@stanlemon/server-with-auth 0.2.12 → 0.3.0

package/src/routes/auth.js

@@ -1,24 +1,50 @@
-import { isEmpty } from "lodash-es";
+import { EventEmitter } from "node:events";
+import { isEmpty, omit } from "lodash-es";
 import { Router } from "express";
+import passport from "passport";
 import jwt from "jsonwebtoken";
-import {
-  schemaHandler,
-  formatOutput,
-  BadRequestException,
-} from "@stanlemon/server";
+import { schemaHandler, formatOutput } from "@stanlemon/server";
 import checkAuth from "../checkAuth.js";
-import UserDao from "../data/user-dao.js";
+import checkUserDao from "../utilities/checkUserDao.js";
+import checkSchemas from "../utilities/checkSchemas.js";
+import { HIDDEN_FIELDS, ROUTES, EVENTS } from "../constants.js";
 
+/**
+ * Create express routes for authentication operations.
+ * @param {object} options
+ * @param {string[]} options.secret Route patterns to protect by authentication.
+ * @param {Object.<string, Joi.Schema>} options.schemas Object map of routes to schema for validating route inputs.
+ * @param {import("../data/user-dao.js").default} options.dao Dao to use for various user operations
+ * @param {EventEmitter} options.eventEmitter  Event emitter that can be used to hook into user operations
+ * @param {number} options.jwtExpireInMinutes Number of minutes before a JWT token expires
+ * @returns {Express.Router}
+ */
 /* eslint-disable max-lines-per-function */
-export default function authRoutes({ secret, schema, dao }) {
-  if (!(dao instanceof UserDao)) {
-    throw new Error("The dao object must be of type UserDao.");
+export default function authRoutes({
+  secret,
+  schemas,
+  dao,
+  eventEmitter,
+  jwtExpireInMinutes,
+}) {
+  checkUserDao(dao);
+  checkSchemas(schemas);
+
+  if (!(eventEmitter instanceof EventEmitter)) {
+    throw new Error("The eventEmitter object must be of type EventEmitter.");
   }
 
   const router = Router();
 
-  router.get("/auth/session", checkAuth(), async (req, res) => {
-    const userId = req.user;
+  const makeJwtToken = (user) => {
+    const token = jwt.sign({ ...user }, secret, {
+      expiresIn: 60 * jwtExpireInMinutes,
+    });
+    return token;
+  };
+
+  router.get(ROUTES.SESSION, checkAuth(), async (req, res) => {
+    const userId = req.user.id;
 
     if (!userId) {
       res.status(401).json({
@@ -36,38 +62,56 @@ export default function authRoutes({ secret, schema, dao }) {
         user: false,
       });
     } else {
-      const token = jwt.sign(user.id, secret);
-      res.status(200).json({ token, user: formatOutput(user, ["password"]) });
+      const token = makeJwtToken(user);
+      res.status(200).json({ token, user: formatOutput(user, HIDDEN_FIELDS) });
     }
   });
 
-  router.post("/auth/login", async (req, res) => {
-    const user = await dao.getUserByUsernameAndPassword(
-      req.body.username,
-      req.body.password
-    );
+  router.post(ROUTES.LOGIN, (req, res, next) => {
+    // Customizing the login so we can send a proper JSON response when unable to login
+    passport.authenticate("local", (err, user, info) => {
+      if (err) {
+        return next(err);
+      }
+      if (!user) {
+        return res.status(401).json({
+          success: false,
+          message: "Incorrect username or password.",
+        });
+      }
 
-    if (!user) {
-      res.status(401).json({
-        message: "Incorrect username or password.",
-      });
-      return;
-    }
+      return req.logIn(user, (err) => {
+        if (err) {
+          return next(err);
+        }
 
-    const update = await dao.updateUser(user.id, {
-      last_logged_in: new Date(),
-    });
+        return dao
+          .updateUser(user.id, {
+            last_logged_in: new Date(),
+          })
+          .then((update) => {
+            const token = makeJwtToken(user);
 
-    const token = jwt.sign(user.id, secret);
+            eventEmitter.emit(EVENTS.USER_LOGIN, omit(user, ["password"]));
 
-    res.json({
-      token,
-      user: formatOutput(update, ["password"]),
-    });
+            return res.json({
+              token,
+              user: formatOutput(update, HIDDEN_FIELDS),
+            });
+          });
+      });
+    })(req, res, next);
   });
 
-  router.get("/auth/logout", (req, res) => {
-    req.logout();
+  router.get(ROUTES.LOGOUT, (req, res) => {
+    // This will happen if you are only using the JWT strategy
+    if (req.logout !== undefined) {
+      req.logout();
+    } else {
+      console.warn("Logout attempted, but there is no logout function.");
+    }
+
+    eventEmitter.emit(EVENTS.USER_LOGOUT, req.user.id);
 
     return res.status(401).json({
       token: false,
@@ -76,33 +120,38 @@ export default function authRoutes({ secret, schema, dao }) {
   });
 
   router.post(
-    "/auth/register",
-    schemaHandler(schema, async (data) => {
+    ROUTES.SIGNUP,
+    schemaHandler(schemas[ROUTES.SIGNUP], async (data, req, res) => {
       const existing = await dao.getUserByUsername(data.username);
 
       if (existing) {
-        throw new BadRequestException(
-          "A user with this username already exists"
-        );
+        res.status(400).json({
+          success: false,
+          message: "A user with this username already exists.",
+        });
+        return;
       }
 
-      const user = await dao.createUser(data);
+      const user = await dao.createUser({
+        ...data,
+      });
 
       if (isEmpty(user)) {
-        return {
+        res.status(400).json({
+          success: false,
           message: "An error has occurred",
-        };
+        });
+        return;
       }
 
-      // TODO: Add hook for handling verification notification
-      // user.verification_token
+      eventEmitter.emit(EVENTS.USER_CREATED, omit(user, ["password"]));
 
-      const token = jwt.sign(user.id, secret);
-      return { token, user: formatOutput(user, ["password"]) };
+      const token = makeJwtToken(user);
+      return { token, user: formatOutput(user, HIDDEN_FIELDS) };
     })
   );
 
-  router.get("/auth/verify/:token", async (req, res) => {
+  router.get(ROUTES.VERIFY, async (req, res) => {
     const { token } = req.params;
 
     const user = await dao.getUserByVerificationToken(token);
@@ -121,8 +170,132 @@ export default function authRoutes({ secret, schema, dao }) {
 
     await dao.updateUser(user.id, { verified_date: new Date() });
 
+    eventEmitter.emit(EVENTS.USER_VERIFIED, omit(user, ["password"]));
+
     return res.send({ success: true, message: "User verified!" });
   });
 
+  router.get(ROUTES.USER, checkAuth(), async (req, res) => {
+    const userId = req.user.id;
+
+    if (!userId) {
+      res.status(401).json({
+        token: false,
+        user: false,
+      });
+      return;
+    }
+
+    const user = await dao.getUserById(userId);
+
+    if (!user) {
+      res.status(401).json({
+        token: false,
+        user: false,
+      });
+    } else {
+      res.status(200).json(formatOutput(user, HIDDEN_FIELDS));
+    }
+  });
+
+  router.put(
+    ROUTES.USER,
+    checkAuth(),
+    schemaHandler(schemas[ROUTES.USER], async (data, req, res) => {
+      const user = await dao.getUserById(req.user.id);
+
+      if (!user) {
+        res.status(404).json({
+          success: false,
+          message: "Not Found",
+        });
+        return;
+      }
+
+      const input = {
+        ...omit(data, [
+          "id",
+          "created_at",
+          "last_updated",
+          "last_login",
+          "password",
+          "username",
+          "verification_token",
+          "verified_date",
+        ]),
+      };
+
+      const updated = await dao.updateUser(user.id, input);
+
+      eventEmitter.emit(EVENTS.USER_UPDATED, omit(user, ["password"]));
+
+      res.status(200).json(formatOutput(updated, HIDDEN_FIELDS));
+    })
+  );
+
+  router.delete(ROUTES.USER, checkAuth(), async (req, res) => {
+    const deleted = await dao.deleteUser(req.user.id);
+
+    eventEmitter.emit(EVENTS.USER_DELETED, req.user.id, deleted);
+
+    res.status(200).json({ success: deleted });
+  });
+
+  router.post(
+    ROUTES.PASSWORD,
+    checkAuth(),
+    schemaHandler(schemas[ROUTES.PASSWORD], async (data, req, res) => {
+      const currentUser = await dao.getUserById(req.user.id);
+      const user = await dao.getUserByUsernameAndPassword(
+        currentUser.username,
+        data.current_password // Reminder: Joi will switch the casing
+      );
+
+      if (!user) {
+        res.status(400).json({
+          success: false,
+          errors: {
+            current_password: "Current password is incorrect",
+          },
+        });
+        return;
+      }
+
+      const success = await dao.updateUser(user.id, {
+        password: data.password,
+      });
+
+      if (success) {
+        eventEmitter.emit(EVENTS.USER_PASSWORD, omit(user, ["password"]));
+      }
+
+      return { success: success };
+    })
+  );
+
+  // TODO: This is a placeholder for a password reset request, you should implement the event handler to handle this.
+  router.get(
+    ROUTES.RESET,
+    schemaHandler(schemas[ROUTES.RESET], async (data) => {
+      const user = await dao.getUserByUsername(data.username);
+
+      eventEmitter.emit(EVENTS.USER_RESET_REQUESTED, omit(user, ["password"]));
+
+      return { success: true };
+    })
+  );
+
+  // TODO: This is a placeholder for a password reset completion, you should implement the event handler to handle this.
+  router.post(
+    ROUTES.RESET,
+    schemaHandler(schemas[ROUTES.RESET], async (data) => {
+      const user = await dao.getUserByUsername(data.username);
+
+      eventEmitter.emit(EVENTS.USER_RESET_COMPLETED, omit(user, ["password"]));
+
+      return { success: true };
+    })
+  );
+
   return router;
 }

package/src/routes/auth.test.js

@@ -2,59 +2,62 @@
  * @jest-environment node
  */
 import request from "supertest";
-import createAppServer from "../createAppServer";
-import LowDBUserDao, { createInMemoryDb } from "../data/lowdb-user-dao.js";
+import Joi from "joi";
+import { v4 as uuidv4 } from "uuid";
+import { createAppServer, createSchemas } from "../index.js";
+import LowDBUserDao, { createInMemoryLowDb } from "../data/lowdb-user-dao.js";
 
 // This suppresses a warning we don't need in tests
 process.env.JWT_SECRET = "SECRET";
 
-let dao = new LowDBUserDao(createInMemoryDb());
+let dao = new LowDBUserDao(createInMemoryLowDb());
 
 // We want to explicitly test functionality we disable during testing
 process.env.NODE_ENV = "override";
-const app = createAppServer({ dao, start: false });
+const app = createAppServer({
+  dao,
+  start: false,
+  schemas: createSchemas({
+    name: Joi.string().label("Name"),
+    email: Joi.string().email().label("Email"),
+  }),
+});
 process.env.NODE_ENV = "test";
 
 describe("/auth", () => {
-  let userId;
-
-  beforeAll(async () => {
-    // Reset our users database before each test
-    const user = await dao.createUser({
-      username: "test",
-      password: "test",
-    });
-
-    userId = user.id;
-  });
-
   // Disabling this linting rule because it is unaware of the supertest assertions
   /* eslint-disable jest/expect-expect */
-  it("POST /register creates a user", async () => {
-    const username = "test1";
+  it("POST /signup creates a user", async () => {
+    const username = "test" + uuidv4();
     const password = "p@$$w0rd!";
+    const fullName = "Test User";
 
     const data = {
       username,
       password,
+      fullName, // Not in the schema, should be discarded
     };
 
     await request(app)
-      .post("/auth/register")
+      .post("/auth/signup")
       .set("Content-Type", "application/json")
       .set("Accept", "application/json")
       .send(data)
       .expect(200)
       .then((res) => {
+        expect(res.body.user.username).toEqual(username);
+        expect(res.body.user.createdAt).not.toBeUndefined();
+        expect(res.body.user.lastUpdated).not.toBeUndefined();
+        expect(res.body.user.fullName).toBeUndefined();
         expect(res.body.errors).toBeUndefined();
         expect(res.body.token).not.toBeUndefined();
         expect(res.body.user).not.toBeUndefined();
       });
   });
 
-  it("POST /register returns error on empty data", async () => {
+  it("POST /signup returns error on empty data", async () => {
     await request(app)
-      .post("/auth/register")
+      .post("/auth/signup")
       .set("Content-Type", "application/json")
       .set("Accept", "application/json")
       .expect(400)
@@ -64,11 +67,11 @@ describe("/auth", () => {
       });
   });
 
-  it("POST /register returns error on short password", async () => {
+  it("POST /signup returns error on short password", async () => {
     await request(app)
-      .post("/auth/register")
+      .post("/auth/signup")
       .send({
-        username: "testshort",
+        username: "test" + uuidv4(),
         password: "short",
       })
       .set("Content-Type", "application/json")
@@ -80,11 +83,11 @@ describe("/auth", () => {
       });
   });
 
-  it("POST /register returns error on too long password", async () => {
+  it("POST /signup returns error on too long password", async () => {
     await request(app)
-      .post("/auth/register")
+      .post("/auth/signup")
       .send({
-        username: "testlong",
+        username: "test" + uuidv4(),
         password:
           "waytolongpasswordtobeusedforthisapplicationyoushouldtrysomethingmuchmuchshorter",
       })
@@ -97,54 +100,206 @@ describe("/auth", () => {
       });
   });
 
-  it("POST /register returns error on already taken username", async () => {
+  it("POST /signup returns error on already taken username", async () => {
+    const data = {
+      username: "test" + uuidv4(),
+      password: "p@$$w0rd!",
+    };
+
+    // First call should succeed
     await request(app)
-      .post("/auth/register")
-      .send({
-        username: "test",
-        password: "p@$$w0rd!",
-      })
+      .post("/auth/signup")
+      .send(data)
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .expect(200);
+
+    // Second call will fail
+    await request(app)
+      .post("/auth/signup")
+      .send(data)
       .set("Content-Type", "application/json")
       .set("Accept", "application/json")
       .expect(400)
       .then((res) => {
         expect(res.body).toEqual({
-          error: "Bad Request: A user with this username already exists",
+          success: false,
+          message: "A user with this username already exists.",
         });
       });
   });
 
+  /**
+   * @returns Session token
+   */
+  async function signupAndLogin(
+    username = "test" + uuidv4(),
+    password = "p@$$w0rd!"
+  ) {
+    const signup = await request(app)
+      .post("/auth/signup")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .send({
+        username,
+        password,
+      })
+      .expect(200);
+
+    const session = await request(app)
+      .post("/auth/login")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .send({
+        username,
+        password,
+      })
+      .expect(200);
+
+    expect(signup.body.user.id).toEqual(session.body.user.id);
+
+    return {
+      id: session.body.user.id,
+      token: session.body.token,
+    };
+  }
+
   it("GET /verify verifies user", async () => {
-    const user = dao.getUserById(userId);
+    const { id } = await signupAndLogin();
+    // Verification token should not be part of the response, so load it from the DB
+    const user = await dao.getUserById(id);
 
     expect(user.verification_token).not.toBe(null);
     expect(user.verified_date).toBeUndefined();
 
     // First call will verify the user
-    await request(app)
+    const verify = await request(app)
       .get("/auth/verify/" + user.verification_token)
       .set("Content-Type", "application/json")
       .set("Accept", "application/json")
-      .expect(200)
-      .then((res) => {
-        expect(res.body.success).toEqual(true);
-      });
+      .expect(200);
+
+    expect(verify.body.success).toEqual(true);
 
-    const refresh = await dao.getUserById(userId);
+    const refresh = await dao.getUserById(user.id);
 
     expect(refresh.verified_date).not.toBe(null);
 
     // Subsequent calls are not successful because the user is already verified
-    await request(app)
+    const reverify = await request(app)
       .get("/auth/verify/" + user.verification_token)
       .set("Content-Type", "application/json")
       .set("Accept", "application/json")
-      .expect(400)
-      .then((res) => {
-        expect(res.body).toEqual({
-          success: false,
-          message: "User already verified.",
-        });
-      });
+      .expect(400);
+    expect(reverify.body).toEqual({
+      success: false,
+      message: "User already verified.",
+    });
+  });
+
+  it("GET /user retrieves the user", async () => {
+    const username = "test" + uuidv4();
+    const password = "p@$$w0rd!";
+
+    const { id, token } = await signupAndLogin(username, password);
+
+    const user = await request(app)
+      .get("/auth/user")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .set("Authorization", "Bearer " + token);
+
+    expect(user.status).toEqual(200);
+    expect(user.body.id).toEqual(id);
+    expect(user.body.username).toEqual(username);
+    expect(user.body.createdAt).not.toBeUndefined();
+    expect(user.body.lastUpdated).not.toBeUndefined();
+    expect(user.body.fullName).toBeUndefined();
+  });
+
+  it("UPDATE /user updates the user", async () => {
+    const { id, token } = await signupAndLogin();
+
+    const check = await dao.getUserById(id);
+
+    expect(check.name).toBeFalsy();
+    expect(check.email).toBeFalsy();
+
+    const data = {
+      name: "Test User",
+      email: "test@test.com",
+    };
+
+    const update = await request(app)
+      .put("/auth/user")
+      .send(data)
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .set("Authorization", "Bearer " + token);
+
+    expect(update.status).toEqual(200);
+
+    const user = await dao.getUserById(id);
+
+    expect(user.name).toEqual(data.name);
+    expect(user.email).toEqual(data.email);
+  });
+
+  it("DELETE /user deletes the user", async () => {
+    const { id, token } = await signupAndLogin();
+
+    const del = await request(app)
+      .delete("/auth/user")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .set("Authorization", "Bearer " + token);
+
+    expect(del.status).toEqual(200);
+
+    const user = await dao.getUserById(id);
+
+    expect(user).toBeFalsy();
+  });
+
+  it("POST /password updates the password", async () => {
+    const username = "test" + uuidv4();
+    const password1 = "FirstP@ssw0rd";
+    const password2 = "SecondP@ssw0rd";
+    const data = { password: password2, current_password: password1 };
+
+    const { token } = await signupAndLogin(username, password1);
+
+    const reset = await request(app)
+      .post("/auth/password")
+      .send(data)
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .set("Authorization", "Bearer " + token);
+
+    expect(reset.status).toEqual(200);
+
+    // Using the old password should fail
+    await request(app)
+      .post("/auth/login")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .send({
+        username,
+        password: password1,
+      })
+      .expect(401);
+
+    // Using the new password should succeed
+    const attempt2 = await request(app)
+      .post("/auth/login")
+      .set("Content-Type", "application/json")
+      .set("Accept", "application/json")
+      .send({
+        username,
+        password: password2,
+      })
+      .expect(200);
+
+    expect(attempt2.body.user.username).toEqual(username);
   });
 });