Initial commit.

Author: oampo

.gitignore

@@ -0,0 +1,2 @@
+node_modules
+.env

auth/index.js

@@ -0,0 +1,5 @@
+const {router} = require('./router');
+require('./strategies');
+
+module.exports = {router};
+

auth/router.js

@@ -0,0 +1,36 @@
+const express = require('express');
+const passport = require('passport');
+const jwt = require('jsonwebtoken');
+
+const config = require('../config');
+
+const createAuthToken = user => {
+  return jwt.sign({user}, config.JWT_SECRET, {
+    subject: user.username,
+    expiresIn: config.JWT_EXPIRY,
+    algorithm: 'HS256'
+  });
+};
+
+const router = express.Router();
+
+router.post('/login',
+  // The user provides a username and password to login
+  passport.authenticate('basic', {session: false}),
+  (req, res) => {
+    const authToken = createAuthToken(req.user.apiRepr());
+    res.json({authToken});
+  }
+);
+
+router.post('/refresh',
+  // The user exchanges an existing valid JWT for a new one with a later
+  // expiration
+  passport.authenticate('jwt', {session: false}),
+  (req, res) => {
+    const authToken = createAuthToken(req.user);
+    res.json({authToken});
+  }
+);
+
+module.exports = {router};

auth/strategies.js

@@ -0,0 +1,55 @@
+const passport = require('passport');
+const {BasicStrategy} = require('passport-http');
+const {Strategy: JwtStrategy, ExtractJwt} = require('passport-jwt');
+
+const {User} = require('../users/models');
+
+const basicStrategy = new BasicStrategy((username, password, callback) => {
+  let user;
+  User
+    .findOne({username: username})
+    .then(_user => {
+      user = _user;
+      if (!user) {
+        return Promise.reject({
+          reason: 'LoginError',
+          message: 'Incorrect username',
+          location: 'username'
+        });
+      }
+      return user.validatePassword(password);
+    })
+    .then(isValid => {
+      if (!isValid) {
+        return Promise.reject({
+          reason: 'LoginError',
+          message: 'Incorrect password',
+          location: 'password'
+        });
+      }
+      return callback(null, user)
+    })
+    .catch(err => {
+      if (err.reason === 'LoginError') {
+        return callback(null, false, err);
+      }
+      return callback(err, false);
+    });
+});
+
+passport.use(basicStrategy);
+
+const jwtStrategy = new JwtStrategy({
+    secretOrKey: process.env.JWT_SECRET,
+    // Look for the JWT as a Bearer auth header
+    jwtFromRequest: ExtractJwt.fromAuthHeaderWithScheme('Bearer'),
+    // Only allow HS256 tokens - the same as the ones we issue
+    algorithms: ['HS256']
+  },
+  (payload, done) => {
+    done(null, payload.user)
+  }
+);
+
+passport.use(jwtStrategy);
+

config.js

@@ -0,0 +1,6 @@
+exports.DATABASE_URL = process.env.DATABASE_URL ||
+                       global.DATABASE_URL ||
+                      'mongodb://localhost/basic-auth-demo';
+exports.PORT = process.env.PORT || 8080;
+exports.JWT_SECRET = process.env.JWT_SECRET;
+exports.JWT_EXPIRY = process.env.JWT_EXPIRY || '7d';

package.json

@@ -0,0 +1,30 @@
+{
+  "name": "node-basic-auth",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "start": "node server.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "bcryptjs": "^2.4.0",
+    "body-parser": "^1.15.2",
+    "dotenv": "^4.0.0",
+    "express": "^4.14.0",
+    "jsonwebtoken": "^7.4.1",
+    "mongoose": "^4.7.4",
+    "morgan": "^1.7.0",
+    "passport": "^0.3.2",
+    "passport-http": "^0.3.0",
+    "passport-jwt": "^2.2.1"
+  },
+  "devDependencies": {
+    "chai": "^3.5.0",
+    "chai-http": "^3.0.0",
+    "faker": "^3.1.0",
+    "mocha": "^3.2.0"
+  }
+}

server.js

@@ -0,0 +1,87 @@
+require('dotenv').config();
+const bodyParser = require('body-parser');
+const express = require('express');
+const mongoose = require('mongoose');
+const morgan = require('morgan');
+const passport = require('passport');
+
+const {router: usersRouter} = require('./users');
+const {router: authRouter} = require('./auth');
+
+mongoose.Promise = global.Promise;
+
+const {PORT, DATABASE_URL} = require('./config');
+
+const app = express();
+
+// Logging
+app.use(morgan('common'));
+
+// CORS
+app.use(function (req, res, next) {
+  res.header('Access-Control-Allow-Origin', '*');
+  res.header('Access-Control-Allow-Headers', 'Content-Type');
+  res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,PATCH,DELETE');
+  next();
+});
+
+app.use(passport.initialize());
+
+app.use('/api/users/', usersRouter);
+app.use('/api/auth/', authRouter);
+
+// A secret endpoint which needs a valid JWT to access it
+app.get('/api/secret',
+    passport.authenticate('jwt', {session: false}),
+    (req, res) => {
+        return res.json({
+            secret: 'rosebud'
+        });
+    });
+
+app.use('*', (req, res) => {
+  return res.status(404).json({message: 'Not Found'});
+});
+
+// Referenced by both runServer and closeServer. closeServer
+// assumes runServer has run and set `server` to a server object
+let server;
+
+function runServer() {
+  return new Promise((resolve, reject) => {
+    mongoose.connect(DATABASE_URL, err => {
+      if (err) {
+        return reject(err);
+      }
+      server = app.listen(PORT, () => {
+        console.log(`Your app is listening on port ${PORT}`);
+        resolve();
+      })
+      .on('error', err => {
+        mongoose.disconnect();
+        reject(err);
+      });
+    });
+  });
+}
+
+function closeServer() {
+  return mongoose.disconnect().then(() => {
+     return new Promise((resolve, reject) => {
+       console.log('Closing server');
+       server.close(err => {
+           if (err) {
+               return reject(err);
+           }
+           resolve();
+       });
+     });
+  });
+}
+
+if (require.main === module) {
+  runServer().catch(err => console.error(err));
+};
+
+module.exports = {app, runServer, closeServer};
+

users/index.js

@@ -0,0 +1,4 @@
+const {User} = require('./models');
+const {router} = require('./router');
+
+module.exports = {User, router};

users/models.js

@@ -0,0 +1,38 @@
+const bcrypt = require('bcryptjs');
+const mongoose = require('mongoose');
+
+mongoose.Promise = global.Promise;
+
+const UserSchema = mongoose.Schema({
+  username: {
+    type: String,
+    required: true,
+    unique: true
+  },
+  password: {
+    type: String,
+    required: true
+  },
+  firstName: {type: String, default: ""},
+  lastName: {type: String, default: ""}
+});
+
+UserSchema.methods.apiRepr = function() {
+  return {
+    username: this.username || '',
+    firstName: this.firstName || '',
+    lastName: this.lastName || ''
+  };
+}
+
+UserSchema.methods.validatePassword = function(password) {
+  return bcrypt.compare(password, this.password);
+}
+
+UserSchema.statics.hashPassword = function(password) {
+  return bcrypt.hash(password, 10);
+}
+
+const User = mongoose.model('User', UserSchema);
+
+module.exports = {User};

users/router.js

@@ -0,0 +1,102 @@
+const express = require('express');
+const bodyParser = require('body-parser');
+const passport = require('passport');
+
+const {User} = require('./models');
+
+const router = express.Router();
+
+const jsonParser = bodyParser.json();
+
+// Post to register a new user
+router.post('/', jsonParser, (req, res) => {
+  const requiredFields = ['username', 'password'];
+  const missingField = requiredFields.find(field => !(field in req.body));
+
+  if (missingField) {
+    return res.status(422).json({
+      code: 422,
+      reason: 'ValidationError',
+      message: 'Missing field',
+      location: missingField
+    });
+  }
+
+  const stringFields = ['username', 'password', 'firstName', 'lastName'];
+  const nonStringField = stringFields.find(field =>
+    (field in req.body) && typeof req.body[field] !== 'string'
+  );
+
+  if (nonStringField) {
+    return res.status(422).json({
+      code: 422,
+      reason: 'ValidationError',
+      message: 'Incorrect field type: expected string',
+      location: nonStringField
+    });
+  }
+
+  const nonEmptyFields = ['username', 'password'];
+  const emptyField = nonEmptyFields.find(field => req.body[field].trim() === '');
+
+  if (emptyField) {
+    return res.status(422).json({
+      code: 422,
+      reason: 'ValidationError',
+      message: 'Incorrect field length',
+      location: emptyField
+    });
+  }
+
+  let {username, password, firstName, lastName} = req.body;
+
+  return User
+    .find({username})
+    .count()
+    .then(count => {
+      if (count > 0) {
+        // There is an existing user with the same username
+        return Promise.reject({
+          code: 422,
+          reason: 'ValidationError',
+          message: 'Username already taken',
+          location: 'username'
+        });
+      }
+      // If there is no existing user, hash the password
+      return User.hashPassword(password)
+    })
+    .then(hash => {
+      return User
+        .create({
+          username,
+          password: hash,
+          firstName,
+          lastName
+        })
+    })
+    .then(user => {
+      return res.status(201).json(user.apiRepr());
+    })
+    .catch(err => {
+      // Forward validation errors on to the client, otherwise give a 500
+      // error because something unexpected has happened
+      if (err.reason === 'ValidationError') {
+        return res.status(err.code).json(err);
+      }
+      res.status(500).json({code: 500, message: 'Internal server error'});
+    });
+});
+
+// Never expose all your users like below in a prod application
+// we're just doing this so we have a quick way to see
+// if we're creating users. keep in mind, you can also
+// verify this in the Mongo shell.
+router.get('/', (req, res) => {
+  return User
+    .find()
+    .then(users => res.json(users.map(user => user.apiRepr())))
+    .catch(err => res.status(500).json({message: 'Internal server error'}));
+});
+
+module.exports = {router};