- Now using bcrypt to hash passwords - Switched from md5ed timestamps to JWTs (Login) and true random strings (Email confirmation / Password resets) for tokens. - Now using helmet for xss and iframe protection - Updated dependencies - Added Dependency badge Signed-off-by: Henry Gressmann <[email protected]>
1 parent
77f8a08
commit c0b6996
Showing
22 changed files
with
352 additions
and
536 deletions.
@@ -1,10 +1,9 @@ | ||
language: node_js | ||
|
||
node_js: | ||
- '6' | ||
- '5' | ||
- '5.1' | ||
- '4' | ||
- '4.1' | ||
|
||
env: | ||
- CXX=g++-4.8 | ||
|
@@ -1,19 +1,100 @@ | ||
'use strict'; | ||
const nconf = require('nconf'); | ||
const LevelDB = require('./db_level'); | ||
const MySQL = require('./db_mysql'); | ||
const MongoDB = require('./db_mongo'); | ||
const utils = require('./utils'); | ||
let Database; | ||
|
||
function Database() { | ||
nconf.defaults({ | ||
'db:dbType': 'level' | ||
}); | ||
switch (nconf.get('db:dbType')) { | ||
case 'level': | ||
return require('./db_level'); | ||
case 'mysql': | ||
return require('./db_mysql'); | ||
case 'mongo': | ||
return require('./db_mongo'); | ||
default: | ||
return require('./db_level'); | ||
} | ||
var util = require('util'); | ||
|
||
switch (nconf.get('db:dbType')) { | ||
case 'level': | ||
Database = LevelDB; | ||
break; | ||
case 'mysql': | ||
Database = MySQL; | ||
break; | ||
case 'mongo': | ||
Database = MongoDB; | ||
break; | ||
default: | ||
Database = LevelDB; | ||
} | ||
|
||
function loginCallback(callback) { | ||
return function (err, user, email) { | ||
if (email) { | ||
callback(null, user, utils.token.createToken({ email }, nconf.get('tokenSecret'), nconf.get('loginExpire'))); | ||
return; | ||
} | ||
callback(err); | ||
}; | ||
} | ||
|
||
class DB extends Database { | ||
loginUser(obj, callback) { | ||
if (obj.token) { | ||
try { | ||
obj.email = utils.token.verify(obj.token, nconf.get('tokenSecret')).email; | ||
} catch (e) { | ||
if (e) { | ||
callback('InvalidToken'); | ||
return; | ||
} | ||
} | ||
} | ||
|
||
this.getUser(obj.email, (err, user) => { | ||
if ((err && err.notFound) || user == null) { | ||
callback('UserNotFound'); | ||
return; | ||
} | ||
|
||
if (err) { | ||
callback(err); | ||
return; | ||
} | ||
// If the user has an old md5 password saved in the db | ||
if (typeof user.data.pw === 'string' && utils.hash.isMD5(user.data.pw) && !obj.token) { | ||
// And if that md5 password matches with the supplied pw | ||
if (utils.db.makePassMD5(obj.pw, user.data.salt) !== user.data.pw) { | ||
callback('IncorrectPassword'); | ||
return; | ||
} | ||
// Update the pw to a new bcrypt password | ||
user.pw = obj.pw; | ||
super.loginUser(obj.email, loginCallback(callback)); | ||
// If user has an md5 password and only supplied a token | ||
} else if (utils.hash.isMD5(user.data.pw) && obj.token) { | ||
// Say token is invalid so we get the password instead of the token next time | ||
callback('InvalidToken'); | ||
} else if (obj.token) { | ||
// Check if the token is correct | ||
utils.token.verify(obj.token, nconf.get('tokenSecret'), (err, decoded) => { | ||
if (err) { | ||
callback('InvalidToken'); | ||
return; | ||
} | ||
const email = decoded.email; | ||
super.loginUser(email, loginCallback(callback)); | ||
}); | ||
} else if (obj.pw && utils.hash.compareBcrypt(obj.pw, user.data.pw)) { | ||
super.loginUser(obj.email, loginCallback(callback)); | ||
} else { | ||
callback('IncorrectPassword'); | ||
} | ||
}); | ||
} | ||
createUser(obj, callback) { | ||
if (obj.pw) { | ||
obj.pw = utils.hash.bcrypt(obj.pw); | ||
super.createUser(obj, loginCallback(callback)); | ||
} else { | ||
callback('InvalidPassword'); | ||
} | ||
} | ||
} | ||
|
||
module.exports = new Database(); | ||
const db = new DB(); | ||
module.exports = db; |
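Review bot: The MD5-to-bcrypt migration in loginUser does not appear to happen: after the legacy check passes, `user.pw = obj.pw;` puts the plaintext password on the user object and `super.loginUser(obj.email, loginCallback(callback))` receives only the email, so nothing visible re-hashes or persists it and the account stays on MD5 at every login. Hash it the way createUser does, `user.pw = utils.hash.bcrypt(obj.pw);`, and write it back through whatever update path the parent class provides before calling super.loginUser (unless the parent persists the `user` object by reference, which the hunk does not show — please confirm). Two smaller points in the same method: the `if (e)` inside the catch is always true, and `utils.token.verify` is called synchronously in a try at the top but with a callback further down, so the callback branch is only ever reached with a token that has already verified; one form should be used consistently. Separately, returning distinct 'UserNotFound' and 'IncorrectPassword' results tells a caller whether an email is registered; consider collapsing them into one failure result unless the UI needs the distinction.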