Reworked api login to just need a session_key for everything
This commit is contained in:
Tom Bloor
parent
1d02854c96
commit
68b66d431c
9 changed files with 271 additions and 214 deletions
|
|
@ -7,6 +7,7 @@ use Email::Valid;
|
|||
use Authen::Passphrase::BlowfishCrypt;
|
||||
use Scalar::Util qw(looks_like_number);
|
||||
use Pear::LocalLoop::Schema;
|
||||
use DateTime;
|
||||
|
||||
has schema => sub {
|
||||
my $c = shift;
|
||||
|
|
@ -23,7 +24,7 @@ sub startup {
|
|||
$self->plugin('Config', {
|
||||
default => {
|
||||
sessionTimeSeconds => 60 * 60 * 24 * 7,
|
||||
sessionTokenJsonName => 'sessionToken',
|
||||
sessionTokenJsonName => 'session_key',
|
||||
sessionExpiresJsonName => 'sessionExpires',
|
||||
},
|
||||
});
|
||||
|
|
@ -54,52 +55,27 @@ sub startup {
|
|||
$r->get('/register')->to('register#index');
|
||||
$r->post('/register')->to('register#register');
|
||||
$r->any('/logout')->to('root#auth_logout');
|
||||
my $api = $r->under('/api' => sub {
|
||||
my $c = shift;
|
||||
|
||||
#See if logged in.
|
||||
my $sessionToken = $c->get_session_token();
|
||||
# Always available api routes
|
||||
$r->post('api/login')->to('api-auth#post_login');
|
||||
$r->post('api/register')->to('api-register#post_register');
|
||||
$r->post('api/logout')->to('api-auth#post_logout');
|
||||
|
||||
#0 = no session, npn-0 is has updated session
|
||||
my $hasBeenExtended = $c->extend_session($sessionToken);
|
||||
my $api = $r->under('/api')->to('api-auth#auth');
|
||||
|
||||
my $path = $c->req->url->to_abs->path;
|
||||
|
||||
#Has valid session
|
||||
if ($hasBeenExtended) {
|
||||
#If logged in and requestine the login page redirect to the main page.
|
||||
if ($path eq '/api/login') {
|
||||
#Force expire and redirect.
|
||||
$c->res->code(303);
|
||||
$c->redirect_to('/api');
|
||||
return undef;
|
||||
}
|
||||
}
|
||||
#Has expired or did not exist in the first place and the path is not login
|
||||
elsif ($path ne '/api/login' && $path ne '/api/register') {
|
||||
$c->res->code(303);
|
||||
$c->redirect_to('/api/login');
|
||||
return undef;
|
||||
}
|
||||
return 1;
|
||||
});
|
||||
|
||||
$api->post("/register")->to('api-register#post_register');
|
||||
$api->post("/upload")->to('api-upload#post_upload');
|
||||
$api->post("/search")->to('api-upload#post_search');
|
||||
$api->post("/admin-approve")->to('api-admin#post_admin_approve');
|
||||
$api->post("/admin-merge")->to('api-admin#post_admin_merge');
|
||||
$api->get("/login")->to('api-auth#get_login');
|
||||
$api->post("/login")->to('api-auth#post_login');
|
||||
$api->post("/logout")->to('api-auth#post_logout');
|
||||
$api->post("/edit")->to('api-api#post_edit');
|
||||
$api->post("/fetchuser")->to('api-api#post_fetchuser');
|
||||
$api->post("/user-history")->to('api-user#post_user_history');
|
||||
|
||||
$api->any( '/' => sub {
|
||||
my $self = shift;
|
||||
return $self->render(json => { success => Mojo::JSON->true });
|
||||
$api->post('/' => sub {
|
||||
return shift->render( json => {
|
||||
success => Mojo::JSON->true,
|
||||
message => 'Successful Auth',
|
||||
});
|
||||
});
|
||||
$api->post('/upload')->to('api-upload#post_upload');
|
||||
$api->post('/search')->to('api-upload#post_search');
|
||||
$api->post('/admin-approve')->to('api-admin#post_admin_approve');
|
||||
$api->post('/admin-merge')->to('api-admin#post_admin_merge');
|
||||
$api->post('/edit')->to('api-api#post_edit');
|
||||
$api->post('/fetchuser')->to('api-api#post_fetchuser');
|
||||
$api->post('/user-history')->to('api-user#post_user_history');
|
||||
|
||||
my $admin_routes = $r->under('/admin')->to('admin#under');
|
||||
|
||||
|
|
@ -200,15 +176,11 @@ $self->helper(generate_session => sub {
|
|||
my ($self, $userId) = @_;
|
||||
|
||||
my $sessionToken = $self->generate_session_token();
|
||||
my $expireDateTime = $self->session_token_expiry_date_time();
|
||||
|
||||
my $insertStatement = $self->db->prepare('INSERT INTO SessionTokens (SessionTokenName, UserIdAssignedTo_FK, ExpireDateTime) VALUES (?, ?, ?)');
|
||||
my $rowsAdded = $insertStatement->execute($sessionToken, $userId, $expireDateTime);
|
||||
|
||||
$self->session(expires => $expireDateTime);
|
||||
$self->session->{$self->app->config->{sessionTokenJsonName}} = $sessionToken;
|
||||
my $rowsAdded = $insertStatement->execute($sessionToken, $userId, DateTime->now()->add( years => 1 ));
|
||||
|
||||
return {$self->app->config->{sessionTokenJsonName} => $sessionToken, $self->app->config->{sessionExpiresJsonName} => $expireDateTime};
|
||||
return $sessionToken;
|
||||
});
|
||||
|
||||
$self->helper(generate_session_token => sub {
|
||||
|
|
@ -282,6 +254,7 @@ $self->helper(get_session_expiry => sub {
|
|||
sessiontokenname => $sessionToken,
|
||||
})->delete_all;
|
||||
|
||||
## TODO Does this need a seperate session cookie?
|
||||
$self->session(expires => 1);
|
||||
$self->session->{$self->app->config->{sessionTokenJsonName}} = $sessionToken;
|
||||
|
||||
|
|
|
|||
|
|
@ -3,121 +3,113 @@ use Mojo::Base 'Mojolicious::Controller';
|
|||
use Data::Dumper;
|
||||
use Mojo::JSON;
|
||||
|
||||
has error_messages => sub {
|
||||
return {
|
||||
email => {
|
||||
required => { message => 'No email sent.', status => 400 },
|
||||
email => { message => 'Email is invalid.', status => 400 },
|
||||
},
|
||||
password => {
|
||||
required => { message => 'No password sent.', status => 400 },
|
||||
},
|
||||
};
|
||||
};
|
||||
|
||||
#FIXME placeholders
|
||||
#Because of "before_dispatch" this will never be accessed unless the user is not logged in.
|
||||
sub get_login {
|
||||
my $self = shift;
|
||||
return $self->render( success => Mojo::JSON->true, text => 'This will be the login page.', status => 200 );
|
||||
sub auth {
|
||||
my $c = shift;
|
||||
|
||||
my $session_key = $c->req->json( '/session_key' );
|
||||
|
||||
my $session_result = $c->schema->resultset('SessionToken')->find({ sessiontokenname => $session_key });
|
||||
|
||||
if ( defined $session_result ) {
|
||||
$c->stash( api_user => $session_result->user );
|
||||
return 1;
|
||||
}
|
||||
|
||||
$c->render(
|
||||
json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'Invalid Session',
|
||||
},
|
||||
status => 401,
|
||||
);
|
||||
return 0;
|
||||
}
|
||||
|
||||
#TODO set session cookie and add it to the database.
|
||||
#FIXME This suffers from replay attacks, consider a challenge response. Would TLS solve this, most likely.
|
||||
#SessionToken
|
||||
#Because of "before_dispatch" this will never be accessed unless the user is not logged in.
|
||||
sub post_login {
|
||||
my $self = shift;
|
||||
my $c = shift;
|
||||
|
||||
my $json = $self->req->json;
|
||||
$self->app->log->debug( "\n\nStart of login");
|
||||
$self->app->log->debug( "JSON: " . Dumper $json );
|
||||
my $validation = $c->validation;
|
||||
|
||||
my $json = $c->req->json;
|
||||
|
||||
if ( ! defined $json ){
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
return $c->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'No json sent.',
|
||||
},
|
||||
status => 400,); #Malformed request
|
||||
status => 400); #Malformed request
|
||||
}
|
||||
|
||||
my $email = $json->{email};
|
||||
if ( ! defined $email ){
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'No email sent.',
|
||||
},
|
||||
status => 400,); #Malformed request
|
||||
}
|
||||
elsif ( ! $self->valid_email($email) ) {
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'email is invalid.',
|
||||
},
|
||||
status => 400,); #Malformed request
|
||||
$validation->input( $json );
|
||||
$validation->required('email')->email;
|
||||
$validation->required('password');
|
||||
|
||||
my $email = $validation->param('email');
|
||||
my $password = $validation->param('password');
|
||||
|
||||
if ( $validation->has_error ) {
|
||||
my $failed_vals = $validation->failed;
|
||||
for my $val ( @$failed_vals ) {
|
||||
my $check = shift @{ $validation->error($val) };
|
||||
return $c->render(
|
||||
json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => $c->error_messages->{$val}->{$check}->{message},
|
||||
},
|
||||
status => $c->error_messages->{$val}->{$check}->{status},
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
my $password = $json->{password};
|
||||
if ( ! defined $password ){
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'No password sent.',
|
||||
},
|
||||
status => 400,); #Malformed request
|
||||
}
|
||||
my $user_result = $c->schema->resultset('User')->find({ email => $email });
|
||||
|
||||
if ( defined $user_result ) {
|
||||
if ( $user_result->check_password($password) ) {
|
||||
my $session_key = $c->generate_session( $user_result->userid );
|
||||
|
||||
|
||||
#FIXME There is a timing attack here determining if an email exists or not.
|
||||
if ($self->does_email_exist($email) && $self->check_password_email($email, $password)) {
|
||||
#Match.
|
||||
$self->app->log->debug('Path Success: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
|
||||
my $userId = $self->get_userid_foreign_key($email);
|
||||
|
||||
#Generates and stores
|
||||
my $hash = $self->generate_session($userId);
|
||||
|
||||
$self->app->log->debug('session dump:' . Dumper ($hash));
|
||||
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->true,
|
||||
$self->config->{sessionTokenJsonName} => $hash->{$self->config->{sessionTokenJsonName}},
|
||||
$self->config->{sessionExpiresJsonName} => $hash->{$self->config->{sessionExpiresJsonName}},
|
||||
});
|
||||
}
|
||||
else{
|
||||
#Mismatch
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'Email or password is invalid.',
|
||||
},
|
||||
status => 401,); #Unauthorized request
|
||||
return $c->render( json => {
|
||||
success => Mojo::JSON->true,
|
||||
session_key => $session_key,
|
||||
});
|
||||
}
|
||||
} else {
|
||||
return $c->render(
|
||||
json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'Email or password is invalid.',
|
||||
},
|
||||
status => 401
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
sub post_logout {
|
||||
my $self = shift;
|
||||
my $c = shift;
|
||||
|
||||
my $json = $self->req->json;
|
||||
$self->app->log->debug( "\n\nStart of logout");
|
||||
$self->app->log->debug( "JSON: " . Dumper $json );
|
||||
my $session_key = $c->req->json( '/session_key' );
|
||||
|
||||
#If the session token exists.
|
||||
if ($self->expire_current_session()) {
|
||||
$self->app->log->debug('Path Success: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->true,
|
||||
message => 'you were successfully logged out.',
|
||||
});
|
||||
}
|
||||
#Due to the "before_dispatch" hook, this most likely will not be called. i.e. race conditions.
|
||||
#FIXME untested.
|
||||
#An invalid token was presented, most likely because it has expired.
|
||||
else {
|
||||
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
|
||||
return $self->render( json => {
|
||||
success => Mojo::JSON->false,
|
||||
message => 'the session has expired or did not exist in the first place.',
|
||||
},
|
||||
status => 401,); #Unauthorized request
|
||||
my $session_result = $c->schema->resultset('SessionToken')->find({ sessiontokenname => $session_key });
|
||||
|
||||
if ( defined $session_result ) {
|
||||
$session_result->delete;
|
||||
}
|
||||
|
||||
$c->render( json => {
|
||||
success => Mojo::JSON->true,
|
||||
message => 'Logged Out',
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
|
||||
1;
|
||||
|
|
|
|||
|
|
@ -105,9 +105,6 @@ sub post_register{
|
|||
my $postcode = $validation->param('postcode');
|
||||
my $password = $validation->param('password');
|
||||
|
||||
# TODO Replace with Password Column encoding
|
||||
my $hashedPassword = $c->generate_hashed_password($password);
|
||||
|
||||
if ($usertype eq 'customer'){
|
||||
# TODO replace with actually using the value on the post request
|
||||
my $ageForeignKey = $c->get_age_foreign_key( $validation->param('age') );
|
||||
|
|
@ -124,7 +121,7 @@ sub post_register{
|
|||
postcode => $postcode,
|
||||
},
|
||||
email => $email,
|
||||
hashedpassword => $hashedPassword,
|
||||
hashedpassword => $password,
|
||||
joindate => DateTime->now,
|
||||
});
|
||||
});
|
||||
|
|
@ -145,7 +142,7 @@ sub post_register{
|
|||
postcode => $postcode,
|
||||
},
|
||||
email => $email,
|
||||
hashedpassword => $hashedPassword,
|
||||
hashedpassword => $password,
|
||||
joindate => DateTime->now,
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@ Related object: L<Pear::LocalLoop::Schema::Result::User>
|
|||
=cut
|
||||
|
||||
__PACKAGE__->belongs_to(
|
||||
"useridassignedto_fk",
|
||||
"user",
|
||||
"Pear::LocalLoop::Schema::Result::User",
|
||||
{ userid => "useridassignedto_fk" },
|
||||
{ is_deferrable => 0, on_delete => "NO ACTION", on_update => "NO ACTION" },
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ use base 'DBIx::Class::Core';
|
|||
|
||||
=cut
|
||||
|
||||
__PACKAGE__->load_components("InflateColumn::DateTime");
|
||||
__PACKAGE__->load_components("InflateColumn::DateTime", "PassphraseColumn");
|
||||
|
||||
=head1 TABLE: C<Users>
|
||||
|
||||
|
|
@ -82,7 +82,18 @@ __PACKAGE__->add_columns(
|
|||
"joindate",
|
||||
{ data_type => "datetime", is_nullable => 0 },
|
||||
"hashedpassword",
|
||||
{ data_type => "text", is_nullable => 0 },
|
||||
{
|
||||
data_type => "varchar",
|
||||
is_nullable => 0,
|
||||
size => 100,
|
||||
passphrase => 'crypt',
|
||||
passphrase_class => 'BlowfishCrypt',
|
||||
passphrase_args => {
|
||||
salt_random => 1,
|
||||
cost => 8,
|
||||
},
|
||||
passphrase_check_method => 'check_password',
|
||||
},
|
||||
);
|
||||
|
||||
=head1 PRIMARY KEY
|
||||
|
|
|
|||
41
lib/Test/Pear/LocalLoop.pm
Normal file
41
lib/Test/Pear/LocalLoop.pm
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
package Test::Pear::LocalLoop;
|
||||
use Mojo::Base -base;
|
||||
|
||||
use File::Temp;
|
||||
use Test::Mojo;
|
||||
|
||||
has config => sub {
|
||||
my $file = File::Temp->new;
|
||||
|
||||
print $file <<'END';
|
||||
{
|
||||
dsn => "dbi:SQLite::memory:",
|
||||
user => undef,
|
||||
pass => undef,
|
||||
}
|
||||
END
|
||||
|
||||
$file->seek( 0, SEEK_END );
|
||||
return $file;
|
||||
};
|
||||
|
||||
has framework => sub {
|
||||
my $self = shift;
|
||||
|
||||
$ENV{MOJO_CONFIG} = $self->config->filename;
|
||||
|
||||
my $t = Test::Mojo->new('Pear::LocalLoop');
|
||||
my $schema = $t->app->schema;
|
||||
$schema->deploy;
|
||||
|
||||
$schema->resultset('AgeRange')->populate([
|
||||
[ qw/ agerangestring / ],
|
||||
[ '20-35' ],
|
||||
[ '35-50' ],
|
||||
[ '50+' ],
|
||||
]);
|
||||
|
||||
return $t;
|
||||
};
|
||||
|
||||
1;
|
||||
Reference in a new issue