Reworked api login to just need a session_key for everything

This commit is contained in:
Tom Bloor 2017-04-18 22:31:08 +01:00
parent 1d02854c96
commit 68b66d431c
9 changed files with 271 additions and 214 deletions

View file

@ -7,6 +7,7 @@ use Email::Valid;
use Authen::Passphrase::BlowfishCrypt; use Authen::Passphrase::BlowfishCrypt;
use Scalar::Util qw(looks_like_number); use Scalar::Util qw(looks_like_number);
use Pear::LocalLoop::Schema; use Pear::LocalLoop::Schema;
use DateTime;
has schema => sub { has schema => sub {
my $c = shift; my $c = shift;
@ -23,7 +24,7 @@ sub startup {
$self->plugin('Config', { $self->plugin('Config', {
default => { default => {
sessionTimeSeconds => 60 * 60 * 24 * 7, sessionTimeSeconds => 60 * 60 * 24 * 7,
sessionTokenJsonName => 'sessionToken', sessionTokenJsonName => 'session_key',
sessionExpiresJsonName => 'sessionExpires', sessionExpiresJsonName => 'sessionExpires',
}, },
}); });
@ -54,52 +55,27 @@ sub startup {
$r->get('/register')->to('register#index'); $r->get('/register')->to('register#index');
$r->post('/register')->to('register#register'); $r->post('/register')->to('register#register');
$r->any('/logout')->to('root#auth_logout'); $r->any('/logout')->to('root#auth_logout');
my $api = $r->under('/api' => sub {
my $c = shift;
#See if logged in. # Always available api routes
my $sessionToken = $c->get_session_token(); $r->post('api/login')->to('api-auth#post_login');
$r->post('api/register')->to('api-register#post_register');
$r->post('api/logout')->to('api-auth#post_logout');
#0 = no session, npn-0 is has updated session my $api = $r->under('/api')->to('api-auth#auth');
my $hasBeenExtended = $c->extend_session($sessionToken);
my $path = $c->req->url->to_abs->path; $api->post('/' => sub {
return shift->render( json => {
#Has valid session success => Mojo::JSON->true,
if ($hasBeenExtended) { message => 'Successful Auth',
#If logged in and requestine the login page redirect to the main page. });
if ($path eq '/api/login') {
#Force expire and redirect.
$c->res->code(303);
$c->redirect_to('/api');
return undef;
}
}
#Has expired or did not exist in the first place and the path is not login
elsif ($path ne '/api/login' && $path ne '/api/register') {
$c->res->code(303);
$c->redirect_to('/api/login');
return undef;
}
return 1;
});
$api->post("/register")->to('api-register#post_register');
$api->post("/upload")->to('api-upload#post_upload');
$api->post("/search")->to('api-upload#post_search');
$api->post("/admin-approve")->to('api-admin#post_admin_approve');
$api->post("/admin-merge")->to('api-admin#post_admin_merge');
$api->get("/login")->to('api-auth#get_login');
$api->post("/login")->to('api-auth#post_login');
$api->post("/logout")->to('api-auth#post_logout');
$api->post("/edit")->to('api-api#post_edit');
$api->post("/fetchuser")->to('api-api#post_fetchuser');
$api->post("/user-history")->to('api-user#post_user_history');
$api->any( '/' => sub {
my $self = shift;
return $self->render(json => { success => Mojo::JSON->true });
}); });
$api->post('/upload')->to('api-upload#post_upload');
$api->post('/search')->to('api-upload#post_search');
$api->post('/admin-approve')->to('api-admin#post_admin_approve');
$api->post('/admin-merge')->to('api-admin#post_admin_merge');
$api->post('/edit')->to('api-api#post_edit');
$api->post('/fetchuser')->to('api-api#post_fetchuser');
$api->post('/user-history')->to('api-user#post_user_history');
my $admin_routes = $r->under('/admin')->to('admin#under'); my $admin_routes = $r->under('/admin')->to('admin#under');
@ -200,15 +176,11 @@ $self->helper(generate_session => sub {
my ($self, $userId) = @_; my ($self, $userId) = @_;
my $sessionToken = $self->generate_session_token(); my $sessionToken = $self->generate_session_token();
my $expireDateTime = $self->session_token_expiry_date_time();
my $insertStatement = $self->db->prepare('INSERT INTO SessionTokens (SessionTokenName, UserIdAssignedTo_FK, ExpireDateTime) VALUES (?, ?, ?)'); my $insertStatement = $self->db->prepare('INSERT INTO SessionTokens (SessionTokenName, UserIdAssignedTo_FK, ExpireDateTime) VALUES (?, ?, ?)');
my $rowsAdded = $insertStatement->execute($sessionToken, $userId, $expireDateTime); my $rowsAdded = $insertStatement->execute($sessionToken, $userId, DateTime->now()->add( years => 1 ));
$self->session(expires => $expireDateTime); return $sessionToken;
$self->session->{$self->app->config->{sessionTokenJsonName}} = $sessionToken;
return {$self->app->config->{sessionTokenJsonName} => $sessionToken, $self->app->config->{sessionExpiresJsonName} => $expireDateTime};
}); });
$self->helper(generate_session_token => sub { $self->helper(generate_session_token => sub {
@ -282,6 +254,7 @@ $self->helper(get_session_expiry => sub {
sessiontokenname => $sessionToken, sessiontokenname => $sessionToken,
})->delete_all; })->delete_all;
## TODO Does this need a seperate session cookie?
$self->session(expires => 1); $self->session(expires => 1);
$self->session->{$self->app->config->{sessionTokenJsonName}} = $sessionToken; $self->session->{$self->app->config->{sessionTokenJsonName}} = $sessionToken;

View file

@ -3,121 +3,113 @@ use Mojo::Base 'Mojolicious::Controller';
use Data::Dumper; use Data::Dumper;
use Mojo::JSON; use Mojo::JSON;
has error_messages => sub {
return {
email => {
required => { message => 'No email sent.', status => 400 },
email => { message => 'Email is invalid.', status => 400 },
},
password => {
required => { message => 'No password sent.', status => 400 },
},
};
};
#FIXME placeholders sub auth {
#Because of "before_dispatch" this will never be accessed unless the user is not logged in. my $c = shift;
sub get_login {
my $self = shift; my $session_key = $c->req->json( '/session_key' );
return $self->render( success => Mojo::JSON->true, text => 'This will be the login page.', status => 200 );
my $session_result = $c->schema->resultset('SessionToken')->find({ sessiontokenname => $session_key });
if ( defined $session_result ) {
$c->stash( api_user => $session_result->user );
return 1;
}
$c->render(
json => {
success => Mojo::JSON->false,
message => 'Invalid Session',
},
status => 401,
);
return 0;
} }
#TODO set session cookie and add it to the database.
#FIXME This suffers from replay attacks, consider a challenge response. Would TLS solve this, most likely.
#SessionToken
#Because of "before_dispatch" this will never be accessed unless the user is not logged in.
sub post_login { sub post_login {
my $self = shift; my $c = shift;
my $json = $self->req->json; my $validation = $c->validation;
$self->app->log->debug( "\n\nStart of login");
$self->app->log->debug( "JSON: " . Dumper $json ); my $json = $c->req->json;
if ( ! defined $json ){ if ( ! defined $json ){
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__); return $c->render( json => {
return $self->render( json => {
success => Mojo::JSON->false, success => Mojo::JSON->false,
message => 'No json sent.', message => 'No json sent.',
}, },
status => 400,); #Malformed request status => 400); #Malformed request
} }
my $email = $json->{email}; $validation->input( $json );
if ( ! defined $email ){ $validation->required('email')->email;
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__); $validation->required('password');
return $self->render( json => {
success => Mojo::JSON->false, my $email = $validation->param('email');
message => 'No email sent.', my $password = $validation->param('password');
},
status => 400,); #Malformed request if ( $validation->has_error ) {
} my $failed_vals = $validation->failed;
elsif ( ! $self->valid_email($email) ) { for my $val ( @$failed_vals ) {
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__); my $check = shift @{ $validation->error($val) };
return $self->render( json => { return $c->render(
success => Mojo::JSON->false, json => {
message => 'email is invalid.', success => Mojo::JSON->false,
}, message => $c->error_messages->{$val}->{$check}->{message},
status => 400,); #Malformed request },
status => $c->error_messages->{$val}->{$check}->{status},
);
}
} }
my $password = $json->{password}; my $user_result = $c->schema->resultset('User')->find({ email => $email });
if ( ! defined $password ){
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
return $self->render( json => {
success => Mojo::JSON->false,
message => 'No password sent.',
},
status => 400,); #Malformed request
}
if ( defined $user_result ) {
if ( $user_result->check_password($password) ) {
my $session_key = $c->generate_session( $user_result->userid );
#FIXME There is a timing attack here determining if an email exists or not. return $c->render( json => {
if ($self->does_email_exist($email) && $self->check_password_email($email, $password)) { success => Mojo::JSON->true,
#Match. session_key => $session_key,
$self->app->log->debug('Path Success: file:' . __FILE__ . ', line: ' . __LINE__); });
}
my $userId = $self->get_userid_foreign_key($email); } else {
return $c->render(
#Generates and stores json => {
my $hash = $self->generate_session($userId); success => Mojo::JSON->false,
message => 'Email or password is invalid.',
$self->app->log->debug('session dump:' . Dumper ($hash)); },
status => 401
return $self->render( json => { );
success => Mojo::JSON->true,
$self->config->{sessionTokenJsonName} => $hash->{$self->config->{sessionTokenJsonName}},
$self->config->{sessionExpiresJsonName} => $hash->{$self->config->{sessionExpiresJsonName}},
});
}
else{
#Mismatch
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
return $self->render( json => {
success => Mojo::JSON->false,
message => 'Email or password is invalid.',
},
status => 401,); #Unauthorized request
} }
} }
sub post_logout { sub post_logout {
my $self = shift; my $c = shift;
my $json = $self->req->json; my $session_key = $c->req->json( '/session_key' );
$self->app->log->debug( "\n\nStart of logout");
$self->app->log->debug( "JSON: " . Dumper $json );
#If the session token exists. my $session_result = $c->schema->resultset('SessionToken')->find({ sessiontokenname => $session_key });
if ($self->expire_current_session()) {
$self->app->log->debug('Path Success: file:' . __FILE__ . ', line: ' . __LINE__); if ( defined $session_result ) {
return $self->render( json => { $session_result->delete;
success => Mojo::JSON->true,
message => 'you were successfully logged out.',
});
}
#Due to the "before_dispatch" hook, this most likely will not be called. i.e. race conditions.
#FIXME untested.
#An invalid token was presented, most likely because it has expired.
else {
$self->app->log->debug('Path Error: file:' . __FILE__ . ', line: ' . __LINE__);
return $self->render( json => {
success => Mojo::JSON->false,
message => 'the session has expired or did not exist in the first place.',
},
status => 401,); #Unauthorized request
} }
$c->render( json => {
success => Mojo::JSON->true,
message => 'Logged Out',
});
} }
1; 1;

View file

@ -105,9 +105,6 @@ sub post_register{
my $postcode = $validation->param('postcode'); my $postcode = $validation->param('postcode');
my $password = $validation->param('password'); my $password = $validation->param('password');
# TODO Replace with Password Column encoding
my $hashedPassword = $c->generate_hashed_password($password);
if ($usertype eq 'customer'){ if ($usertype eq 'customer'){
# TODO replace with actually using the value on the post request # TODO replace with actually using the value on the post request
my $ageForeignKey = $c->get_age_foreign_key( $validation->param('age') ); my $ageForeignKey = $c->get_age_foreign_key( $validation->param('age') );
@ -124,7 +121,7 @@ sub post_register{
postcode => $postcode, postcode => $postcode,
}, },
email => $email, email => $email,
hashedpassword => $hashedPassword, hashedpassword => $password,
joindate => DateTime->now, joindate => DateTime->now,
}); });
}); });
@ -145,7 +142,7 @@ sub post_register{
postcode => $postcode, postcode => $postcode,
}, },
email => $email, email => $email,
hashedpassword => $hashedPassword, hashedpassword => $password,
joindate => DateTime->now, joindate => DateTime->now,
}); });
}); });

View file

@ -107,7 +107,7 @@ Related object: L<Pear::LocalLoop::Schema::Result::User>
=cut =cut
__PACKAGE__->belongs_to( __PACKAGE__->belongs_to(
"useridassignedto_fk", "user",
"Pear::LocalLoop::Schema::Result::User", "Pear::LocalLoop::Schema::Result::User",
{ userid => "useridassignedto_fk" }, { userid => "useridassignedto_fk" },
{ is_deferrable => 0, on_delete => "NO ACTION", on_update => "NO ACTION" }, { is_deferrable => 0, on_delete => "NO ACTION", on_update => "NO ACTION" },

View file

@ -25,7 +25,7 @@ use base 'DBIx::Class::Core';
=cut =cut
__PACKAGE__->load_components("InflateColumn::DateTime"); __PACKAGE__->load_components("InflateColumn::DateTime", "PassphraseColumn");
=head1 TABLE: C<Users> =head1 TABLE: C<Users>
@ -82,7 +82,18 @@ __PACKAGE__->add_columns(
"joindate", "joindate",
{ data_type => "datetime", is_nullable => 0 }, { data_type => "datetime", is_nullable => 0 },
"hashedpassword", "hashedpassword",
{ data_type => "text", is_nullable => 0 }, {
data_type => "varchar",
is_nullable => 0,
size => 100,
passphrase => 'crypt',
passphrase_class => 'BlowfishCrypt',
passphrase_args => {
salt_random => 1,
cost => 8,
},
passphrase_check_method => 'check_password',
},
); );
=head1 PRIMARY KEY =head1 PRIMARY KEY

View file

@ -0,0 +1,41 @@
package Test::Pear::LocalLoop;
use Mojo::Base -base;
use File::Temp;
use Test::Mojo;
has config => sub {
my $file = File::Temp->new;
print $file <<'END';
{
dsn => "dbi:SQLite::memory:",
user => undef,
pass => undef,
}
END
$file->seek( 0, SEEK_END );
return $file;
};
has framework => sub {
my $self = shift;
$ENV{MOJO_CONFIG} = $self->config->filename;
my $t = Test::Mojo->new('Pear::LocalLoop');
my $schema = $t->app->schema;
$schema->deploy;
$schema->resultset('AgeRange')->populate([
[ qw/ agerangestring / ],
[ '20-35' ],
[ '35-50' ],
[ '50+' ],
]);
return $t;
};
1;

73
t/api/login.t Normal file
View file

@ -0,0 +1,73 @@
use Mojo::Base -strict;
use Test::More;
use Mojo::JSON;
use Test::Pear::LocalLoop;
my $framework = Test::Pear::LocalLoop->new;
my $t = $framework->framework;
my $schema = $t->app->schema;
my $account_token = 'a';
my $email = 'rufus@shinra.energy';
my $password = 'MakoGold';
$schema->resultset('AccountToken')->create({
accounttokenname => $account_token
});
my $test_json = {
'usertype' => 'customer',
'token' => $account_token,
'username' => 'RufusShinra',
'email' => $email,
'postcode' => 'LA1 1AA',
'password' => $password,
'age' => '20-35'
};
$t->post_ok('/api/register' => json => $test_json)
->status_is(200)
->json_is('/success', Mojo::JSON->true);
use Data::Dumper;
is $schema->resultset('User')->count, 1, 'found a user';
$t->post_ok('/api' => json => {
session_key => 'invalid',
})
->status_is(401)
->json_is('/success', Mojo::JSON->false)
->json_like('/message', qr/Invalid Session/);
$t->post_ok('/api/login' => json => {
email => 'nonexistant@test.com',
password => 'doesnt matter',
})
->status_is(401)
->json_is('/success', Mojo::JSON->false);
$t->post_ok('/api/login' => json => {
email => $email,
password => $password,
})
->status_is(200)
->json_is('/success', Mojo::JSON->true)
->json_has('/session_key');
my $session_key = $t->tx->res->json->{session_key};
$t->post_ok('/api' => json => { session_key => $session_key })
->status_is(200)
->json_is('/success', Mojo::JSON->true)
->json_like('/message', qr/Successful Auth/);
is $schema->resultset('SessionToken')->count, 1, 'One Session';
$t->post_ok('/api/logout' => json => { session_key => $session_key })
->status_is(200)
->json_is('/success', Mojo::JSON->true)
->json_like('/message', qr/Logged Out/);
is $schema->resultset('SessionToken')->count, 0, 'No Sessions';
done_testing;

View file

@ -1,43 +1,55 @@
use Mojo::Base -strict;
use File::Temp;
use Test::More; use Test::More;
use Test::Mojo; use Test::Mojo;
use Mojo::JSON; use Mojo::JSON;
use Time::Fake; use Time::Fake;
use FindBin; my $file = File::Temp->new;
BEGIN { print $file <<'END';
$ENV{MOJO_MODE} = 'testing'; {
$ENV{MOJO_LOG_LEVEL} = 'debug'; dsn => "dbi:SQLite::memory:",
user => undef,
pass => undef,
} }
END
$file->seek( 0, SEEK_END );
my $t = Test::Mojo->new("Pear::LocalLoop"); $ENV{MOJO_CONFIG} = $file->filename;
my $dbh = $t->app->db; my $t = Test::Mojo->new('Pear::LocalLoop');
my $schema = $t->app->schema;
$schema->deploy;
#Dump all pf the test tables and start again. $schema->resultset('AgeRange')->populate([
my $sqlDeployment = Mojo::File->new("$FindBin::Bin/../dropschema.sql")->slurp; [ qw/ agerangestring / ],
for (split ';', $sqlDeployment){ [ '20-35' ],
$dbh->do($_) or die $dbh->errstr; [ '35-50' ],
} [ '50+' ],
]);
my $sqlDeployment = Mojo::File->new("$FindBin::Bin/../schema.sql")->slurp; $schema->resultset('AccountToken')->create({
for (split ';', $sqlDeployment){ accounttokenname => 'a',
$dbh->do($_) or die $dbh->errstr; });
}
my $accountToken = 'a'; my $accountToken = 'a';
my $tokenStatement = $dbh->prepare('INSERT INTO AccountTokens (AccountTokenName) VALUES (?)');
$tokenStatement->execute($accountToken);
my $sessionTimeSeconds = 60 * 60 * 24 * 7; #1 week. my $sessionTimeSeconds = 60 * 60 * 24 * 7; #1 week.
my $sessionTokenJsonName = 'sessionToken'; my $sessionTokenJsonName = 'session_key';
my $sessionExpiresJsonName = 'sessionExpires'; my $sessionExpiresJsonName = 'sessionExpires';
my $location_is = sub {
my ($t, $value, $desc) = @_;
$desc ||= "Location: $value";
local $Test::Builder::Level = $Test::Builder::Level + 1;
return $t->success(is($t->tx->res->headers->location, $value, $desc));
};
#This depends on "register.t" working #This depends on "register.t" working
#Valid customer, this also tests that redirects are disabled for register. #Valid customer, this also tests that redirects are disabled for register.
print "test 1 - Initial create user account\n";
my $email = 'rufus@shinra.energy'; my $email = 'rufus@shinra.energy';
my $password = 'MakoGold'; my $password = 'MakoGold';
my $testJson = { my $testJson = {
@ -53,9 +65,7 @@ $t->post_ok('/api/register' => json => $testJson)
->status_is(200) ->status_is(200)
->json_is('/success', Mojo::JSON->true); ->json_is('/success', Mojo::JSON->true);
#Test login, this also checks that redirects are disabled for login when logged out. #Test login, this also checks that redirects are disabled for login when logged out.
print "test 2 - Login (cookies)\n";
$testJson = { $testJson = {
'email' => $email, 'email' => $email,
'password' => $password, 'password' => $password,
@ -63,26 +73,7 @@ $testJson = {
$t->post_ok('/api/login' => json => $testJson) $t->post_ok('/api/login' => json => $testJson)
->status_is(200) ->status_is(200)
->json_is('/success', Mojo::JSON->true) ->json_is('/success', Mojo::JSON->true)
->json_has("/$sessionTokenJsonName") ->json_has("/$sessionTokenJsonName");
->json_has("/$sessionExpiresJsonName");
print "test 3 - Login, no redirect on login paths (cookies)\n";
#No redirect, as you're logged in.
$t->get_ok('/api/')
->status_is(200);
my $location_is = sub {
my ($t, $value, $desc) = @_;
$desc ||= "Location: $value";
local $Test::Builder::Level = $Test::Builder::Level + 1;
return $t->success(is($t->tx->res->headers->location, $value, $desc));
};
print "test 4 - Login, redirect to root as already logged in (cookies)\n";
#Check for redirect to root when logged in.
$t->get_ok('/api/login')
->status_is(303)
->$location_is('/api');
#Does login/logout work with a cookie based session. #Does login/logout work with a cookie based session.

View file

@ -1,33 +1,12 @@
use Mojo::Base -strict; use Mojo::Base -strict;
use File::Temp;
use Test::More; use Test::More;
use Test::Mojo;
use Mojo::JSON; use Mojo::JSON;
use Test::Pear::LocalLoop;
my $file = File::Temp->new; my $framework = Test::Pear::LocalLoop->new;
my $t = $framework->framework;
print $file <<'END';
{
dsn => "dbi:SQLite::memory:",
user => undef,
pass => undef,
}
END
$file->seek( 0, SEEK_END );
$ENV{MOJO_CONFIG} = $file->filename;
my $t = Test::Mojo->new('Pear::LocalLoop');
my $schema = $t->app->schema; my $schema = $t->app->schema;
$schema->deploy;
$schema->resultset('AgeRange')->populate([
[ qw/ agerangestring / ],
[ '20-35' ],
[ '35-50' ],
[ '50+' ],
]);
#Variables to be used for uniqueness when testing. #Variables to be used for uniqueness when testing.
my @names = ('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z'); my @names = ('a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z');