Angular Security course

Author: jhades

server/create-user.route.ts

@@ -21,7 +21,10 @@ export function createUser(req: Request, res:Response) {
     else {
 
         createUserAndSession(res, credentials)
-            .catch(() => {res.sendStatus(500)});
+            .catch((err) => {
+            console.log("Error creating new user", err);
+            res.sendStatus(500);
+        });
 
     }
 
@@ -33,7 +36,7 @@ async function createUserAndSession(res:Response, credentials) {
 
     const user = db.createUser(credentials.email, passwordDigest);
 
-    const sessionToken = await createSessionToken(user.id.toString());
+    const sessionToken = await createSessionToken(user);
 
     const csrfToken = await createCsrfToken();
 

server/database-data.ts

@@ -5,18 +5,18 @@ export const USERS: { [key: number]: DbUser } = {
         id: 1,
         email: 'admin@gmail.com',
         // ADMIN user (password is Password10) can read all lessons and also can login on behalf of other users
-        passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$PcKtsL4a6+xuPbMCKPep7A$rrFO2lKZcAVguIMaSGaf3hMrKtb6wUG4zN/wDG+xNts',
+        passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$vfrhde0OMBNSSE9rRWtVrQ$gBaNgJFPBZfzuvrzfX8iSr2+OCD8K8Iu/JjwpYp8/TY',
         roles: {
-            'READ:LESSONS': true
+            'STUDENT': true
         }
     },
     2: {
-        id: 1,
+        id: 2,
         email: 'user@gmail.com',
         // normal user (password is Password10), does not have access to login as another user functionality
-        passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$PcKtsL4a6+xuPbMCKPep7A$rrFO2lKZcAVguIMaSGaf3hMrKtb6wUG4zN/wDG+xNts',
+        passwordDigest: '$argon2i$v=19$m=4096,t=3,p=1$vfrhde0OMBNSSE9rRWtVrQ$gBaNgJFPBZfzuvrzfX8iSr2+OCD8K8Iu/JjwpYp8/TY',
         roles: {
-            'READ:LESSONS': true,
+            'STUDENT': true,
             'ADMIN': true
         }
     }

server/database.ts

@@ -6,7 +6,7 @@ import {DbUser} from "./db-user";
 
 class InMemoryDatabase {
 
-    userCounter = 0;
+    userCounter = 2;
 
     readAllLessons() {
         return _.values(LESSONS);
@@ -30,7 +30,9 @@ class InMemoryDatabase {
             id,
             email,
             passwordDigest,
-            roles: ["READ:LESSONS"]
+            roles: {
+                "STUDENT":true
+            }
         };
 
         USERS[id] = user;
@@ -43,9 +45,15 @@ class InMemoryDatabase {
 
     findUserByEmail(email:string) :DbUser {
 
+        console.log("Finding user by email:", email);
+
         const users = _.values(USERS);
 
-        return _.find(users, user => user.email === email);
+        const user = _.find(users, user => user.email === email);
+
+        console.log("user retrieved:", user);
+
+        return user;
     }
 
     findUserById(userId:string) :DbUser {

server/login.route.ts

@@ -42,7 +42,7 @@ async function loginAndBuildResponse(credentials:any, user:DbUser,  res: Respons
     }
     catch(err) {
 
-        console.log("Login failed!");
+        console.log("Login failed:", err);
         res.sendStatus(403);
 
     }

server/read-all-lessons.route.ts

@@ -4,12 +4,12 @@ import {db} from "./database";
 
 export function readAllLessons(req, res) {
 
-    const userRoles = req["user"].roles;
+    const user = req["user"];
 
-    if (userRoles && userRoles['READ:LESSONS']) {
+    if (user.isStudent) {
         res.status(200).json({lessons:db.readAllLessons()});
     }
     else {
-        res.SendStatus(403);
+        res.sendStatus(403);
     }
 }

server/security.utils.ts

@@ -23,11 +23,14 @@ const SESSION_DURATION = 1000;
 
 
 export async function createSessionToken(user: DbUser) {
-    return signJwt({}, RSA_PRIVATE_KEY, {
+    return signJwt({
+            isAdmin: !!user.roles["ADMIN"],
+            isStudent: !!user.roles["STUDENT"]
+        },
+        RSA_PRIVATE_KEY, {
         algorithm: 'RS256',
         expiresIn: 240,
-        subject: user.id,
-        roles: user.roles
+        subject: user.id.toString()
     });
 }
 

src/app/admin/admin.component.ts

@@ -27,7 +27,7 @@ export class AdminComponent {
 
         const val = this.form.value;
 
-        if (val.email) {
+        if (val.userEmail) {
             this.authService.loginAsUser(val.email)
                 .subscribe(
                     () => {

src/app/login/login.component.ts

@@ -21,7 +21,7 @@ export class LoginComponent implements OnInit {
     constructor(private fb:FormBuilder, private authService: AuthService, private router: Router) {
 
         this.form = this.fb.group({
-            email: ['user@gmail.com',Validators.required],
+            email: ['test@gmail.com',Validators.required],
             password: ['Password10',Validators.required]
         });
 

src/app/services/auth.service.ts

@@ -24,6 +24,7 @@ export class AuthService {
 
     constructor(private http: HttpClient) {
         http.get<User>('/api/user')
+            .do(console.log)
             .subscribe(user => this.subject.next(user ? user : ANONYMOUS_USER));
     }