Angular Security course

jhades · jhades · commit 7224ff5bc24d · 2017-09-18T16:40:53.000+02:00
diff --git a/server/authentication.middleware.ts b/server/authentication.middleware.ts
diff --git a/server/authorization.middleware.ts b/server/authorization.middleware.ts
@@ -0,0 +1,27 @@
+
+import {Request, Response, NextFunction} from 'express';
+import * as _ from 'lodash';
+
+
+
+export function checkIfAuthorized(allowedRoles: string[], req: Request, res: Response, next: NextFunction) {
+
+    const userInfo = req['user'];
+
+    console.log("Checking authorization for user", userInfo);
+    console.log("Checking if user has the following roles", allowedRoles);
+
+    const roles = _.intersection(userInfo.roles, allowedRoles);
+
+    console.log("Common roles", roles);
+
+    if (userInfo && roles.length > 0) {
+        next();
+    }
+    else {
+        console.log("Unauthorized, only the following roles are allowed: ", allowedRoles);
+        res.sendStatus(403);
+    }
+}
+
+
diff --git a/server/database-data.ts b/server/database-data.ts
@@ -3,22 +3,17 @@ import {DbUser} from "./db-user";
 export const USERS: { [key: number]: DbUser } = {
     1: {
         id: 1,
-        email: 'admin@gmail.com',
+        email: 'student@gmail.com',
         // ADMIN user (password is Password10) can read all lessons and also can login on behalf of other users
         passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$vfrhde0OMBNSSE9rRWtVrQ$gBaNgJFPBZfzuvrzfX8iSr2+OCD8K8Iu/JjwpYp8/TY',
-        roles: {
-            'STUDENT': true
-        }
+        roles: ['STUDENT']
     },
     2: {
         id: 2,
-        email: 'user@gmail.com',
+        email: 'admin@gmail.com',
         // normal user (password is Password10), does not have access to login as another user functionality
         passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$vfrhde0OMBNSSE9rRWtVrQ$gBaNgJFPBZfzuvrzfX8iSr2+OCD8K8Iu/JjwpYp8/TY',
-        roles: {
-            'STUDENT': true,
-            'ADMIN': true
-        }
+        roles: ['STUDENT', 'ADMIN']
     }
 };
 
diff --git a/server/db-user.ts b/server/db-user.ts
@@ -4,5 +4,5 @@ export interface DbUser {
     id:number;
     email:string;
     passwordDigest:string,
-    roles: Object
+    roles: string[]
 }
diff --git a/server/get-user.route.ts b/server/get-user.route.ts
@@ -7,7 +7,9 @@ import {db} from "./database";
 
 export function getUser(req:Request, res:Response) {
 
-    const user = db.findUserById(req["userId"]);
+    const userInfo = req["user"];
+
+    const user = db.findUserById(userInfo.sub);
 
     if (user) {
         res.status(200).json({email:user.email, id:user.id, roles: user.roles});
diff --git a/server/login-as-user.route.ts b/server/login-as-user.route.ts
@@ -7,32 +7,29 @@ import {createSessionToken} from "./security.utils";
 
 export function loginAsUser(req, res) {
 
-    const adminUser = req["user"],
-          roles = adminUser.userRoles,
-          userEmail = req.body.email;
+    const user = req["user"],
+        impersonatedUserEmail = req.body.email;
 
-    if (roles && roles['ADMIN']) {
+    const impersonatedUser = db.findUserByEmail(impersonatedUserEmail);
 
-        const newUser = db.findUserByEmail(userEmail);
+    createSessionToken(impersonatedUser)
+        .then(sessionToken => {
 
-        createSessionToken(newUser)
-            .then(sessionToken => {
+            res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
 
-                res.cookie("SESSIONID", sessionToken, {httpOnly:true, secure:true});
-
-                res.status(200).json({ id: newUser.id, email: newUser.email });
-
-            })
-            .catch(err => {
-                console.log("Error trying to login as user",err);
-                res.sendStatus(500);
+            res.status(200).json({
+                id: impersonatedUser.id,
+                email: impersonatedUser.email,
+                roles: impersonatedUser.roles
             });
 
+        })
+        .catch(err => {
+            console.log("Error trying to login as user",err);
+            res.sendStatus(500);
+        });
+
 
-    }
-    else {
-        res.SendStatus(403);
-    }
 }
 
 
diff --git a/server/read-all-lessons.route.ts b/server/read-all-lessons.route.ts
@@ -4,12 +4,6 @@ import {db} from "./database";
 
 export function readAllLessons(req, res) {
 
-    const user = req["user"];
-
-    if (user.isStudent) {
-        res.status(200).json({lessons:db.readAllLessons()});
-    }
-    else {
-        res.sendStatus(403);
-    }
+    res.status(200).json({lessons:db.readAllLessons()});
+
 }
diff --git a/server/security.utils.ts b/server/security.utils.ts
@@ -24,8 +24,7 @@ const SESSION_DURATION = 1000;
 
 export async function createSessionToken(user: DbUser) {
     return signJwt({
-            isAdmin: !!user.roles["ADMIN"],
-            isStudent: !!user.roles["STUDENT"]
+            roles: user.roles
         },
         RSA_PRIVATE_KEY, {
         algorithm: 'RS256',
diff --git a/server/server.ts b/server/server.ts
@@ -10,8 +10,11 @@ import {getUser} from "./get-user.route";
 import {logout} from "./logout.route";
 import {login} from "./login.route";
 import {retrieveUserIdFromRequest} from "./get-user.middleware";
-import {checkIfAuthenticated} from "./auth.middleware";
+import {checkIfAuthenticated} from "./authentication.middleware";
 import {checkCsrfToken} from "./csrf.middleware";
+import {loginAsUser} from "./login-as-user.route";
+import {checkIfAuthorized} from "./authorization.middleware";
+import * as _ from 'lodash';
 const bodyParser = require('body-parser');
 const cookieParser = require('cookie-parser');
 
@@ -33,11 +36,15 @@ const options = commandLineArgs(optionDefinitions);
 
 // REST API
 app.route('/api/lessons')
-    .get(checkIfAuthenticated, readAllLessons);
+    .get(checkIfAuthenticated, _.partial(checkIfAuthorized, ['STUDENT']), readAllLessons);
 
 app.route('/api/signup')
     .post(createUser);
 
+
+app.route('/api/admin')
+    .post(checkIfAuthenticated, _.partial(checkIfAuthorized, ['ADMIN']) , loginAsUser);
+
 app.route('/api/user')
     .get(getUser);
 
diff --git a/src/app/admin/admin.component.ts b/src/app/admin/admin.component.ts
@@ -18,7 +18,7 @@ export class AdminComponent {
         private router: Router) {
 
         this.form = this.fb.group({
-            userEmail: ['user@gmail.com',Validators.required]
+            userEmail: ['student@gmail.com',Validators.required]
         });
     }
 
@@ -28,10 +28,10 @@ export class AdminComponent {
         const val = this.form.value;
 
         if (val.userEmail) {
-            this.authService.loginAsUser(val.email)
+            this.authService.loginAsUser(val.userEmail)
                 .subscribe(
-                    () => {
-                        console.log("Logged in as user with email " + val.email);
+                    user => {
+                        console.log("Logged in as user with email " + user.email);
                         this.router.navigateByUrl('/');
                     }
                 );

Original file line number	Diff line number	Diff line change
`@@ -4,5 +4,5 @@ export interface DbUser {`
`4`	`4`	`id:number;`
`5`	`5`	`email:string;`
`6`	`6`	`passwordDigest:string,`
`7`		`- roles: Object`
	`7`	`+ roles: string[]`
`8`	`8`	`}`