express/examples/auth/index.js at 840246c804943cde16ee680abf90b08db443bf89 · expressjs/express · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
'use strict'

/**
 * Module dependencies.
 */

const express = require('../../')
const hash = require('pbkdf2-password')()
const path = require('node:path')
const session = require('express-session')

const app = module.exports = express()

// config

app.set('view engine', 'ejs')
app.set('views', path.join(__dirname, 'views'))

// middleware

app.use(express.urlencoded())
app.use(session({
  resave: false, // don't save session if unmodified
  saveUninitialized: false, // don't create session until something stored
  secret: 'shhhh, very secret'
}))

// Session-persisted message middleware

app.use((req, res, next) => {
  const err = req.session.error
  const msg = req.session.success
  delete req.session.error
  delete req.session.success
  res.locals.message = ''
  if (err) res.locals.message = '<p class="msg error">' + err + '</p>'
  if (msg) res.locals.message = '<p class="msg success">' + msg + '</p>'
  next()
})

// dummy database

const users = {
  tj: { name: 'tj' }
}

// when you create a user, generate a salt
// and hash the password ('foobar' is the pass here)

hash({ password: 'foobar' }, (err, pass, salt, hash) => {
  if (err) throw err
  // store the salt & hash in the "db"
  users.tj.salt = salt
  users.tj.hash = hash
})

// Authenticate using our plain-object database of doom!

function authenticate (name, pass, fn) {
  if (!module.parent) console.log('authenticating %s:%s', name, pass)
  const user = users[name]
  // query the db for the given username
  if (!user) return fn(null, null)
  // apply the same algorithm to the POSTed password, applying
  // the hash against the pass / salt, if there is a match we
  // found the user
  hash({ password: pass, salt: user.salt }, (err, pass, salt, hash) => {
    if (err) return fn(err)
    if (hash === user.hash) return fn(null, user)
    fn(null, null)
  })
}

function restrict (req, res, next) {
  if (req.session.user) {
    next()
  } else {
    req.session.error = 'Access denied!'
    res.redirect('/login')
  }
}

app.get('/', (req, res) => {
  res.redirect('/login')
})

app.get('/restricted', restrict, (req, res) => {
  res.send('Wahoo! restricted area, click to <a href="/logout">logout</a>')
})

app.get('/logout', (req, res) => {
  // destroy the user's session to log them out
  // will be re-created next request
  req.session.destroy(() => {
    res.redirect('/')
  })
})

app.get('/login', (req, res) => {
  res.render('login')
})

app.post('/login', (req, res, next) => {
  if (!req.body) return res.sendStatus(400)
  authenticate(req.body.username, req.body.password, (err, user) => {
    if (err) return next(err)
    if (user) {
      // Regenerate session when signing in
      // to prevent fixation
      req.session.regenerate(() => {
        // Store the user's primary key
        // in the session store to be retrieved,
        // or in this case the entire user object
        req.session.user = user
        req.session.success = 'Authenticated as ' + user.name +
          ' click to <a href="/logout">logout</a>. ' +
          ' You may now access <a href="/restricted">/restricted</a>.'
        res.redirect(req.get('Referrer') || '/')
      })
    } else {
      req.session.error = 'Authentication failed, please check your ' +
        ' username and password.' +
        ' (use "tj" and "foobar")'
      res.redirect('/login')
    }
  })
})

/* istanbul ignore next */
if (!module.parent) {
  app.listen(3000)
  console.log('Express started on port 3000')
}