Merge pull request #375 from brmodeloweb/feature/improve-security

Feature/improve security
brmodeloweb · Oct 19, 2022 · 4e6151b · 4e6151b
2 parents 7e8a5aa + cbda97d
commit 4e6151b
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 18 deletions.
diff --git a/app/angular/service/authService.js b/app/angular/service/authService.js
@@ -1,10 +1,15 @@
 import angular from "angular";
+import { Buffer } from 'buffer';
 
 const authService = function ($http, $cookies) {
 	const service = {};
 
 	service.login = function (credentials) {
-		return $http.post("/users/login", credentials).then(function (res) {
+		const body = {
+			"username": service.encode(credentials.username),
+			"password": service.encode(credentials.password)
+		}
+		return $http.post("/users/login", body).then((res) => {
 			const user = res.data;
 			const today = new Date();
 			const expired = new Date(today);
@@ -23,9 +28,11 @@ const authService = function ($http, $cookies) {
 	};
 
 	service.register = function (credentials) {
-		return $http.post("/users/create", credentials).then(function (res) {
-			// implement resp here!!
-		});
+		const body = {
+			"email": service.encode(credentials.email),
+			"password": service.encode(credentials.password)
+		}
+		return $http.post("/users/create", body).then((res) => {});
 	};
 
 	service.isAuthenticated = function () {
@@ -46,9 +53,18 @@ const authService = function ($http, $cookies) {
 	};
 
 	service.resetPassword = (mail, code, newPassword) => {
-		return $http.post("/users/reset", { mail, code, newPassword });
+		const body = {
+			"mail": service.encode(mail),
+			"newPassword": service.encode(newPassword),
+			"code": code
+		}
+		return $http.post("/users/reset", body);
 	};
 
+	service.encode = (data) => {
+		return Buffer.from(data).toString('base64');
+	}
+
 	return service;
 };
 

diff --git a/package.json b/package.json
@@ -112,4 +112,4 @@
   "resolutions": {
     "styled-components": "^5"
   }
-}
+}
diff --git a/server_app/helpers/crypto.js b/server_app/helpers/crypto.js
@@ -28,7 +28,12 @@ const decrypt = (hash) => {
 	return decrypted.toString();
 };
 
+const decode = (hash) => {
+	return Buffer.from(hash, 'base64').toString('ascii');
+};
+
 module.exports = {
 	encrypt,
 	decrypt,
+	decode
 };
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
@@ -2,14 +2,15 @@ const express = require("express");
 const bodyParser = require("body-parser");
 const userService = require("./service");
 const userValitor = require("./validator");
+const decipher = require("../helpers/crypto");
 
 const router = express.Router();
 router.use(bodyParser.json());
 
 const userLogin = async(req, res) => {
   try {
-    const username = req.body.username;
-    const password = req.body.password;
+    const username = decipher.decode(req.body.username);
+    const password = decipher.decode(req.body.password);
     const sessionId = req.sessionID;
 
     const validation = userValitor.validateLoginParams({username, password});
@@ -34,18 +35,18 @@ const userLogin = async(req, res) => {
 const userCreate = async(req, res) => {
   try {
     const username = req.body.username;
-    const mail = req.body.email;
-    const password = req.body.password;
+    const mail = decipher.decode(req.body.email);
+    const password = decipher.decode(req.body.password); 
 
     const validation = userValitor.validateSignUpParams({username, mail, password});
 
     if(!validation.valid) {
       return res.status(422).send(validation.message);
     }
 
-    const createdUser = await userService.create({username, mail, password});
+    await userService.create({username, mail, password});
 
-    return res.status(200).json(createdUser);
+    return res.sendStatus(201);
   } catch (error) {
     console.error(error);
     if(error.code == 'USER_ERROR_ALREADY_EXISTS') {
@@ -58,8 +59,8 @@ const userCreate = async(req, res) => {
 const userRecovery = async(req, res) => {
   try {
     const email = req.body.email; 
-    const recoveredUser = await userService.recovery(email);
-    return res.status(202).json(recoveredUser);
+    await userService.recovery(email);
+    return res.sendStatus(202);
   } catch (error) {
     console.error(error);
     if(error.code == 'USER_DO_NOT_EXISTS') {
@@ -83,9 +84,9 @@ const userRecoveryValidate = async(req, res) => {
 
 const resetPassword = async(req, res) => {
   try {
-    const mail = req.body.mail; 
+    const mail = decipher.decode(req.body.mail);
+    const newPassword = decipher.decode(req.body.newPassword);
     const code = req.body.code; 
-    const newPassword = req.body.newPassword; 
     const isValid = await userService.resetPassword(mail, code, newPassword);
     return res.status(200).json({valid: isValid});
   } catch (error) {

diff --git a/server_app/user/handler.test.js b/server_app/user/handler.test.js
@@ -50,13 +50,13 @@ describe("Test /users/create", () => {
     expect(response.statusCode).toBe(422);
   });
 
-  test("It should response 200 when user created", async () => {
+  test("It should response 201 when user created", async () => {
     const response = await request(app).post("/users/create").send({"username": "user", "email": "[email protected]", "password": "123456"});
     mockUserService.create.mockResolvedValue({
       "userId": "123456",
       "userName": "someusername"
     });
-    expect(response.statusCode).toBe(200);
+    expect(response.statusCode).toBe(201);
     expect(mockUserService.create).toHaveBeenCalled();
   });
-Original file line number
+Diff line change
@@ Expand Up / @@ -112,4 +112,4 @@ @@
       "resolutions": {
         "styled-components": "^5"
       }
-    }
+    }