I have an handler
public ensureAuthenticated(req: express.Request, res: express.Response, next: Function) {
// check header or url parameters or post parameters for token
var token = req.body.token || req.param('token') || req.headers['x-access-token'];
// decode token
if (token) {
// verifies secret and checks exp
jwt.verify(token, config.secret, function(err, decoded) {
if (err) {
return res.status(404).json({ success: false, message: 'Failed to authenticate token.' });
} else {
// if everything is good, save to request for use in other routes
next();
}
});
} else {
// if there is no token
// return an error
return res.status(403).send({
success: false,
message: 'No token provided.'
});
}
}
And here the route
app.post('/api/article/create', AuthenticationHelper.ensureAuthenticated, this.create);
In unit test, how can I mock the ensureAuthenticated to make sure it is authenticated.
sinon.stub(AuthenticationHelper, 'ensureAuthenticated').returns(true);
I will give you an example where I test it without using sinon.
This is my authentication-helper.js:
'use strict';
module.exports = function(jwt, config) {
return {
ensureAuthenticated: function (req, res, next) {
var token = req.body.token ||
req.param('token') ||
req.headers['x-access-token'];
if (token) {
jwt.verify(
token,
config.secret,
function(err, decoded) {
if (err) {
res
.status(404)
.json({
success: false,
message: 'Failed to auth.'
});
} else {
next();
}
}
);
} else {
res
.status(403)
.send({
success: false,
message: 'No token provided.'
});
}
}
};
}
And this is my test file:
'use strict';
var jwt = {};
jwt.verify = function (token, secret, fn) {
fn(null, 'something');
};
var config = {};
config.secret = 'shh';
var req = {};
req.body = {};
req.body.token = 'mytoken';
var res = {};
var AuthenticationHelper = require('./authentication-helper.js')(jwt, config);
describe('Test Express Middleware', function() {
it('should call next on middlware', function(done) {
var next = function () {
console.log('next was called');
done();
};
AuthenticationHelper.ensureAuthenticated(req, res, next);
});
});
Related
How to make user redirect after authentication based on user.role ?
I'm getting the following error: UnhandledPromiseRejectionWarning: Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
const jwt = require('jsonwebtoken')
const { COOKIE_NAME, SECRET } = require('../config/config')
module.exports = function() {
return (req, res, next) => {
let token = req.cookies[COOKIE_NAME]
if(token) {
jwt.verify(token, SECRET, function(err, decoded){
if (err) {
res.clearCookie(COOKIE_NAME)
} else {
if(decoded.user.role === 'admin') {
res.redirect('http://localhost:4000')
}
req.user = decoded;
}
})
}
next();
}
}
Login Fetch:
fetch(`${API}/auth/login`,{
method: 'POST',
credentials: 'include',
withCredentials: true,
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify(user)
})
.then((response) => {
if(response.status === 302) {
window.location = 'http://localhost:4000'
}
else if(response.status === 200) {
onSuccess()
setTimeout(() => {
window.location = '/'
}, 1000)
} else if (response.status === 401) {
onError()
}
})
.catch((error) => {
console.log(error)
})
}
Here is my authService:
const jwt = require('jsonwebtoken')
const User = require('../models/User');
const bcrypt = require('bcrypt')
const { SALT_ROUNDS, SECRET } = require('../config/config');
const register = async ({name, username, email, password, cart}) => {
let salt = await bcrypt.genSalt(SALT_ROUNDS);
let hash = await bcrypt.hash(password, salt);
const user = new User({
name,
username,
email,
password: hash,
cart
});
return await user.save()
}
const login = async ({email, password}) => {
let user = await User.findOne({email})
if (!user) {
throw {message: 'User not found!'}
}
let isMatch = await bcrypt.compare(password, user.password)
if (!isMatch) {
throw {message: 'Password does not match!'}
}
let token = jwt.sign({user}, SECRET)
return token;
}
And my authController:
const { Router } = require('express');
const authService = require('../services/authService');
const { COOKIE_NAME } = require('../config/config');
const router = Router();
router.post('/login', async (req, res) => {
const {email, password} = req.body
try {
let token = await authService.login({email, password})
res.cookie(COOKIE_NAME, token)
res.status(200).json(token)
} catch (error) {
res.status(401).json({ error: error })
}
})
Here is my server if this will help:
app.use((req, res, next) => {
const allowedOrigins = ['http://localhost:3000', 'http://localhost:4000'];
const origin = req.headers.origin;
if (allowedOrigins.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Access-Control-Allow-Credentials', true)
}
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
next();
});
Since you're using jwt.verify with a callback, it is being executed asynchronously. Due to this, immediately after calling verify but before getting the decoded token, your next() function is called which passes the control to the next middleware (which probably would be synchronous) which then returns the request.
The flow of events would be something like this:
if(token) { ... starts
jwt.verify(token, ... is called asynchronously. It registers the callback function(err, decoded) { ... but doesn't execute it yet.
You exit the if(token) { ... } block and call next().
The next middleware in line starts executing and probably returns the request if it is the last middleware in chain. So the client has already been sent the response by this time.
jwt.verify(token ... succeeds and calls your registered callback.
It sees that there is no error at line if (err) ... so it moves to the else block.
It decodes the user role and tries to redirect (which internally would try to insert a header on the response). But this fails because the user was already sent the response (and hence your error message).
So the simple solution to this is to not call next() UNTIL jwt verifies and decodes your token and you know the role. In the code below, I've moved the next() function call a few lines upwards.
const jwt = require('jsonwebtoken')
const { COOKIE_NAME, SECRET } = require('../config/config')
module.exports = function() {
return (req, res, next) => {
let token = req.cookies[COOKIE_NAME]
if(token) {
jwt.verify(token, SECRET, function(err, decoded){
if (err) {
res.clearCookie(COOKIE_NAME)
} else {
if(decoded.user.role === 'admin') {
res.redirect('http://localhost:4000')
}
req.user = decoded;
}
next();
})
}
}
}
l have a route which return me a json with user grant.
router.get('/test', function(req, res,next ) {
var token = req.cookies.auth;
if (!token) return res.status(401).send({ message: ""});
jwt.verify(token, config.secret, function(err, decoded) {
if (err) return res.status(500).send({ message: "Failed to authenticate token."});
User.findById(decoded.id,function(err,user){
if (err) return res.status(500).send({ message: "problmes found user, sorry "});
if(!user) return res.status(404).send({message: "user not found "});
res.status(200).send({message:user.role});
});
});
});
i want to catch the json response in a variable for another route to authorize an action.
router.get('/', function(req, res, next) {
if (jsonresponse == grant ){
var allMusique;
var idMaxMusique;
MongoClient.connect(url, function(err, db) {
if (err) throw err;
var dbo = db.db("projet_node");
dbo.collection("musiques").find({}).toArray(function(err, result) {
if (err) throw err;
allMusique = result;
var size = allMusique.length-1;
idMaxMusique = parseInt(result[size].id)+1;
res.render('musiques', { resultat: allMusique, idMax: idMaxMusique });
});
});}
else{
res.render('unauthorized');
}
});
create Controllers/middlewares/authenticate.js file and write the below code
const jwt = require('jsonwebtoken')
module.exports = (req, res, next) => {
const token = req.headers['token'] || req.body.token || req.cookies.token;
if (token) {
try {
req.decoded = jwt.verify(token, JWT_SECRET_KEY)
// JWT_SECRET_KEY -> config.secret
next()
} catch (err) {
res.status(403)
.send({ success: false, message: 'Failed to authenticate token.' })
}
}
return res.status(403).send({
success: false,
message: 'No token provided.'
})
}
create Controlller/UserController.js file
exports.getUser = function (req, res) {
// Perform Your requirement of code
// return Something
}
exports.getUserTest = function (req, res) {
// Perform Your requirement of code
// return Something
}
In Your routes/routes.js file
const authenticate = require('./Controllers/middlewares/authenticate');
const UserController = require('./Controllers/UserController');
// Routes with authentication. User must be login for get this routes
router.get('/getUser', authenticate, UserController.getUser);
// Routes without authentication. No need to login
router.post('/getUserTest', UserController.getUserTest);
Most Important require('PathOfFile') properly or Simply always double check path of file and folder in require.
I would like to have the middleware for these routes:
POST /tickets
PUT /tickets/:id
DELETE /tickets/:id
etc...
but currently my middleware executes on every HTTP request made on /tickets and so on:
app.use('/tickets', function(req, res, next) {
var token = req.body.token || req.query.token || req.headers['x-access-token'];
if (token) {
jwt.verify(token, app.get('superSecret'), function(err, decoded) {
if (err) {
return res.json({ success: false, message: 'Failed to authenticate token.' });
} else {
req.decoded = decoded;
next();
}
});
} else {
return res.status(403).send({
success: false,
message: 'No token provided.'
});
}
});
How could I use this on specific requests?
Express has post/get/delete methods for routing. More at documentation
Your should write middleware function and reuse that at routing.
Example:
function JWTCheckMiddleware(req, res, next) {
var token = req.body.token || req.query.token || req.headers['x-access-token'];
if (token) {
jwt.verify(token, app.get('superSecret'), function(err, decoded) {
if (err) {
return res.json({ success: false, message: 'Failed to authenticate token.' });
} else {
req.decoded = decoded;
next();
}
});
} else {
return res.status(403).send({
success: false,
message: 'No token provided.'
});
}
});
app.post('/tickets', JWTCheckMiddleware, function createTicket(req, res) {...});
app.put('/tickets/:id', JWTCheckMiddleware, function updateTicket(req, res) {...});
app.delete('/tickets/:id', JWTCheckMiddleware, function removeTicket(req, res) {...});
I am working on authentication in nodeJs. I have created successfully login API and it works well on the postman. I'm stuck on client side. It does not set token on headers. I am using the passport, jwt for authentication.
My code is:
app.post('/login', (req, res, next) => {
var name = {
name: req.body.name,
password: req.body.password
}
// let m = '';
// console.log(name)
request({
url: "http://localhost:3000/api/login",
method: "POST",
json: true, // <--Very important!!!
body: name
}, function (error, response) {
if (response.body.error == true) {
req.flash('errorMsg', response.body.message);
res.redirect('/');
}
else {
// localStorage.setItem('token', response.body.token);
// console.log(localStorage.getItem('token'))
// req.headers['authorization'] = response.body.token;
// res.setHeader('authorization', response.body.token);
// req.session['token'] = response.body.token;
// console.log(req.session['token'])
// res.set({
// 'Content-Type': 'text/plain',
// 'authorization':response.body.token
// });
// res.setHeader('authorization', response.body.token);
// req.headers['authorization'] = response.body.token;
res.redirect('/secret');
next();
}
});
// console.log(m);
});
and my middleware is:
app.use((req, res, next) => {
var token = req.body.token || req.session['token'] || req.query.token || req.headers['x-access-token'] || localStorage.getItem('token');
req.headers['authorization'] = token;
console.log(req.session['token'], token)
console.log(req.headers['authorization'], config.jwtSecret);
if (token) {
jwt.verify(token, config.jwtSecret, (err, decoded) => {
if (err) {
res.json({
'message': 'Failed to authenticate user'
});
} else {
req.decoded = decoded;
next();
}
});
} else {
// logger.warn('Unauthorized');
return res.sendStatus(401);
}
console.log(req.headers['authorization'])
});
I have tried all possible to set the token in headers but it didn't work well. If I get my token on app.use middleware then I can verify token easily but it didn't allow to set my token.
How can I do this??
Best way!
router.get('/your-route', async (req, res) => {
//...
res.setHeader('your-key', 'your-value');
//..
})
You can see output in header tab in browser or postman
your-key: your-value
I'm new to Express 4 and i'm wondering something about how to implement this thing: I'm using jwt to authenticate the consumer of my API, to do that i have a pretty simple middleware to check the validity of the jwt token:
var requireValidToken = function(req, res, next) {
var token = req.body.token || req.query.token || req.headers['x-access-token'];
if (token) {
try {
var decoded = jwt.verify(token, req.app.get('superSecret'));
} catch(err) {
return res.json({ success: false, message: 'Failed to authenticate token.' });
}
req.user = decoded.user;
next();
} else {
return res.status(403).send({
success: false,
message: 'No token provided.'
});
}
};
This is working pretty well, but now, i want to extend this to be able to check the role of the user:
router.get('/anAdminRoute', requireRole('ROLE_ADMIN'), function (req, res, next) {
// some code...
});
So i added a middleware for this:
var requireRole = function(role) {
return function(req, res, next){
// Dummy tests...
if(req.user.role == roles.admin || req.user.role == role){
next();
} else {
return res.status(403)({
success: false,
message: "Token valid, but you don't have the right permission to access this resource :)"
});
}
}
}
But as this requireRole() function while obviously checks for a valid jwt token, i'm wondering how can i call my requireValidToken middleware within this function, and so not having to explicitly call it for each route i want to protect.
An easy solution would have been not to use requireValidToken as a middleware but i still want to be able to use it to protect certain routes
Edit: Solution
Chaining middlewares is a simple as that:
var middleware2 = function(param) {
return function(req, res, next){
middleware1(req, res, function(){
// middleware2 code
});
}
}
If anybody interested, my final working solution to validate a user role:
var jwt = require('jsonwebtoken'),
roles = require('../models/user').roles;
// authentication middleware
// check if the given jwt token is valid
var requireValidToken = function(req, res, next) {
var token = req.body.token || req.query.token || req.headers['x-access-token'];
if (token) {
try {
var decoded = jwt.verify(token, req.app.get('superSecret'));
} catch(err) {
return res.json({ success: false, message: 'Failed to authenticate token.' });
}
req.user = decoded.user;
next();
} else {
return res.status(403).send({
success: false,
message: 'No token provided.'
});
}
};
var requireRole = function(role) {
return function(req, res, next){
requireValidToken(req, res, function(){
if(req.user.role == roles.admin || req.user.role == role){
next();
} else {
return res.status(403).send({
success: false,
message: "Token valid, but you don't have the right permission to access this resource :)"
});
}
});
}
}
module.exports = {
requireValidToken: requireValidToken,
requireRole: requireRole
}
Completely misread your question. If you want to call requireValidToken for certain situations, you can pass along the req and res objects to the middleware function, along with an anonymous callback. How you get the middleware function largely depends on your application architecture so I'll assume I have the requireValidToken within my context:
var requireRole = function(role) {
return function(req, res, next){
// Dummy tests...
requireValidToken(req, res, function () {
if(req.user.role == roles.admin || req.user.role == role){
next();
} else {
return res.status(403)({
success: false,
message: "Token valid, but you don't have the right permission to access this resource :)"
});
}
});
}
};
This syntax worked for me. Where auth is another middleware module
import auth from "../middlewares/auth.js";
export default function (req, res, next) {
auth(req, res, function () {
if (req.params.id !== req.user._id)
return res
.status(401)
.send({ status: "error", message: "User does not have rights to modify this data." });
next();
});
}