From 42672399ffb30fc4b50506904a7b91f084be5b97 Mon Sep 17 00:00:00 2001 From: Divlo Date: Wed, 8 Apr 2020 20:15:35 +0200 Subject: [PATCH] Hotfix: maxAge cookie 'user' - expires in 1 week --- api/assets/config/config.js | 3 ++- api/controllers/users.js | 38 ++++++++++++++++----------------- api/middlewares/isAdmin.js | 6 +++--- api/middlewares/isAuth.js | 7 +++--- api/package-lock.json | 20 ++++++++++++++--- api/package.json | 1 + website/contexts/UserContext.js | 12 ++++------- 7 files changed, 49 insertions(+), 38 deletions(-) diff --git a/api/assets/config/config.js b/api/assets/config/config.js index 1663319..38cfd59 100644 --- a/api/assets/config/config.js +++ b/api/assets/config/config.js @@ -18,7 +18,8 @@ const config = { user: process.env.EMAIL_USER, pass: process.env.EMAIL_PASSWORD } - } + }, + TOKEN_LIFE: '1 week' }; module.exports = config; \ No newline at end of file diff --git a/api/controllers/users.js b/api/controllers/users.js index 329f2da..989eb66 100644 --- a/api/controllers/users.js +++ b/api/controllers/users.js 
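Review bot: `TOKEN_LIFE: '1 week'` is the one hard-coded entry in a config block whose neighbours read from `process.env`; reading it the same way, `TOKEN_LIFE: process.env.TOKEN_LIFE || '1 week'`, lets a deployment shorten the session lifetime without a code change. The string is consumed by two parsers (`jwt.sign`'s `expiresIn` and `ms()` in users.js), and `ms()` returns `undefined` for an unparseable value, so a typo here would surface as a `NaN` in the login response or a failure at the first login rather than at startup; a one-line check where the config is loaded (reject the value when `ms(TOKEN_LIFE)` is `undefined`) would catch that early. A short comment stating that the value must be an `ms`-style duration string would also help the next editor.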
@@ -1,20 +1,20 @@ -const path = require('path'); -const { validationResult } = require('express-validator'); -const bcrypt = require('bcryptjs'); -const jwt = require('jsonwebtoken'); -const uuid = require('uuid'); -const errorHandling = require('../assets/utils/errorHandling'); -const { serverError, generalError } = require('../assets/config/errors'); -const { JWT_SECRET, FRONT_END_HOST } = require('../assets/config/config'); -const transporter = require('../assets/config/transporter'); -const { EMAIL_INFO, HOST } = require('../assets/config/config'); -const { emailTemplate } = require('../assets/config/emails'); -const Users = require('../models/users'); -const Favorites = require('../models/favorites'); -const Functions = require('../models/functions'); -const Categories = require('../models/categories'); -const Comments = require('../models/comments'); -const deleteFilesNameStartWith = require('../assets/utils/deleteFilesNameStartWith'); +const path = require('path'); +const { validationResult } = require('express-validator'); +const bcrypt = require('bcryptjs'); +const jwt = require('jsonwebtoken'); +const ms = require('ms'); +const uuid = require('uuid'); +const errorHandling = require('../assets/utils/errorHandling'); +const { serverError, generalError } = require('../assets/config/errors'); +const { JWT_SECRET, FRONT_END_HOST, EMAIL_INFO, HOST, TOKEN_LIFE } = require('../assets/config/config'); +const transporter = require('../assets/config/transporter'); +const { emailTemplate } = require('../assets/config/emails'); +const Users = require('../models/users'); +const Favorites = require('../models/favorites'); +const Functions = require('../models/functions'); +const Categories = require('../models/categories'); +const Comments = require('../models/comments'); +const deleteFilesNameStartWith = require('../assets/utils/deleteFilesNameStartWith'); async function handleEditUser(res, { name, email, biography, isPublicEmail }, userId, logoName) { const user = 
await Users.findOne({ where: { id: userId } }); @@ -128,8 +128,8 @@ exports.login = async (req, res, next) => { } const token = jwt.sign({ email: user.email, userId: user.id - }, JWT_SECRET, { expiresIn: '6h' }); - return res.status(200).json({ token, id: user.id, name: user.name, email: user.email, biography: user.biography, logo: user.logo, isPublicEmail: user.isPublicEmail, isAdmin: user.isAdmin, createdAt: user.createdAt }); + }, JWT_SECRET, { expiresIn: TOKEN_LIFE }); + return res.status(200).json({ token, id: user.id, name: user.name, email: user.email, biography: user.biography, logo: user.logo, isPublicEmail: user.isPublicEmail, isAdmin: user.isAdmin, createdAt: user.createdAt, expiresIn: Math.round(ms(TOKEN_LIFE) / 1000) }); } catch (error) { console.log(error); return errorHandling(next, serverError); diff --git a/api/middlewares/isAdmin.js b/api/middlewares/isAdmin.js index d783a23..5802249 100644 --- a/api/middlewares/isAdmin.js +++ b/api/middlewares/isAdmin.js @@ -4,15 +4,15 @@ const Users = require('../models/users'); module.exports = (req, _res, next) => { if (!req.userId) { - return errorHandling(next, { message: "Vous n'êtes pas connecté.", statusCode: 401 }); + return errorHandling(next, { message: "Vous n'êtes pas connecté.", statusCode: 403 }); } Users.findOne({ where: { id: req.userId } }) .then((user) => { if (!user) { - return errorHandling(next, { message: "Le mot de passe ou l'adresse email n'est pas valide.", statusCode: 400 }); + return errorHandling(next, { message: "Le mot de passe ou l'adresse email n'est pas valide.", statusCode: 403 }); } if (!user.isAdmin) { - return errorHandling(next, { message: "Vous n'êtes pas administrateur.", statusCode: 400 }); + return errorHandling(next, { message: "Vous n'êtes pas administrateur.", statusCode: 403 }); } next(); }) diff --git a/api/middlewares/isAuth.js b/api/middlewares/isAuth.js index 5eb3b56..c8979fc 100644 --- a/api/middlewares/isAuth.js +++ b/api/middlewares/isAuth.js 
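Review bot: The bearer token's lifetime grows from 6h to `TOKEN_LIFE` (one week) at `jwt.sign(...)`, and nothing visible in this diff adds a server-side way to invalidate a token before it expires, so a token that leaks from the client stays usable for the whole week; if revocation is not planned, a short access-token lifetime plus a refresh step is the usual mitigation, and at minimum the trade-off deserves a comment next to the `expiresIn` option. The new `expiresIn: Math.round(ms(TOKEN_LIFE) / 1000)` is in seconds, which is what the client later passes as the cookie's `maxAge`; because `ms()` yields `undefined` for a string it cannot parse, the field would become `NaN` and be serialised as `null`, so computing it once into a local and guarding it (`const lifetimeMs = ms(TOKEN_LIFE); if (lifetimeMs === undefined) return errorHandling(next, serverError);`) is safer than inlining it in the response object. The `login` handler starts before this hunk.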
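Review bot: All three failure branches now answer 403, but the first (`!req.userId`, no authenticated user at all) is a 401 condition; 403 is for a caller whose identity is known but who lacks the admin role, and the front end needs that distinction to choose between "log in again" and "not allowed". The message in the `!user` branch (invalid password or email) does not describe what happened there — the token verified but its `userId` no longer matches an account — so a neutral "user not found" style message would be more accurate and would not hint at credential validation in a place where none occurs. The promise chain's `.catch` is not inside this hunk; if it is absent, a database error would leave the request unanswered. The middleware function ends outside the hunk.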
@@ -1,23 +1,22 @@ const jwt = require('jsonwebtoken'); const errorHandling = require('../assets/utils/errorHandling'); -const { serverError } = require('../assets/config/errors'); const { JWT_SECRET } = require('../assets/config/config'); module.exports = (req, _res, next) => { const token = req.get('Authorization'); if (!token) { - return errorHandling(next, { message: "Vous n'êtes pas connecté.", statusCode: 401 }); + return errorHandling(next, { message: "Vous devez être connecter pour effectuer cette opération.", statusCode: 403 }); } let decodedToken; try { decodedToken = jwt.verify(token, JWT_SECRET); } catch (error) { - return errorHandling(next, serverError); + return errorHandling(next, { message: "Vous devez être connecter pour effectuer cette opération.", statusCode: 403 }); } if (!decodedToken) { - return errorHandling(next, { message: "Vous n'êtes pas connecté.", statusCode: 401 }); + return errorHandling(next, { message: "Vous devez être connecter pour effectuer cette opération.", statusCode: 403 }); } req.userId = decodedToken.userId; diff --git a/api/package-lock.json b/api/package-lock.json index a49edb7..9e1a4a7 100644 --- a/api/package-lock.json +++ b/api/package-lock.json @@ -369,6 +369,13 @@ "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==", "requires": { "ms": "2.0.0" + }, + "dependencies": { + "ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" + } } }, "deep-extend": { @@ -598,6 +605,13 @@ "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==", "requires": { "ms": "2.0.0" + }, + "dependencies": { + "ms": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", + "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" + } } } } 
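Review bot: Turning a `jwt.verify` failure into a 403 instead of the previous 500 is an improvement, but the catch discards the error class: jsonwebtoken throws `TokenExpiredError` for an expired token and `JsonWebTokenError` for a bad signature or malformed token, and with a one-week lifetime the client will want to tell an expired session from a forged or garbled one, e.g. `if (error.name === 'TokenExpiredError') return errorHandling(next, { message: 'Session expirée.', statusCode: 401 });` before the generic branch. Missing or invalid credentials are 401 cases by HTTP semantics, 403 being for a valid identity without permission, so the three new branches would be more accurate as 401. `jwt.verify(token, JWT_SECRET)` does not pin `algorithms`; passing `{ algorithms: ['HS256'] }` (presumably the default `jwt.sign` in users.js uses) restricts verification to the algorithm the login route actually signs with. The user-facing message uses the infinitive "connecter" where the past participle "connecté" is meant, in all three copies. The middleware continues past the end of the hunk.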
@@ -1127,9 +1141,9 @@ } }, "ms": { - "version": "2.0.0", - "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz", - "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=" + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz", + "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==" }, "mysql2": { "version": "2.1.0", diff --git a/api/package.json b/api/package.json index f06ed0a..5a610d3 100644 --- a/api/package.json +++ b/api/package.json @@ -19,6 +19,7 @@ "helmet": "^3.21.3", "jsonwebtoken": "^8.5.1", "moment": "^2.24.0", + "ms": "^2.1.2", "mysql2": "^2.1.0", "nodemailer": "^6.4.6", "sequelize": "^5.21.5", diff --git a/website/contexts/UserContext.js b/website/contexts/UserContext.js index aa4667f..af978d3 100644 --- a/website/contexts/UserContext.js +++ b/website/contexts/UserContext.js @@ -34,12 +34,6 @@ function UserContextProvider(props) { setUser(null); setIsAuth(false); } - - const changeUserValue = (newUser) => { - cookies.remove('user', { path: '/' }); - cookies.set('user', newUser, { path: '/' }); - setUser(newUser); - } const loginUser = ({ email, password }) => { setLoginLoading(true); @@ -47,7 +41,9 @@ function UserContextProvider(props) { try { const response = await api.post('/users/login', { email, password }); const newUser = response.data; - changeUserValue(newUser); + cookies.remove('user', { path: '/' }); + cookies.set('user', newUser, { path: '/', maxAge: newUser.expiresIn }); + setUser(newUser); setIsAuth(true); setMessageLogin('

Succès: Connexion réussi!

'); setLoginLoading(false); @@ -63,7 +59,7 @@ function UserContextProvider(props) { } return ( - + {props.children} );
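Review bot: The `user` cookie is written from JavaScript with only `path` and `maxAge`, and its value is the whole login response, token included; a cookie set client-side cannot be HttpOnly, so it should at least carry `secure: true` and `sameSite: 'strict'` (both accepted by the `set` options of universal-cookie/react-cookie, which this appears to be) so the token is neither sent over plain HTTP nor attached to cross-site requests, e.g. `cookies.set('user', newUser, { path: '/', maxAge: newUser.expiresIn, secure: true, sameSite: 'strict' });` (gate `secure` on production if local development runs over http). `maxAge` here is in seconds, which matches the API's `Math.round(ms(TOKEN_LIFE) / 1000)`; against an older API that omits `expiresIn`, `maxAge: undefined` yields a session cookie, which is acceptable but worth a one-line comment. `loginUser` begins before this hunk, and the `setMessageLogin` literal appears split across several lines in this rendering.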