feat(): basic features added for users, auth and basic validations.

Author: makinhs

README.md

@@ -1 +1,10 @@
-# rest-api-tutorial
+# rest-api-tutorial
+
+This project was created to help the toptal article called *Creating secure REST API Using Node.js*
+
+## Usage
+
+Make sure you have mongodb installed into your own machine and running;
+Get the project and run: `npm install`
+
+Run `npm start`. It will initialize the server at port 3600.

authorization/controllers/authorization.controller.js

@@ -0,0 +1,29 @@
+const jwtSecret = require('../../common/config/env.config.js').jwt_secret,
+    jwt = require('jsonwebtoken');
+const crypto = require('crypto');
+const uuid = require('node-uuid');
+
+exports.login = (req, res) => {
+    try {
+        let refreshId = req.body.userId + jwtSecret;
+        let salt = crypto.randomBytes(16).toString('base64');
+        let hash = crypto.createHmac('sha512', salt).update(refreshId).digest("base64");
+        req.body.refreshKey = salt;
+        let token = jwt.sign(req.body, jwtSecret);
+        let b = new Buffer(hash);
+        let refresh_token = b.toString('base64');
+        res.status(201).send({accessToken: token, refreshToken: refresh_token});
+    } catch (err) {
+        res.status(500).send({errors: err});
+    }
+};
+
+exports.refresh_token = (req, res) => {
+    try {
+        req.body = req.jwt;
+        let token = jwt.sign(req.body, jwtSecret);
+        res.status(201).send({id: token});
+    } catch (err) {
+        res.status(500).send({errors: err});
+    }
+};

authorization/middlewares/verify.user.middleware.js

@@ -0,0 +1,48 @@
+const UserModel = require('../../users/models/users.model');
+const crypto = require('crypto');
+
+exports.hasAuthValidFields = (req, res, next) => {
+    let errors = [];
+
+    if (req.body) {
+        if (!req.body.email) {
+            errors.push('Missing email field');
+        }
+        if (!req.body.password) {
+            errors.push('Missing password field');
+        }
+
+        if (errors.length) {
+            return res.status(400).send({errors: errors.join(',')});
+        } else {
+            return next();
+        }
+    } else {
+        return res.status(400).send({errors: 'Missing email and password fields'});
+    }
+};
+
+exports.isPasswordAndUserMatch = (req, res, next) => {
+    UserModel.findByEmail(req.body.email)
+        .then((user)=>{
+            if(!user[0]){
+                res.status(404).send({});
+            }else{
+                let passwordFields = user[0].password.split('$');
+                let salt = passwordFields[0];
+                let hash = crypto.createHmac('sha512', salt).update(req.body.password).digest("base64");
+                if (hash === passwordFields[1]) {
+                    req.body = {
+                        userId: user[0]._id,
+                        email: user[0].email,
+                        permissionLevel: user[0].permissionLevel,
+                        provider: 'email',
+                        name: user[0].firstName + ' ' + user[0].lastName,
+                    };
+                    return next();
+                } else {
+                    return res.status(400).send({errors: ['Invalid e-mail or password']});
+                }
+            }
+        });
+};

authorization/routes.config.js

@@ -0,0 +1,18 @@
+const VerifyUserMiddleware = require('./middlewares/verify.user.middleware');
+const AuthorizationController = require('./controllers/authorization.controller');
+const AuthValidationMiddleware = require('../common/middlewares/auth.validation.middleware');
+exports.routesConfig = function (app) {
+
+    app.post('/auth', [
+        VerifyUserMiddleware.hasAuthValidFields,
+        VerifyUserMiddleware.isPasswordAndUserMatch,
+        AuthorizationController.login
+    ]);
+
+    app.post('/auth/refresh', [
+        AuthValidationMiddleware.validJWTNeeded,
+        AuthValidationMiddleware.verifyRefreshBodyField,
+        AuthValidationMiddleware.validRefreshNeeded,
+        AuthorizationController.login
+    ]);
+};

common/config/env.config.js

@@ -0,0 +1,13 @@
+module.exports = {
+    "port": 3600,
+    "appEndpoint": "http://localhost:3600",
+    "apiEndpoint": "http;//localhost:3600",
+    "jwt_secret": "myS33!!creeeT",
+    "jwt_expiration_in_seconds": 36000,
+    "environment": "dev",
+    "permissionLevels": {
+        "NORMAL_USER": 1,
+        "PAID_USER": 4,
+        "ADMIN": 2048
+    }
+};

common/middlewares/auth.permission.middleware.js

@@ -0,0 +1,43 @@
+const jwt = require('jsonwebtoken'),
+    secret = require('../config/env.config')['jwt_secret'];
+
+const ADMIN_PERMISSION = 4096;
+
+exports.minimumPermissionLevelRequired = (required_permission_level) => {
+    return (req, res, next) => {
+        let user_permission_level = parseInt(req.jwt.permissionLevel);
+        let userId = req.jwt.userId;
+        if (user_permission_level & required_permission_level) {
+            return next();
+        } else {
+            return res.status(403).send();
+        }
+    };
+};
+
+exports.onlySameUserOrAdminCanDoThisAction = (req, res, next) => {
+
+    let user_permission_level = parseInt(req.jwt.permissionLevel);
+    let userId = req.jwt.userId;
+    if (req.params && req.params.userId && userId === req.params.userId) {
+        return next();
+    } else {
+        if (user_permission_level & ADMIN_PERMISSION) {
+            return next();
+        } else {
+            return res.status(403).send();
+        }
+    }
+
+};
+
+exports.sameUserCantDoThisAction = (req, res, next) => {
+    let userId = req.jwt.userId;
+
+    if (req.params.userId !== userId) {
+        return next();
+    } else {
+        return res.status(400).send();
+    }
+
+};

common/middlewares/auth.validation.middleware.js

@@ -0,0 +1,43 @@
+const jwt = require('jsonwebtoken'),
+    secret = require('../config/env.config.js').jwt_secret,
+    crypto = require('crypto');
+
+exports.verifyRefreshBodyField = (req, res, next) => {
+    if (req.body && req.body.refresh_token) {
+        return next();
+    } else {
+        return res.status(400).send({error: 'need to pass refresh_token field'});
+    }
+};
+
+exports.validRefreshNeeded = (req, res, next) => {
+    let b = new Buffer(req.body.refresh_token, 'base64');
+    let refresh_token = b.toString();
+    let hash = crypto.createHmac('sha512', req.jwt.refresh_key).update(req.jwt.user_id + secret).digest("base64");
+    if (hash === refresh_token) {
+        req.body = req.jwt;
+        return next();
+    } else {
+        return res.status(400).send({error: 'Invalid refresh token'});
+    }
+};
+
+
+exports.validJWTNeeded = (req, res, next) => {
+    if (req.headers['authorization']) {
+        try {
+            let authorization = req.headers['authorization'].split(' ');
+            if (authorization[0] !== 'Bearer') {
+                return res.status(401).send();
+            } else {
+                req.jwt = jwt.verify(authorization[1], secret);
+                return next();
+            }
+
+        } catch (err) {
+            return res.status(403).send();
+        }
+    } else {
+        return res.status(401).send();
+    }
+};

index.js

@@ -0,0 +1,30 @@
+const config = require('./common/config/env.config.js');
+
+const express = require('express');
+const app = express();
+const bodyParser = require('body-parser');
+
+const AuthorizationRouter = require('./authorization/routes.config');
+const UsersRouter = require('./users/routes.config');
+
+app.use(function (req, res, next) {
+    res.header('Access-Control-Allow-Origin', '*');
+    res.header('Access-Control-Allow-Credentials', 'true');
+    res.header('Access-Control-Allow-Methods', 'GET,HEAD,PUT,PATCH,POST,DEconstE');
+    res.header('Access-Control-Expose-Headers', 'Content-Length');
+    res.header('Access-Control-Allow-Headers', 'Accept, Authorization, Content-Type, X-Requested-With, Range');
+    if (req.method === 'OPTIONS') {
+        return res.send(200);
+    } else {
+        return next();
+    }
+});
+
+app.use(bodyParser.json());
+AuthorizationRouter.routesConfig(app);
+UsersRouter.routesConfig(app);
+
+
+app.listen(config.port, function () {
+    console.log('app listening at port %s', config.port);
+});

package.json

@@ -0,0 +1,31 @@
+{
+  "name": "rest-api-tutorial",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "start": "node index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/makinhs/rest-api-tutorial.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/makinhs/rest-api-tutorial/issues"
+  },
+  "homepage": "https://github.com/makinhs/rest-api-tutorial#readme",
+  "dependencies": {
+    "body-parser": "1.7.0",
+    "express": "^4.8.7",
+    "jsonwebtoken": "^7.3.0",
+    "moment": "^2.17.1",
+    "moment-timezone": "^0.5.13",
+    "mongoose": "^5.1.1",
+    "node-uuid": "^1.4.8",
+    "swagger-ui-express": "^2.0.13",
+    "sync-request": "^4.0.2"
+  }
+}

users/controllers/users.controller.js

@@ -0,0 +1,55 @@
+const UserModel = require('../models/users.model');
+const crypto = require('crypto');
+
+exports.insert = (req, res) => {
+    let salt = crypto.randomBytes(16).toString('base64');
+    let hash = crypto.createHmac('sha512', salt).update(req.body.password).digest("base64");
+    req.body.password = salt + "$" + hash;
+    req.body.permissionLevel = 1;
+    UserModel.createUser(req.body)
+        .then((result) => {
+            res.status(201).send({id: result._id});
+        });
+};
+
+exports.list = (req, res) => {
+    let limit = req.query.limit && req.query.limit <= 100 ? parseInt(req.query.limit) : 10;
+    let page = 0;
+    if (req.query) {
+        if (req.query.page) {
+            req.query.page = parseInt(req.query.page);
+            page = Number.isInteger(req.query.page) ? req.query.page : 0;
+        }
+    }
+    UserModel.list(limit, page)
+        .then((result) => {
+            res.status(200).send(result);
+        })
+};
+
+exports.getById = (req, res) => {
+    UserModel.findById(req.params.userId)
+        .then((result) => {
+            res.status(200).send(result);
+        });
+};
+exports.patchById = (req, res) => {
+    if (req.body.password) {
+        let salt = crypto.randomBytes(16).toString('base64');
+        let hash = crypto.createHmac('sha512', salt).update(req.body.password).digest("base64");
+        req.body.password = salt + "$" + hash;
+    }
+
+    UserModel.patchUser(req.params.userId, req.body)
+        .then((result) => {
+            res.status(204).send({});
+        });
+
+};
+
+exports.removeById = (req, res) => {
+    UserModel.removeById(req.params.userId)
+        .then((result)=>{
+            res.status(204).send({});
+        });
+};