I would like to query my Redis server for a username's matching password. How can I do this? I have very little experience with both Redis and Node so I wasn't able to find the key that stores such.
Any help is well appreciated!
Look in file /src/routes/authentication.js. There you have Auth.login function which get username, password as parameters. Then you have getUidByUserslug function on user object which is call at first and returns you userID (_uid) from redis hash called 'userslug:uid' (look in /src/user.js file db.getObjectField('userslug:uid', userslug, callback); function). Next step is getting user by user ID from 'user:' + uid hash, stored in redis. This is done using db.getObjectFields('user:' + uid, ['password', 'banned'], next); function in authenticate.js file.
The following is Auth.login function:
Auth.login = function(req, username, password, next) {
if (!username || !password) {
return next(new Error('[[error:invalid-password]]'));
}
var userslug = utils.slugify(username);
var uid;
async.waterfall([
function(next) {
user.getUidByUserslug(userslug, next);
},
function(_uid, next) {
if (!_uid) {
return next(new Error('[[error:no-user]]'));
}
uid = _uid;
user.auth.logAttempt(uid, req.ip, next);
},
function(next) {
db.getObjectFields('user:' + uid, ['password', 'banned'], next);
},
function(userData, next) {
if (!userData || !userData.password) {
return next(new Error('[[error:invalid-user-data]]'));
}
if (userData.banned && parseInt(userData.banned, 10) === 1) {
return next(new Error('[[error:user-banned]]'));
}
Password.compare(password, userData.password, next);
},
function(passwordMatch, next) {
if (!passwordMatch) {
return next(new Error('[[error:invalid-password]]'));
}
user.auth.clearLoginAttempts(uid);
next(null, {uid: uid}, '[[success:authentication-successful]]');
}
], next);
};
Related
I create the user, hash his password and save on mongo. My problem begins when I try to update that user. For now, when I update the hash isn't generated, cause I really don't know how to do it.
The middleware to get the user that I'm talking about:
exports.userByID = function(req, res, next, id) {
User.findOne(
{
_id: id
},
function(err, user) {
if (err) {
return next(err);
} else {
req.user = user;
next();
}
}
);
};
The user controller, to update an user:
exports.update = async function(req, res, next) {
User.findByIdAndUpdate(req.user.id, req.body, function(err, user) {
if (err) {
return next(err);
} else {
res.json(user);
}
});
};
The pre 'save' on User's model:
UserSchema.pre("save", function(next) {
var user = this;
if (user.password) {
var md5 = crypto.createHash("md5");
user.password = md5.update(user.password).digest("hex");
console.log("Password após o save (hasheando):" + user.password);
}
next();
});
I'm using passport authentication ('local'). Already tried user.save() on the controller update:
user.save();
res.json(user);
But, without success.
This is may be because you are not storing the new_password in the mongo.
In update controller you have to do like this:
User.findByIdAndUpdate(req.user.id, req.body, function (err, user) {
if (err) {
return next(err);
} else {
user.password = req.body.new_password;
user.save(function (err, user) {
if (err) {
res.send("Error: ", err);
} else {
res.send("password updated successfully!");
}
})
}
});
Before saving the password just hash it and update it in DB. it will be something like below.
exports.update = async function(req, res, next) {
let { body} = req;
if(body['password']){
var md5 = crypto.createHash("md5");
body['password']= md5.update(body['password']).digest("hex");
}
let updateUser = await User.findByIdAndUpdate(req.user.id, body)
};
I have a db operation in login post router, when db operation callback success, I got a username value, and how I can pass this username to the "/" router?
router.post('/login', (req, res)=> {
var username = req.body.username;
var password = common.md5(req.body.password + common.MD5_SUFFIX);
db.query(`SELECT * FROM admin_table WHERE username='${username}'`, (err, data)=> {
if (err) {
console.log(err);
res.status(500).send('database error').end();
} else {
if (data.length == 0) {
res.status(404).send('no this admin').end();
} else {
if (data[0].password == password) {
req.session['admin_id']=data[0].ID;
res.redirect('/');
} else {
res.status(404).send('This password is not incorrect!').end();
}
}
}
});
});
router.get('/login',(req,res)=>{
res.render('admin/login.ejs',{layout:'/admin/layout.ejs',title:'Login'});
});
router.get('/',(req,res)=>{
res.render('admin/index.ejs',{layout:'/admin/layout.ejs',title:'Index',username:username});
});
Such as in post login router, I got a username is "ollie", when db operation is ending, the router redirect "/", I can got the username "ollie" in the "/" router .
The simplest way is to use a session. E.g. where you configure the express app, use this:
if (data[0].password == password) {
req.session['admin_id']=data[0].ID;
req.session.username = data.username;
res.redirect('/');
}
Then later you can access that, e.g.
router.get('/route', (req, res) => {
console.log(req.session && req.session.username);
res.end(`Hi ${req.session && req.session.username}`)
});
And please, please, please do not use md5 in any authentication schemes, even example code.
So, I have everything working but it is not showing it is an authenticate user even though it arrives at the proper places...
javascript code from the page to validate login
var UserManager = {
validateLogin : function (username, password) {
var userData = {
username: username,
password: password
}
return new Promise(function(resolve, reject) {
$.ajax({
url: "/musicplayer/users/api/login",
dataType: "json",
data: userData,
type: "POST",
success: function loginSuccess(result, status, xhr) {
resolve(null);
},
error: function loginError(xhr, status, result) {
reject(new Error(result));
},
});
});
}
}
function userLogin(){
UserManager.validateLogin($('#loginEmail').val(), $('#loginPassword').val()).then(function(response) {
window.location = '/musicplayer/library'
},
function(error){
$("#msgBox").messageBox({"messages" : error.message, "title" : "Warning", boxtype: 4 });
$("#msgBox").messageBox("show");
});
return false;
}
local.strategy.js
var passport = require('passport');
var localStrategy = require('passport-local').Strategy;
var userLibrary = require('../../classes/music/userlibrary.js');
module.exports = function () {
passport.use(new localStrategy(
{
usernameField: 'username',
passwordField: 'password'
},
function(username, password, done) {
//validating user here
var userManager = new userLibrary.UserManager();
userManager.login(username, password).then(
function (user){
done(null, user);
},
function (reason){
if (reason.err) {
done(err, false, info);
}
else {
done(null, false, {message: reason.message});
}
}
);
})
);
};
Router
/******* validate the user login ********/
usersRouter.post('/api/login', function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
if (err) {
console.log("Login Failed", err.message + " - " + err.stack);
if (req.xhr){
res.status(500).send({ error: 'Internal Error' });
}
else {
next(err);
}
}
else if (!err && !user){
err = new Error();
err.message = info.message;
err.status = 401;
console.log("Invalid Data", err.message);
if (req.xhr){
res.status(401).send({ error: err.message });
}
else {
next(err);
}
}
else if (user){
console.log("Successful Login:", user);
res.status(200).send({message: "successful"});
}
}
)(req, res, next);
});
passport.js file which has my Middleware...
var passport = require("passport");
module.exports = function (app) {
app.use(passport.initialize());
app.use(passport.session());
passport.serializeUser(function(user, done){
done(null, user);
});
passport.deserializeUser(function(user, done){
done(null, user);
});
require('./strategies/local.strategy')();
app.all('/musicplayer/*', function (req, res, next){
// logged in
//need function for exceptions
if (req.user || req.url === '/musicplayer/users/api/login' || req.url === '/musicplayer/users/signin') {
next();
}
// not logged in
else {
// 401 Not Authorized
var err = new Error("Not Authorized");
err.status = 401;
next(err);
}
});
}
Userlibrary/UserManager
I am using promises to be able to utilize the creation of a library and to deal with sync versus async issues that I ran into early on...
var sqlite3 = require('sqlite3').verbose();
function User() {
this.email = "";
this.password = "";
this.userid = "";
};
function UserManager () {
this.user = new User();
};
UserManager.prototype.login = function (email, password) {
var db = new sqlite3.Database('./data/MusicPlayer.db');
params = {
$email: email,
$password: password
}
var self = this;
return new Promise(function(resolve, reject){
db.serialize(function () {
db.get("SELECT * FROM users WHERE email = $email and password = $password", params, function (err, row) {
db.close();
if (!err && row) {
//log in passed
self.user.userid = row.userid;
self.user.email = row.email;
self.user.password = row.password;
resolve(self.user);
}
else if (!err) {
//log in failed log event
reject({
err: err,
message: null
});
}
else {
//error happened through out an event to log the error
reject({
message : "Email and/or Password combination was not found",
err : null
});
}
});
});
});
};
module.exports = {
User : User,
UserManager : UserManager
}
Now, I have debugged this and it is for sure getting to "successful Login"
Returns to the browser with success, the browser says okay let me redirect you to the library page (which is really just a blank page). When it goes to my library page I get a 401 unauthorized.
So if I debug inside the middleware to ensure authentication. I look at req.user and it is undefined and I try req.isAuthenticated() it returns a false.
I think I must be missing something...
What I want is a global authentication saying hey is this person logged in. And then I will set up the route/route basis say okay do they have permission for this page or web service call.
Right now I am sticking with session for everything as it is not useful to me to learn web tokens at this point and time.
Any help would be appreciated... I been around and around on this looking at examples out there. But the examples I find are the "basic" examples no one calling a library to validate from database or they are not trying to set up the authorization globally but rather on a route by route basis.
Upon searching I found this article
https://github.com/jaredhanson/passport/issues/255
then I found this in documentation
app.get('/login', function(req, res, next) {
passport.authenticate('local', function(err, user, info) {
if (err) { return next(err); }
if (!user) { return res.redirect('/login'); }
req.logIn(user, function(err) {
if (err) { return next(err); }
return res.redirect('/users/' + user.username);
});
})(req, res, next);
});
and that worked for me... I basically forgot to do the req.logIn method itself when using the custom callback.... I knew it was something simple... Hope this helps someone in the future.
I'm using the MEAN stack with passport and the Passport-Local-Mongoose plugin. However, whenever I update a User record's username, I am logged out of my current session. What is the correct way to update a username with Passport-Local-Mongoose?
// Update User -- Tied to Usernames or will log out
exports.update = function(req, res) {
user = req.user;
user = _.extend(user, req.body);
user.save(function(err, user) {
if(err) {
console.log(err);
// Error handling for uniqueness violations
if (err.code === 11001) {
if (err.err.indexOf("email") != -1) {
return next(new Error("Email Address Already In Use"));
} else if (err.err.indexOf("username") != -1) {
return next(new Error("Username Already In Use"));
}
}
};
});
};
The reason for this behavior is the serialize/deserialize implementation shipped with passport-local-mongoose:
schema.statics.serializeUser = function() {
return function(user, cb) {
cb(null, user.get(options.usernameField));
}
};
schema.statics.deserializeUser = function() {
var self = this;
return function(username, cb) {
self.findByUsername(username, cb);
}
};
This implementation uses the username field for serialization and deserialization. As a consequence a change to the username will fail if the username value changed. You can prevent this behavior by using a custom serialization/deserialization strategy like this:
schema.statics.serializeUser = function() {
return function(user, cb) {
cb(null, user.id);
}
};
schema.statics.deserializeUser = function() {
var self = this;
return function(id, cb) {
self.findOne(id, cb);
}
};
I'm trying to show defferent content for logged in and not users on one page.
Here is the code I use for generating / page:
app.get('/',function(req, res){
if (!checkSession(req, res)) {
res.render('index.ejs', {
title: 'FrontSpeak - blog-based social network'
})
} else {
res.render('index.ejs', {
title: 'autrhorized'
})
}
})
checkSession function:
function checkSession(req, res) {
if (req.session.user_id) {
db.collection('users', function (err, collection) {
collection.findOne({
_id: new ObjectID(req.session.user_id)
}, function (err, user) {
if (user) {
req.currentUser = user;
return true;
} else {
return false;
}
});
});
} else {
return false;
}
}
loggin function:
app.post('/', function(req, res){
db.collection("users", function (err, collection) {
collection.findOne({ username: req.body.username }, function (err, doc) {
if (doc && doc.password == req.body.password) {
console.log("user found");
req.session.user_id = doc._id;
}
}
});
});
});
So, it doesn't seems to be working. However, I think this is not the best way to display different content. May be there are some more elegant ways to do this? Thank you!
UPDATE: New login function:
app.post('/', function(req, res){
db.collection("users", function (err, collection) {
collection.findOne({ username: req.body.username }, function (err, doc) {
console.log('found user');
if (doc && doc.password == req.body.password) {
req.session.user_id = doc._id;
res.redirect('/');
};
res.redirect('/');
});
res.redirect('/');
});
});
This is a case of trying to apply the traditional synchronous model to Node's asynchronous callback-driven model.
After your database query completes, you return true, but you're just returning to the database driver. checkSession returned a long time ago. Since that function returns undefined if there is a session.user_id (and false if there isn't), the login check will always evaluate false.
Instead, you can use Brandon's suggestion to make checkSession asynchronous, or I recommend implementing a middleware function:
function checkLogin(req, res, next) {
if (req.session.user_id) {
db.collection('users', function (err, collection) {
if (err) return next(err); // handle errors!
collection.findOne({
_id: new ObjectID(req.session.user_id)
}, function (err, user) {
if (user) {
req.currentUser = user;
} else {
req.currentUser = null;
}
next();
});
});
} else {
req.currentUser = null;
next();
}
}
Now you have two ways of using your middleware function. If you want to check for a user on every request, just add it to the app:
app.use(checkLogin);
Now every single request will have a req.currentUser, but you incur the performance hit of fetching login state from the database for every request. Alternatively, if you only need user information for certain requests, stick the function in the route:
app.get('/', checkLogin, function(req, res) {
if (req.currentUser) {
// logged in
} else {
// not
}
});
You can read more about this in the Express docs.
It looks like you're trying to use checkSession as a synchronous function by checking its return value, but checkSession cannot be synchronous because it depends on asynchronous functionality, namely the callback here: db.collection('users', function (err, collection) .... You'll need to modify checkSession to be async:
function checkSession(req, res, callback) {
if (req.session.user_id) {
db.collection('users', function (err, collection) {
collection.findOne({
_id: new ObjectID(req.session.user_id)
}, function (err, user) {
if (user) {
req.currentUser = user;
callback(true);
} else {
callback(false);
}
});
});
} else {
callback(false);
}
}
and then use it asynchronously in your request handler:
app.get('/',function(req, res){
checkSession(req, res, function(isUser) {
if (!isUser) {
res.render('index.ejs', {
title: 'FrontSpeak - blog-based social network'
})
} else {
res.render('index.ejs', {
title: 'autrhorized'
})
}
});
})