tracman-server/config/auth.js

'use strict';

const
	mw = require('./middleware.js'),
	mail = require('./mail.js'),
	User = require('./models.js').user,
	crypto = require('crypto'),
	env = require('./env.js');

module.exports = (app, passport) => {

	// Methods for success and failure
	const
		loginOutcome = {
			failureRedirect: '/login',
			failureFlash: true
		},	
		connectOutcome = {
			failureRedirect: '/settings',
			failureFlash: true
		},
		loginCallback = (req,res)=>{
			res.redirect( req.session.next || '/map' );
		};
	
	// Login/-out
	app.route('/login')
		.get( (req,res)=>{
			if (req.isAuthenticated()){ loginCallback(); }
			else { res.render('login'); }
		})
		.post( passport.authenticate('local',loginOutcome), loginCallback );
	app.get('/logout', (req,res)=>{
		req.logout();
		req.flash('success',`You have been logged out.`);
		res.redirect(req.session.next || '/');
	});
	
	// Signup
	app.route('/signup')
		.get( (req,res)=>{
			res.redirect('/login#signup');
		})
		.post( (req,res,next)=>{
			
			// Send token and alert user
			function sendToken(user){
				
				// Create a password token
				user.createToken((err,token)=>{
					if (err){ mw.throwErr(err,req); }
					
					// Email the instructions to continue
					mail.send({
						from: mail.from,
						to: `<${user.email}>`,
						subject: 'Complete your Tracman registration',
						text: mail.text(`Welcome to Tracman!  \n\nTo complete your registration, follow this link and set your password:\n${env.url}/settings/password/${token}`),
						html: mail.html(`<p>Welcome to Tracman! </p><p>To complete your registration, follow this link and set your password:<br><a href="${env.url}/settings/password/${token}">${env.url}/settings/password/${token}</a></p>`)
					}).then(()=>{
						req.flash('success', `An email has been sent to <u>${user.email}</u>. Check your inbox to complete your registration. `);
						res.redirect('/login');
					}).catch((err)=>{
						mw.throwErr(err,req);
						res.redirect('/login#signup');
					});
				});
				
			}
			
			// Check if somebody already has that email
			User.findOne({'email':req.body.email}, (err,user)=>{
				if (err){ mw.throwErr(err,req); }
				
				// User already exists
				if (user && user.auth.password) {
					req.flash('warning','A user with that email already exists!  If you forgot your password, you can <a href="/login/forgot">reset it here</a>.');
					res.redirect('/login#login');
					next();
				}
				
				// User exists but hasn't created a password yet
				else if (user) {
					// Send another token (or the same one if it hasn't expired)
					sendToken(user);
				}
				
				// Create user
				else {
					
					user = new User();
					user.created = Date.now();
					user.email = req.body.email;
					user.slug = slug(user.email.substring(0, user.email.indexOf('@')));
					
					// Generate unique slug
					let slug = new Promise((resolve,reject) => {
						(function checkSlug(s,cb){
							
							User.findOne({slug:s})
							.catch((err)=>{
								mw.throwErr(err,req);
							})
							.then((existingUser)=>{
								
								// Slug in use: generate a random one and retry
								if (existingUser){
									crypto.randomBytes(6, (err,buf)=>{
										if (err) { mw.throwErr(err,req); }
										s = buf.toString('hex');
										checkSlug(s,cb);
									});
								}
								
								// Unique slug: proceed
								else { cb(s); }
								
							});
							
						})(user.slug, (newSlug)=>{
							user.slug = newSlug;
							resolve();
						});
					});
					
					// Generate sk32
					let sk32 = new Promise((resolve,reject) => {
						crypto.randomBytes(32, (err,buf)=>{
							if (err) { mw.throwErr(err,req); }
							user.sk32 = buf.toString('hex');
							resolve();
						});
					});
					
					// Save user and send the token by email
					Promise.all([slug, sk32])
						.then( ()=> {
							user.save();
						}).then( ()=>{
							sendToken(user);
						}).catch( (err)=>{
							mw.throwErr(err,req);
							res.redirect('/login#signup');
						});
					
				}
				
			});
		});
	
	// Forgot password
	app.route('/login/forgot')
		.all( (req,res,next)=>{
			if (req.isAuthenticated()){ loginCallback(); }
			else { next(); }
		} )
		.get( (req,res,next)=>{
			res.render('forgot');
		} )
		.post( (req,res,next)=>{
			
			//TODO: Validate email
			// req.assert('email', 'Please enter a valid email address.').isEmail();
			// req.sanitize('email').normalizeEmail({ remove_dots: false });
			
			User.findOne({'email':req.body.email})
				.then((user)=>{
					
					// No user with that email
					if (!user) {
						// Don't let on that no such user exists, to prevent dictionary attacks
						req.flash('success', `If an account exists with the email <u>${req.body.email}</u>, an email has been sent there with a password reset link. `);
						res.redirect('/login');
					}
					
					// User with that email does exist
					else {
						
						// Create reset token
						user.createToken( (err,token)=>{
							if (err){ next(err); }
							
							// Email reset link
							mail.send({
								from: mail.from,
								to: mail.to(user),
								subject: 'Reset your Tracman password',
								text: mail.text(`Hi, \n\nDid you request to reset your Tracman password?  If so, follow this link to do so:\n${env.url}/settings/password/${token}\n\nIf you didn't initiate this request, just ignore this email. `),
								html: mail.html(`<p>Hi, </p><p>Did you request to reset your Tracman password?  If so, follow this link to do so:<br><a href="${env.url}/settings/password/${token}">${env.url}/settings/password/${token}</a></p><p>If you didn't initiate this request, just ignore this email. </p>`)
							}).then(()=>{
								req.flash('success', `If an account exists with the email <u>${req.body.email}</u>, an email has been sent there with a password reset link. `);
								res.redirect('/login');
							}).catch((err)=>{
								mw.throwErr(err);
							});
	
						});
						
					}
					
				}).catch( (err)=>{
					mw.throwErr(err,req);
					res.redirect('/login/forgot');
				});
			
		} );

	// Social
	app.get('/login/:service', (req,res,next)=>{
		let service = req.params.service,
			sendParams = (service==='google')? {scope:['profile']} : null;
		
		// Social login
		if (!req.user) {
			passport.authenticate(service, sendParams)(req,res,next);
		}
		
		// Connect social account
		else if (!req.user.auth[service]) {
			passport.authorize(service, sendParams)(req,res,next);
		}
		
		// Disconnect social account
		else {
			req.user.auth[service] = undefined;
			req.user.save()
				.catch((err)=>{
					mw.throwErr(err,req);
					res.redirect('/settings');
				}).then(()=>{
					req.flash('success', `${mw.capitalize(service)} account disconnected. `);
					res.redirect('/settings');
				});
			
		}
	});
	app.get('/login/:service/cb', (req,res,next)=>{
		var service = req.params.service;
		if (!req.user) {
			passport.authenticate(service, loginOutcome)(req,res,next);
		} else {
			req.flash('success', `${mw.capitalize(service)} account connected. `);
			req.session.next = '/settings';
			passport.authenticate(service, connectOutcome)(req,res,next);
		}
	}, loginCallback);

	// Android auth
	//TODO: See if there's a better method
	app.get('/auth/google/idtoken', passport.authenticate('google-id-token'),	(req,res)=>{
		if (!req.user){ res.sendStatus(401); }
		else { res.send(req.user); }
	} );

};
Added 'use strict' to every javascript file 2017-03-15 02:01:55 -06:00			`'use strict';`

Fixed settings form styles 2017-04-09 21:40:08 -06:00			`const`
			`mw = require('./middleware.js'),`
Added login screen 2017-04-01 11:03:05 -06:00			`mail = require('./mail.js'),`
			`User = require('./models.js').user,`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`crypto = require('crypto'),`
Added login screen 2017-04-01 11:03:05 -06:00			`env = require('./env.js');`
init commit 2016-03-31 17:06:21 -06:00
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`module.exports = (app, passport) => {`

Added login screen 2017-04-01 11:03:05 -06:00			`// Methods for success and failure`
Fixed settings form styles 2017-04-09 21:40:08 -06:00			`const`
			`loginOutcome = {`
Various changes 2017-04-12 17:39:39 -06:00			`failureRedirect: '/login',`
			`failureFlash: true`
Various changes 2017-04-13 22:45:25 -06:00			`},`
Fixed settings form styles 2017-04-09 21:40:08 -06:00			`connectOutcome = {`
Various changes 2017-04-12 17:39:39 -06:00			`failureRedirect: '/settings',`
			`failureFlash: true`
			`},`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`loginCallback = (req,res)=>{`
Various changes 2017-04-13 22:45:25 -06:00			`res.redirect( req.session.next \|\| '/map' );`
Fixed settings form styles 2017-04-09 21:40:08 -06:00			`};`
Various changes 2017-04-13 22:45:25 -06:00
Added login screen 2017-04-01 11:03:05 -06:00			`// Login/-out`
			`app.route('/login')`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`.get( (req,res)=>{`
Various changes 2017-04-13 22:45:25 -06:00			`if (req.isAuthenticated()){ loginCallback(); }`
Added login screen 2017-04-01 11:03:05 -06:00			`else { res.render('login'); }`
			`})`
			`.post( passport.authenticate('local',loginOutcome), loginCallback );`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`app.get('/logout', (req,res)=>{`
Added login screen 2017-04-01 11:03:05 -06:00			`req.logout();`
Various changes 2017-04-12 17:39:39 -06:00			req.flash('success',`You have been logged out.`);
Various changes 2017-04-13 22:45:25 -06:00			`res.redirect(req.session.next \|\| '/');`
Added login screen 2017-04-01 11:03:05 -06:00			`});`
Various changes 2017-04-13 22:45:25 -06:00
Added login screen 2017-04-01 11:03:05 -06:00			`// Signup`
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`app.route('/signup')`
			`.get( (req,res)=>{`
			`res.redirect('/login#signup');`
			`})`
			`.post( (req,res,next)=>{`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`// Send token and alert user`
			`function sendToken(user){`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`// Create a password token`
			`user.createToken((err,token)=>{`
			`if (err){ mw.throwErr(err,req); }`

			`// Email the instructions to continue`
			`mail.send({`
			`from: mail.from,`
			to: `<${user.email}>`,
			`subject: 'Complete your Tracman registration',`
			text: mail.text(`Welcome to Tracman! \n\nTo complete your registration, follow this link and set your password:\n${env.url}/settings/password/${token}`),
			html: mail.html(`<p>Welcome to Tracman! </p><p>To complete your registration, follow this link and set your password:<br><a href="${env.url}/settings/password/${token}">${env.url}/settings/password/${token}</a></p>`)
			`}).then(()=>{`
			req.flash('success', `An email has been sent to <u>${user.email}</u>. Check your inbox to complete your registration. `);
			`res.redirect('/login');`
			`}).catch((err)=>{`
			`mw.throwErr(err,req);`
			`res.redirect('/login#signup');`
			`});`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`});`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`}`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`// Check if somebody already has that email`
			`User.findOne({'email':req.body.email}, (err,user)=>{`
			`if (err){ mw.throwErr(err,req); }`

			`// User already exists`
			`if (user && user.auth.password) {`
			`req.flash('warning','A user with that email already exists! If you forgot your password, you can <a href="/login/forgot">reset it here</a>.');`
			`res.redirect('/login#login');`
			`next();`
			`}`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`// User exists but hasn't created a password yet`
			`else if (user) {`
			`// Send another token (or the same one if it hasn't expired)`
			`sendToken(user);`
			`}`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`// Create user`
			`else {`

			`user = new User();`
			`user.created = Date.now();`
			`user.email = req.body.email;`
			`user.slug = slug(user.email.substring(0, user.email.indexOf('@')));`

			`// Generate unique slug`
			`let slug = new Promise((resolve,reject) => {`
			`(function checkSlug(s,cb){`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`User.findOne({slug:s})`
			`.catch((err)=>{`
			`mw.throwErr(err,req);`
			`})`
			`.then((existingUser)=>{`

			`// Slug in use: generate a random one and retry`
			`if (existingUser){`
			`crypto.randomBytes(6, (err,buf)=>{`
			`if (err) { mw.throwErr(err,req); }`
			`s = buf.toString('hex');`
			`checkSlug(s,cb);`
			`});`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`}`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
			`// Unique slug: proceed`
			`else { cb(s); }`

			`});`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`})(user.slug, (newSlug)=>{`
			`user.slug = newSlug;`
			`resolve();`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`});`
			`});`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
			`// Generate sk32`
			`let sk32 = new Promise((resolve,reject) => {`
			`crypto.randomBytes(32, (err,buf)=>{`
			`if (err) { mw.throwErr(err,req); }`
			`user.sk32 = buf.toString('hex');`
			`resolve();`
			`});`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`});`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
			`// Save user and send the token by email`
			`Promise.all([slug, sk32])`
			`.then( ()=> {`
			`user.save();`
			`}).then( ()=>{`
Various changes 2017-04-13 22:45:25 -06:00			`sendToken(user);`
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`}).catch( (err)=>{`
			`mw.throwErr(err,req);`
			`res.redirect('/login#signup');`
Various changes 2017-04-13 22:45:25 -06:00			`});`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
			`}`
Various changes 2017-04-13 22:45:25 -06:00
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`});`
Added login screen 2017-04-01 11:03:05 -06:00			`});`
Cleaned up some routing 2017-04-14 19:29:50 -06:00
Added login screen 2017-04-01 11:03:05 -06:00			`// Forgot password`
Added password reset logic 2017-04-13 23:00:18 -06:00			`app.route('/login/forgot')`
			`.all( (req,res,next)=>{`
			`if (req.isAuthenticated()){ loginCallback(); }`
			`else { next(); }`
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`} )`
Added password reset logic 2017-04-13 23:00:18 -06:00			`.get( (req,res,next)=>{`
			`res.render('forgot');`
Cleaned up some routing 2017-04-14 19:29:50 -06:00			`} )`
Added password reset logic 2017-04-13 23:00:18 -06:00			`.post( (req,res,next)=>{`

Fixed some auth logic 2017-04-14 19:45:49 -06:00			`//TODO: Validate email`
Added password reset logic 2017-04-13 23:00:18 -06:00			`// req.assert('email', 'Please enter a valid email address.').isEmail();`
			`// req.sanitize('email').normalizeEmail({ remove_dots: false });`

Fixed some auth logic 2017-04-14 19:45:49 -06:00			`User.findOne({'email':req.body.email})`
			`.then((user)=>{`
Added password reset logic 2017-04-13 23:00:18 -06:00
Fixed some auth logic 2017-04-14 19:45:49 -06:00			`// No user with that email`
			`if (!user) {`
			`// Don't let on that no such user exists, to prevent dictionary attacks`
			req.flash('success', `If an account exists with the email <u>${req.body.email}</u>, an email has been sent there with a password reset link. `);
			`res.redirect('/login');`
			`}`

			`// User with that email does exist`
			`else {`
Added password reset logic 2017-04-13 23:00:18 -06:00
Fixed some auth logic 2017-04-14 19:45:49 -06:00			`// Create reset token`
			`user.createToken( (err,token)=>{`
			`if (err){ next(err); }`

			`// Email reset link`
			`mail.send({`
			`from: mail.from,`
			`to: mail.to(user),`
			`subject: 'Reset your Tracman password',`
			text: mail.text(`Hi, \n\nDid you request to reset your Tracman password? If so, follow this link to do so:\n${env.url}/settings/password/${token}\n\nIf you didn't initiate this request, just ignore this email. `),
			html: mail.html(`<p>Hi, </p><p>Did you request to reset your Tracman password? If so, follow this link to do so:<br><a href="${env.url}/settings/password/${token}">${env.url}/settings/password/${token}</a></p><p>If you didn't initiate this request, just ignore this email. </p>`)
			`}).then(()=>{`
			req.flash('success', `If an account exists with the email <u>${req.body.email}</u>, an email has been sent there with a password reset link. `);
			`res.redirect('/login');`
			`}).catch((err)=>{`
			`mw.throwErr(err);`
			`});`

Added password reset logic 2017-04-13 23:00:18 -06:00			`});`
Fixed some auth logic 2017-04-14 19:45:49 -06:00
			`}`
Added password reset logic 2017-04-13 23:00:18 -06:00
Fixed some auth logic 2017-04-14 19:45:49 -06:00			`}).catch( (err)=>{`
			`mw.throwErr(err,req);`
			`res.redirect('/login/forgot');`
			`});`

Cleaned up some routing 2017-04-14 19:29:50 -06:00			`} );`
fixed stuff 2016-03-31 15:01:27 -06:00
Added login screen 2017-04-01 11:03:05 -06:00			`// Social`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`app.get('/login/:service', (req,res,next)=>{`
Various changes 2017-04-13 22:45:25 -06:00			`let service = req.params.service,`
			`sendParams = (service==='google')? {scope:['profile']} : null;`

Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`// Social login`
			`if (!req.user) {`
Added login screen 2017-04-01 11:03:05 -06:00			`passport.authenticate(service, sendParams)(req,res,next);`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`}`
Various changes 2017-04-13 22:45:25 -06:00
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`// Connect social account`
			`else if (!req.user.auth[service]) {`
Added login screen 2017-04-01 11:03:05 -06:00			`passport.authorize(service, sendParams)(req,res,next);`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`}`
Various changes 2017-04-13 22:45:25 -06:00
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`// Disconnect social account`
			`else {`
Added login screen 2017-04-01 11:03:05 -06:00			`req.user.auth[service] = undefined;`
Various changes 2017-04-13 22:45:25 -06:00			`req.user.save()`
			`.catch((err)=>{`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`mw.throwErr(err,req);`
			`res.redirect('/settings');`
Various changes 2017-04-13 22:45:25 -06:00			`}).then(()=>{`
Added login screen 2017-04-01 11:03:05 -06:00			req.flash('success', `${mw.capitalize(service)} account disconnected. `);
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`res.redirect('/settings');`
Various changes 2017-04-13 22:45:25 -06:00			`});`

init commit 2016-03-31 17:06:21 -06:00			`}`
			`});`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`app.get('/login/:service/cb', (req,res,next)=>{`
Added login screen 2017-04-01 11:03:05 -06:00			`var service = req.params.service;`
			`if (!req.user) {`
			`passport.authenticate(service, loginOutcome)(req,res,next);`
			`} else {`
			req.flash('success', `${mw.capitalize(service)} account connected. `);
Added ability to change password 2017-04-12 11:41:27 -06:00			`req.session.next = '/settings';`
Added login screen 2017-04-01 11:03:05 -06:00			`passport.authenticate(service, connectOutcome)(req,res,next);`
			`}`
			`}, loginCallback);`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00
Added login screen 2017-04-01 11:03:05 -06:00			`// Android auth`
			`//TODO: See if there's a better method`
Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`app.get('/auth/google/idtoken', passport.authenticate('google-id-token'), (req,res)=>{`
Various changes 2017-04-13 22:45:25 -06:00			`if (!req.user){ res.sendStatus(401); }`
Added login screen 2017-04-01 11:03:05 -06:00			`else { res.send(req.user); }`
			`} );`

Added account creation, switched to arrow functions 2017-04-13 16:53:18 -06:00			`};`