@stanlemon/server-with-auth 0.1.0

package/app.js

@@ -0,0 +1,25 @@
+import { createAppServer, asyncJsonHandler as handler } from "./src/index.js";
+import SimpleUsersDao from "./src/data/simple-users-dao.js";
+
+const users = new SimpleUsersDao();
+
+const app = createAppServer({
+  port: 3003,
+  secure: ["/api/"],
+  ...users,
+});
+
+app.get(
+  "/",
+  handler(({ name }) => ({ hello: "world" }))
+);
+
+app.get(
+  "/api/users",
+  handler(() => ({ users: users.db.data.users }))
+);
+
+app.get(
+  "/insecure",
+  handler(() => ({ secure: false }))
+);

package/db.json

@@ -0,0 +1,21 @@
+{
+  "users": [
+    {
+      "username": "user",
+      "password": "$2a$10$KBUEk19saDPRLKfJYsI8zOgOYGW7Ms1wLGyAwIISjovUKYlnv2qwi",
+      "id": "1e56422f-16a4-4508-a779-6a90d685aca1",
+      "verification_token": "nUuif_f3l",
+      "created_at": "2022-03-06T18:15:51.821Z",
+      "last_updated": "2022-03-06T18:34:07.406Z",
+      "last_logged_in": "2022-03-06T18:34:07.405Z"
+    },
+    {
+      "username": "test123",
+      "password": "$2a$10$G/XayivKQZ6dYmHFJS25G.r/GtEiUIrUh/mJCPu/y7UA56czAogMa",
+      "id": "2aa34e59-bc71-4ba0-a6c6-67c565667d84",
+      "verification_token": "zk_ZAEWKI",
+      "created_at": "2022-03-06T18:17:44.052Z",
+      "last_updated": "2022-03-06T18:17:44.052Z"
+    }
+  ]
+}

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@stanlemon/server-with-auth",
+  "version": "0.1.0",
+  "description": "A basic express web server setup with authentication baked in.",
+  "author": "Stan Lemon <stanlemon@users.noreply.github.com>",
+  "license": "MIT",
+  "engines": {
+    "node": ">=17.0"
+  },
+  "type": "module",
+  "main": "./src/index.js",
+  "exports": "./src/index.js",
+  "scripts": {
+    "start": "NODE_ENV=development nodemon --ignore db.json ./app.js",
+    "lint": "eslint --ext js,jsx,ts,tsx ./",
+    "lint:format": "eslint --fix --ext js,jsx,ts,tsx ./",
+    "test": "NODE_OPTIONS=--experimental-vm-modules jest --detectOpenHandles",
+    "test:watch": "NODE_OPTIONS=--experimental-vm-modules jest --detectOpenHandles --watch"
+  },
+  "dependencies": {
+    "@stanlemon/server": "*",
+    "bcryptjs": "^2.4.3",
+    "jsonwebtoken": "^8.5.1",
+    "lowdb": "^3.0.0",
+    "passport": "^0.5.2",
+    "passport-jwt": "^4.0.0",
+    "shortid": "^2.2.8",
+    "uuid": "^8.3.2"
+  },
+  "devDependencies": {
+    "@stanlemon/eslint-config": "*",
+    "nodemon": "^2.0.15",
+    "supertest": "^6.2.2"
+  }
+}

package/src/checkAuth.js

@@ -0,0 +1,16 @@
+import passport from "passport";
+
+export default function checkAuth() {
+  return [
+    passport.authenticate("jwt", { session: false }),
+    (req, res, next) => {
+      if (req.isAuthenticated()) {
+        next();
+      } else {
+        res
+          .status(401)
+          .json({ error: "You must be logged in to access this resource." });
+      }
+    },
+  ];
+}

package/src/createAppServer.js

@@ -0,0 +1,99 @@
+import dotenv from "dotenv";
+import {
+  createAppServer as createBaseAppServer,
+  DEFAULTS as BASE_DEFAULTS,
+} from "@stanlemon/server";
+import passport from "passport";
+import { Strategy as JwtStrategy, ExtractJwt } from "passport-jwt";
+import defaultUserSchema from "./schema/user.js";
+import checkAuth from "./checkAuth.js";
+import auth from "./routes/auth.js";
+
+dotenv.config();
+
+// TODO: Add option for schema
+export const DEFAULTS = {
+  ...BASE_DEFAULTS,
+  secure: [],
+  schema: defaultUserSchema,
+  getUserById: (userId) => {},
+  getUserByUsername: (username) => {},
+  getUserByUsernameAndPassword: (username, password) => {},
+  getUserByVerificationToken: (token) => {},
+  createUser: (user) => {},
+  updateUser: (userId, user) => {},
+};
+
+export default function createAppServer(options) {
+  const {
+    port,
+    webpack,
+    start,
+    secure,
+    schema,
+    getUserById,
+    getUserByUsername,
+    getUserByUsernameAndPassword,
+    getUserByVerificationToken,
+    createUser,
+    updateUser,
+  } = { ...DEFAULTS, ...options };
+
+  if (!process.env.JWT_SECRET) {
+    console.warn("You need to specify a secret.");
+  }
+
+  const secret = process.env.JWT_SECRET || "YouNeedASecret";
+
+  const app = createBaseAppServer({ port, webpack, start });
+
+  passport.use(
+    "jwt",
+    new JwtStrategy(
+      {
+        jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+        secretOrKey: secret,
+        // NOTE: Setting options like 'issuer' here must also be set when the token is signed below
+        jsonWebTokenOptions: {
+          expiresIn: "120m",
+        },
+      },
+      (payload, done) => {
+        done(null, payload);
+      }
+    )
+  );
+  passport.serializeUser((id, done) => {
+    done(null, id);
+  });
+  passport.deserializeUser((id, done) => {
+    getUserById(id)
+      .then((user) => {
+        // An undefined user means we couldn't find it, so the session is invalid
+        done(null, user === undefined ? false : user);
+      })
+      .catch((error) => {
+        done(error, null);
+      });
+  });
+  passport.initialize();
+
+  app.use(
+    auth({
+      secret,
+      schema,
+      getUserById,
+      getUserByUsername,
+      getUserByUsernameAndPassword,
+      getUserByVerificationToken,
+      createUser,
+      updateUser,
+    })
+  );
+
+  secure.forEach((path) => {
+    app.use(path, checkAuth());
+  });
+
+  return app;
+}

package/src/data/simple-users-dao.js

@@ -0,0 +1,95 @@
+import { Low, JSONFile } from "lowdb";
+import { v4 as uuidv4 } from "uuid";
+import shortid from "shortid";
+import bcrypt from "bcryptjs";
+
+export default class SimpleUsersDao {
+  constructor(seeds = [], adapter = new JSONFile("./db.json")) {
+    this.db = new Low(adapter);
+
+    this.db.read().then(() => {
+      this.db.data ||= { users: [] };
+
+      if (seeds.length > 0) {
+        seeds.forEach((user) => this.createUser(user));
+      }
+    });
+  }
+
+  getUserById = (userId) => {
+    return this.db.data.users
+      .filter((user) => {
+        // This one can get gross with numerical ids
+        // eslint-disable-next-line eqeqeq
+        return user.id == userId;
+      })
+      .shift();
+  };
+
+  getUserByUsername = (username) => {
+    return this.db.data.users
+      .filter((user) => {
+        return user.username === username;
+      })
+      .shift();
+  };
+
+  getUserByUsernameAndPassword = (username, password) => {
+    const user = this.getUserByUsername(username);
+
+    if (!bcrypt.compareSync(password, user.password)) {
+      return false;
+    }
+
+    return user;
+  };
+
+  getUserByVerificationToken = (token) => {
+    return this.db.data.users
+      .filter((user) => user.verification_token === token)
+      .shift();
+  };
+
+  createUser = async (user) => {
+    const existing = this.getUserByUsername(user.username);
+
+    if (existing) {
+      throw new Error("This username is already taken.");
+    }
+
+    const now = new Date();
+    const data = {
+      ...user,
+      password: bcrypt.hashSync(user.password, 10),
+      id: uuidv4(),
+      verification_token: shortid.generate(),
+      created_at: now,
+      last_updated: now,
+    };
+    this.db.data.users.push(data);
+    await this.db.write();
+    return data;
+  };
+
+  updateUser = async (userId, user) => {
+    const now = new Date();
+    this.db.data.users = this.db.data.users.map((u) => {
+      if (u.id === userId) {
+        // If the password has been set, encrypt it
+        if (user.password) {
+          user.password = bcrypt.hashSync(user.password, 10);
+        }
+
+        return {
+          ...u,
+          ...user,
+          id: userId,
+          last_updated: now,
+        };
+      }
+      return u;
+    });
+    await this.db.write();
+    return this.getUserById(userId);
+  };
+}

package/src/index.js

@@ -0,0 +1,15 @@
+export {
+  convertCase,
+  formatInput,
+  formatOutput,
+  asyncJsonHandler,
+  schemaHandler,
+  BadRequestException,
+  NotAuthorizedException,
+  NotFoundException,
+  AlreadyExistsException,
+} from "@stanlemon/server";
+export { default as checkAuth } from "./checkAuth.js";
+export { default as createAppServer } from "./createAppServer.js";
+export { default as schema } from "./schema/user.js";
+export { default as SimpleUsersDao } from "./data/simple-users-dao.js";

package/src/routes/auth.js

@@ -0,0 +1,143 @@
+import { isEmpty } from "lodash-es";
+import { Router } from "express";
+import passport from "passport";
+import jwt from "jsonwebtoken";
+import {
+  schemaHandler,
+  formatOutput,
+  BadRequestException,
+} from "@stanlemon/server";
+
+/* eslint-disable max-lines-per-function */
+export default function authRoutes({
+  secret,
+  schema,
+  getUserById,
+  getUserByUsername,
+  getUserByUsernameAndPassword,
+  getUserByVerificationToken,
+  createUser,
+  updateUser,
+}) {
+  const router = Router();
+
+  router.get("/auth/session", (req, res, next) => {
+    /* look at the 2nd parameter to the below call */
+    passport.authenticate("jwt", { session: false }, (err, userId) => {
+      if (err) {
+        return next(err);
+      }
+      if (!userId) {
+        return res.status(401).json({
+          token: false,
+          user: false,
+        });
+      }
+
+      req.logIn(userId, async (err) => {
+        if (err) {
+          return next(err);
+        }
+
+        const user = await getUserById(userId);
+
+        if (!user) {
+          return res.status(401).json({
+            token: false,
+            user: false,
+          });
+        } else {
+          const token = jwt.sign(user.id, secret);
+          res
+            .status(200)
+            .json({ token, user: formatOutput(user, ["password"]) });
+        }
+      });
+    })(req, res, next);
+  });
+
+  router.post("/auth/login", async (req, res) => {
+    const user = await getUserByUsernameAndPassword(
+      req.body.username,
+      req.body.password
+    );
+
+    if (!user) {
+      res.status(401).json({
+        message: "Incorrect username or password.",
+      });
+      return;
+    }
+
+    const update = await updateUser(user.id, {
+      last_logged_in: new Date(),
+    });
+
+    const token = jwt.sign(user.id, secret);
+
+    res.json({
+      token,
+      user: formatOutput(update, ["password"]),
+    });
+  });
+
+  router.get("/auth/logout", (req, res) => {
+    req.logout();
+
+    return res.status(401).json({
+      token: false,
+      user: false,
+    });
+  });
+
+  router.post(
+    "/auth/register",
+    schemaHandler(schema, async (data) => {
+      const existing = await getUserByUsername(data.username);
+
+      if (existing) {
+        throw new BadRequestException(
+          "A user with this username already exists"
+        );
+      }
+
+      const user = await createUser(data);
+
+      if (isEmpty(user)) {
+        return {
+          message: "An error has occurred",
+        };
+      }
+
+      // TODO: Add hook for handling verification notification
+      // user.verification_token
+
+      const token = jwt.sign(user.id, secret);
+      return { token, user: formatOutput(user, ["password"]) };
+    })
+  );
+
+  router.get("/auth/verify/:token", async (req, res) => {
+    const { token } = req.params;
+
+    const user = await getUserByVerificationToken(token);
+
+    if (isEmpty(user)) {
+      return res
+        .status(400)
+        .json({ success: false, message: "Cannot verify user." });
+    }
+
+    if (user.verified_date) {
+      return res
+        .status(400)
+        .send({ success: false, message: "User already verified." });
+    }
+
+    await updateUser(user.id, { verified_date: new Date() });
+
+    return res.send({ success: true, message: "User verified!" });
+  });
+
+  return router;
+}

package/src/routes/auth.test.js

@@ -0,0 +1,142 @@
+import request from "supertest";
+import { Memory } from "lowdb";
+import createAppServer from "../createAppServer";
+import SimpleUsersDao from "../data/simple-users-dao.js";
+
+let users = new SimpleUsersDao([], new Memory());
+
+const app = createAppServer({ ...users, start: false });
+
+describe("/auth", () => {
+  let userId;
+
+  beforeAll(async () => {
+    // Reset our users database before each test
+    const user = await users.createUser({
+      username: "test",
+      password: "test",
+    });
+
+    userId = user.id;
+  });
+
+  // Disabling this linting rule because it is unaware of the supertest assertions
+  /* eslint-disable jest/expect-expect */
+  it("POST /register creates a user", async () => {
+    const username = "test1";
+    const password = "p@$$w0rd!";
+
+    const data = {
+      username,
+      password,
+    };
+
+    await request(app)
+      .post("/auth/register")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .send(data)
+      .expect(200)
+      .then((res) => {
+        expect(res.body.errors).toBeUndefined();
+        expect(res.body.token).not.toBeUndefined();
+        expect(res.body.user).not.toBeUndefined();
+      });
+  });
+
+  it("POST /register returns error on empty data", async () => {
+    await request(app)
+      .post("/auth/register")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(400)
+      .then((res) => {
+        expect(res.body.errors).not.toBe(undefined);
+        expect(res.body.errors.username).not.toBe(undefined);
+      });
+  });
+
+  it("POST /register returns error on short password", async () => {
+    await request(app)
+      .post("/auth/register")
+      .send({
+        username: "testshort",
+        password: "short",
+      })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(400)
+      .then((res) => {
+        expect(res.body.errors).not.toBe(undefined);
+        expect(res.body.errors.password).not.toBe(undefined);
+      });
+  });
+
+  it("POST /register returns error on too long password", async () => {
+    await request(app)
+      .post("/auth/register")
+      .send({
+        username: "testlong",
+        password:
+          "waytolongpasswordtobeusedforthisapplicationyoushouldtrysomethingmuchmuchshorter",
+      })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(400)
+      .then((res) => {
+        expect(res.body.errors).not.toBe(undefined);
+        expect(res.body.errors.password).not.toBe(undefined);
+      });
+  });
+
+  it("POST /register returns error on already taken username", async () => {
+    await request(app)
+      .post("/auth/register")
+      .send({
+        username: "test",
+        password: "p@$$w0rd!",
+      })
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(400)
+      .then((res) => {
+        expect(res.body).toEqual({
+          error: "Bad Request: A user with this username already exists",
+        });
+      });
+  });
+
+  it("GET /verify verifies user", async () => {
+    const user = users.getUserById(userId);
+
+    expect(user.verification_token).not.toBe(null);
+    expect(user.verified_date).toBeUndefined();
+
+    // First call will verify the user
+    await request(app)
+      .get("/auth/verify/" + user.verification_token)
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(200)
+      .then((res) => {
+        expect(res.body.success).toEqual(true);
+      });
+
+    const refresh = await users.getUserById(userId);
+
+    expect(refresh.verified_date).not.toBe(null);
+
+    // Subsequent calls are not successful because the user is already verified
+    await request(app)
+      .get("/auth/verify/" + user.verification_token)
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(400)
+      .then((res) => {
+        expect(res.body).toEqual({
+          success: false,
+          message: "User already verified.",
+        });
+      });
+  });
+});

package/src/schema/user.js

@@ -0,0 +1,8 @@
+import Joi from "joi";
+
+const schema = Joi.object({
+  username: Joi.string().required().label("Username"),
+  password: Joi.string().required().allow("").min(8).max(64).label("Password"),
+});
+
+export default schema;

package/test.http

@@ -0,0 +1,37 @@
+GET http://localhost:3003/ HTTP/1.1
+content-type: application/json
+
+###
+POST http://localhost:3003/auth/register HTTP/1.1
+Content-Type: application/json
+
+{
+  "name": "Test Example",
+  "email": "example@example.com",
+  "username": "test123",
+  "password": "password"
+}
+
+###
+
+# @name login
+POST http://localhost:3003/auth/login HTTP/1.1
+Content-Type: application/json
+
+{
+  "username": "user",
+  "password": "password"
+}
+
+###
+
+@authToken = {{login.response.body.token}}
+
+# @name session
+GET http://localhost:3003/auth/session
+Authorization: Bearer {{authToken}}
+
+###
+
+GET http://localhost:3003/api/users
+Authorization: Bearer {{authToken}}