Retrieve Salted PW using Node-bcrypt and Passport.JS - bcrypt

I have an issue in which I can create hashed passwords in node-bcrypt and passport.js, but am unable to use the hashed password.
Im using nodejs, express, mongodb, mongoose, passport js, bcrypt.
What Im Trying To Do
Be able to login as normal, but using the bcrypt salted paswword etc.
What I have Done
I know my routes, api, and db are working. Since my current set up logs users in and out if I use a normal string for password instead of bcrypt.
I also checked my db and a bcrypt/salted password appears in the password field.
I got the idea to use bcrypt from this article (so using this code):
http://devsmash.com/blog/password-authentication-with-mongoose-and-bcrypt
Here is my relevant code:
var express = require('express'),
routes = require('./routes'),
passport = require('passport'),
util = require('util'),
flash = require('connect-flash'),
LocalStrategy = require('passport-local').Strategy,
mongoose = require('mongoose');
mongoose.connect('mongodb://54.254.96.11/bcrypt')
var Schema = mongoose.Schema;
var ObjectId = Schema.ObjectId;
bcrypt = require('bcrypt'),
SALT_WORK_FACTOR = 10;
var user = new Schema({
username: { type: String, required: true, index: { unique: true } },
password: { type: String, required: true },
email: String
});
var user = mongoose.model('user', user);
//Bcrypt Code
user.pre('save', function(next) {
var guest = this;
// only hash the password if it has been modified (or is new)
if (!guest.isModified('password')) return next();
// generate a salt
bcrypt.genSalt(SALT_WORK_FACTOR, function(err, salt) {
if (err) return next(err);
// hash the password using our new salt
bcrypt.hash(guest.password, salt, function(err, hash) {
if (err) return next(err);
// override the cleartext password with the hashed one
guest.password = hash;
next();
});
});
});
user.methods.comparePassword = function(candidatePassword, cb) {
bcrypt.compare(candidatePassword, this.password, function(err, isMatch) {
if (err) return cb(err);
cb(null, isMatch);
});
};
//
passport.serializeUser(function(user, done) {
done(null, user.id);
});
passport.deserializeUser(function(id, done) {
user.findById(id, function (err, user) {
done(err, user);
});
});
passport.use(new LocalStrategy(
function(username, password, done) {
// asynchronous verification, for effect...
process.nextTick(function () {
// Find the user by username. If there is no user with the given
// username, or the password is not correct, set the user to `false` to
// indicate failure and set a flash message. Otherwise, return the
// authenticated `user`.
user.findOne({ username: username}, function(err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false, { message: 'Unknown user ' + username }); }
if (user.password != password) { return done(null, false, { message: 'Invalid password' }); }
return done(null, user);
})
});
}
));
// Relevant Express Routes
app.post('/login',
passport.authenticate('local', { failureRedirect: '/login', failureFlash: true }),
function(req, res) {
res.redirect('/home');
});
app.post('/create', function(req, res, next){
var moot = new user({
"username": req.body.username,
"password" : req.body.password,
"email" : req.body.email});
moot.save(function (err) {
if (!err) {
res.redirect('/home');
}
else {
res.redirect('/');
}
});
});

I would do it this way:
create a new method for User model:
userSchema.statics.authenticate = function(username, password, callback)
{
this.findOne({username: username}, function(err, user)
{
if(err) return callback(err);
if(!user) return callback(null, false);
user.comparePassword(password, function(err, correct)
{
if(!correct) return callback(null, false);
callback(null, user);
});
});
}
then in the passport config:
passport.use(new LocalStrategy(
function(username, password, done)
{
User.authenticate(username, password, function(err, user)
{
if(err) return done(err);
if(!user) return done(null, false);
done(null, user);
}
}
));
This should work (I didn't test it)
PS: please use 'user' for one user
for the model, use 'User'

Related

Next-Auth JWT Session Token

Currently I am returning the users email to the session as a JWT. This is working just fine. Now I am trying to return the users username with the email as a JWT. If I am to console.log the username, it is appearing in the terminal. Yet, if I am logging the session.user in my getServerSideProps function I am only able to view the email. Any tips?
export default NextAuth({
session: { jwt: true },
providers: [
CredentialsProvider({
async authorize(credentials) {
const client = await connectToDatabase();
const userCollection = client.db().collection("users");
const user = await userCollection.findOne({ email: credentials.email });
console.log(user.userName);
if (!user) {
client.close();
throw new Error("No user found!");
}
const isValid = await comparePasswords(
credentials.password,
user.password
);
if (!isValid) {
client.close();
throw new Error("Invalid password");
}
client.close();
if (user) {
return {
email: user.email,
userName: user.userName,
};
} else {
return null;
}
},
}),
],
});

Write on session with Sapper and Svelte

I wrote a Sapper app with session management following the RealWorld example:
polka()
.use(bodyParser.json())
.use(session({
name: 'kidways-app',
secret: 'conduit',
resave: false,
saveUninitialized: true,
cookie: {
maxAge: 31536000
},
store: new FileStore({
path: 'data/sessions',
})
}))
.use(
compression({ threshold: 0 }),
sirv('static', { dev }),
pdfMiddleware,
sapper.middleware({
session: req => ({
token: req.session && req.session.token
})
})
)
.listen(PORT, err => {
if (err) console.log('error', err);
});
Then on my _layout.sevlte:
<script context="module">
export async function preload({ query }, session) {
console.log('preload', session)
return {
// ...
};
}
</script>
<script>
import { onMount, createEventDispatcher } from 'svelte';
import { Splash } from 'project-components';
import * as sapper from '#sapper/app';
import { user } from '../stores';
import client from '../feathers';
const { session } = sapper.stores();
onMount(async () => {
try {
await client.reAuthenticate();
const auth = await client.get('authentication');
user.set(auth.user);
$session.token = 'test';
} catch (e) {
} finally {
loaded = true;
}
});
console.log($session)
</script>
<h1>{$session.token}</h1>
This work on client side rendering, but the token is still undefined on preload, making my SSR template rendering broken.
What did I missed?
When a page renders, session is populated according to the return value of the function you specified here:
sapper.middleware({
session: req => ({
token: req.session && req.session.token
})
})
So while the client may have an up-to-date token, it won't take effect on page reload unless you somehow persist the token to the server in such a way that the session middleware knows about it.
Typically you'd achieve this by having a server route, like routes/auth/token.js or something...
export function post(req, res) {
req.session.token = req.body.token;
res.writeHead(200, {
'Content-Type': 'application/json'
});
res.end();
}
...and posting the token from the client:
onMount(async () => {
try {
await client.reAuthenticate();
const auth = await client.get('authentication');
user.set(auth.user);
await fetch(`auth/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: JSON.stringify({ token })
});
// writing to the session store on the client means
// it's immediately available to the rest of the app,
// without needing to reload the page
$session.token = 'test';
} catch (e) {
} finally {
loaded = true;
}
});

Data are not inserted in mongodb, it gives could not get any response error in postman

I build the project using the mean stack. I insert record using postman but I get one error, I try to resolve much time but not to find where is a mistake.
Postman error
This is models user.js file.which is shows userSchema details.
Models -> user.js
var mongoose = require('mongoose');
var bcrypt = require('bcryptjs');
var config = require('../config/database');
// User Schema
var UserSchema = mongoose.Schema({
name: {
type: String,
},
email: {
type: String,
required: true
},
username: {
type: String,
required: true
},
password: {
type: String,
required: true
}
});
var User = module.exports = mongoose.model('User', UserSchema);
module.exports.getUserById = function(id, callback){
User.findById(id, callback);
}
module.exports.getUserByUsername = function(username, callback){
var query = {username: username}
User.findOne(query, callback);
}
module.exports.addUser = function(newUser, callback){
bcrypt.genSalt(10, (err, salt) => {
bcrypt.hash(newUser.password, salt, (err, hash) => {
if(err) throw err;
newUSer.password = hash;
newUser.save(callback);
});
});
}
This is Routes user.js file. here router of register displays, also define add user status results that can be shown if postman value is inserted in mongo then successfully another wise unsuccessfull message.
Routes -> users.js
var express = require('express');
var router = express.Router();
var password = require('passport');
var jwt = require('jsonwebtoken');
var User = require('../models/user');
// Register
router.post('/register', function(req, res, next){
let newUser = new User({
name: req.body.name,
email: req.body.email,
username: req.body.username,
password: req.body.password
});
User.addUser(newUser, (err, user) => {
if(err){
res.json({success: false, msg:'Failed to Register User'});
} else {
res.json({success: true, msg:'User Registered'});
}
});
});
// Authenticate
router.post('/authenticate', function(req, res, next){
res.send('Authenticate');
});
// Profile
router.get('/profile', function(req, res, next){
res.send('Profile');
});
module.exports = router;
You are sending the request wrongly from Postman. You should not use x-www-form-urlencoded. Use the Raw option at send it as a json object, like this:
{
"name": "Mark Melton",
"email": "xyz#gmail.com",
"username": "shuta",
"password": "Sunala123"
}
This is how it will work, because in your routes, you are using req.body...

How to return json web token (jwt) with passport-facebook without showing it in the redirect url

I am using passport-facebook to login in a MEAN stack webapp. After successful login, I want to generate a JSON Web Token (jwt) and redirect to a page in my SPA. (res.redirect('/#/posts/'+ doc.generateJWT()); -- please see the associated code below).
My question is:
How do I send the JWT to the redirect page without showing it in the URL?
Code:
passport.serializeUser(function(user, done) {
done(null, user);
});
passport.deserializeUser(function(obj, done) {
done(null, obj);
});
passport.use(new FacebookStrategy({
clientID: FACEBOOK_APP_ID,
clientSecret: FACEBOOK_APP_SECRET,
callbackURL: FACEBOOK_CALLBACKURL
},
function(accessToken, refreshToken, profile, done) {
process.nextTick(function () {
User.findOne({'fbid':profile.id},function(err, docs) {
if (err){
//console.log('Error in SignUp: '+err);
return res.status(401).json(info);
}
else {
if (docs) {
//console.log('User already exists');
globalid = profile.id;
return done(null,docs);
} else {
// if there is no user with that fbid
// create the user
var newUser = new User();
// set the user's local credentials
newUser.fbid = profile.id;
globalid = profile.id;
newUser.firstname = profile.name.givenName;
newUser.lastname = profile.name.familyName;
newUser.gender = profile.gender;
if(profile.emails){
newUser.fbemail = profile.emails[0].value;
};
newUser.fblink = profile.profileUrl;
newUser.fbverified = profile.verified;
// save the user
newUser.save(function(err) {
if (err){
//console.log('Error in Saving user: '+err);
return res.status(401).json(info);
}
//console.log('User Registration succesful');
return done(null, newUser);
});
}
}
});
});
}));
var router = express.Router();
router.get('/auth/facebook',
passport.authenticate('facebook', { scope : 'email' }
));
router.get('/auth/facebook/callback',
passport.authenticate('facebook', { session: false, failureRedirect: '/'}),
function(req, res,done) {
var redirection = true;
User.findOne({ 'fbid': globalid }, function (err, doc){
//console.log("Generating token");
doc.token = doc.generateJWT();
doc.save(function(err) {
if (err){
//console.log('Error in Saving token for old user: '+err);
return res.status(401).json(info);
}
else
{
//console.log('User Login succesful');
redirection = doc.mobileverified;
//console.log(redirection);
//return done(null, doc);
if(doc.mobileverified === true){
console.log("Token:",doc.generateJWT());
res.redirect('/#/posts/'+ doc.generateJWT());
}
else{
console.log("Token:",doc.generateJWT());
//res.json({token: doc.generateJWT()});
res.redirect('/#/register/' + doc.generateJWT());
}
}
});
});
});
Many Thanks in advance!
If you don't wanna show your token on the url you have to send the response as json
var fbOptions = {
clientID: FACEBOOK_APP_ID,
clientSecret: FACEBOOK_APP_SECRET,
callbackURL: FACEBOOK_CALLBACKURL
};
passport.use(new FacebookStrategy(fbOptions, function(token, refreshToken, profile, done) {
var user = profile;
// NOTE: ‘my_token’ we will use later
user.my_token = 'generate your jwt token';
done(null, user);
}));
And then on your router return the token as json
app.get('/auth/facebook/callback', passport.authenticate('facebook', {session: false, failureRedirect : '/'}), function(req, res) {
// The token we have created on FacebookStrategy above
var token = req.user.my_token;
res.json({ token: token });
});

Passport.js Ajax login?

Is it possible to login via ajax with passport.js?
The thing is i'm creating a user via ajax and i want it to be logged in automatically (everything with json in a restful style) but the req.login() does some stuff that i don't know and that apparently sends its own status, headers and even it redirects to the home but and i need is to create my own json response.
The code where i create the user:
signup_facebook: function (req, res) {
var restponse = new Restponse();
var body = req.body;
var obj = {
display_name: body.first_name,
name: body.first_name,
surname: body.last_name,
photos: ['http://graph.facebook.com/'+ body.id+ '/picture?type=normal'],
gender: body.gender,
facebook: {
userID: body.id,
displayName: body.display_name
}
}
User.facebookSignUp(obj, function(user){
if(user !== false){
user = obj;
restponse.location = '/';
restponse.status = HTTPStatus.REST.C201_OK;
}else{
restponse.location = '/';
restponse.status = HTTPStatus.REST.C302_FOUND;
}
restponse.body = user;
req.login(user, {}, function(err) {
APIheart.respondJson(res, restponse);
});
})
Thanks for your time!
I found the answer in this post:
http://toon.io/on-passportjs-specific-use-cases/
// Manually establish the session...
req.login(user, function(err) {
if (err) return next(err);
return res.json({
message: 'user authenticated',
});
});

Resources