From 434c8b28563d39dac843c1a0fa213fa3ca35398b Mon Sep 17 00:00:00 2001
From: Milton Bittencourt
Date: Mon, 17 Oct 2022 22:55:25 -0300
Subject: [PATCH 1/5] Improve login security
---
app/angular/service/authService.js | 3 +++
package.json | 2 +-
server_app/user/handler.js | 4 ++--
3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/app/angular/service/authService.js b/app/angular/service/authService.js
index 5e077256..07e3ed57 100644
--- a/app/angular/service/authService.js
+++ b/app/angular/service/authService.js
@@ -1,9 +1,12 @@
 import angular from "angular";
+import { Buffer } from 'buffer';
 const authService = function ($http, $cookies) {
 const service = {};
 service.login = function (credentials) {
+ credentials.username = Buffer.from(credentials.username).toString('base64');
+ credentials.password = Buffer.from(credentials.password).toString('base64');
 return $http.post("/users/login", credentials).then(function (res) {
 const user = res.data;
 const today = new Date();
diff --git a/package.json b/package.json
index 41909313..5c6c79cd 100644
--- a/package.json
+++ b/package.json
@@ -112,4 +112,4 @@
 "resolutions": {
 "styled-components": "^5"
 }
-}
\ No newline at end of file
+}
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
index efdd1843..37c331ed 100644
--- a/server_app/user/handler.js
+++ b/server_app/user/handler.js
@@ -8,8 +8,8 @@ router.use(bodyParser.json());
 const userLogin = async(req, res) => {
 try {
- const username = req.body.username;
- const password = req.body.password;
+ const username = Buffer.from(req.body.username, 'base64').toString('ascii');
+ const password = Buffer.from(req.body.password, 'base64').toString('ascii');
 const sessionId = req.sessionID;
 const validation = userValitor.validateLoginParams({username, password});
From 3bb78002bf9424f25d67f0387bf651dc7471b237 Mon Sep 17 00:00:00 2001
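Review bot: The two added `Buffer.from(...).toString('base64')` lines in `service.login` give the credentials no confidentiality — base64 is a reversible encoding, not encryption, and anyone who can read the request body or a proxy log recovers the password with one call — so only TLS on the `/users/login` request protects them in transit. If the goal is merely to keep credentials from appearing verbatim in logs, record that so a later reader does not mistake it for a security control: `// base64 only obscures the fields in request logs; it is NOT encryption — rely on TLS`. `import { Buffer } from 'buffer'` adds a browser polyfill, yet the package.json hunk in this same patch only fixes the trailing newline, so `buffer` is presumably reached transitively through the bundler; confirm it is a declared dependency. `service.login`'s body continues past the end of the hunk.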
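Review bot: `Buffer.from(req.body.username, 'base64')` now runs before `validateLoginParams`, and `Buffer.from` throws a `TypeError` for `undefined` or non-string input, so a request missing `username` or `password` no longer gets the validator's 422 and instead lands in the `catch` block, whose response is outside the hunk. Decoding with `'ascii'` also strips the high bit of every byte, so a UTF-8 password the client encoded with `Buffer.from(credentials.password)` (utf8 by default) is silently altered before the password check; decode with `'utf8'`. A small guard restores the old validation path: `const rawUser = req.body.username;` / `const username = typeof rawUser === 'string' ? Buffer.from(rawUser, 'base64').toString('utf8') : rawUser;`, and the same for `password`. `userLogin` continues beyond the hunk.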
From: Milton Bittencourt
Date: Mon, 17 Oct 2022 23:32:17 -0300
Subject: [PATCH 2/5] Improve register security
---
app/angular/service/authService.js | 16 ++++++++++------
server_app/user/handler.js | 8 ++++----
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/app/angular/service/authService.js b/app/angular/service/authService.js
index 07e3ed57..555582ac 100644
--- a/app/angular/service/authService.js
+++ b/app/angular/service/authService.js
@@ -5,9 +5,11 @@ const authService = function ($http, $cookies) {
 const service = {};
 service.login = function (credentials) {
- credentials.username = Buffer.from(credentials.username).toString('base64');
- credentials.password = Buffer.from(credentials.password).toString('base64');
- return $http.post("/users/login", credentials).then(function (res) {
+ const body = { "username": Buffer.from(credentials.username).toString('base64'), "password": Buffer.from(credentials.password).toString('base64') }
+ return $http.post("/users/login", body).then((res) => {
 const user = res.data;
 const today = new Date();
 const expired = new Date(today);
@@ -26,9 +28,11 @@ const authService = function ($http, $cookies) {
 };
 service.register = function (credentials) {
- return $http.post("/users/create", credentials).then(function (res) {
- // implement resp here!!
- });
+ const body = { "email": Buffer.from(credentials.email).toString('base64'), "password": Buffer.from(credentials.password).toString('base64') }
+ return $http.post("/users/create", body).then((res) => {});
 };
 service.isAuthenticated = function () {
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
index 37c331ed..2af338ab 100644
--- a/server_app/user/handler.js
+++ b/server_app/user/handler.js
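Review bot: The new `service.register` body sends only `email` and `password`, while the old call posted the whole `credentials` object and the server-side `userCreate` in this same patch still reads `req.body.username` undecoded; unless callers never supplied a username, sign-up now reaches `validateSignUpParams` with `username` undefined. If the form collects one, add `"username": credentials.username` to the body (plain, since the server does not decode it). The trailing `.then((res) => {})` also turns the resolved value into `undefined`, hiding the server response from callers; if nothing depends on that, `return $http.post("/users/create", body);` is simpler. As in `service.login`, the base64 step is an encoding and not a protection for the password; TLS is what protects it.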
@@ -34,8 +34,8 @@ const userLogin = async(req, res) => {
 const userCreate = async(req, res) => {
 try {
 const username = req.body.username;
- const mail = req.body.email;
- const password = req.body.password;
+ const mail = Buffer.from(req.body.email, 'base64').toString('ascii');
+ const password = Buffer.from(req.body.password, 'base64').toString('ascii');
 const validation = userValitor.validateSignUpParams({username, mail, password});
@@ -43,9 +43,9 @@ const userCreate = async(req, res) => {
 return res.status(422).send(validation.message);
 }
- const createdUser = await userService.create({username, mail, password});
+ await userService.create({username, mail, password});
- return res.status(200).json(createdUser);
+ return res.sendStatus(201);
 } catch (error) {
 console.error(error);
 if(error.code == 'USER_ERROR_ALREADY_EXISTS') {
From c34f669a9ccb518e9f48c3e3c85edc569cd14cc7 Mon Sep 17 00:00:00 2001
From: Milton Bittencourt
Date: Mon, 17 Oct 2022 23:42:54 -0300
Subject: [PATCH 3/5] Improve reset password security
---
app/angular/service/authService.js | 7 ++++++-
server_app/user/handler.js | 4 ++--
server_app/user/handler.test.js | 4 ++--
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/app/angular/service/authService.js b/app/angular/service/authService.js
index 555582ac..a457d9c1 100644
--- a/app/angular/service/authService.js
+++ b/app/angular/service/authService.js
@@ -53,7 +53,12 @@ const authService = function ($http, $cookies) {
 };
 service.resetPassword = (mail, code, newPassword) => {
- return $http.post("/users/reset", { mail, code, newPassword });
+ const body = { "mail": Buffer.from(mail).toString('base64'), "newPassword": Buffer.from(newPassword).toString('base64'), "code": code }
+ return $http.post("/users/reset", body);
 };
 return service;
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
index 2af338ab..4ae6ec95 100644
--- a/server_app/user/handler.js
+++ b/server_app/user/handler.js
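Review bot: `userCreate` decodes `email` and `password` from base64 but takes `username` from the body as-is, whereas `userLogin` in the same file decodes `username`; the same field now travels in two encodings to two endpoints, which will confuse the next person touching the client. Either decode all three here or make the exception explicit: `// username is sent plain; only email and password are base64-encoded by the client`. As in `userLogin`, `Buffer.from(undefined, 'base64')` throws before `validateSignUpParams` runs, so a sign-up with a missing field gets the `catch` block's response rather than the validator's 422, and `'ascii'` should be `'utf8'` to match what the client encodes. Replacing the created-user body with `res.sendStatus(201)` is a sound change; `userCreate`'s `catch` branches continue outside the hunk.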
@@ -83,9 +83,9 @@ const userRecoveryValidate = async(req, res) => {
 const resetPassword = async(req, res) => {
 try {
- const mail = req.body.mail;
+ const mail = Buffer.from(req.body.mail, 'base64').toString('ascii');
+ const newPassword = Buffer.from(req.body.newPassword, 'base64').toString('ascii');
 const code = req.body.code;
- const newPassword = req.body.newPassword;
 const isValid = await userService.resetPassword(mail, code, newPassword);
 return res.status(200).json({valid: isValid});
 } catch (error) {
diff --git a/server_app/user/handler.test.js b/server_app/user/handler.test.js
index 4fef93b7..4254c5f1 100644
--- a/server_app/user/handler.test.js
+++ b/server_app/user/handler.test.js
@@ -50,13 +50,13 @@ describe("Test /users/create", () => {
 expect(response.statusCode).toBe(422);
 });
- test("It should response 200 when user created", async () => {
+ test("It should response 201 when user created", async () => {
 const response = await request(app).post("/users/create").send({"username": "user", "email": "mail@mail.com", "password": "123456"});
 mockUserService.create.mockResolvedValue({ "userId": "123456", "userName": "someusername" });
- expect(response.statusCode).toBe(200);
+ expect(response.statusCode).toBe(201);
 expect(mockUserService.create).toHaveBeenCalled();
 });
From 6500ad950cbbecf64bec7c1aab21f18aaa25afdd Mon Sep 17 00:00:00 2001
From: Milton Bittencourt
Date: Mon, 17 Oct 2022 23:58:30 -0300
Subject: [PATCH 4/5] Hide user from recovery request
---
server_app/user/handler.js | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
index 4ae6ec95..e23a4270 100644
--- a/server_app/user/handler.js
+++ b/server_app/user/handler.js
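Review bot: The `/users/create` test still posts `"email": "mail@mail.com"` and `"password": "123456"` as plain text, but after this series `userCreate` base64-decodes both fields before `validateSignUpParams`, so the handler under test receives decoded garbage rather than a valid address; the 201 expectation therefore depends on the validator being mocked or lenient, which is outside the hunk. Encode the fixture the way the client does: `"email": Buffer.from("mail@mail.com").toString('base64'), "password": Buffer.from("123456").toString('base64')`. Separately, `mockUserService.create.mockResolvedValue(...)` is set after the request has already been awaited, so it cannot affect this request; move it above the `request(app)` line.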
@@ -58,8 +58,8 @@ const userCreate = async(req, res) => {
 const userRecovery = async(req, res) => {
 try {
 const email = req.body.email;
- const recoveredUser = await userService.recovery(email);
- return res.status(202).json(recoveredUser);
+ await userService.recovery(email);
+ return res.sendStatus(202);
 } catch (error) {
 console.error(error);
 if(error.code == 'USER_DO_NOT_EXISTS') {
From cbda97d00c913824fb71d73c83c90bcb6b8bfa07 Mon Sep 17 00:00:00 2001
From: Milton Bittencourt
Date: Tue, 18 Oct 2022 00:22:19 -0300
Subject: [PATCH 5/5] Short reuse refac
---
app/angular/service/authService.js | 16 ++++++++++------
server_app/helpers/crypto.js | 5 +++++
server_app/user/handler.js | 13 +++++++------
3 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/app/angular/service/authService.js b/app/angular/service/authService.js
index a457d9c1..1b575baf 100644
--- a/app/angular/service/authService.js
+++ b/app/angular/service/authService.js
@@ -6,8 +6,8 @@ const authService = function ($http, $cookies) {
 service.login = function (credentials) {
 const body = {
- "username": Buffer.from(credentials.username).toString('base64'),
- "password": Buffer.from(credentials.password).toString('base64')
+ "username": service.encode(credentials.username),
+ "password": service.encode(credentials.password)
 }
 return $http.post("/users/login", body).then((res) => {
 const user = res.data;
@@ -29,8 +29,8 @@ const authService = function ($http, $cookies) {
 service.register = function (credentials) {
 const body = {
- "email": Buffer.from(credentials.email).toString('base64'),
- "password": Buffer.from(credentials.password).toString('base64')
+ "email": service.encode(credentials.email),
+ "password": service.encode(credentials.password)
 }
 return $http.post("/users/create", body).then((res) => {});
 };
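Review bot: Dropping the user object from the 202 body closes one account-enumeration channel, but the `catch` block right below still branches on `error.code == 'USER_DO_NOT_EXISTS'`, and if that branch answers with anything other than 202 (its response is outside the hunk) a caller can still distinguish registered addresses from unknown ones by status code. Respond identically for both outcomes and keep the miss in the server log only: `if(error.code == 'USER_DO_NOT_EXISTS') { return res.sendStatus(202); }`. Note also that `email` is read raw here while the other handlers in this file now expect base64, so the client's recovery call presumably still sends it plain; a one-line comment saying so would prevent someone "fixing" it later. `userRecovery` continues past the hunk.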
@@ -54,13 +54,17 @@ const authService = function ($http, $cookies) {
 service.resetPassword = (mail, code, newPassword) => {
 const body = {
- "mail": Buffer.from(mail).toString('base64'),
- "newPassword": Buffer.from(newPassword).toString('base64'),
+ "mail": service.encode(mail),
+ "newPassword": service.encode(newPassword),
 "code": code
 }
 return $http.post("/users/reset", body);
 };
+ service.encode = (data) => { return Buffer.from(data).toString('base64'); }
+
 return service;
 };
diff --git a/server_app/helpers/crypto.js b/server_app/helpers/crypto.js
index 7fe79b78..53d7595f 100644
--- a/server_app/helpers/crypto.js
+++ b/server_app/helpers/crypto.js
@@ -28,7 +28,12 @@ const decrypt = (hash) => {
 return decrypted.toString();
 };
+ const decode = (hash) => { return Buffer.from(hash, 'base64').toString('ascii'); };
+
 module.exports = {
 encrypt,
 decrypt,
+ decode
 };
diff --git a/server_app/user/handler.js b/server_app/user/handler.js
index e23a4270..44e83b97 100644
--- a/server_app/user/handler.js
+++ b/server_app/user/handler.js
@@ -2,14 +2,15 @@ const express = require("express");
 const bodyParser = require("body-parser");
 const userService = require("./service");
 const userValitor = require("./validator");
+ const decipher = require("../helpers/crypto");
 const router = express.Router();
 router.use(bodyParser.json());
 const userLogin = async(req, res) => {
 try {
- const username = Buffer.from(req.body.username, 'base64').toString('ascii');
- const password = Buffer.from(req.body.password, 'base64').toString('ascii');
+ const username = decipher.decode(req.body.username);
+ const password = decipher.decode(req.body.password);
 const sessionId = req.sessionID;
 const validation = userValitor.validateLoginParams({username, password});
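Review bot: `decode` converts the base64 bytes with `'ascii'`, which in Node strips the high bit of every byte, so any non-ASCII character in a username, e-mail or password that the client encoded as UTF-8 (`Buffer.from(data)` defaults to utf8) is silently corrupted before validation or the password check; use `'utf8'`. It also throws a `TypeError` when `hash` is not a string, which every caller in `handler.js` hits before its validator runs whenever a field is missing, and `hash` is a misleading parameter name for base64 text. Sitting beside `encrypt`/`decrypt` in `helpers/crypto.js`, the helper needs a comment making clear it is a transport encoding step and not a cryptographic one, so nobody relies on it for confidentiality.
```javascript
// Reverses the client's base64 transport encoding. This is NOT decryption and
// gives the value no confidentiality; TLS is what protects it in transit.
// Non-string input is returned unchanged so the callers' validators can reject it.
const decode = (encoded) => {
  if (typeof encoded !== 'string') return encoded;
  return Buffer.from(encoded, 'base64').toString('utf8');
};
// … unchanged: module.exports …
```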
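Review bot: Binding the helper as `decipher` and writing `decipher.decode(req.body.username)` reads as though the credentials arrive encrypted, when the helper only reverses a base64 encoding; a reader of `userLogin` could conclude the password is protected on the wire when it is not. Name it for what it does, e.g. `const codec = require("../helpers/crypto");` and `const username = codec.decode(req.body.username);`, or put `// base64 transport decoding only — not decryption` above the two decode lines. `userLogin` continues beyond the hunk.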
@@ -34,8 +35,8 @@ const userLogin = async(req, res) => {
 const userCreate = async(req, res) => {
 try {
 const username = req.body.username;
- const mail = Buffer.from(req.body.email, 'base64').toString('ascii');
- const password = Buffer.from(req.body.password, 'base64').toString('ascii');
+ const mail = decipher.decode(req.body.email);
+ const password = decipher.decode(req.body.password);
 const validation = userValitor.validateSignUpParams({username, mail, password});
@@ -83,8 +84,8 @@ const userRecoveryValidate = async(req, res) => {
 const resetPassword = async(req, res) => {
 try {
- const mail = Buffer.from(req.body.mail, 'base64').toString('ascii');
- const newPassword = Buffer.from(req.body.newPassword, 'base64').toString('ascii');
+ const mail = decipher.decode(req.body.mail);
+ const newPassword = decipher.decode(req.body.newPassword);
 const code = req.body.code;
 const isValid = await userService.resetPassword(mail, code, newPassword);
 return res.status(200).json({valid: isValid});