@stanlemon/server-with-auth 0.2.11 → 0.3.0

package/README.md

@@ -0,0 +1,48 @@
+# Express App Server with Authentication
+
+[![npm version](https://badge.fury.io/js/%40stanlemon%2Fserver-with-auth.svg)](https://badge.fury.io/js/%40stanlemon%2Fserver-with-auth)
+
+This is a base express app server that is wired up with sensible defaults, like compression, json support and serving the `dist` folder statically and also includes basic authentication support. It builds off of the [@stanlemon/server](../server/README.md) package.
+
+This package includes authentication against secure endpoints using JWT. There are endpoints for logging in and signing up, as well as basic user management flows such as updating a profile, verifying a user and resetting a password.
+
+When `NODE_ENV=development` the server will also proxy requests to webpack.
+
+This library goes well with [@stanlemon/webdev](../webdev/README.md). You can see this package, along with [@stanlemon/webdev] in action by using the [@stanlemon/app-template](../../apps/template/README.md) package.
+
+```javascript
+import {
+  createAppServer,
+  asyncJsonHandler as handler,
+  NotFoundException,
+  LowDBUserDao,
+  createLowDb
+} from "@stanlemon/server-with-auth";
+import  from "./src/data/lowdb-user-dao.js";
+
+const db = createLowDb();
+const dao = new LowDBUserDao(db);
+
+const app = createAppServer({
+  port: 3003,secure: ["/api/"],
+  schemas,
+  dao,
+ });
+
+
+// Insecure endpoint
+app.get(
+  "/",
+  handler(() => ({ hello: "world" }))
+);
+
+// Secure endpoint
+app.get(
+  "/api/users",
+  handler(() => ({
+    users: db.data.users.map((u) =>
+      omit(u, ["password", "verification_token"])
+    ),
+  }))
+);
+```

package/app.js

@@ -1,13 +1,40 @@
-import { createAppServer, asyncJsonHandler as handler } from "./src/index.js";
-import LowDBUserDao, { createDb } from "./src/data/lowdb-user-dao.js";
+import { omit } from "lodash-es";
+import EventEmitter from "node:events";
+import Joi from "joi";
+import {
+  createAppServer,
+  asyncJsonHandler as handler,
+  createSchemas,
+  EVENTS,
+  LowDBUserDao,
+  createLowDb,
+} from "./src/index.js";
 
-const db = createDb();
+const db = createLowDb();
 const dao = new LowDBUserDao(db);
+const eventEmitter = new EventEmitter();
+Object.values(EVENTS).forEach((event) => {
+  eventEmitter.on(event, (user) => {
+    // eslint-disable-next-line no-console
+    console.info(
+      `Event = ${event}, User = ${JSON.stringify(
+        omit(user, ["password", "verification_token"])
+      )}`
+    );
+  });
+});
+
+const schemas = createSchemas({
+  fullName: Joi.string().required().label("Full Name"),
+  email: Joi.string().email().required().label("Email"),
+});
 
 const app = createAppServer({
   port: 3003,
   secure: ["/api/"],
+  schemas,
   dao,
+  eventEmitter,
 });
 
 // Insecure endpoint
@@ -25,5 +52,11 @@ app.get(
 // Secure endpoint
 app.get(
   "/api/users",
-  handler(() => ({ users: db.data.users }))
+  handler(() => ({
+    users: db.data.users.map((u) =>
+      omit(u, ["password", "verification_token"])
+    ),
+  }))
 );
+
+app.catch404s("/api/*");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stanlemon/server-with-auth",
-  "version": "0.2.11",
+  "version": "0.3.0",
   "description": "A basic express web server setup with authentication baked in.",
   "author": "Stan Lemon <stanlemon@users.noreply.github.com>",
   "license": "MIT",
@@ -13,7 +13,7 @@
   "scripts": {
     "start": "NODE_ENV=development nodemon --ignore db.json ./app.js",
     "lint": "eslint --ext js,jsx,ts,tsx ./",
-    "lint:format": "eslint --fix --ext js,jsx,ts,tsx ./",
+    "lint:fix": "eslint --fix --ext js,jsx,ts,tsx ./",
     "test": "jest --detectOpenHandles",
     "test:coverage": "jest --detectOpenHandles --coverage",
     "test:watch": "jest --detectOpenHandles --watch"
@@ -22,17 +22,21 @@
     "@stanlemon/server": "*",
     "@stanlemon/webdev": "*",
     "bcryptjs": "^2.4.3",
+    "express-session": "^1.17.3",
     "jsonwebtoken": "^9.0.2",
-    "lowdb": "^6.1.1",
+    "lowdb": "^7.0.1",
     "lowdb-node": "^3.0.2",
     "passport": "^0.7.0",
     "passport-jwt": "^4.0.1",
+    "passport-local": "^1.0.0",
     "uuid": "^9.0.1"
   },
   "devDependencies": {
     "@stanlemon/eslint-config": "*",
     "@types/supertest": "^6.0.2",
+    "better-sqlite3": "^9.2.2",
+    "knex": "^3.1.0",
     "nodemon": "^3.0.2",
     "supertest": "^6.3.3"
   }
-}
+}

package/src/constants.js

@@ -0,0 +1,59 @@
+export const HIDDEN_FIELDS = ["password", "verification_token"];
+
+export const ROUTES = {
+  SIGNUP: "/auth/signup",
+  REGISTER: "/auth/register",
+  SESSION: "/auth/session",
+  LOGIN: "/auth/login",
+  LOGOUT: "/auth/logout",
+  USER: "/auth/user",
+  VERIFY: "/auth/verify/:token",
+  RESET: "/auth/reset",
+  PASSWORD: "/auth/password",
+};
+
+/**
+ * Authentication related events.
+ *
+ * Listen to these with the {EventEmitter}.
+ */
+export const EVENTS = {
+  /**
+   * When a user logs in.
+   */
+  USER_LOGIN: "user.login",
+  /**
+   * When a user logs out.
+   */
+  USER_LOGOUT: "user.logout",
+  /**
+   * When a user is created.
+   */
+  USER_CREATED: "user.created",
+  /**
+   * When a user is verified.
+   */
+  USER_VERIFIED: "user.verified",
+  /**
+   * When a user is updated.
+   */
+  USER_UPDATED: "user.updated",
+  /**
+   * When a user is deleted.
+   */
+  USER_DELETED: "user.deleted",
+  /**
+   * When a user changes their password.
+   */
+  USER_PASSWORD: "user.password",
+  /**
+   * When a user reset is requested.
+   * This is not a managed lifecycle event, you'll need to implement this!
+   */
+  USER_RESET_REQUESTED: "user.reset.requested",
+  /**
+   * When a user reset is completed.
+   * This is not a managed lifecycle event, you'll need to implement this!
+   */
+  USER_RESET_COMPLETED: "user.reset.completed",
+};

package/src/createAppServer.js

@@ -1,54 +1,60 @@
+import EventEmitter from "node:events";
 import dotenv from "dotenv";
 import {
   createAppServer as createBaseAppServer,
   DEFAULTS as BASE_DEFAULTS,
 } from "@stanlemon/server";
+import expressSession from "express-session";
 import passport from "passport";
+import { Strategy as LocalStrategy } from "passport-local";
 import { Strategy as JwtStrategy, ExtractJwt } from "passport-jwt";
 import { v4 as uuid } from "uuid";
-import Joi from "joi";
-import defaultUserSchema from "./schema/user.js";
+import SCHEMAS from "./schema/index.js";
 import checkAuth from "./checkAuth.js";
 import auth from "./routes/auth.js";
 import UserDao from "./data/user-dao.js";
+import checkUserDao from "./utilities/checkUserDao.js";
+import checkSchemas from "./utilities/checkSchemas.js";
 
 dotenv.config();
 
 export const DEFAULTS = {
   ...BASE_DEFAULTS,
   secure: [],
-  schema: defaultUserSchema,
+  schemas: SCHEMAS,
   dao: new UserDao(),
+  eventEmitter: new EventEmitter(),
+  jwtExpireInMinutes: 10,
 };
 
 /**
  * Create an app server with authentication.
+ * @param {object} options
  * @param {number} options.port Port to listen on
  * @param {boolean} options.webpack Whether or not to create a proxy for webpack
  * @param {string[]} options.secure Paths that require authentication
- * @param {Joi.Schema} options.schema Joi schema for user object
+ * @param {Object.<string, Joi.Schema>} options.schemas Object map of routes to schema for validating route inputs.
  * @param {UserDao} options.dao Data access object for user interactions
- * @returns {import("express").Express} Express app
+ * @returns {import("@stanlemon/server/src/createAppServer.js").AppServer} Pre-configured express app server with extra helper methods
  */
+/* eslint-disable max-lines-per-function */
 export default function createAppServer(options) {
-  const { port, webpack, start, secure, schema, dao } = {
+  const {
+    port,
+    webpack,
+    start,
+    secure,
+    schemas,
+    dao,
+    eventEmitter,
+    jwtExpireInMinutes,
+  } = {
     ...DEFAULTS,
     ...options,
   };
 
-  if (!(dao instanceof UserDao)) {
-    throw new Error("The dao object must be of type UserDao.");
-  }
-
-  if (!Joi.isSchema(schema)) {
-    throw new Error("The schema object must be of type Joi schema.");
-  }
-
-  if (!schema.describe().keys.username || !schema.describe().keys.password) {
-    throw new Error(
-      "The schema object must have a username and password defined."
-    );
-  }
+  checkUserDao(dao);
+  checkSchemas(schemas);
 
   const app = createBaseAppServer({ port, webpack, start });
 
@@ -56,21 +62,38 @@ export default function createAppServer(options) {
     return app;
   }
 
+  if (!process.env.COOKIE_SECRET) {
+    console.warn("You need to specify a cookie secret!");
+  }
+
   if (!process.env.JWT_SECRET) {
     console.warn("You need to specify a JWT secret!");
   }
 
-  const secret = process.env.JWT_SECRET || uuid();
+  // These secrets will not be stable between restarts
+  const cookieSecret = process.env.COOKIE_SECRET || uuid();
+  const jwtSecret = process.env.JWT_SECRET || uuid();
+
+  passport.use(
+    new LocalStrategy((username, password, done) => {
+      dao.getUserByUsernameAndPassword(username, password).then((user) => {
+        if (!user) {
+          return done(null, false);
+        }
+        return done(null, user);
+      });
+    })
+  );
 
   passport.use(
     "jwt",
     new JwtStrategy(
       {
         jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-        secretOrKey: secret,
+        secretOrKey: jwtSecret,
         // NOTE: Setting options like 'issuer' here must also be set when the token is signed below
         jsonWebTokenOptions: {
-          expiresIn: "120m",
+          expiresIn: `${jwtExpireInMinutes}m`,
         },
       },
       (payload, done) => {
@@ -78,27 +101,40 @@ export default function createAppServer(options) {
       }
     )
   );
-  passport.serializeUser((id, done) => {
-    done(null, id);
+
+  passport.serializeUser((user, done) => {
+    done(null, user);
   });
-  passport.deserializeUser((id, done) => {
+
+  passport.deserializeUser(({ id }, done) => {
     dao
       .getUserById(id)
       .then((user) => {
         // An undefined user means we couldn't find it, so the session is invalid
-        done(null, user === undefined ? false : user);
+        done(null, !user ? false : user);
       })
       .catch((error) => {
         done(error, null);
       });
   });
-  passport.initialize();
+
+  app.use(
+    expressSession({
+      secret: cookieSecret,
+      resave: true,
+      saveUninitialized: true,
+    })
+  );
+  app.use(passport.initialize());
+  app.use(passport.session());
 
   app.use(
     auth({
-      secret,
-      schema,
+      secret: jwtSecret,
+      schemas,
       dao,
+      eventEmitter,
+      jwtExpireInMinutes,
     })
   );
 
@@ -106,5 +142,11 @@ export default function createAppServer(options) {
     app.use(path, checkAuth());
   });
 
+  // Handling 500
+  app.use(function (error, req, res, next) {
+    console.error(error);
+    res.status(500).json({ error: "Internal Error" });
+  });
+
   return app;
 }

package/src/data/knex-user-dao.js

@@ -0,0 +1,142 @@
+import { v4 as uuidv4 } from "uuid";
+import bcrypt from "bcryptjs";
+import UserDao from "./user-dao.js";
+import knex from "knex";
+
+export async function createBetterSqlite3Db() {
+  const db = knex({
+    client: "better-sqlite3",
+    connection: {
+      filename: ":memory:",
+    },
+  });
+
+  await db.schema.createTable("users", (table) => {
+    table.string("id").primary(); // UUID
+    table.string("username").notNullable();
+    table.string("password").notNullable();
+    table.string("email").nullable();
+    table.string("name").nullable();
+    table.string("verification_token").notNullable();
+    table.dateTime("verified_date").nullable();
+    table.dateTime("last_login").nullable();
+    table.dateTime("created_at").notNullable();
+    table.dateTime("last_updated").notNullable();
+  });
+
+  return db;
+}
+
+export default class KnexUserDao extends UserDao {
+  #db;
+
+  constructor(db) {
+    super();
+
+    // TODO: Check if db is a knex instance and throw an error if it is now
+    this.#db = db;
+  }
+
+  /** @inheritdoc */
+  async getUserById(userId) {
+    return await this.#db("users").select().where({ id: userId }).first();
+  }
+
+  /** @inheritdoc */
+  async getUserByUsername(username) {
+    const user = await this.#db
+      .select()
+      .from("users")
+      .where({ username: username })
+      .first();
+
+    return !user ? false : user;
+  }
+
+  /** @inheritdoc */
+  async getUserByUsernameAndPassword(username, password) {
+    // Treat this like a failed login.
+    if (!username || !password) {
+      return false;
+    }
+
+    const user = await this.getUserByUsername(username);
+
+    if (!user || !bcrypt.compareSync(password, user.password)) {
+      return false;
+    }
+
+    return user;
+  }
+
+  /** @inheritdoc */
+  async getUserByVerificationToken(token) {
+    if (!token) {
+      return false;
+    }
+
+    const user = await this.#db("users")
+      .select()
+      .where({ verification_token: token })
+      .first();
+
+    return !user ? false : user;
+  }
+
+  /** @inheritdoc */
+  async createUser(user) {
+    const existing = await this.getUserByUsername(user.username);
+
+    if (existing) {
+      throw new Error("This username is already taken.");
+    }
+    const now = new Date();
+
+    const data = {
+      ...user,
+      password: bcrypt.hashSync(user.password, 10),
+      id: uuidv4(),
+      verification_token: uuidv4(),
+      created_at: now,
+      last_updated: now,
+    };
+
+    await this.#db("users").insert(data);
+
+    return await this.getUserById(data.id);
+  }
+
+  /** @inheritdoc */
+  async updateUser(userId, user) {
+    if (!userId) {
+      throw new Error("User ID is required.");
+    }
+    if (!user) {
+      throw new Error("User data is required");
+    }
+
+    const existing = await this.getUserById(userId);
+
+    if (!existing) {
+      throw new Error("User does not exist.");
+    }
+
+    await this.#db("users").where({ id: userId }).update(user);
+
+    return await this.getUserById(userId);
+  }
+
+  /** @inheritdoc */
+  async deleteUser(userId) {
+    return !!(await this.#db("users").where({ id: userId }).delete());
+  }
+
+  async getAllUsers() {
+    const users = await this.#db("users").select();
+    return users;
+  }
+
+  close() {
+    this.#db.destroy();
+  }
+}