From 392a3fb9fde9bce2c33df57b1853d9001eaf54da Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:13:46 +0530
Subject: [PATCH 01/11] changed request type to get for fetching files.

---
 server/index.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server/index.js b/server/index.js
index 9b6b768..2aed09d 100644
--- a/server/index.js
+++ b/server/index.js
@@ -277,8 +277,10 @@ app.post("/api/upload", authMiddleware, async (req, res) => {
     }
 })
 
-app.post("/api/user/files", authMiddleware, async (req, res) => {
-    const metadata = await magic.users.getMetadataByToken(req.headers.authorization.substring(7));
+app.get("/api/user/files", authMiddleware, async (req, res) => {
+    const metadata = await magic.users.getMetadataByToken(
+        req.headers.authorization.substring(7)
+    );
     const magic_id = metadata.issuer;
     const user = await User.findOne({ magic_id: magic_id });
     if (!user) {
From 62720dc3003e2f75499d73150a1902e413780cfd Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:16:08 +0530
Subject: [PATCH 02/11] new middleware added for secure authentication

---
 server/middlewares/authenticate.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 server/middlewares/authenticate.js

diff --git a/server/middlewares/authenticate.js b/server/middlewares/authenticate.js
new file mode 100644
index 0000000..3f4f876
--- /dev/null
+++ b/server/middlewares/authenticate.js
@@ -0,0 +1,15 @@
+const { Magic } = require("@magic-sdk/admin");
+const magic = new Magic(process.env.MAGIC_SECRET_KEY);
+
+const authMiddleware = async (req, res, next) => {
+  console.log("Auth middleware 2 called");
+  try {
+    const { didToken } = req.cookies;
+    await magic.token.validate(didToken);
+    next();
+  } catch (error) {
+    return res.status(401).json({ error: error.message });
+  }
+};
+
+module.exports = authMiddleware;
From 130075c2d6cdbbeb1666ec70a49ed8e6fd9b15c8 Mon Sep 17 00:00:00 2001
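Review bot: The handler, now reachable by GET, still takes its token from `req.headers.authorization.substring(7)` with nothing in the hunk checking that the header exists or carries a `Bearer ` prefix; a request without it throws a TypeError inside an async handler, which Express 4 does not forward to the error handler, so no response is ever sent. If `authMiddleware` already rejects such requests this is only defence in depth, but the handler cannot tell on its own. A guard such as `const token = req.headers.authorization?.split(" ")[1]; if (!token) return res.status(401).json({ error: "Missing token" });` ahead of `getMetadataByToken` keeps the failure explicit. The handler body continues past the hunk.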
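Review bot: `next()` is called inside the `try`, so a synchronous exception thrown by whatever handler runs next is caught here and answered as a 401 carrying that error's text, and the validator's own `error.message` is likewise echoed to the client verbatim; validate first, respond with a fixed body on failure, and hand off after the `try`. `const { didToken } = req.cookies` also assumes `cookie-parser` is mounted (it is only added in a later patch of this series), and an absent cookie is rejected only if `magic.token.validate` throws on `undefined`, which cannot be seen here, so an explicit presence check is the safer order. `console.log("Auth middleware 2 called")` reads as leftover debugging and should go.
```javascript
const authMiddleware = async (req, res, next) => {
  // Requires cookie-parser to be mounted before this middleware.
  const didToken = req.cookies?.didToken;
  if (!didToken) {
    return res.status(401).json({ error: "Unauthorized" });
  }
  try {
    await magic.token.validate(didToken);
  } catch (error) {
    // Keep validator details out of the response; log server-side if needed.
    return res.status(401).json({ error: "Unauthorized" });
  }
  return next();
};
```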
From: detronetdip
Date: Sun, 25 Sep 2022 01:19:19 +0530
Subject: [PATCH 03/11] cookieparser added

---
 server/index.js | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/server/index.js b/server/index.js
index 2aed09d..da76e7e 100644
--- a/server/index.js
+++ b/server/index.js
@@ -1,13 +1,4 @@
-const express = require('express');
-const cors = require('cors');
-const mongoose = require('mongoose');
-const User = require('./models/user')
-const { v4: uuidv4 } = require('uuid');
-const { Magic } = require('@magic-sdk/admin');
-const authMiddleware = require('./middlewares/authMiddleware');
-const { fs, readFileSync, createWriteStream, unlink, readdirSync, rmSync, unlinkSync } = require('fs');
-require('dotenv').config();
-const jscrypt = require('jscrypt');
+const cookieParser = require("cookie-parser");
 const { create } = require("ipfs-http-client");
 const fileUpload = require('express-fileupload');
 
@@ -44,6 +35,7 @@ const magic = new Magic(process.env.MAGIC_SECRET_KEY);
 
 app.use(cors());
 app.use(express.json());
+app.use(cookieParser());
 app.use(express.urlencoded({ extended: true }));
 app.use(fileUpload());
 
From 30145daf903e07ee5b30bba6f6395efacad3ade1 Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:20:33 +0530
Subject: [PATCH 04/11] changed request type with cookie config

---
 client/src/pages/myFiles/MyFiles.jsx | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/client/src/pages/myFiles/MyFiles.jsx b/client/src/pages/myFiles/MyFiles.jsx
index 8ff3347..84f3a54 100644
--- a/client/src/pages/myFiles/MyFiles.jsx
+++ b/client/src/pages/myFiles/MyFiles.jsx
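Review bot: The ten removed `require` lines include `express`, `cors`, `Magic`, `User` and `authMiddleware`, yet the second hunk's context still executes `app.use(cors())` and `app.use(express.json())`, and a later patch in this series still calls `magic.users` and `User.findOne` in this file; unless those modules are required again in the lines not shown (new lines 5–34), the file fails with a ReferenceError at startup. If the deletion is intentional deduplication the commit message should say so; otherwise only the `cookie-parser` line belongs in this hunk.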
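Review bot: `app.use(cookieParser())` is registered, but the context line above it, `app.use(cors())`, keeps the default CORS configuration, which answers with `Access-Control-Allow-Origin: *` and no `Access-Control-Allow-Credentials`; browsers refuse to attach cookies to such a cross-origin exchange, so the `withCredentials: true` requests added to MyFiles.jsx and Home.jsx later in this series will not carry the `didToken` cookie when the client runs on another origin, which `REACT_APP_SERVER_URL` suggests it does. Configure it explicitly, e.g. `app.use(cors({ origin: process.env.CLIENT_ORIGIN, credentials: true }));`, where `CLIENT_ORIGIN` is a placeholder for the allowed front-end origin. `cookieParser()` without a secret is fine here since the cookie is never signed.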
@@ -25,7 +25,13 @@ function MyFiles() {
 
   useEffect(() => {
     setIsLoading(true);
-    Axios.post(`${process.env.REACT_APP_SERVER_URL}/api/user/files`, {}, { headers: { Authorization: 'Bearer ' + window.localStorage.getItem("didToken") } }).then(res => {
+    Axios.get(
+      `${process.env.REACT_APP_SERVER_URL}/api/user/files`,
+      {
+        withCredentials:true
+      }
+    )
+    .then((res) => {
       console.log(res.data.files);
       setOwner(res.data.owner);
       setFiles(res.data.files);
From c2b2dfc6f9cd0ebb7e898742f08f21031c800651 Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:26:18 +0530
Subject: [PATCH 05/11] added cookie based token mechanism

---
 server/index.js | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/server/index.js b/server/index.js
index da76e7e..530433c 100644
--- a/server/index.js
+++ b/server/index.js
@@ -185,9 +185,13 @@ const addFile = async (fileName, filePath) => {
     return fileAdded;
 }
 
-app.post("/api/upload", authMiddleware, async (req, res) => {
-    const metadata = await magic.users.getMetadataByToken(req.headers.authorization.substring(7));
-    const user = await User.findOne({ magic_id: metadata.issuer }, { encryption_key: 1 });
+app.post("/api/upload", authenticate, async (req, res) => {
+    const { didToken } = req.cookies;
+    const metadata = await magic.users.getMetadataByToken(didToken);
+    const user = await User.findOne(
+        { magic_id: metadata.issuer },
+        { encryption_key: 1 }
+    );
     console.log(user);
     if (metadata.issuer === "") {
         return res.status(500).json({ error: "User is not authenticated" });
From 1c60887ca17492dc1c37fa628d1f765c51ddc445 Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:27:15 +0530
Subject: [PATCH 06/11] cofigure to sent cookies with header

---
 client/src/pages/home/Home.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/src/pages/home/Home.jsx b/client/src/pages/home/Home.jsx
index 05c1dcb..22c2174 100644
--- a/client/src/pages/home/Home.jsx
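Review bot: This request now carries only the cookie (`withCredentials:true`) and no `Authorization` header, but the handler it targets — the GET `/api/user/files` route in server/index.js from the first patch of this series — still sits behind the header-based `authMiddleware` and reads `req.headers.authorization.substring(7)`, so the call is rejected or throws server-side until that handler reads `req.cookies.didToken` behind the cookie middleware, as `/api/upload` does in the fifth patch. Style-wise `withCredentials:true` lacks the space after the colon that the removed line's `headers:` and `Authorization:` keys use. The `.then` chain continues beyond the hunk, so whether a `.catch` follows is not visible here.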
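Review bot: `app.post("/api/upload", authenticate, ...)` references `authenticate`, but no hunk of this series adds a `require` for `./middlewares/authenticate` to server/index.js (the third patch even removes this file's `authMiddleware` require), so unless it is imported in lines not shown the route registration throws a ReferenceError at startup. Separately, the new `User.findOne(..., { encryption_key: 1 })` projection selects `encryption_key`, and the context line right after it, `console.log(user);`, writes that document — key included — to the server log on every upload; drop that line or log only `user._id`. The `if (metadata.issuer === "")` check that follows runs only after the database lookup and answers 500 rather than 401 for an unauthenticated caller. The handler continues past the hunk.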
+++ b/client/src/pages/home/Home.jsx
@@ -47,9 +47,9 @@ function Home() {
 
     //upload files to server
     Axios.post(`${process.env.REACT_APP_SERVER_URL}/api/upload`, formData, {
+      withCredentials:true,
       headers: {
         'Content-Type': 'multipart/form-data',
-        'Authorization': 'Bearer ' + window.localStorage.getItem("didToken")
       }
     })
     .then(res => {
From 7216de820562c70be2a1bfd782da9b62e97b6f7b Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:36:49 +0530
Subject: [PATCH 07/11] changed spelling

---
 server/middlewares/authenticate.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/middlewares/authenticate.js b/server/middlewares/authenticate.js
index 3f4f876..c76d329 100644
--- a/server/middlewares/authenticate.js
+++ b/server/middlewares/authenticate.js
@@ -1,7 +1,7 @@
 const { Magic } = require("@magic-sdk/admin");
 const magic = new Magic(process.env.MAGIC_SECRET_KEY);
 
-const authMiddleware = async (req, res, next) => {
+const authenticate = async (req, res, next) => {
   console.log("Auth middleware 2 called");
   try {
     const { didToken } = req.cookies;
@@ -12,4 +12,4 @@ const authMiddleware = async (req, res, next) => {
   }
 };
 
-module.exports = authMiddleware;
+module.exports = authenticate;
From fa8f67f7b25ca92492b76919de4afaad8fbd962e Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 01:59:09 +0530
Subject: [PATCH 08/11] cookie-parser added

---
 server/package.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/package.json b/server/package.json
index aaa9a5e..d1bda68 100644
--- a/server/package.json
+++ b/server/package.json
@@ -12,6 +12,7 @@
   "license": "ISC",
   "dependencies": {
     "@magic-sdk/admin": "^1.4.1",
+    "cookie-parser": "^1.4.6",
     "cors": "^2.8.5",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
From 42ad3a617536b8d2473c8fb462de8150e2ec72f0 Mon Sep 17 00:00:00 2001
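Review bot: `withCredentials:true,` is the only property in this options object written without a space after the colon; `withCredentials: true,` would match the `headers` entries below it. Whether the browser actually attaches the cookie to this cross-origin upload depends on the server's CORS settings and on the cookie's `SameSite`/`Secure` attributes, which are decided in other patches of this series, not here.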
From: detronetdip
Date: Sun, 25 Sep 2022 05:28:05 +0530
Subject: [PATCH 09/11] package added

---
 server/package-lock.json | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/server/package-lock.json b/server/package-lock.json
index 31ccf74..24c1f87 100644
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -10,6 +10,7 @@
       "license": "ISC",
       "dependencies": {
         "@magic-sdk/admin": "^1.4.1",
+        "cookie-parser": "^1.4.6",
         "cors": "^2.8.5",
         "dotenv": "^16.0.1",
         "express": "^4.18.1",
@@ -733,6 +734,26 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/cookie-parser": {
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.6.tgz",
+      "integrity": "sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==",
+      "dependencies": {
+        "cookie": "0.4.1",
+        "cookie-signature": "1.0.6"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/cookie-parser/node_modules/cookie": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
+      "integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -3565,6 +3586,22 @@
       "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.5.0.tgz",
       "integrity": "sha512-YZ3GUyn/o8gfKJlnlX7g7xq4gyO6OSuhGPKaaGssGB2qgDUS0gPgtTvoyZLTt9Ab6dC4hfc9dV5arkvc/OCmrw=="
     },
+    "cookie-parser": {
+      "version": "1.4.6",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.6.tgz",
+      "integrity": "sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==",
+      "requires": {
+        "cookie": "0.4.1",
+        "cookie-signature": "1.0.6"
+      },
+      "dependencies": {
+        "cookie": {
+          "version": "0.4.1",
+          "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
+          "integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA=="
+        }
+      }
+    },
     "cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
From 1b820747c7fb4006c30b541b3a3d86a5965373fb Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 05:48:26 +0530
Subject: [PATCH 10/11] cookie based token added

---
 client/src/pages/signin/Signin.jsx | 4 ++--
 server/routes/auth.js | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/client/src/pages/signin/Signin.jsx b/client/src/pages/signin/Signin.jsx
index 3ad6177..e7bf288 100644
--- a/client/src/pages/signin/Signin.jsx
+++ b/client/src/pages/signin/Signin.jsx
@@ -87,9 +87,9 @@ function Signin() {
       let userMetadata = await magic.user.getMetadata();
       await setUser(userMetadata);
       let newDidToken = await magic.user.getIdToken({ lifespan: 24 * 60 * 60 * 7 });
-      window.localStorage.setItem("didToken", newDidToken);
+      // window.localStorage.setItem("didToken", newDidToken);
       // cookie.set("didToken", newDidToken);
-      await Axios.post(`${process.env.REACT_APP_SERVER_URL}/api/user/create`, { magic_id: userMetadata.issuer, user_name: userName, email: email }, { headers: { Authorization: 'Bearer ' + window.localStorage.getItem("didToken") } }).then((res) => {
+      await Axios.post(`${process.env.REACT_APP_SERVER_URL}/api/user/create`, { magic_id: userMetadata.issuer, user_name: userName, email: email }, { headers: { Authorization: 'Bearer ' + newDidToken } }).then((res) => {
         console.log(res.data);
       }).catch((err) => {
         console.log(err);
diff --git a/server/routes/auth.js b/server/routes/auth.js
index 4f85783..69f0c9a 100644
--- a/server/routes/auth.js
+++ b/server/routes/auth.js
@@ -22,6 +22,7 @@ router.post('/api/user/create', authMiddleware, async (req, res) => {
     const magic_id = req.body.magic_id;
     const user_name = req.body.user_name;
     const email = req.body.email;
+    const didToken = req.headers.authorization.substring(7);
 
     if (!user_name || !magic_id || !email) {
         return res.status(400).json({ error: "Missing required fields" });
@@ -41,6 +42,7 @@ router.post('/api/user/create', authMiddleware, async (req, res) => {
         })
         console.log("saving user")
         await user.save();
+        res.cookie('didToken',didToken,{httpOnly:true})
         return res.status(200).json({ message: "User created successfully" });
     } else {
 
From 0fb0b1ecb42db4b2869eea513392065b5987a58c Mon Sep 17 00:00:00 2001
From: detronetdip
Date: Sun, 25 Sep 2022 05:52:46 +0530
Subject: [PATCH 11/11] authenticate middleware added

---
 server/routes/user.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/routes/user.js b/server/routes/user.js
index 4793801..e508123 100644
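Review bot: The `localStorage.setItem` call is commented out rather than deleted, leaving two dead lines (`// window.localStorage.setItem(...)` and the pre-existing `// cookie.set(...)`) beside the live code; since the bearer token is now taken from `newDidToken` directly, delete both. Not persisting a seven-day DID token in `localStorage` is the right direction, but any other client code that still calls `localStorage.getItem("didToken")` after this patch will read nothing, so that is worth checking before merge. The surrounding `async` function begins and ends outside the hunk.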
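Review bot: `res.cookie('didToken',didToken,{httpOnly:true})` stores a token the client requested with a seven-day lifespan yet sets no `maxAge`/`expires` (so it is a session cookie), no `secure` and no `sameSite`; because the client calls this API from another origin with `withCredentials`, Chromium-based browsers treat the missing attribute as `SameSite=Lax` and will not send the cookie on those cross-site requests at all, so the cookie-guarded routes in this series would never see it. Set the attributes explicitly, e.g. `res.cookie('didToken', didToken, { httpOnly: true, secure: true, sameSite: 'none', maxAge: 7 * 24 * 60 * 60 * 1000 });` (`sameSite: 'none'` requires `secure`). The cookie is only set on the new-user branch; the `} else {` branch at the end of the hunk continues outside it, and if it does not also set the cookie, returning users never receive one. The `didToken` read in the first hunk via `req.headers.authorization.substring(7)` relies on `authMiddleware` having already verified that header, which is not visible here.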
--- a/server/routes/user.js
+++ b/server/routes/user.js
@@ -1,5 +1,6 @@
 const router = require("express").Router();
 const authMiddleware = require("../middlewares/authMiddleware");
+const authenticate=require("../middlewares/authenticate")
 const User = require('../models/user')
 const { Magic } = require('@magic-sdk/admin');
 const magic = new Magic(process.env.MAGIC_SECRET_KEY);
@@ -19,7 +20,7 @@ router.post('/api/user/check', async (req, res) => {
 })
 
 
-router.post("/api/user/files", authMiddleware, async (req, res) => {
+router.post("/api/user/files", authenticate, async (req, res) => {
     const metadata = await magic.users.getMetadataByToken(req.headers.authorization.substring(7));
     const magic_id = metadata.issuer;
     const user = await User.findOne({ magic_id: magic_id });
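Review bot: The route is now guarded by `authenticate`, which validates `req.cookies.didToken`, but the next line still derives the caller's identity from a different value, `req.headers.authorization.substring(7)`, which the new middleware never checks; unless `magic.users.getMetadataByToken` verifies the token itself (not visible here) the user lookup keys on an unvalidated header, and for a client that sends only the cookie the header is absent and the call throws a TypeError. Use the value that was validated: `const { didToken } = req.cookies;` followed by `const metadata = await magic.users.getMetadataByToken(didToken);`, as the fifth patch does for `/api/upload`. The first hunk also leaves both `authMiddleware` and `authenticate` required in this file, so two authentication schemes stay live side by side, and `const authenticate=require("../middlewares/authenticate")` should take the spacing and semicolon of its neighbours. The handler continues past the hunk.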