR ||
+									r.type === DataEvent.API_REQUEST_LAME
+								) {
 									notify.alert(r.message, false);
 								} else {
 									if (r.type === DataEvent.PAGE_UPDATED) {
--- a/src/com/utils/APIUtils.js
+++ b/src/com/utils/APIUtils.js
@ -52,6 +52,12 @@ export default class APIUtils {
 				}
 			};
 			if (requestType == REQUEST_TYPE_PUT || requestType == REQUEST_TYPE_POST) {
+				if (
+					eventType === DataEvent.API_PAGE_WRITE ||
+					eventType === DataEvent.API_IMAGES_UPLOAD ||
+					eventType === DataEvent.API_SETTINGS_WRITE
+				)
+					request.setRequestHeader('x-access-token', self.token);
 				switch (contentType) {
 					case CONTENT_TYPE_JSON:
 						request.setRequestHeader('Content-type', 'application/' + contentType);