bug(signin): return error if password don't match

- Create a function to check input password
chidimo · May 20, 2019 · 307b8e4 · 307b8e4
1 parent 418043e
commit 307b8e4
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 22 deletions.
diff --git a/controllers/AuthController.js b/controllers/AuthController.js
@@ -1,9 +1,10 @@
 import Model from '../models/Model';
 import 
 { 
-    check_user_existence,
+    check_user_exists,
     get_user_clause,
-    add_user_to_db
+    add_user_to_db,
+    check_password
 } from './helpers/AuthController';
 // import { dev_logger } from '../utils/loggers';
 
@@ -12,7 +13,7 @@ const users_model = new Model('users');
 const AuthController = {
     signup: async (req, res) => {
         const { email } = req.body;
-        const user_exists = await check_user_existence(
+        const user_exists = await check_user_exists(
             users_model, email, res);
 
         if (user_exists) {
@@ -27,13 +28,20 @@ const AuthController = {
         const user = await get_user_clause(users_model, res, clause, err_msg);
         return res.status(201).json({ data: { ...user, token: req.token } });
     },
-    
+
     signin: async (req, res) => {
-        const { email } = req.body;
+        const { email, password } = req.body;
         const clause = `WHERE email='${email}'`;
         const err_msg = `User with email ${email} does not exist.`;
-        const user = await get_user_clause(users_model, res, clause, err_msg);
-        return res.status(200).json({ data: { ...user, token: req.token } });
+        // check user exists
+        const match = await check_password(users_model, email, password, res);
+        if (match) {
+            const user = await get_user_clause(
+                users_model, res, clause, err_msg);
+            return res
+                .status(200).json({ data: { ...user, token: req.token } });
+        }
+        return res.status(404).json({ error: 'Incorrect password' });
     },
 };
 

diff --git a/controllers/UsersController.js b/controllers/UsersController.js
@@ -36,15 +36,13 @@ const UsersController = {
             let data;
             if (status) {
                 data = await users_model.select(
-                    `id, email, password, firstname,
-                    lastname, phone, status, address`,
+                    'id, email, firstname, lastname, phone, status, address',
                     `WHERE status='${status}'`
                 );
             }
             else {
                 data = await users_model.select(
-                    `id, email, password, firstname,
-                    lastname, phone, status, address`,
+                    'id, email, firstname, lastname, phone, status, address',
                 );
             }
             return res.status(200).json({ data: data.rows });

diff --git a/controllers/helpers/AuthController.js b/controllers/helpers/AuthController.js
@@ -2,7 +2,7 @@ import bcrypt from 'bcrypt';
 
 import { InternalServerError } from '../../utils/errorHandlers';
 
-export const check_user_existence = async (model_instance, email, res) => {
+export const check_user_exists = async (model_instance, email, res) => {
     try {
         const { rows } = await model_instance.select(
             'id, email', `WHERE email='${email}'`);
@@ -13,6 +13,17 @@ export const check_user_existence = async (model_instance, email, res) => {
     catch (e) { return InternalServerError(res, e);}
 };
 
+export const check_password = async (model_instance, email, password, res) => {
+    try {
+        const { rows } = await model_instance.select(
+            'id, email, password', `WHERE email='${email}'`);
+        const [ user, ] = rows;
+        if (bcrypt.compareSync(password, user.password)) return true;
+        return false;
+    }
+    catch (e) { return InternalServerError(res, e);}
+};
+
 export const add_user_to_db = async (model_instance, req, res) => {
     const { email, password, firstname, lastname } = req.body;
     const hashedPassword = bcrypt.hashSync(password, 8);

diff --git a/test/testdb.sql b/test/testdb.sql
@@ -225,16 +225,16 @@ COPY public.repayments (id, loanid, adminid, createdon, amount) FROM stdin;
 --
 
 COPY public.users (id, email, password, firstname, lastname, phone, photo, address, status, isadmin) FROM stdin;
-1	a@b.com	password	first	men	080121515	\N	{"home": "iyaba", "office": "ring road"}	unverified	f
-2	c@d.go	password	name	cat	08151584151	\N	{"home": "london", "office": "NYC"}	unverified	f
-3	me@yahoo.com	password	tayo	dele	08012345678	\N	{"home": "ijebu", "office": "ijegun"}	unverified	f
+1	a@b.com	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	first	men	080121515	\N	{"home": "iyaba", "office": "ring road"}	unverified	f
+2	c@d.go	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	name	cat	08151584151	\N	{"home": "london", "office": "NYC"}	unverified	f
+3	me@yahoo.com	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	tayo	dele	08012345678	\N	{"home": "ijebu", "office": "ijegun"}	unverified	f
 4	abc@gmail.com	password	what	is	08012345678	\N	{"home": "must", "office": "not"}	unverified	f
-5	name@chat.co	password	niger	tornadoes	08012345678	\N	{"home": "niger", "office": "niger"}	unverified	f
-6	bcc@gmail.com	password	bcc	lions	08012345678	\N	{"home": "gboko", "office": "gboko"}	unverified	f
-7	bbc@bbc.uk	password	bbc	broadcast	08012345678	\N	{"home": "london", "office": "uk"}	unverified	f
-8	c@g.move	password	abc	def	08012345678	\N	{"home": "shop", "office": "home"}	unverified	f
-9	an@dela.ng	password	and	ela	08012345678	\N	{"home": "ikorodu", "office": "lagos"}	unverified	f
-10	soft@ware.eng	password	soft	eng	08012345678	\N	{"home": "remote", "office": "on-site"}	unverified	f
+5	name@chat.co	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	niger	tornadoes	08012345678	\N	{"home": "niger", "office": "niger"}	unverified	f
+6	bcc@gmail.com	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	bcc	lions	08012345678	\N	{"home": "gboko", "office": "gboko"}	unverified	f
+7	bbc@bbc.uk	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	bbc	broadcast	08012345678	\N	{"home": "london", "office": "uk"}	unverified	f
+8	c@g.move	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	abc	def	08012345678	\N	{"home": "shop", "office": "home"}	unverified	f
+9	an@dela.ng	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	and	ela	08012345678	\N	{"home": "ikorodu", "office": "lagos"}	unverified	f
+10	soft@ware.eng	$2b$08$PyyTo.r0nPso8DHA0HfTs.lZSaGNA6J23V4eiw06rN8iWJin24f3O	soft	eng	08012345678	\N	{"home": "remote", "office": "on-site"}	unverified	f
 \.
 
 

diff --git a/test/users-spec.js b/test/users-spec.js
@@ -141,6 +141,20 @@ describe('/users', () => {
                         done();
                     });
             });
+
+
+            it('should return error for wrong password', done => {
+                const user = { email: 'a@b.com', password: 'wrongpassword' };
+                server
+                    .post('/auth/signin')
+                    .send(user)
+                    .expect(200)
+                    .end((err, res) => {
+                        res.status.should.equal(404);
+                        res.body.error.should.equal('Incorrect password');
+                        done();
+                    });
+            });
         });
     });
 
@@ -169,7 +183,6 @@ describe('/users', () => {
                     for (const each of res.body.data) {
                         each.should.have.property('id');
                         each.should.have.property('email');
-                        each.should.have.property('password');
                         each.should.have.property('firstname');
                         each.should.have.property('lastname');
                         each.should.have.property('phone');