I am create an authentication route for my backend API:
const express = require("express");
const jwt = require("jsonwebtoken");
const User = require("../models/User");
let router = express.Router();
router.post("/", (req, res, next) => {
const { username, phone, password } = req.body;
if (!(username || phone) || !password) {
let err = new Error("invalid parameters");
err.status = 400;
next(err);
}
// XXX: Perhaps a better way to do this
let params = {};
if (username) {
params.username = username;
}
if (phone) {
params.phone = phone;
}
User.findOne(params)
.then(user => {
if (!user) {
let err = new Error("invalid credentials");
err.status = 401;
next(err);
}
user.checkPassword(password, (err, isMatch) => {
if (err) {
next(err);
}
if (!isMatch) {
console.log("we get here");
let err = new Error("invalid credentials");
err.status = 401;
next(err);
}
console.log("we also get here");
res.send({
token: jwt.sign(
{
_id: user._id,
username: user.username,
phone: user.phone
},
req.app.get("jwtSecret")
)
});
});
})
.catch(err => {
next(err);
});
});
module.exports = router;
When passing in a valid username but invalid password I get the output:
we got here
we also got here
Error: Can't set headers after they are sent.
at ...
The error I presume is because next(err) is not stopping the execution flow and therefore a response is getting sent twice.
Why is next(err) not stopping the execution flow?
You need to return inside your function after you call next(err).
next(err) stops future routing, but it doesn't stop execution within your own function. So, you need to either be using if/else or return when you're done to stop other parts of your own function from executing.
Personally, I would uses promises for all my asnyc operations and not use a mix and match of promises and callbacks. Then, you can just reject and funnel everything to just your one .catch() at the end.
But, if you're going to stick with your mixture of promises and callbacks, you can add return statements like this:
router.post("/", (req, res, next) => {
const { username, phone, password } = req.body;
if (!(username || phone) || !password) {
let err = new Error("invalid parameters");
err.status = 400;
next(err);
return;
}
// XXX: Perhaps a better way to do this
let params = {};
if (username) {
params.username = username;
}
if (phone) {
params.phone = phone;
}
User.findOne(params).then(user => {
if (!user) {
let err = new Error("invalid credentials");
err.status = 401;
throw err;
}
user.checkPassword(password, (err, isMatch) => {
if (err) {
next(err);
return;
}
if (!isMatch) {
console.log("we get here");
let err = new Error("invalid credentials");
err.status = 401;
next(err);
return;
}
console.log("we also get here");
let token = jwt.sign({_id: user._id, username: user.username, phone: user.phone}, req.app.get("jwtSecret"))
res.send({token});
});
}).catch(err => {
next(err);
});
});
If you change your implementation of user.checkPassword() to return a promise instead of using a callback, then you can do it this way without mixing callbacks and promises:
router.post("/", (req, res, next) => {
function throwErr(msg, status) {
let err = new Error(msg);
err.status = status;
throw err;
}
Promise.resolve().then(() => {
const { username, phone, password } = req.body;
if (!(username || phone) || !password) {
throwErr("invalid parameters", 400);
}
let params = {};
if (username) {
params.username = username;
}
if (phone) {
params.phone = phone;
}
return User.findOne(params).then(user => {
if (!user) {
throwErr("invalid credentials", 401);
}
return user.checkPassword(password).then(isMatch) => {
if (!isMatch) {
throwErr("invalid credentials", 401);
}
let token = jwt.sign({_id: user._id, username: user.username, phone: user.phone}, req.app.get("jwtSecret"))
res.send({token});
});
});
}).catch(err => {
next(err);
});
});
The throwErr() calls will all end up in the .catch().
Related
I'm having an issue with my routes not sending responses to the frontend. I only have 3 routes so far, only two send responses, but neither are doing so. I am using node-postgres(pg). My register route seems to be working because when I register a user, it is reflected in the database. Here are the two routes in question.
// login
app.post('/api/v1/login', checkInput, async (req, res, next) => {
console.log(req.body)
try {
// find user
db.query(`SELECT * FROM users WHERE username = $1`, [req.body.username], async (err, user) => {
if (err) throw err;
// user not found
if (!user) {
res.send({message: 'error'});
} else {
// compare passwords
const matchedPassword = await bcrypt.compare(req.body.password, user.password);
// password doesn't match
if (!matchedPassword) {
res.send({message: 'error'});
} else {
// user found
req.session.user = user.username;
req.session.auth = true;
res.send({message: 'success'});
}
}
})
} catch (error) {
next(error);
}
});
// register
app.post('/api/v1/register', checkInput, async (req, res, next) => {
console.log(req.body)
try {
// check if user already exists
db.query(`SELECT username FROM users WHERE username = $1`, [req.body.username], (err, user) => {
if (err || user) {
res.send({message: 'error'});
}
});
// user doesn't exist so create user
// encrypt password
const salt = await bcrypt.genSalt(3);
const hashPassword = await bcrypt.hash(req.body.password, salt);
db.query(`INSERT INTO users (username, password) VALUES ($1, $2)`, [req.body.username, hashPassword], (err, user) => {
if (err) {
res.send({message: 'error'});
} else {
res.send({message: 'success'});
}
});
} catch (error) {
next(error);
}
});
Any help would be appreciated!
I recently switched from php development to Javascript (I'm really amazed by the performance and possibilities).
Currently I try to create a simple authentification function (Username,hashed Password checked to mariadb Database)
After following some tutorials I managed to create the following structure:
But when I try to test the API via Postman and Insomnia I just get no response. Not even an Error Code. Just going on forever, just like an infinite Loop?
I'm thankful for any tip as I'm new to this. Thanks in advance.
My Stack: React, Nodejs, Mariadb, Express & Jwt / bcryptjs
My Express Router router.js:
router.post('/login', (req, res, next) => {
pool.query(
`SELECT * FROM TABLE WHERE username = ${pool.escape(req.body.username)};`,
(err, result) => {
// user does not exists
if (err) {
throw err;
return res.status(400).send({
msg: err
});
}
if (!result.length) {
return res.status(401).send({
msg: 'Username or password is incorrect!'
});
}
// check password
bcrypt.compare(
req.body.password,
result[0]['password'],
(bErr, bResult) => {
// wrong password
if (bErr) {
throw bErr;
}
if (bResult) {
const token = jwt.sign({
username: result[0].username,
userId: result[0].id
},
process.env.API_SecretKey, {
expiresIn: '2h'
}
);
return res.status(200).send({
msg: 'Logged in!',
token,
user: result[0]
});
}
return res.status(401).send({
msg: 'Username or password is incorrect!'
});
}
);
}
);
});
router.post('/sign-up', userMiddleware.validateRegister, (req, res, next) => {
pool.query(
`SELECT * FROM TABLE WHERE LOWER(username) = LOWER(${pool.escape(
req.body.username
)});`,
(err, result) => {
if (result.length) {
return res.status(409).send({
msg: 'This username is already in use!'
});
} else {
// username is available
bcrypt.hash(req.body.password, 10, (err, hash) => {
if (err) {
return res.status(500).send({
msg: err
});
} else {
// has hashed pw => add to database
pool.query(
`INSERT INTO TABLE (SecurityID, userPassword, username, userOTP) VALUES ('${pool.escape}', ${pool.escape(
req.body.SecurityID,
req.body.username,
req.body.password,
req.body.userOTP
)}, ${pool.escape(hash)}, now())`,
(err, result) => {
if (err) {
throw err;
return res.status(400).send({
msg: err
});
}
return res.status(201).send({
msg: 'Registered!'
});
}
);
}
});
}
}
);
pool.end;
});
router.get('/secret-route', userMiddleware.isLoggedIn, (req, res, next) => {
console.log(req.userData);
res.send('This is the secret content. Only logged in users can see that!');
});
module.exports = router;
My Middleware users.js
module.exports = {
validateRegister: (req, res, next) => {
// username min length 3
if (!req.body.username || req.body.username.length < 3) {
return res.status(400).send({
msg: 'Passwort:' + req.body.username + 'Please enter a username with at least 3 chars',
});
}
// password min 6 chars
if (!req.body.password || req.body.password.length < 6) {
return res.status(400).send({
msg: 'Passwort:' + req.body.password + 'Please enter a password with at least 6 chars'
});
}
// password (repeat) does not match
if (
!req.body.password_repeat ||
req.body.password != req.body.password_repeat
) {
return res.status(400).send({
msg: 'Both passwords must match'
});
}
next();
},
isLoggedIn: (req, res, next) => {
try {
const token = req.headers.authorization.split(' ')[1];
const decoded = jwt.verify(
token,
process.env.API_SecretKey
);
req.userData = decoded;
next();
} catch (err) {
return res.status(401).send({
msg: 'Your session is not valid!'
});
}
}
};
My index.js:
const express = require("express");
const DigitalMangement = express();
const cors = require('cors');
require("dotenv").config();
DigitalMangement.use(cors());
DigitalMangement.use(express.json());
// add routes
const router = require('./Routes/router.js');
DigitalMangement.use("/api", router);
DigitalMangement.listen(process.env.Application_Port, () => {
console.log("Server is running on Port " + process.env.Application_Port)
});
I haven't reviewed the whole code but, if you throw the error the code block will not continue. In this case, it won't be logged or sent as a response. Try removing the throw err line and rerun the code.
if (err) {
throw err; //! here
return res.status(400).send({
msg: err
});
}
Thanks for all the help fellow Coders:
It seems to be that the import MariaDB isn't 100% correct in this situation.
I changed it to mariadb/callback and it started to work.
The MariaDB library returns Promises and mariadb/callback allows callbacks.
I'm using koa to reset a password, wanting to use .save in order to fire the schema.pre('save' ).
data was returning with findOneAndUpdate, but not when I use .save.
what's the magic combination to make this return the .save doc properly with the await/asyncs?
r.post("/public/auth/resetpass", async (ctx, next) => {
const values = ctx.request.body;
const query = {
email: values.email,
resetPasswordToken: values.resetPasswordToken,
resetPasswordExpires: {
$gt: new Date(new Date())
}
};
const update = {
password: values.password,
resetPasswordToken: null,
resetPasswordExpires: null
};
// let userFound = null;
await User.findOne(query,async function(err, user) {
if (err) {
console.log("*** err");
next(err);
} else {
if (_.isEmpty(user)) {
ctx.status = 200;
ctx.body = {
error: true,
message: "token is incorrect or time has expired for password reset"
};
} else {
user.password = values.password;
await user.save(function(err, doc) {
if (err) {
console.log('***err saving');
next(err);
} else {
//console.log fires, but ctx body doesn't return
console.log ('***saved, writing poco');
ctx.body = userToPoco(doc);
}
});
}
}
});
});
ultimately switched to a promise.
await user.save().then (doc =>{
ctx.body = doc;
});
I faced to a little problem which blocks me. I'm working on authentication user service for my app used Node.js. I'm working on a PUT user route and need to compare the old and new password used bcrypt.
Sense adding a comparative try/catch I'm getting the following error:
Error: Can't set headers after they are sent.
app.put(`/users/:email`, checkAuthenticated, envisionDuplicateEmails, async (req, res) => {
const accountEmail = req.params.email
body = req.body
const user = users.find((user) => user.email === accountEmail)
const index = users.indexOf(user)
if (!user) {
res.status(500).send('Account not found.');
} else {
try {
if (await bcrypt.compare(body.password, user.password)) {
body.password = user.password
} else {
const hashedPassword = await bcrypt.hash(body.password, 10)
body.password = hashedPassword
}
} catch (e) {
return res.status(500).send('Internal server error');
}
const updatedAccount = { ...user, ...body }
users[index] = updatedAccount
res.redirect('/')
}
})
utility functions:
function checkAuthenticated(req, res, next) {
if (req.isAuthenticated()) {
return next()
}
res.redirect('/login')
}
function envisionDuplicateEmails(req, res, next) {
accountEmail = req.params.email
bodyEmail = req.body.email
if (bodyEmail) {
if (bodyEmail != accountEmail) {
checkEmailExist(req, res, next)
}
}
return next()
}
function checkEmailExist(req, res, next) {
const accountEmail = req.body.email
const getAccount = users.find((user) => user.email === accountEmail)
if (getAccount === undefined) {
} else {
return res.status(500).send({ 'message': 'Account email already exist' })
}
return next()
}
Thanks for help :P
You are trying to re-execute the res.status(500) twice.
In your try/catch clause, just add the return keyword like that:
try {
if (await bcrypt.compare(body.password, user.password)) {
body.password = user.password
} else {
const hashedPassword = await bcrypt.hash(body.password, 10)
body.password = hashedPassword
}
} catch (e) {
// I've added the return keyword here
return res.status(500).send('Internal server error');
}
Now, when your try/catch catch an error, the code not continue and stop here.
I am able to register and login to the application but I receive the following server error:
"Unhandled rejection Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client" upon registration. I came across similar questions here but none of them resolved my problem.
authController.js:
const User = require("../models/User");
const jwt = require("jsonwebtoken");
const simplecrypt = require("simplecrypt");
const sc = simplecrypt();
process.env.SECRET_KEY = "secret";
exports.postLogin = (req, res, next) => {
const { username, password } = req.body;
let validationMessages = [];
if (!username || !password) {
validationMessages.push({ message: "Please fill in all fields" });
}
if (password.length < 6) {
validationMessages.push({
message: "Password should be at least 6 characters"
});
}
if (validationMessages.length > 0) {
res.sendStatus(403).json(validationMessages);
} else {
User.findOne({ where: { username: username } })
.then(user => {
if (!user) {
res.sendStatus(400).json({
message: "Invalid username or password"
});
} else if (password == sc.decrypt(user.password)) {
const token = jwt.sign(user.dataValues, process.env.SECRET_KEY, {
expiresIn: 1440 // expires in 24 hours
});
res.send(token);
}
})
.catch(err => {
res.send("Error: " + err);
});
}
};
exports.postRegister = (req, res, next) => {
const { username, password, password2 } = req.body;
let validationMessages = [];
//Check required fields
if (!username || !password || !password2) {
validationMessages.push({ message: "Please fill in all fields" });
}
if (password.length < 6 || password2.length < 6) {
validationMessages.push({
message: "Password should be at least 6 characters"
});
}
if (password !== password2) {
validationMessages.push({
message: "Passwords do not match"
});
}
if (validationMessages.length > 0) {
return res.sendStatus(400).json(validationMessages);
} else {
User.findOne({ where: { username: username } })
.then(user => {
if (user) {
return res.sendStatus(403).json("User already exists");
}
const hashedPassword = sc.encrypt(password);
User.create({ username: username, password: hashedPassword })
.then(user => {
return res.sendStatus(200).send(user);
})
.catch(err => {
throw new Error(err);
});
})
.catch(err => {
throw new Error(err);
});
}
};
exports.getProfile = (req, res, next) => {
const decoded = jwt.verify(
req.headers["authorization"],
process.env.SECRET_KEY
);
User.findOne({
where: {
id: decoded.id
}
})
.then(user => {
if (user) {
res.statusCode(200).json(user);
} else {
throw new Error("User does not exist");
}
})
.catch(err => {
throw new Error(err);
});
};
I am using Node.JS v12.14.0 and Express.JS v4.17.1.
I resolved it myself. My problem was using res.sendStatus which sets the given response HTTP status code and sends its string representation as the response body. res.json will set the content-type response header, but at time time the response will already have been sent to the client. So simply res.send() should replace res.sendStatus().