User authentication does not work

[dipyamanroy]

Expected Behavior

All routes are user authenticated.

Current Behavior

If the path of internal routes is known they are just accessible without verifying whether the user exists or not, in the MongoDB database.

How to ensure the routes are only available via registered users?

[dipyamanroy]

Possible Solution

As suggested by @saipreetham123, within app.js move the line:

app.use(express.static('public'));

below the other use statements. And add a conditional middleware:

const excludedRoutes = ['/', '/register', '', '/login'];

app.use((req, res, next) => { 
  console.log(req.path);
  if (excludedRoutes.includes(req.path)) {
    next();
  } else {
    validateToken(req, res, next);
  }
});

[snoopysecurity]

Hi, are these just the client side pages such as http://dvws.local/upload.html, http://dvws.local/notes.html etc? these pages can be viewed unauthenticated but the data for this pages are coming from /api, and that will require an API token