@stanlemon/server-with-auth 0.1.29 → 0.2.0

package/app.js

@@ -1,25 +1,28 @@
 import { createAppServer, asyncJsonHandler as handler } from "./src/index.js";
-import SimpleUsersDao from "./src/data/simple-users-dao.js";
+import LowDBUserDao from "./src/data/lowdb-user-dao.js";
 
-const users = new SimpleUsersDao();
+const dao = new LowDBUserDao();
 
 const app = createAppServer({
   port: 3003,
   secure: ["/api/"],
-  ...users,
+  dao,
 });
 
+// Insecure endpoint
 app.get(
   "/",
-  handler(({ name }) => ({ hello: "world" }))
+  handler(() => ({ hello: "world" }))
 );
 
+// Insecure endpoint
 app.get(
-  "/api/users",
-  handler(() => ({ users: users.db.data.users }))
+  "/hello/:name",
+  handler(({ name = "world" }) => ({ hello: name }))
 );
 
+// Secure endpoint
 app.get(
-  "/insecure",
-  handler(() => ({ secure: false }))
+  "/api/users",
+  handler(() => ({ users: dao.getDB().data.users }))
 );

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "@stanlemon/server-with-auth",
-  "version": "0.1.29",
+  "version": "0.2.0",
   "description": "A basic express web server setup with authentication baked in.",
   "author": "Stan Lemon <stanlemon@users.noreply.github.com>",
   "license": "MIT",
   "engines": {
-    "node": ">=16.13.0"
+    "node": ">=18.0"
   },
   "type": "module",
   "main": "./src/index.js",
@@ -22,13 +22,12 @@
     "@stanlemon/server": "*",
     "@stanlemon/webdev": "*",
     "bcryptjs": "^2.4.3",
-    "jsonwebtoken": "^9.0.1",
+    "jsonwebtoken": "^9.0.2",
     "lowdb": "^6.0.1",
     "lowdb-node": "^3.0.2",
     "passport": "^0.6.0",
     "passport-jwt": "^4.0.1",
-    "shortid": "^2.2.16",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.1"
   },
   "devDependencies": {
     "@stanlemon/eslint-config": "*",
@@ -36,4 +35,4 @@
     "nodemon": "^3.0.1",
     "supertest": "^6.3.3"
   }
-}
+}

package/src/createAppServer.js

@@ -5,40 +5,50 @@ import {
 } from "@stanlemon/server";
 import passport from "passport";
 import { Strategy as JwtStrategy, ExtractJwt } from "passport-jwt";
-import shortid from "shortid";
+import { v4 as uuid } from "uuid";
+import Joi from "joi";
 import defaultUserSchema from "./schema/user.js";
 import checkAuth from "./checkAuth.js";
 import auth from "./routes/auth.js";
+import UserDao from "./data/user-dao.js";
 
 dotenv.config();
 
-// TODO: Add option for schema
 export const DEFAULTS = {
   ...BASE_DEFAULTS,
   secure: [],
   schema: defaultUserSchema,
-  getUserById: (userId) => {},
-  getUserByUsername: (username) => {},
-  getUserByUsernameAndPassword: (username, password) => {},
-  getUserByVerificationToken: (token) => {},
-  createUser: (user) => {},
-  updateUser: (userId, user) => {},
+  dao: new UserDao(),
 };
 
+/**
+ * Create an app server with authentication.
+ * @param {number} options.port Port to listen on
+ * @param {boolean} options.webpack Whether or not to create a proxy for webpack
+ * @param {string[]} options.secure Paths that require authentication
+ * @param {Joi.Schema} options.schema Joi schema for user object
+ * @param {UserDao} options.dao Data access object for user interactions
+ * @returns {import("express").Express} Express app
+ */
 export default function createAppServer(options) {
-  const {
-    port,
-    webpack,
-    start,
-    secure,
-    schema,
-    getUserById,
-    getUserByUsername,
-    getUserByUsernameAndPassword,
-    getUserByVerificationToken,
-    createUser,
-    updateUser,
-  } = { ...DEFAULTS, ...options };
+  const { port, webpack, start, secure, schema, dao } = {
+    ...DEFAULTS,
+    ...options,
+  };
+
+  if (!(dao instanceof UserDao)) {
+    throw new Error("The dao object must be of type UserDao.");
+  }
+
+  if (!Joi.isSchema(schema)) {
+    throw new Error("The schema object must be of type Joi schema.");
+  }
+
+  if (!schema.describe().keys.username || !schema.describe().keys.password) {
+    throw new Error(
+      "The schema object must have a username and password defined."
+    );
+  }
 
   const app = createBaseAppServer({ port, webpack, start });
 
@@ -47,10 +57,10 @@ export default function createAppServer(options) {
   }
 
   if (!process.env.JWT_SECRET) {
-    console.warn("You need to specify a secret.");
+    console.warn("You need to specify a JWT secret!");
   }
 
-  const secret = process.env.JWT_SECRET || shortid.generate();
+  const secret = process.env.JWT_SECRET || uuid();
 
   passport.use(
     "jwt",
@@ -72,7 +82,8 @@ export default function createAppServer(options) {
     done(null, id);
   });
   passport.deserializeUser((id, done) => {
-    getUserById(id)
+    dao
+      .getUserById(id)
       .then((user) => {
         // An undefined user means we couldn't find it, so the session is invalid
         done(null, user === undefined ? false : user);
@@ -87,12 +98,7 @@ export default function createAppServer(options) {
     auth({
       secret,
       schema,
-      getUserById,
-      getUserByUsername,
-      getUserByUsernameAndPassword,
-      getUserByVerificationToken,
-      createUser,
-      updateUser,
+      dao,
     })
   );
 

package/src/data/lowdb-user-dao.js

@@ -0,0 +1,124 @@
+import { LowSync, MemorySync } from "lowdb";
+import { JSONFileSync } from "lowdb-node";
+import { v4 as uuidv4 } from "uuid";
+import bcrypt from "bcryptjs";
+import UserDao from "./user-dao.js";
+
+const DEFAULT_ADAPTER =
+  process.env.NODE_ENV === "test"
+    ? new MemorySync()
+    : new JSONFileSync("./db.json");
+
+export default class LowDBUserDao extends UserDao {
+  #db;
+
+  constructor(seeds = [], adapter = DEFAULT_ADAPTER) {
+    super();
+
+    this.#db = new LowSync(adapter, { users: [] });
+    this.#db.read();
+
+    if (seeds.length > 0) {
+      seeds.forEach((user) => this.createUser(user));
+    }
+  }
+
+  getDB() {
+    return this.#db;
+  }
+
+  /** @inheritdoc */
+  getUserById(userId) {
+    return this.#db.data.users
+      .filter((user) => {
+        // This one can get gross with numerical ids
+        // eslint-disable-next-line eqeqeq
+        return user.id == userId;
+      })
+      .shift();
+  }
+
+  /** @inheritdoc */
+  getUserByUsername(username) {
+    return this.#db.data.users
+      .filter((user) => {
+        return user.username === username;
+      })
+      .shift();
+  }
+
+  /** @inheritdoc */
+  getUserByUsernameAndPassword(username, password) {
+    // Treat this like a failed login.
+    if (!username || !password) {
+      return false;
+    }
+
+    const user = this.getUserByUsername(username);
+
+    if (!user || !bcrypt.compareSync(password, user.password)) {
+      return false;
+    }
+
+    return user;
+  }
+
+  /** @inheritdoc */
+  getUserByVerificationToken(token) {
+    return this.#db.data.users
+      .filter((user) => user.verification_token === token)
+      .shift();
+  }
+
+  /** @inheritdoc */
+  createUser(user) {
+    const existing = this.getUserByUsername(user.username);
+
+    if (existing) {
+      throw new Error("This username is already taken.");
+    }
+
+    const now = new Date();
+    const data = {
+      ...user,
+      password: bcrypt.hashSync(user.password, 10),
+      id: uuidv4(),
+      verification_token: uuidv4(),
+      created_at: now,
+      last_updated: now,
+    };
+    this.#db.data.users.push(data);
+    this.#db.write();
+    return data;
+  }
+
+  /** @inheritdoc */
+  updateUser(userId, user) {
+    const now = new Date();
+    this.#db.data.users = this.#db.data.users.map((u) => {
+      if (u.id === userId) {
+        // If the password has been set, encrypt it
+        if (user.password) {
+          user.password = bcrypt.hashSync(user.password, 10);
+        }
+
+        return {
+          ...u,
+          ...user,
+          id: userId,
+          last_updated: now,
+        };
+      }
+      return u;
+    });
+    this.#db.write();
+    return this.getUserById(userId);
+  }
+
+  /** @inheritdoc */
+  deleteUser(userId) {
+    this.#db.data.users = this.#db.data.users.filter((u) => u.id !== userId);
+    this.#db.write();
+    return true;
+  }
+}

package/src/data/{simple-users-dao.test.js → lowdb-user-dao.test.js}

@@ -2,24 +2,25 @@
  * @jest-environment node
  */
 import { MemorySync } from "lowdb";
-import SimpleUsersDao from "./simple-users-dao.js";
+import LowDBUserDao from "./lowdb-user-dao.js";
 
-describe("simple-users-dao", () => {
+describe("lowdb-user-dao", () => {
   // This is a user that we will reuse in our tests
   const data = {
     username: "test",
     password: "password",
   };
-  // This will be our user database
-  let users;
+
+  /** @type {LowDBUserDao} */
+  let dao;
 
   beforeEach(() => {
     // Before each test reset our users database
-    users = new SimpleUsersDao([], new MemorySync());
+    dao = new LowDBUserDao([], new MemorySync());
   });
 
   it("creates a user", async () => {
-    let user = await users.createUser(data);
+    let user = await dao.createUser(data);
 
     expect(user.username).toEqual(data.username);
     // The value should be encrypted now
@@ -29,7 +30,7 @@ describe("simple-users-dao", () => {
     expect(user.created_at).not.toBeUndefined();
     expect(user.last_updated).not.toBeUndefined();
 
-    const refresh = users.getUserByUsername(data.username);
+    const refresh = dao.getUserByUsername(data.username);
 
     // If we retrieve the user by username, it matches the object we got when we created it
     expect(refresh).toMatchObject(user);
@@ -40,9 +41,9 @@ describe("simple-users-dao", () => {
 
     try {
       // Create the user
-      await users.createUser(data);
+      await dao.createUser(data);
       // Attempt to create the user again, this will fail
-      await users.createUser(data);
+      await dao.createUser(data);
     } catch (err) {
       hasError = err;
     }
@@ -52,9 +53,9 @@ describe("simple-users-dao", () => {
   });
 
   it("retrieve user by username and password", async () => {
-    const user1 = await users.createUser(data);
+    const user1 = await dao.createUser(data);
 
-    const user2 = users.getUserByUsernameAndPassword(
+    const user2 = dao.getUserByUsernameAndPassword(
       data.username,
       data.password
     );
@@ -63,9 +64,9 @@ describe("simple-users-dao", () => {
   });
 
   it("retrieve user by username and wrong password fails", async () => {
-    await users.createUser(data);
+    await dao.createUser(data);
 
-    const user2 = users.getUserByUsernameAndPassword(
+    const user2 = dao.getUserByUsernameAndPassword(
       data.username,
       "wrong password"
     );
@@ -74,22 +75,35 @@ describe("simple-users-dao", () => {
   });
 
   it("retrieve user by username and undefined password fails", async () => {
-    await users.createUser(data);
+    await dao.createUser(data);
 
-    const user2 = users.getUserByUsernameAndPassword(data.username, undefined);
+    const user2 = dao.getUserByUsernameAndPassword(data.username, undefined);
 
     expect(user2).toBe(false);
   });
 
   it("retrieve user by username that does not exist fails", async () => {
-    const user = users.getUserByUsernameAndPassword("notarealuser", "password");
+    const user = dao.getUserByUsernameAndPassword("notarealuser", "password");
 
     expect(user).toBe(false);
   });
 
   it("retrieve user by username that is undefined fails", async () => {
-    const user = users.getUserByUsernameAndPassword(undefined, "password");
+    const user = dao.getUserByUsernameAndPassword(undefined, "password");
 
     expect(user).toBe(false);
   });
+
+  it("deletes a user by id", async () => {
+    const user = await dao.createUser(data);
+
+    expect(dao.getDB().data.users).toHaveLength(1);
+
+    const deleted = dao.deleteUser(user.id);
+
+    expect(deleted).toBe(true);
+    expect(dao.getUserById(user.id)).toBeUndefined();
+
+    expect(dao.getDB().data.users).toHaveLength(0);
+  });
 });

package/src/data/simple-users-dao.js

@@ -1,116 +1,6 @@
-import { LowSync, MemorySync } from "lowdb";
-import { JSONFileSync } from "lowdb-node";
-import { v4 as uuidv4 } from "uuid";
-import shortid from "shortid";
-import bcrypt from "bcryptjs";
+import LowDBUserDao from "./lowdb-user-dao.js";
 
-const DEFAULT_ADAPTER =
-  process.env.NODE_ENV === "test"
-    ? new MemorySync()
-    : new JSONFileSync("./db.json");
-
-export default class SimpleUsersDao {
-  constructor(seeds = [], adapter = DEFAULT_ADAPTER) {
-    this.db = new LowSync(adapter, { users: [] });
-
-    this.db.read();
-
-    if (seeds.length > 0) {
-      seeds.forEach((user) => this.createUser(user));
-    }
-  }
-
-  getDb() {
-    return this.db;
-  }
-
-  generateId() {
-    return uuidv4();
-  }
-
-  generateVerificationToken() {
-    return shortid.generate();
-  }
-
-  getUserById = (userId) => {
-    return this.db.data.users
-      .filter((user) => {
-        // This one can get gross with numerical ids
-        // eslint-disable-next-line eqeqeq
-        return user.id == userId;
-      })
-      .shift();
-  };
-
-  getUserByUsername = (username) => {
-    return this.db.data.users
-      .filter((user) => {
-        return user.username === username;
-      })
-      .shift();
-  };
-
-  getUserByUsernameAndPassword = (username, password) => {
-    // Treat this like a failed login.
-    if (!username || !password) {
-      return false;
-    }
-
-    const user = this.getUserByUsername(username);
-
-    if (!user || !bcrypt.compareSync(password, user.password)) {
-      return false;
-    }
-
-    return user;
-  };
-
-  getUserByVerificationToken = (token) => {
-    return this.db.data.users
-      .filter((user) => user.verification_token === token)
-      .shift();
-  };
-
-  createUser = (user) => {
-    const existing = this.getUserByUsername(user.username);
-
-    if (existing) {
-      throw new Error("This username is already taken.");
-    }
-
-    const now = new Date();
-    const data = {
-      ...user,
-      password: bcrypt.hashSync(user.password, 10),
-      id: this.generateId(),
-      verification_token: this.generateVerificationToken(),
-      created_at: now,
-      last_updated: now,
-    };
-    this.db.data.users.push(data);
-    this.db.write();
-    return data;
-  };
-
-  updateUser = (userId, user) => {
-    const now = new Date();
-    this.db.data.users = this.db.data.users.map((u) => {
-      if (u.id === userId) {
-        // If the password has been set, encrypt it
-        if (user.password) {
-          user.password = bcrypt.hashSync(user.password, 10);
-        }
-
-        return {
-          ...u,
-          ...user,
-          id: userId,
-          last_updated: now,
-        };
-      }
-      return u;
-    });
-    this.db.write();
-    return this.getUserById(userId);
-  };
-}
+/**
+ * @deprecated since version 2.0, use LowDBUserDao instead.
+ */
+export default class SimpleUsersDao extends LowDBUserDao {}

package/src/data/user-dao.js

@@ -0,0 +1,73 @@
+export default class UserDao {
+  constructor() {}
+
+  #error() {
+    throw new Error(
+      "The UserDao class serves as an interface, do not use it directly."
+    );
+  }
+
+  /**
+   * Get user by id.
+   * @param {*} userId Identifier to get user by
+   */
+  // eslint-disable-next-line no-unused-vars
+  getUserById(userId) {
+    this.#error();
+  }
+
+  /**
+   * Get user by username.
+   * @param {string} username Username
+   */
+  // eslint-disable-next-line no-unused-vars
+  getUserByUsername(username) {
+    this.#error();
+  }
+
+  /**
+   * Get user by username and password.
+   * @param {string} username Username
+   * @param {string} password Password
+   */
+  // eslint-disable-next-line no-unused-vars
+  getUserByUsernameAndPassword(username, password) {
+    this.#error();
+  }
+
+  /**
+   * Get user by verification token.
+   * @param {string} token User verification token
+   */
+  // eslint-disable-next-line no-unused-vars
+  getUserByVerificationToken(token) {
+    this.#error();
+  }
+
+  /**
+   * Create a new user.
+   * @param {object} user User
+   */
+  // eslint-disable-next-line no-unused-vars
+  createUser(user) {
+    this.#error();
+  }
+
+  /**
+   * Update an existing user.
+   * @param {*} userId User identifier
+   * @param {object} user User object
+   */
+  // eslint-disable-next-line no-unused-vars
+  updateUser(userId, user) {
+    this.#error();
+  }
+
+  /**
+   * Delete a user.
+   * @param {*} userId User identifier
+   */
+  deleteUser(userId) {
+    this.#error();
+  }
+}

package/src/index.js

@@ -13,3 +13,4 @@ export { default as checkAuth } from "./checkAuth.js";
 export { default as createAppServer } from "./createAppServer.js";
 export { default as schema } from "./schema/user.js";
 export { default as SimpleUsersDao } from "./data/simple-users-dao.js";
+export { default as LowDBUserDao } from "./data/lowdb-user-dao.js";

package/src/routes/auth.js

@@ -7,18 +7,14 @@ import {
   BadRequestException,
 } from "@stanlemon/server";
 import checkAuth from "../checkAuth.js";
+import UserDao from "../data/user-dao.js";
 
 /* eslint-disable max-lines-per-function */
-export default function authRoutes({
-  secret,
-  schema,
-  getUserById,
-  getUserByUsername,
-  getUserByUsernameAndPassword,
-  getUserByVerificationToken,
-  createUser,
-  updateUser,
-}) {
+export default function authRoutes({ secret, schema, dao }) {
+  if (!(dao instanceof UserDao)) {
+    throw new Error("The dao object must be of type UserDao.");
+  }
+
   const router = Router();
 
   router.get("/auth/session", checkAuth(), async (req, res) => {
@@ -32,7 +28,7 @@ export default function authRoutes({
       return;
     }
 
-    const user = await getUserById(userId);
+    const user = await dao.getUserById(userId);
 
     if (!user) {
       res.status(401).json({
@@ -46,7 +42,7 @@ export default function authRoutes({
   });
 
   router.post("/auth/login", async (req, res) => {
-    const user = await getUserByUsernameAndPassword(
+    const user = await dao.getUserByUsernameAndPassword(
       req.body.username,
       req.body.password
     );
@@ -58,7 +54,7 @@ export default function authRoutes({
       return;
     }
 
-    const update = await updateUser(user.id, {
+    const update = await dao.updateUser(user.id, {
       last_logged_in: new Date(),
     });
 
@@ -82,7 +78,7 @@ export default function authRoutes({
   router.post(
     "/auth/register",
     schemaHandler(schema, async (data) => {
-      const existing = await getUserByUsername(data.username);
+      const existing = await dao.getUserByUsername(data.username);
 
       if (existing) {
         throw new BadRequestException(
@@ -90,7 +86,7 @@ export default function authRoutes({
         );
       }
 
-      const user = await createUser(data);
+      const user = await dao.createUser(data);
 
       if (isEmpty(user)) {
         return {
@@ -109,7 +105,7 @@ export default function authRoutes({
   router.get("/auth/verify/:token", async (req, res) => {
     const { token } = req.params;
 
-    const user = await getUserByVerificationToken(token);
+    const user = await dao.getUserByVerificationToken(token);
 
     if (isEmpty(user)) {
       return res
@@ -123,7 +119,7 @@ export default function authRoutes({
         .send({ success: false, message: "User already verified." });
     }
 
-    await updateUser(user.id, { verified_date: new Date() });
+    await dao.updateUser(user.id, { verified_date: new Date() });
 
     return res.send({ success: true, message: "User verified!" });
   });

package/src/routes/auth.test.js

@@ -4,16 +4,16 @@
 import request from "supertest";
 import { MemorySync } from "lowdb";
 import createAppServer from "../createAppServer";
-import SimpleUsersDao from "../data/simple-users-dao.js";
+import LowDBUserDao from "../data/lowdb-user-dao.js";
 
 // This suppresses a warning we don't need in tests
 process.env.JWT_SECRET = "SECRET";
 
-let users = new SimpleUsersDao([], new MemorySync());
+let dao = new LowDBUserDao([], new MemorySync());
 
 // We want to explicitly test functionality we disable during testing
 process.env.NODE_ENV = "override";
-const app = createAppServer({ ...users, start: false });
+const app = createAppServer({ dao, start: false });
 process.env.NODE_ENV = "test";
 
 describe("/auth", () => {
@@ -21,7 +21,7 @@ describe("/auth", () => {
 
   beforeAll(async () => {
     // Reset our users database before each test
-    const user = await users.createUser({
+    const user = await dao.createUser({
       username: "test",
       password: "test",
     });
@@ -116,7 +116,7 @@ describe("/auth", () => {
   });
 
   it("GET /verify verifies user", async () => {
-    const user = users.getUserById(userId);
+    const user = dao.getUserById(userId);
 
     expect(user.verification_token).not.toBe(null);
     expect(user.verified_date).toBeUndefined();
@@ -131,7 +131,7 @@ describe("/auth", () => {
         expect(res.body.success).toEqual(true);
       });
 
-    const refresh = await users.getUserById(userId);
+    const refresh = await dao.getUserById(userId);
 
     expect(refresh.verified_date).not.toBe(null);