-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🔀 Add login flow and update user model #64
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also commit message is ambiguous, probably want to state clearly what jwt and avatar is for, and where
server/api/users.js
Outdated
} | ||
} | ||
const payload = await getUserChallenge(wallet); | ||
if (!payload || !payload.wallet) res.sendStatus(404); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need a exit/throw after res.sendStatus(404)
or it will continue to run
package.json
Outdated
"cross-env": "^5.1.6", | ||
"crypto": "^1.0.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
crypto should be built-in for current nodejs version and should not be pull from npm
server/util/jwt.js
Outdated
}); | ||
}; | ||
|
||
export const jwtAuthNoBlock = (req, res, next) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
jwtAuth
and jwtAuthNoBlock
should either be
- Two functions calling 1 same function with different params, or
- Make
jwtAuth
a function that returns a middleware, withcredentialsRequired
value based on a input param
); | ||
res.setHeader('Pragma', 'no-cache'); | ||
res.setHeader('Expires', '0'); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ambiguous naming of setAuthHeader
which is actually setting header to no-cache
server/api/index.js
Outdated
|
||
import users from './users'; | ||
import assets from './assets'; | ||
|
||
const router = Router(); | ||
|
||
router.use(cookieParser()); | ||
router.use(bodyParser.json()); | ||
router.use(bodyParser.urlencoded({ extended: true })); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably should remove urlencoded
if not needed
params: { wallet: queryWallet }, | ||
})); | ||
} else { | ||
data = Object.assign({ wallet: queryWallet }, LIKECOIN_USER_STUB); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LIKECOIN_USER_STUB
should be used only when NODE_ENV
is not production
server/util/auth.js
Outdated
wallet, | ||
})); | ||
} else { | ||
data = Object.assign({ wallet }, LIKECOIN_USER_STUB); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LIKECOIN_USER_STUB
should be used only when NODE_ENV
is not production
server/util/auth.js
Outdated
avatar, | ||
} = data; | ||
if (!likecoinId || !displayName || wallet !== responseWallet) { | ||
throw new Error('POST_CHALLENGE_FAILED'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
probably want to wrap whole function in try catch for POST_CHALLENGE_FAILED
and this particular part seems like SOMETHING_EVIL_IS_GOING_ON
for me
server/util/jwt.js
Outdated
} | ||
throw new UnauthorizedError('credentials_required', { | ||
message: 'No authorization token was found', | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should obey credentialsRequired
flag instead of checking req.route.path
and throwing UnauthorizedError
randomly
probably want to remove line 24 to 29 and just return null
server/util/jwt.js
Outdated
} | ||
|
||
export const jwtSign = (payload) => | ||
jwt.sign(payload, secret, { expiresIn: '7d' }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
7d
should be configurable and no idea why cookie expire in 365 but jwt in 7
6d8e757
to
8bf8d48
Compare
server/util/auth.js
Outdated
const { challenge, signature, wallet } = payload; | ||
let data; | ||
if (process.env.production) { | ||
({ data } = await axios.post(LIKECOIN_AUTH_URL, { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be process.env.NODE_ENV === 'production'
and might also want to check if LIKECOIN_AUTH_URL
is not falsy
server/util/auth.js
Outdated
export async function getUserChallenge(queryWallet) { | ||
let data; | ||
if (process.env.production) { | ||
({ data } = await axios.get(LIKECOIN_AUTH_URL, { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be process.env.NODE_ENV === 'production'
and might also want to check if LIKECOIN_AUTH_URL
is not falsy
server/util/jwt.js
Outdated
) { | ||
return req.headers.authorization.split(' ')[1]; | ||
} else if (req.cookies && req.cookies[JWT_COOKIE_KEY]) { | ||
return req.cookies.auth; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should be req.cookies[JWT_COOKIE_KEY]
server/util/jwt.js
Outdated
} | ||
|
||
export const jwtSign = (payload) => | ||
jwt.sign(payload, secret, { expiresIn: `${JWT_EXPIRE_DAYS}d` }); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should not assume it must be d
(days), whole string should be configurable
server/util/jwt.js
Outdated
next(e); | ||
}); | ||
}; | ||
return auth; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just return a arrow function without declaring auth
Connects #37 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Various comments but not a merge blocker.
|
||
export async function getUserChallenge(queryWallet) { | ||
let data; | ||
if (process.env.NODE_ENV === 'production' || LIKECOIN_AUTH_URL) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After introducing of config/server.js
, the rule should be no process.env in application code.
likecoinId, | ||
wallet: responseWallet, | ||
}; | ||
} catch (err) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The try catch scope it too big. It will make debuging very difficult.
For example, we don't know it is like api fails or our application fails to handle edge case.
res.setHeader('Expires', '0'); | ||
} | ||
|
||
export const jwtSign = (payload) => |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not symmetric with other API in same apckage. Other are operating on request and request header level. This one is pure function.
I think it should accept a payload and request?
crypto | ||
.randomBytes(64) | ||
.toString('hex') | ||
.slice(0, 64); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This default should go to the config/server
}); | ||
}; | ||
|
||
export const AUTH_COOKIE_OPTION = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need to expose it and the options logic should belong to this package.
No description provided.