JWT improper decoding with mongoose data - node.js

Here is the data that i am encoding
{ _id: 5880c2562f109c2e17489155,
password: '$2a$10$1TGM/Nnoii/ERt5YZFqaROJA0176bXw5wn7fF9B7.DrikVcW/Va4e',
verified: false,
__v: 0 }
and the data that i get from decoding using jsonwebtoken.
{ '$__':
{ strictMode: true,
getters: {},
wasPopulated: false,
activePaths: { paths: [Object], states: [Object], stateNames: [Object] },
emitter: { domain: null, _events: {}, _eventsCount: 0, _maxListeners: 0 } },
isNew: false,
_doc:
{ __v: 0,
verified: false,
password: '$2a$10$1TGM/Nnoii/ERt5YZFqaROJA0176bXw5wn7fF9B7.DrikVcW/Va4e',
_id: '5880c2562f109c2e17489155' },
_pres:
{ '$__original_save': [ null, null ],
'$__original_validate': [ null ],
'$__original_remove': [ null ] },
_posts:
{ '$__original_save': [],
'$__original_validate': [],
'$__original_remove': [] },
iat: 1484834592 }
If you notice the docs i should be able to access the decoded password field using decoded.password but from this case i have to use decoded._doc.password. Is this happening somehow because i am directly passing in the mongoose object into jwt or the output is fine and i should access the data by adding _doc. The relevant code is
module.exports['generateToken'] = (data)=>{
return new Promise((fullfill,reject)=>{
console.log(data.user);
var token = jwt.sign(data.user,'shhhhhh');
fullfill(token);
});
}
module.exports['decodeToken'] = (token)=>{
return new Promise((fullfill,reject)=>{
jwt.verify(token,'shhhhhh',(err,decoded)=>{
if(err)
reject(err);
console.log(decoded);
fullfill(token);
});
});
}
data.user is the document that i got from mongoose query findOne.

Is this happening somehow because i am directly passing in the mongoose object into jwt
Yes, instances of mongoose models have quite complicated structure inside. And _doc is a reference to an internal document.
To avoid accessing by ._doc, you should encode document converted to a plain object:
module.exports['generateToken'] = (data)=>{
return new Promise((fullfill,reject)=>{
console.log(data.user);
var token = jwt.sign(data.user.toObject(),'shhhhhh');
fullfill(token);
});
}

Related

Destructuring of the object returned by mongodb query result

Let's say we start a mongodb query statement as the following:
const user = await db.users.findOne(...);
console.log(user);
The result is good.
{
_id: 5f60647c28b90939d0e5fb24,
tenantId: '5e6f7c86e7158b42bf500371',
username: 'aaaa',
email: 'xxxx#yy.com',
createdAt: 2020-09-15T06:51:40.531Z,
updatedAt: 2020-09-15T06:51:40.531Z,
__v: 0
}
Then we use destructuring.
const { _id, username, ...others } = user;
console.log(others);
We get a weird thing:
[
[
'$__',
InternalCache {
strictMode: false,
selected: [Object],
shardval: undefined,
saveError: undefined,
validationError: undefined,
adhocPaths: undefined,
removing: undefined,
inserting: undefined,
saving: undefined,
version: undefined,
getters: {},
_id: 5f60647c28b90939d0e5fb24,
populate: undefined,
populated: undefined,
wasPopulated: false,
scope: undefined,
activePaths: [StateMachine],
pathsToScopes: {},
cachedRequired: {},
session: undefined,
'$setCalled': Set(0) {},
ownerDocument: undefined,
fullPath: undefined,
emitter: [EventEmitter],
'$options': [Object]
}
],
[ 'isNew', false ],
[ 'errors', undefined ],
[ '$locals', {} ],
[ '$op', null ],
[
'_doc',
{
_id: 5f60647c28b90939d0e5fb24,
tenantId: '5e6f7c86e7158b42bf500371',
username: 'aaaa',
email: 'xxxx#yyy.com',
createdAt: 2020-09-15T06:51:40.531Z,
updatedAt: 2020-09-15T06:51:40.531Z,
__v: 0
}
],
[ '$init', true ]
]
What's going on here? And how to make destructuring work again? There is the same error on Object.entries(others).
There is one workaround, I can stringify it and then parse it back. But this is obviously redundant.
By default, Mongoose queries return an instance of the Mongoose Document class. That's why you get the weird result after destructuring. In your case, you should use .lean()
on your query to get expected result;
this works for me :
const user = UserModel.findOne({...});
const { _id, username, ...others } = user.toObject();

.patch() do not saves the parameter to the database in Objection.js with Knex

I am creating Express API and I am using Objection.js as ORM with Knex.js
I have created router for updating user password from the profile with 2 fields (old password and the new password),first it verifies the old password (protection from stealing JWT token). After it returns valid condition then I proceed to hash the new password with bcrypt and update it with .patch() otherwise it will return validation error the old password it is not the correct password. The problem is when I send the same exact request it goes through meaning that .patch not worked and did not save the new password to the database. Can anyone explain some solution to this problem or probably hit me with some documention on how to fix it
The code is bellow:
router.patch('/updatepassword', async (req, res, next) => {
const { id } = req.user;
const {
oldPassword,
newPassword,
} = req.body;
try {
await passwordSchema.validate({
oldPassword,
newPassword,
}, {
abortEarly: false
});
const UserOldPassword = await User.query().select('password').findById(id);
const validOldPassword = await bcrypt.compare(oldPassword, UserOldPassword.password);
if (validOldPassword) {
const hashedPassword = await bcrypt.hash(newPassword, 12);
const defi = User.query().patch({ password: hashedPassword }).where('id', id).returning('*')
.first();
console.log(defi);
res.status(200).json({
message: returnMessage.passwordUpdated
});
} else {
const error = new Error(returnMessage.invalidOldPassword);
res.status(403);
throw error;
}
} catch (error) {
next(error);
}
});
Console log:
QueryBuilder {
_modelClass: [Function: User],
_operations: [
UpdateOperation {
name: 'patch',
opt: [Object],
adderHookName: null,
parentOperation: null,
childOperations: [],
model: [User],
modelOptions: [Object]
},
KnexOperation {
name: 'where',
opt: {},
adderHookName: null,
parentOperation: null,
childOperations: [],
args: [Array]
},
ReturningOperation {
name: 'returning',
opt: {},
adderHookName: null,
parentOperation: null,
childOperations: [],
args: [Array]
},
FirstOperation {
name: 'first',
opt: {},
adderHookName: null,
parentOperation: null,
childOperations: []
}
],
_context: QueryBuilderContext {
userContext: QueryBuilderUserContext { [Symbol()]: [Circular] },
options: InternalOptions {
skipUndefined: false,
keepImplicitJoinProps: false,
isInternalQuery: false,
debug: false
},
knex: null,
aliasMap: null,
tableMap: null,
runBefore: [],
runAfter: [],
onBuild: []
},
_parentQuery: null,
_isPartialQuery: false,
_activeOperations: [],
_resultModelClass: null,
_explicitRejectValue: null,
_explicitResolveValue: null,
_modifiers: {},
_allowedGraphExpression: null,
_findOperationOptions: {},
_relatedQueryFor: null,
_findOperationFactory: [Function: findOperationFactory],
_insertOperationFactory: [Function: insertOperationFactory],
_updateOperationFactory: [Function: updateOperationFactory],
_patchOperationFactory: [Function: patchOperationFactory],
_relateOperationFactory: [Function: relateOperationFactory],
_unrelateOperationFactory: [Function: unrelateOperationFactory],
_deleteOperationFactory: [Function: deleteOperationFactory]
}
PATCH /v1/profile/updatepassword 200 1346.797 ms - 42
Solution: Do not forget to put await on async function.

Keystone.js / mongoose virtual fields lean record

I'm trying to produce a lean record for a REST API that include virtual fields.
The official documentation for how to implement virtual fields for Mongoose:
http://mongoosejs.com/docs/guide.html
My model:
var keystone = require('keystone')
, Types = keystone.Field.Types
, list = new keystone.List('Vendors');
list.add({
name : {
first: {type : Types.Text}
, last: {type : Types.Text}
}
});
list.schema.virtual('name.full').get(function() {
return this.name.first + ' ' + this.name.last;
});
list.register();
Now, let's query the model:
var keystone = require('keystone'),
vendors = keystone.list('Vendors');
vendors.model.find()
.exec(function(err, doc){
console.log(doc)
});
Virtual field name.full is not here:
[ { _id: 563acf280f2b2dfd4f59bcf3,
__v: 0,
name: { first: 'Walter', last: 'White' } }]
But if we do this:
vendors.model.find()
.exec(function(err, doc){
console.log(doc.name.full); // "Walter White"
});
Then the virtual shows.
I guess the reason is that when I do a console.log(doc) the Mongoose document.toString() method is invoked which does not include virtuals by default. Fair enough. That's understandable.
To include the virtuals in any of the conversion methods you have to go:
doc.toString({virtuals: true})
doc.toObject({virtuals: true})
doc.toJSON({virtuals: true})
However, this includes keys I don't want for my REST API to pump out to my users:
{ _id: 563acf280f2b2dfd4f59bcf3,
__v: 0,
name: { first: 'Walter', last: 'White', full: 'Walter White' },
_: { name: { last: [Object], first: [Object] } },
list:
List {
options:
{ schema: [Object],
noedit: false,
nocreate: false,
nodelete: false,
autocreate: false,
sortable: false,
hidden: false,
track: false,
inherits: false,
searchFields: '__name__',
defaultSort: '__default__',
defaultColumns: '__name__',
label: 'Vendors' },
key: 'Vendors',
path: 'vendors',
schema:
Schema {
paths: [Object],
subpaths: {},
virtuals: [Object],
nested: [Object],
inherits: {},
callQueue: [],
_indexes: [],
methods: [Object],
statics: {},
tree: [Object],
_requiredpaths: [],
discriminatorMapping: undefined,
_indexedpaths: undefined,
options: [Object] },
schemaFields: [ [Object] ],
uiElements: [ [Object], [Object] ],
underscoreMethods: { name: [Object] },
fields: { 'name.first': [Object], 'name.last': [Object] },
fieldTypes: { text: true },
relationships: {},
mappings:
{ name: null,
createdBy: null,
createdOn: null,
modifiedBy: null,
modifiedOn: null },
model:
{ [Function: model]
base: [Object],
modelName: 'Vendors',
model: [Function: model],
db: [Object],
discriminators: undefined,
schema: [Object],
options: undefined,
collection: [Object] } },
id: '563acf280f2b2dfd4f59bcf3' }
I can always of course just delete the unwanted keys, but this doesn't seem quite right:
vendors.model.findOne()
.exec(function(err, doc){
var c = doc.toObject({virtuals: true});
delete c.list;
delete c._;
console.log(c)
});
This produces what I need:
{ _id: 563acf280f2b2dfd4f59bcf3,
__v: 0,
name: { first: 'Walter', last: 'White', full: 'Walter White' },
id: '563acf280f2b2dfd4f59bcf3' }
Is there not a better way of getting a lean record?
I think you want the select method.. something like this:
vendors.model.findOne()
.select('_id __v name').
.exec(function(err, doc){
console.log(c)
});
Also personally I prefer setting virtuals: true on the schema rather than the document, but depends on use case I guess.
One solution would be to use a module like Lodash (or Underscore) which allows you pick a whitelist of property names:
vendors.model.findOne()
.exec(function(err, doc){
var c = _.pick(doc, ['id', 'name.first', 'name.last', 'name.full']);
console.log(c)
});
Given your use-case of serving this data via REST API, I think explicitly defining a whitelist of property names is safer. You could even define a virtual property on your schema which returns the predefined whitelist:
list.schema.virtual('whitelist').get(function() {
return ['id', 'name.first', 'name.last', 'name.full'];
});
and use it in multiple places, or have different versions of your whitelist, all managed at the model layer.

Model.findOne not returning docs but returning a wrapper object

I have defined a Model with mongoose like this:
var mongoose = require("mongoose")
var Schema = mongoose.Schema
var userObject = Object.create({
alias: String,
email: String,
password: String,
updated: {
type: Date,
default: Date.now
}
})
var userSchema = new Schema(userObject, {strict: false})
var User = mongoose.model('User', userSchema)
module.exports = User
Then I created a user that I can perfectly find through mongo console like this:
db.users.findOne({ email: "coco#coco.com" });
{
"_id" : ObjectId("55e97420d82ebdea3497afc7"),
"password" : "caff3a46ebe640e5b4175a26f11105bf7e18be76",
"gravatar" : "a4bfba4352aeadf620acb1468337fa49",
"email" : "coco#coco.com",
"alias" : "coco",
"updated" : ISODate("2015-09-04T10:36:16.059Z"),
"apps" : [ ],
"__v" : 0
}
However, when I try to access this object through a node.js with mongoose, the object a retrieve is not such doc, but a wrapper:
This piece of code...
// Find the user for which the login queries
var User = require('../models/User')
User.findOne({ email: mail }, function(err, doc) {
if (err) throw err
if (doc) {
console.dir(doc)
if(doc.password == pass) // Passwords won't match
Produces this output from console.dir(doc)...
{ '$__':
{ strictMode: false,
selected: undefined,
shardval: undefined,
saveError: undefined,
validationError: undefined,
adhocPaths: undefined,
removing: undefined,
inserting: undefined,
version: undefined,
getters: {},
_id: undefined,
populate: undefined,
populated: undefined,
wasPopulated: false,
scope: undefined,
activePaths: { paths: [Object], states: [Object], stateNames: [Object] },
ownerDocument: undefined,
fullPath: undefined,
emitter: { domain: null, _events: {}, _maxListeners: 0 } },
isNew: false,
errors: undefined,
_doc:
{ __v: 0,
apps: [],
updated: Fri Sep 04 2015 12:36:16 GMT+0200 (CEST),
alias: 'coco',
email: 'coco#coco.com',
gravatar: 'a4bfba4352aeadf620acb1468337fa49',
password: 'caff3a46ebe640e5b4175a26f11105bf7e18be76',
_id: { _bsontype: 'ObjectID', id: 'Uét Ø.½ê4¯Ç' } },
'$__original_validate': { [Function] numAsyncPres: 0 },
validate: [Function: wrappedPointCut],
_pres: { '$__original_validate': [ [Object] ] },
_posts: { '$__original_validate': [] } }
Therefore, passwords won't match because doc.password is undefined.
Why is this caused?
That's exactly the purpose of mongoose, wrapping mongo objects. It's what provides the ability to call mongoose methods on your documents. If you'd like the simple object, you can call .toObject() or use a lean query if you don't plan on using any mongoose magic on it at all. That being said, the equality check should still hold as doc.password returns doc._doc.password.

Mongoose: findOne method does not complete/has odd behaviour when called inside Array.map

So I have an endpoint that receives an array of strings and I would like to populate another array with the results of a Mongoose search with the parameters of the request body. My code inside app.post("/whee", function (req, res)goes like so.
var SU = db.model("SignUp", supModel)
var dab = req.body.map(function(x) {
return SU.findOne({"email": x}, function(err, data){
if(err) throw err;
return data;
});
});
console.log(dab);
If I send a request, what I get when I print dab to the console is this:
[ { _mongooseOptions: {},
mongooseCollection:
{ collection: [Object],
opts: [Object],
name: 'signups',
conn: [Object],
queue: [],
buffer: false },
model:
{ [Function: model]
base: [Object],
modelName: 'SignUp',
model: [Function: model],
db: [Object],
discriminators: undefined,
schema: [Object],
options: undefined,
collection: [Object] },
op: 'findOne',
options: {},
_conditions: { email: 'hello#sample.com' },
_fields: undefined,
_update: undefined,
_path: undefined,
_distinct: undefined,
_collection: { collection: [Object] },
_castError: null } ]
Obviously, hello#sample.com was an element of the array I sent in the request. For simplicity's sake, you can assume the element is already a value inside a document in my mongo datastore. What's going on? Why am I receiving this garble instead of my document? Calling the forEach method and pushing the results into dab only renders an empty array, which makes sense considering it's a synchronous method.
Any ideas as to how to fix this?
Try using async.
https://www.npmjs.org/package/async
var SU = db.model("SignUp", supModel);
var dab = [];
async.each(req.body, function(email, callback) {
SU.findOne({"email": email}, function(err, data) {
if (err) {
callback(err);
} else {
dab.push(data);
callback();
}
});
}, function(err) {
console.log(dab);
});

Resources