🔀 Add login flow and update user model #64
Conversation
server/api/users.js
Outdated
| } | ||
| } | ||
| const payload = await getUserChallenge(wallet); | ||
| if (!payload || !payload.wallet) res.sendStatus(404); |
There was a problem hiding this comment.
need a exit/throw after res.sendStatus(404) or it will continue to run
package.json
Outdated
| "cross-env": "^5.1.6", | ||
| "crypto": "^1.0.1", |
There was a problem hiding this comment.
crypto should be built-in for current nodejs version and should not be pull from npm
server/util/jwt.js
Outdated
| }); | ||
| }; | ||
|
|
||
| export const jwtAuthNoBlock = (req, res, next) => { |
There was a problem hiding this comment.
jwtAuth and jwtAuthNoBlock should either be
- Two functions calling 1 same function with different params, or
- Make
jwtAutha function that returns a middleware, withcredentialsRequiredvalue based on a input param
| ); | ||
| res.setHeader('Pragma', 'no-cache'); | ||
| res.setHeader('Expires', '0'); | ||
| } |
There was a problem hiding this comment.
ambiguous naming of setAuthHeader which is actually setting header to no-cache
server/api/index.js
Outdated
|
|
||
| import users from './users'; | ||
| import assets from './assets'; | ||
|
|
||
| const router = Router(); | ||
|
|
||
| router.use(cookieParser()); | ||
| router.use(bodyParser.json()); | ||
| router.use(bodyParser.urlencoded({ extended: true })); |
There was a problem hiding this comment.
probably should remove urlencoded if not needed
| params: { wallet: queryWallet }, | ||
| })); | ||
| } else { | ||
| data = Object.assign({ wallet: queryWallet }, LIKECOIN_USER_STUB); |
There was a problem hiding this comment.
LIKECOIN_USER_STUB should be used only when NODE_ENV is not production
server/util/auth.js
Outdated
| wallet, | ||
| })); | ||
| } else { | ||
| data = Object.assign({ wallet }, LIKECOIN_USER_STUB); |
There was a problem hiding this comment.
LIKECOIN_USER_STUB should be used only when NODE_ENV is not production
server/util/auth.js
Outdated
| avatar, | ||
| } = data; | ||
| if (!likecoinId || !displayName || wallet !== responseWallet) { | ||
| throw new Error('POST_CHALLENGE_FAILED'); |
There was a problem hiding this comment.
probably want to wrap whole function in try catch for POST_CHALLENGE_FAILED
and this particular part seems like SOMETHING_EVIL_IS_GOING_ON for me
server/util/jwt.js
Outdated
| } | ||
| throw new UnauthorizedError('credentials_required', { | ||
| message: 'No authorization token was found', | ||
| }); |
There was a problem hiding this comment.
should obey credentialsRequired flag instead of checking req.route.path and throwing UnauthorizedError randomly
probably want to remove line 24 to 29 and just return null
server/util/jwt.js
Outdated
| } | ||
|
|
||
| export const jwtSign = (payload) => | ||
| jwt.sign(payload, secret, { expiresIn: '7d' }); |
There was a problem hiding this comment.
7d should be configurable and no idea why cookie expire in 365 but jwt in 7
mckingho
force-pushed
the
master
branch
3 times, most recently
from
6d8e757
to
8bf8d48
Compare
server/util/auth.js
Outdated
| const { challenge, signature, wallet } = payload; | ||
| let data; | ||
| if (process.env.production) { | ||
| ({ data } = await axios.post(LIKECOIN_AUTH_URL, { |
There was a problem hiding this comment.
should be process.env.NODE_ENV === 'production' and might also want to check if LIKECOIN_AUTH_URL is not falsy
server/util/auth.js
Outdated
| export async function getUserChallenge(queryWallet) { | ||
| let data; | ||
| if (process.env.production) { | ||
| ({ data } = await axios.get(LIKECOIN_AUTH_URL, { |
There was a problem hiding this comment.
should be process.env.NODE_ENV === 'production' and might also want to check if LIKECOIN_AUTH_URL is not falsy
server/util/jwt.js
Outdated
| ) { | ||
| return req.headers.authorization.split(' ')[1]; | ||
| } else if (req.cookies && req.cookies[JWT_COOKIE_KEY]) { | ||
| return req.cookies.auth; |
There was a problem hiding this comment.
should be req.cookies[JWT_COOKIE_KEY]
server/util/jwt.js
Outdated
| } | ||
|
|
||
| export const jwtSign = (payload) => | ||
| jwt.sign(payload, secret, { expiresIn: `${JWT_EXPIRE_DAYS}d` }); |
There was a problem hiding this comment.
should not assume it must be d (days), whole string should be configurable
server/util/jwt.js
Outdated
| next(e); | ||
| }); | ||
| }; | ||
| return auth; |
There was a problem hiding this comment.
just return a arrow function without declaring auth
|
Connects #37 |
|
|
||
| export async function getUserChallenge(queryWallet) { | ||
| let data; | ||
| if (process.env.NODE_ENV === 'production' || LIKECOIN_AUTH_URL) { |
There was a problem hiding this comment.
After introducing of config/server.js, the rule should be no process.env in application code.
| likecoinId, | ||
| wallet: responseWallet, | ||
| }; | ||
| } catch (err) { |
There was a problem hiding this comment.
The try catch scope it too big. It will make debuging very difficult.
For example, we don't know it is like api fails or our application fails to handle edge case.
| res.setHeader('Expires', '0'); | ||
| } | ||
|
|
||
| export const jwtSign = (payload) => |
There was a problem hiding this comment.
It is not symmetric with other API in same apckage. Other are operating on request and request header level. This one is pure function.
I think it should accept a payload and request?
| crypto | ||
| .randomBytes(64) | ||
| .toString('hex') | ||
| .slice(0, 64); |
There was a problem hiding this comment.
This default should go to the config/server
| }); | ||
| }; | ||
|
|
||
| export const AUTH_COOKIE_OPTION = { |
There was a problem hiding this comment.
No need to expose it and the options logic should belong to this package.
No description provided.