Improve the user auth and token verification

Author: rickyhurtado

.env.dist

@@ -1,6 +1,7 @@
 PORT=7770
 ALLOW_ORIGIN=http://localhost:7771
 JWT_SECRET=jwtsecretcode
+HASH=356a192b7913b04c54574d18c28d46e6395428ab.da4b9237bacccdf19c0760cab7aec4a8359010b0.77de68daecd823babbb58edb1c8e14d7106e83bb.1b6453892473a467d07372d45eb05abc2031647a.ac3478d69a3c81fa62e60f5c3696165a4e5e6ac4
 POSTGRES_PORT=5432
 POSTGRES_DB=express_api_dev
 POSTGRES_USER=express_api_user

README.md

@@ -22,12 +22,17 @@ Copy `.env.dist` to `.env` and change the values of the environment variables if
 PORT=7770
 ALLOW_ORIGIN=http://localhost:7771
 JWT_SECRET=jwtsecretcode
+HASH=sha1hash1.sha1hash2.sha1hash3
 POSTGRES_PORT=5432
 POSTGRES_DB=express_api_dev
 POSTGRES_USER=express_api_user
 POSTGRES_PASSWORD=root
 ```
 
+NOTE: Generate random hashes and concatenate the hashes with “.”.
+The same hashes should also be used in the React client app.
+The more hashes, the better.
+
 Then run the following commands:
 
 ```
@@ -87,33 +92,33 @@ To manage separate Docker instance for API, open another terminal console and ru
 
 ### Docker
 
-| Command                                | Description                                                        |
-|----------------------------------------|--------------------------------------------------------------------|
-| `./bin/install`                        | Build the Docker containers, initialise database and start the app |
-| `./bin/reinstall`                      | Re-build containers, re-initialise database and start the app      |
-| `./bin/start`                          | Start all the services (API and database)                          |
-| `./bin/stop`                           | Stop all the services                                              |
-| `./bin/console <container ID or Name>` | Access the terminal console of the API container                   |
+| Command                              | Description                                                        |
+|--------------------------------------|--------------------------------------------------------------------|
+| `bin/install`                        | Build the Docker containers, initialise database and start the app |
+| `bin/reinstall`                      | Re-build containers, re-initialise database and start the app      |
+| `bin/start`                          | Start all the services (API and database)                          |
+| `bin/stop`                           | Stop all the services                                              |
+| `bin/console <container ID or Name>` | Access the terminal console of the API container                   |
 
 ### Database
 
 **Local**
 
-| Command                               | Description                                                |
-|---------------------------------------|------------------------------------------------------------|
-| `./bin/pg/local/start`                | Start the PostgreSQL server (for Mac users only)           |
-| `./bin/pg/local/resetdb`              | Drop and re-initialise database                            |
-| `./bin/pg/local/migrate`              | Run new schema migration                                   |
-| `./bin/pg/local/migrateundo`          | Revert the recent schema migration                         |
-| `./bin/pg/local/seed <seed file>`     | Run specific data seed file with or without .js extension  |
-| `./bin/pg/local/seedundo <seed file>` | Revert the seed of specific data seed file                 |
-| `./bin/pg/local/psql`                 | Access the database console                                |
+| Command                             | Description                                                |
+|-------------------------------------|------------------------------------------------------------|
+| `bin/pg/local/start`                | Start the PostgreSQL server (for Mac users only)           |
+| `bin/pg/local/resetdb`              | Drop and re-initialise database                            |
+| `bin/pg/local/migrate`              | Run new schema migration                                   |
+| `bin/pg/local/migrateundo`          | Revert the recent schema migration                         |
+| `bin/pg/local/seed <seed file>`     | Run specific data seed file with or without .js extension  |
+| `bin/pg/local/seedundo <seed file>` | Revert the seed of specific data seed file                 |
+| `bin/pg/local/psql`                 | Access the database console                                |
 
 **Docker**
 
 - To run the commands for Docker database service, simply remove the `local` from the command
 - The `start` command works only in local machine
-- Used `./bin/pg/psql <database container ID or Name>` to access the database console
+- Used `bin/pg/psql <database container ID or Name>` to access the database console
 
 ## Users
 

src/controllers/Sessions.js

@@ -27,15 +27,16 @@ export default {
     Sessions
       .auth(req, res)
       .then(auth => {
-        res.status(auth.status).send(auth.data)
+        res.status(auth.status).send(auth.responseData)
       })
       .catch(error => {
         res.status(400).send(error)
       })
   },
 
   signOut(req, res) {
-    Sessions.signOut(req)
+    Sessions
+      .signOut(req)
       .then(() => {
         res.status(200).send()
       })

src/lib/Sessions.js

@@ -15,11 +15,16 @@ const FILTER_OPTIONS = {
 }
 
 Passport.use(new HttpBearerStrategy(
-  function(token, done) {
-    const { userId } = verifyToken(null, { token, returnData: true })
+  { passReqToCallback: true },
+  function(req, token, done) {
+    const { userId } = verifyToken(null, { token, key: process.env.JWT_SECRET, returnData: true })
+    const ipAddress = getIpAddress(req)
+    const userAgent = req.headers['user-agent']
+
+    if (!userId) return done(null, false)
 
     return find(null, {
-      where: { userId, token },
+      where: { token, ipAddress, userAgent },
       returnData: true
     })
     .then(Session => {
@@ -110,15 +115,16 @@ export function find(res, options) {
 
 export function auth(req, res) {
   let status = 200, data = {}
-  const { email, password } = verifyToken(res, { token: req.body.token, returnData: true })
+  const { token, tkid } = req.body
+  const { email, password } = verifyToken(res, { token, key: hash(tkid)[0], returnData: true })
   const authResponse = {
     invalid: {
       status: 404,
-      data: { message: "The email or password you entered doesn't match any account." }
+      responseData: { message: "The email or password you entered doesn't match any account." }
     },
     blocked: {
       status: 401,
-      data: { message: 'Your account is blocked. Please contact the administrator.' }
+      responseData: { message: 'Your account is blocked. Please contact the administrator.' }
     }
   }
 
@@ -132,7 +138,9 @@ export function auth(req, res) {
         return authResponse.blocked
 
       const date = new Date()
-      const token = JWT.sign(Object.assign({}, User.json, { date }), process.env.JWT_SECRET, { expiresIn: 86400 })
+      const key = hash()
+      const token = JWT.sign({ userId: User.json.userId, date }, process.env.JWT_SECRET, { expiresIn: 86400 })
+      const data = JWT.sign(_.merge({}, User.json, { date }), key[0], { expiresIn: 86400 })
       const sessionData = {
         userId: User.json.userId,
         userAgent: req.headers['user-agent'],
@@ -143,8 +151,9 @@ export function auth(req, res) {
       return DB.Session
         .create(sessionData)
         .then(() => {
-          data = Object.assign({}, { token }, data, { redirect: User.json.redirect })
-          return { status, data }
+          const responseData = { token, data, redirect: User.json.redirect, tkid: key[1] }
+
+          return { status, responseData }
         })
     })
 }
@@ -164,10 +173,8 @@ export function authBearer() {
   return Passport.authenticate('bearer', { session: false })
 }
 
-function verifyToken(res, { token, returnData }) {
-  return JWT.verify(
-    token,
-    process.env.JWT_SECRET,
+function verifyToken(res, { token, key, returnData }) {
+  return JWT.verify(token, key,
     function(errors, decoded) {
       if (errors) return returnData ? {} : res.status(401).end()
 
@@ -251,3 +258,15 @@ function userSQLFn(column, value) {
     { [Op.regexp]: ['\\y', value.toLowerCase(), '\\y'].join('') }
   )
 }
+
+function hash(index) {
+  const hashList = process.env.HASH.split('.')
+
+  if (index) index = parseInt(index.toString().charAt(index.toString().length - 1), 10)
+  else index = _.random(0, hashList.length - 1)
+
+  return [
+    hashList[index],
+    [_.random(1111111, 9999999), index].join('')
+  ]
+}