diff --git a/package.json b/package.json
index 6b4363f..61c1707 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "auth-server",
- "version": "1.3.1",
+ "version": "1.3.2",
 "description": "An API centric auth server. Uses Sequelize and mariaDB by default.",
 "main": "server/server.js",
 "scripts": {
diff --git a/server/auth/account-delete.js b/server/auth/account-delete.js
index 6e7b782..4aad5b0 100644
--- a/server/auth/account-delete.js
+++ b/server/auth/account-delete.js
@@ -9,18 +9,26 @@ const { accounts } = require('../database/models');
 
 //auth/deletion
 const route = async (req, res) => {
+ if (!req.body.password) {
+ return res.status(401).end('Missing password');
+ }
+
 const account = await accounts.findOne({
 where: {
- index: req.user.index
+ index: req.user.index || ''
 }
 });
 
+ if (!account) {
+ return res.status(401).end('Missing account');
+ }
+
 //compare the user's password
 const compare = utils.promisify(bcrypt.compare);
- const match = await compare(req.body.password || '', account.hash);
+ const match = await compare(req.body.password, account.hash);
 
 if (!match) {
- return res.status(401).send('incorrect password');
+ return res.status(401).send('Incorrect password');
 }
 
 //set the deletion time (2 days from now)
diff --git a/server/auth/account-query.js b/server/auth/account-query.js
index 9350da7..5031ff5 100644
--- a/server/auth/account-query.js
+++ b/server/auth/account-query.js
@@ -4,12 +4,12 @@ const { accounts } = require('../database/models');
 const route = async (req, res) => {
 const account = await accounts.findOne({
 where: {
- index: req.user.index
+ index: req.user.index || ''
 }
 });
 
 if (!account) {
- return res.status(401).send('Unknown account');
+ return res.status(401).end('Unknown account');
 }
 
 //respond with the private-facing data
diff --git a/server/auth/account-update.js b/server/auth/account-update.js
index 74a7476..7745f67 100644
--- a/server/auth/account-update.js
+++ b/server/auth/account-update.js
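Review bot: `index: req.user.index || ''` turns a missing user index into a lookup for the empty-string key instead of a rejection; whether that can match a row depends on the column type, so it is safer to fail first, `if (!req.user.index) { return res.status(401).end('Missing account'); }`, and drop the `|| ''` (the account-query hunk adds the same fallback). The new `if (!req.body.password)` guard only screens falsy values, so a JSON body carrying an object or array as `password` still reaches `bcrypt.compare`, which rejects a non-string argument and leaves this async route with an unhandled rejection unless a wrapper outside the hunk catches it; `if (typeof req.body.password !== 'string' || req.body.password === '')` covers both cases. The same truthiness-only guard is introduced in account-update, in login's validateDetails and in signup's validateDetails. The route body continues past the hunk.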
@@ -3,13 +3,13 @@ const { accounts } = require('../database/models');
 
 //auth/update
 const route = async (req, res) => {
- //generate the password hash
- let hash;
-
- if (req.body.password) {
- hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));
+ if (!req.body.password) {
+ return res.status(401).end('Missing password');
 }
 
+ //generate the password hash
+ let hash = await bcrypt.hash(req.body.password, await bcrypt.genSalt(11));
+
 //update the account
 await accounts.update({
 contact: req.body.contact,
diff --git a/server/auth/index.js b/server/auth/index.js
index fd445a1..fd0151e 100644
--- a/server/auth/index.js
+++ b/server/auth/index.js
@@ -17,6 +17,9 @@ router.post('/token', require('./token'));
 //middleware
 router.use(tokenAuth);
 
+//logouts allowed when banned, still needs tokens
+router.delete('/logout', require('./logout'));
+
 router.use(async (req, res, next) => {
 const record = await accounts.findOne({
 where: {
@@ -36,7 +39,6 @@ router.use(async (req, res, next) => {
 });
 
 //basic account management (needs a token)
-router.delete('/logout', require('./logout'));
 router.get('/account', require('./account-query'));
 router.patch('/account', require('./account-update'));
 router.delete('/account', require('./account-delete'));
diff --git a/server/auth/login.js b/server/auth/login.js
index d88fb12..59f3601 100644
--- a/server/auth/login.js
+++ b/server/auth/login.js
@@ -13,7 +13,7 @@ const route = async (req, res) => {
 //validate the given details
 const validateErr = await validateDetails(req.body);
 if (validateErr) {
- return res.status(401).send(validateErr);
+ return res.status(401).end(validateErr);
 }
 
 //get the existing account
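Review bot: A password set here bypasses the minimum-length rule that signup's validateDetails enforces in this same commit (`if (body.password.length < 8)`), so PATCH /account can replace a compliant password with a one-character one. Add the same check before hashing, `if (typeof req.body.password !== 'string' || req.body.password.length < 8) { return res.status(401).end('Password too short'); }`. `let hash` is never reassigned in the visible lines and can be `const hash`. The route body continues past the hunk.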
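Review bot: Registering `/logout` ahead of the account-lookup middleware means logout.js now runs with only what tokenAuth attached to `req`; if it reads anything the `router.use` below derives from `record`, that value is no longer present, which is worth confirming against logout.js. The added comment would carry more of that reasoning as `//registered before the account/ban check below so banned users can still end their session; tokenAuth has already run`. The middleware opened on the last line of the hunk continues past it.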
@@ -55,13 +55,18 @@ const route = async (req, res) => {
 };
 
 const validateDetails = async (body) => {
- //basic formatting (with an exception for the default admin account)
- if (!validateEmail(body.email) && body.email != `${process.env.ADMIN_DEFAULT_USERNAME}@${process.env.WEB_ADDRESS}`) {
- return 'invalid email';
+ if (!body.email) {
+ return 'Missing email';
 }
 
- //check for existing (banned)
- //TODO: restore banning
+ if (!body.password) {
+ return 'Missing password';
+ }
+
+ //basic formatting (with an exception for the default admin account)
+ if (!validateEmail(body.email) && body.email != `${process.env.ADMIN_DEFAULT_USERNAME}@${process.env.WEB_ADDRESS}`) {
+ return 'Invalid email';
+ }
 
 return null;
 }
diff --git a/server/auth/signup.js b/server/auth/signup.js
index 3779a62..675e3d7 100644
--- a/server/auth/signup.js
+++ b/server/auth/signup.js
@@ -46,11 +46,11 @@ const route = async (req, res) => {
 const validateDetails = async (body) => {
 //basic formatting
 if (!validateEmail(body.email)) {
- return 'invalid email';
+ return 'Invalid email';
 }
 
 if (!validateUsername(body.username)) {
- return 'invalid username';
+ return 'Invalid username';
 }
 
 //check for existing (banned)
@@ -64,23 +64,31 @@ const validateDetails = async (body) => {
 });
 
 if (emailRecord) {
- return 'email already exists';
+ return 'Email already exists';
+ }
+
+ if (!body.username) {
+ return 'Missing username';
 }
 
 //check for existing username
 const usernameRecord = await accounts.findOne({
 where: {
- username: body.username || ''
+ username: body.username
 }
 });
 
 if (usernameRecord) {
- return 'username already exists';
+ return 'Username already exists';
 }
 
 //validate password
+ if (!body.password) {
+ return 'Missing password';
+ }
+
 if (body.password.length < 8) {
- return 'password too short';
+ return 'Password too short';
 }
 
 return null;
diff --git a/server/auth/validation.js b/server/auth/validation.js
index 0227d4b..b2c86f6 100644
--- a/server/auth/validation.js
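Review bot: The re-added admin exception compares with loose `!=` and builds the exception address from `process.env.ADMIN_DEFAULT_USERNAME` and `process.env.WEB_ADDRESS` even when those are unset, in which case a body email of the literal `undefined@undefined` skips the format check. Compute the address only when both variables are defined, `const adminEmail = process.env.ADMIN_DEFAULT_USERNAME && process.env.WEB_ADDRESS ? process.env.ADMIN_DEFAULT_USERNAME + '@' + process.env.WEB_ADDRESS : null;`, and compare with `body.email !== adminEmail`. The credential check that follows validation is outside this hunk, so the exposure appears limited to a skipped sanity check rather than a login bypass.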
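Review bot: The `Missing username` and `Missing password` guards are placed after the email lookup, and for username after `validateUsername(body.username)` has already run in the earlier hunk of this file, so an absent username reaches that helper before the guard does (whether it tolerates `undefined` is not visible here). Moving both guards to the top of validateDetails, ahead of the format checks, rejects malformed bodies before any database query and matches the order login's validateDetails uses in this commit. The function continues past the hunk.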
+++ b/server/auth/validation.js
@@ -11,11 +11,11 @@ const route = async (req, res) => {
 //check the given info
 if (!info) {
- return res.status(401).send('validation failed');
+ return res.status(401).send('Validation failed');
 }
 
 if (info.token != req.query.token) {
- return res.status(401).send('tokens do not match');
+ return res.status(401).send('Tokens do not match');
 }
 
 //move data to the accounts table
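Review bot: `info.token != req.query.token` compares the validation token loosely, and `req.query.token` can arrive as an array when the parameter is repeated, which `!=` coerces to its string form; `if (typeof req.query.token !== 'string' || info.token !== req.query.token)` pins both the type and the value. Where `info.token` is a secret, comparing equal-length Buffers with `crypto.timingSafeEqual` would also avoid leaking the matching prefix length through timing, though that is a refinement rather than a defect in the changed lines. The route starts before the hunk (`info` is defined above it) and continues past it.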