import express from 'express'
import next from 'next'
import bodyParser from 'body-parser'
import cookieParser from 'cookie-parser'
import jwt from 'jsonwebtoken'
import crypto from 'crypto'
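const dev = process.env.NODE_ENV !== 'production'
const app = next({ dev })
const handle = app.getRequestHandler()

// Secret used to sign and verify the JWT. A secret hard-coded in the source lets
// anyone who can read the repository mint valid tokens, so it is taken from the
// environment; the literal fallback survives only in development so the demo
// still starts out of the box, and production refuses to boot without it.
const jwtSecret = process.env.JWT_SECRET || (dev ? 'jwtSecret' : '')
if (!jwtSecret) {
  throw new Error('JWT_SECRET must be set when NODE_ENV=production')
}

// Constant-time comparison of two tokens, so the CSRF header check does not
// reveal through response timing how many leading characters were correct.
function tokensMatch (expected, provided) {
  const a = Buffer.from(expected)
  const b = Buffer.from(provided)
  return a.length === b.length && crypto.timingSafeEqual(a, b)
}

app.prepare().then(() => {
  const server = express()
  // Request body parsing middleware should be above methodOverride
  server.use(bodyParser.json());
  server.use(bodyParser.urlencoded({ extended: false }));
  server.use(cookieParser())

  // Verify username and password, if passed, we return jwt token for client
  // We also include xsrfToken for client, which will be used to prevent CSRF attack
  // and, you should use random complicated key (JWT Secret) to make brute forcing token very hard
  server.post('/authenticate', (req, res) => {
    const { username, password } = req.body
    // Both credentials must match. With `||` either one alone was enough, so the
    // literal 'test' as a password logged in any username at all.
    if (username === 'test' && password === 'test') {
      const token = jwt.sign({
        username: username,
        // Fresh random value per login. The previous md5(username) was
        // deterministic, so anyone who knew the username could compute it.
        xsrfToken: crypto.randomBytes(32).toString('hex')
      }, jwtSecret, {
        expiresIn: 60*60
      });
      res.status(200).json({
        success: true,
        message: 'Enjoy your token',
        token: token
      })
    } else {
      res.status(400).json({
        success: false,
        message: 'Authentication failed'
      })
    }
  })

  // Authenticate middleware
  // We will apply this middleware to every route except '/login' and '/_next'
  server.use(unless(['/login', '/_next'], (req, res, next) => {
    const token = req.cookies['x-access-token'];
    if (!token) {
      res.redirect('/login');
      return
    }
    // Pin the accepted algorithm so a token can only be verified with the
    // HMAC secret it was signed with.
    jwt.verify(token, jwtSecret, { algorithms: ['HS256'] }, (err, decoded) => {
      if (err) {
        res.redirect('/login');
      } else {
        // if everything is good, save to request for use in other routes
        req.decoded = decoded;
        next();
      }
    })
  }))

  // Api example to prevent CRSF attack
  // The expected value lives in the signed JWT (sent as a cookie); the client
  // must echo it in a header, which a cross-site form post cannot do.
  server.post('/api/preventCRSF', (req, res) => {
    const expected = req.decoded.xsrfToken
    const provided = req.get('X-XSRF-TOKEN')
    const ok = typeof expected === 'string' &&
      typeof provided === 'string' &&
      tokensMatch(expected, provided)
    if (ok) {
      res.status(200).json({
        success: true,
        message: 'Yes, this api is protected by CRSF attack'
      })
    } else {
      res.status(400).json({
        success: false,
        message: 'CRSF attack is useless'
      })
    }
  })

  server.get('*', (req, res) => {
    return handle(req, res)
  })

  server.listen(3000, (err) => {
    if (err) throw err
    console.log('> Ready on http://localhost:3000')
  })
})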
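/**
 * Wrap `middleware` so that it is skipped for requests whose path is one of
 * `paths` or lies underneath one of them (e.g. `/_next/static/x.js` under
 * `/_next`).
 *
 * The exemption is decided by exact match or by a prefix ending at a path
 * segment boundary. The earlier `req.path.includes(path)` test treated any
 * URL that merely contained the substring (`/api/reports/login`,
 * `/_nextsteps`) as exempt, which let such requests bypass the middleware.
 *
 * @param {string[]} paths Paths (or path prefixes) exempt from `middleware`.
 * @param {Function} middleware Express middleware `(req, res, next)`.
 * @returns {Function} Express middleware that delegates or skips.
 */
function unless (paths, middleware) {
  return function (req, res, next) {
    const exempt = paths.some((path) => {
      if (req.path === path) {
        return true
      }
      const prefix = path.endsWith('/') ? path : `${path}/`
      return req.path.startsWith(prefix)
    })
    if (exempt) {
      return next()
    }
    return middleware(req, res, next)
  }
}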