res.redirect() hanging on first submit - node.js

I am having a weird issue that I can only replicate with certain users. When logging in using activedirectory (https://www.npmjs.com/package/activedirectory) only on google chrome, the first time they click login the res.redirect won't work. If they wait for a second and hit enter or click again, it goes through and as long as they don't close chrome, they can log in and out as much as they want without any issues. A large majority of my users can log in with no issues ever.
I am posting the login from a form, not AJAX, there are some promises, that all return the correct values when I debug so I know they are not part of the issue. Has anyone experienced this before?
app.post('/login',
function(req, res) {
var username = req.body.username;
var password = req.body.password;
ad.authenticate(username.toLowerCase()+config.adDomain, password, function(err,auth) {
if (err) {
console.log('ERROR: '+JSON.stringify(err));
res.render('login.ejs', {
login: false,
message: true
});
} else {
if(auth) {
if (req.body.remember) {
req.session.cookie.maxAge = 1000 * 60 * 3;
} else {
req.session.cookie.expires = false;
}
req.session.isAuthenticated = true;
req.session.username = username;
let namePromise = ADRequests.getUserFullName(username);
namePromise.then(function(fullName) {
let setUserInfo = Users.checkUserExists(username,fullName);
let seedPTO = PTO.SeedIntialPTOLogin(username);
Promise.all([setUserInfo, seedPTO]).then(values => {
res.redirect('/');
});
});
} else {
res.render('login.ejs', {
login: false,
message: true
});
}
}
});
}

catching the exception will help you better to understand the flow,
I prefer to add the catch method after then

Related

TypeError: validator.escape is not a function - (express-validator#6.12.1 package)

Codecademy video: link
Explanation:
As part of my Codecademy Back-End Engineer training, I have to do a project outside of their platform. The goal of this project is to make sure a node application is protected from common web attacks.
One challenge I faced was securing the code from Cross-Site Scripting (XSS) attacks. To do this, I used a package called express-validator#6.12.1. The code uses a function called validator.escape which is supposed to protect against any malicious code being inserted into an input form. However, I am getting an error in the console when I try to use it.
Terminal output :
TypeError: validator.escape is not a function
Here is the code :
const validator = require("express-validator");
app.post("/public_forum", function (request, response) {
if (request.session.loggedin) {
var comment = validator.escape(request.body.comment);
var username = request.session.username;
if (comment) {
db.all(
`INSERT INTO public_forum (username,message) VALUES ('${username}','${comment}')`,
(err, rows) => {
console.log(err);
}
);
db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
console.log(rows);
console.log(err);
response.render("forum", { rows });
});
} else {
db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
console.log(rows);
console.log(err);
response.render("forum", { rows });
});
}
comment = "";
} else {
response.redirect("/");
}
comment = "";
//response.end();
});
In the video of Codecademy, the guy uses this function.
Try with:
const {check, validationResult} = require('express-validator');
app.post('/public_forum', async function (request, response) {
if (request.session.loggedin) {
await check('comment').trim().escape().run(req);
const validationResult = await validationResult(req);
if (validationResult.isEmpty()) {
// Good to go...
const { comment } = req.body;
}
...
Link to official docs
I have implemented your code. I tried to add both a malicious and safe comment, but I got an error message on my browser that said, "Port 4000 Not Found." Every time I run the code, it kills the port. So I have implemented another code that works well based on what you sent me.
// This code defines a post request handler for the "/public_forum" endpoint.
app.post('/public_forum', async function (request, response) {
// Check if the user is logged in by checking the session data.
if (request.session.loggedin) {
// Trim and escape the incoming comment.
await check('comment').trim().escape().run(request);
// Get the validation result of the incoming comment.
const errors = validationResult(request);
// If the validation result contains errors, return a 400 status with the errors in a JSON format.
if (!errors.isEmpty()) {
return response.status(400).json({ errors: errors.array() });
}
// Get the comment from the request body.
const { comment } = request.body;
// If a valid comment exists, insert it into the "public_forum" database table.
if (comment) {
db.run(
`INSERT INTO public_forum (username,message) VALUES (?,?)`, [request.session.username, comment],
(err) => {
// If an error occurs while inserting the comment, log the error.
if (err) {
console.error(err);
}
}
);
}
// Select all the rows from the "public_forum" table.
db.all(`SELECT username,message FROM public_forum`, (err, rows) => {
// If an error occurs while selecting the rows, log the error.
if (err) {
console.error(err);
}
// Log the selected rows.
console.log(rows);
// Render the "forum" template, passing in the selected rows as a parameter.
response.render("forum", { rows });
});
} else {
// If the user is not logged in, redirect them to the homepage.
response.redirect("/");
}
});

Unable to get document using document.findOne()

I tried to get a document using document.findOne() but it's value is showing undefined .
Here is my code
`app.post("/studentlogin",(req,res)=>
{
let password;
console.log("login page");
bcrypt.hash(req.body.password,saltRounds,(err,hash)=>
{
const user= Student.findOne({srno:req.body.srno});
console.log(user.srno);
if(req.body.srno==user.srno && hash==user.password)
{
session=req.username;
session.userid=req.body.srno;
res.redirect("/");
}
else{
console.log("invalid user");
res.redirect("/studentlogin");
}
});
})`
I'm implementing session authentication using express-session. Here when I log the user it's showing schema and bunch of other stuff which I don't know(The error is too long) . user.srno is also showing as undefined. How can I fix it?
I tried using call-back function which gave me required document correctly. But I want the query to return the correct document and store it in user.
Using callback function
`app.post("/studentlogin",(req,res)=>
{
let password;
console.log("login page");
bcrypt.hash(req.body.password,saltRounds,(err,hash)=>
{
Student.findOne({srno:req.body.srno},(err,result)=>
{
console.log(result);
});
//console.log(user.srno);
if(req.body.srno==user.srno && hash==user.password)
{
session=req.username;
session.userid=req.body.srno;
res.redirect("/");
}
else{
console.log("invalid user");
res.redirect("/studentlogin");
}
});
})`
You need to wait the result from your query on the database before doing the next task like comparing your password, and looks like you just try to log in, you re not going to register a new one, so it's better to use the compare method in Bcrypt like this :
app.post("/studentlogin", async (req , res) => {
const {srno, password} = req.body // destructuring your request is better for visibility
try {
const user = await Student.findOne({srno: srno});//await the result before next step
console.log(user.srno) //you can check
if(!user) {
console.log("invalid user");
// your logic to tell not student found /wrong username or password, and/or redirect
}
const isMatch = await bcrypt.compare(password, user.password) //await the result and this method for comparing the request password and the user's password found
if(!isMatch) {
//your code to tell Wrong username or password
res.redirect("/studentlogin");
} else {
// your code to access to the login.
res.redirect("/");
}
} catch (err) {
console.log(err)
}
The error you are facing is because you are not using async await in your code. use async in your function definition then use await where you are searching the database.
const someFunction = async(req,res)=>{
// your code
const user=await Student.findOne({srno:req.body.srno});
// your code
}
Your code should look like this.
app.post("/studentlogin", async(req,res)=> {
// your code
const user=await Student.findOne({srno:req.body.srno});
// your code
}
console.log(user) to verify.
Hope it helps.

can't set headers after they are sent in node.js

I am trying to redirect to Homepage.html after successful login. But i am getting error and the page is not displaying. I know this is may be due to 2 responses sent or something like that. I have posted before this question on stackoverflow but not get any answer.I will really aprreciate if any one can help me :)
I have also used return response.redirect('/home'); as it was stated in one of the answer but still nothing worked.
In the home route, i have a console.log and it is working but the file is not displaying. So i guess that code is redirecting to /home but is not opening the file.
When i use console.log(response.headersSent); it displays false.
app.post('/auth', function(request, response) {
var number = request.body.number;
var password = request.body.pwd;
if (number && password) {
var sql = `SELECT
fyp_helpers.Mobile_number AS number,
fyp_helpers.Password AS Password
FROM fyp_helpers
WHERE Mobile_number = ?
UNION
SELECT
fyp_employers.Employer_Contact AS number ,
fyp_employers.Employer_Password AS Employer_Password
FROM fyp_employers
WHERE Employer_Contact = ?`;
connection.query(sql, [number, number], function (error, results, fields) {
if (results.length > 0) {
var hashedPassword = results[0].Password;
bcrypt.compare(password, hashedPassword, function (cryptErr, cryptResult) {
if (cryptResult) {
request.session.loggedin = true;
request.session.number = number;
return response.redirect('/home');
} else {
response.send('Incorrect Password!');
console.log(cryptErr);
}
});
} else {
response.send('User not registered');
}
});
}
else {
response.send('Please enter Username and Password!');
response.end();
}
});
app.get('/home', function(request, response) {
if (request.session.loggedin) {
console.log('I am home');
response.sendFile(path.join(__dirname + '/HomePage.html'));
} else {
response.send('Please login to view this page!');
}
response.end();
});
app.listen(3000);
Here is the error.
You're not waiting for your callback function. You should use the promise for your connection.query and explicitly wait for it using async to return.
Related question with a good answer can be found here.

ldapjs - write after end error

I have created an authentication service using the following code in Node.js and ldapjs.
var when = require ('when');
var AuthenticationError = require('../errors/AuthenticationError');
var SessionManagerService = require('./SessionManagerService');
var ldap = require('ldapjs');
var client = ldap.createClient({
url: 'ldaps://ad.mycompany.com:636',
tlsOptions: {'rejectUnauthorized': false}
});
module.exports = {
signIn: function (email, password) {
return this.ldapBind(email, password).then(
function () {
return SessionManagerService.createSessionHash({email: email});
}
);
},
ldapBind: function (email, password) {
var deferred = when.defer();
client.bind(email, password, function(err) {
if (err) {
deferred.reject (new AuthenticationError('Invalid username and/or password!', 'Authentication.signIn.error'));
} else {
client.unbind();
deferred.resolve(true);
}
});
return deferred.promise;
},
};
When I authenticate my user for the first time, it works perfectly but it fails starting from the second attempt.
The error message is: 'write after end'.
When I restart the node server it works again for the first attempt.
It looks like something is hanging but I don't know what. Any idea?
I solved this problem a few days ago for creating ldap-client every time in ldapBind function (in your case).

authentication using node.js and mongodb

Guys I am trying to get myself authenticated and for this I am using node.js and mongo DB.But the thing is that after registarion the user is not able to authenticate himself.Here is my snippet
app.post('/login',function(req,res){
ContactProvider.findAll(function(error, posts) {
var aut = req.body;
if (aut.user == posts.user && aut.pass == posts.pass) {
req.session.name = {name:aut.user};
res.redirect('/home');
} else {
res.send('Bad user/pass');
}
});
});
Below is my snippet for registering the user
app.post('/register',function(req, res) {
var post=req.body;
if(post.pass!=post.cpass) {
res.send("Error:Password doesnt match");
} else {
ContactProvider.save({
user: req.param('user'),
pass: req.param('pass'),
cpass: req.param('cpass'),
email: req.param('email')
}, function(error, docs) {
res.redirect('/');
});
}
});
The ContactProvider is the one below where post provider is a different file where all the mongoose things happen
var ContactProvider = require('./PostProvider').ContactProvider;
var ContactProvider= new ContactProvider();
This is the finone query in the postprovider file
ContactProvider.prototype.findone = function(name,pass, callback) {
Post.findOne({name:name},{pass:pass}, function (err, post) {
callback(null, post);
});
};
Something's seriously wrong with your code ( why you use name posts for an array of ContactProvider? ). You have to search for ContactProvider based on username and password. Something like this:
app.post('/login',function(req,res){
var aut = req.body;
ContactProvider.findOne(
{
user: aut.user,
pass: aut.pass
},
function(err, usr) {
if (error || !usr) {
res.send('Bad user/pass');
} else {
// we have a user, authenticate!
req.session.name = {name:aut.user};
res.redirect('/home');
}
}
);
});
SIDE NOTE: This is a very simple way of authenticating users, but it is not secure at all. You should read more about authentication and security in the internet. Very useful knowledge indeed.
EDIT: There's also an issue with your registration. Your data is stored in post variable, so use it on ContactProvider as well:
// some other code
ContactProvider.save({
user: post.user,
pass: post.pass,
cpass: post.cpass, // no need to store the same thing twice
email: post.email

Resources