Basic account auth and password hash working.

Justin Slattery · Justin Slattery · commit 6792648a6575 · 2011-03-21T22:07:49.000-07:00
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/.monitor b/.monitor
diff --git a/controllers/controllers.js b/controllers/controllers.js
@@ -2,11 +2,13 @@
 //Controllers
 //
 var NodeChatController = {
-    init: function() {
+    init: function(options) {
         this.socket = new io.Socket(null, {port: 8000});
         var mysocket = this.socket;
+        this.userName = options.userName;
+        this.hashPass = options.hashPass;
 
-        this.model = new models.NodeChatModel();
+        this.model = new models.NodeChatModel({userName: this.userName, hashPass: this.hashPass});
         this.view = new NodeChatView({model: this.model, socket: this.socket, el: $('#content')});
         var view = this.view;
 
@@ -18,11 +20,3 @@ var NodeChatController = {
         return this;
     }
 };
-
-//
-// Bootstrap the app
-//
-$(document).ready(function () {
-    window.app = NodeChatController.init({});
-});
-
diff --git a/core.js b/core.js
@@ -1,11 +1,16 @@
-var app = require('express').createServer()
+var express = require('express')
+    , app = express.createServer()
+    , connect = require('connect')
     , jade = require('jade')
     , socket = require('socket.io').listen(app)
     , _ = require('underscore')._
     , Backbone = require('backbone')
-    , redis = require('redis')
+    , models = require('./models/models')
+    , auth = require('./lib/auth');
+
+var redis = require('redis')
     , rc = redis.createClient()
-    , models = require('./models/models');
+    , redisStore = require('connect-redis');
 
 rc.on('error', function(err) {
     console.log('Error ' + err);
@@ -16,41 +21,81 @@ rc.on('error', function(err) {
 app.set('view engine', 'jade');
 app.set('view options', {layout: false});
 
+//configure express to use redis as session store
+app.use(express.bodyParser());
+app.use(express.cookieParser());
+app.use(express.session({ store: new redisStore(), secret: 'Secretly I am an elephant' }));
+
 
 //setup routes
+app.get('/logout', function(req, res){
+    // destroy the user's session to log them out
+    // will be re-created next request
+    req.session.destroy(function(){
+        res.redirect('home');
+    });
+});
+
+app.get('/login', function(req, res){
+    console.log('GET /login');
+    res.render('login');
+});
+
+app.get('/disconnect', function(req, res){
+    res.render('disconnect');
+});
+
+app.post('/login', function(req, res){
+    console.log('POST /login');
+    auth.authenticateUser(req.body.username, req.body.password, function(err, user){
+        if (user) {
+            // Regenerate session when signing in
+            // to prevent fixation 
+            req.session.regenerate(function(){
+                // Store the user's primary key 
+                // in the session store to be retrieved,
+                // or in this case the entire user object
+                console.log('regenerated session id ' + req.session.id);
+                req.session.cookie.maxAge = 100 * 24 * 60 * 60 * 1000; //Force longer cookie age
+                req.session.cookie.httpOnly = false;
+                req.session.user = user;
+                req.session.hashPass = user.hashPass || 'No Hash';
+
+                console.log('Storing new hash for user ' + user.name + ': ' + req.session.hash);
+                res.redirect('/');
+            });
+        } else {
+            req.session.error = 'Authentication failed, please check your username and password.';
+            res.redirect('back');
+        }
+    });
+});
+
 app.get('/*.(js|css)', function(req, res){
     res.sendfile('./'+req.url);
 });
 
-app.get('/', function(req, res){
-    res.render('index');
+app.get('/', restrictAccess, function(req, res){
+    res.render('index', {
+        locals: { name: req.session.user.name, hashPass: JSON.stringify(req.session.hashPass) }
+    });
 });
 
+//This method decides what a valid login looks like. In this case, just verify that we have a session object for the user
+function restrictAccess(req, res, next) {
+    if (req.session.user) {
+        next();
+    } else {
+        req.session.error = 'Access denied!';
+        res.redirect('/login');
+    }
+};
+
 
 //create local state
 var activeClients = 0;
 var nodeChatModel = new models.NodeChatModel();
 
-rc.lrange('chatentries', -10, -1, function(err, data) {
-    if (err)
-    {
-        console.log('Error: ' + err);
-    }
-    else if (data) {
-        _.each(data, function(jsonChat) {
-            var chat = new models.ChatEntry();
-            chat.mport(jsonChat);
-            nodeChatModel.chats.add(chat);
-        });
-
-        console.log('Revived ' + nodeChatModel.chats.length + ' chats');
-    }
-    else {
-        console.log('No data returned for key');
-    }
-});
-
-
 socket.on('connection', function(client){
     activeClients += 1;
     client.on('disconnect', function(){clientDisconnect(client)});
diff --git a/lib/auth.js b/lib/auth.js
@@ -0,0 +1,87 @@
+/* Auth.js 
+ *
+ * Handles new user accounts and authentication
+ *
+ */
+
+(function () {
+    if (typeof exports !== 'undefined') {
+        auth = exports;
+        redis = require('redis');
+        rc = redis.createClient();
+
+        //joose is required to support the hash lib we are using
+        require('joose');
+        require('joosex-namespace-depended');
+        require('hash');
+    } 
+    else {
+        auth = this.auth = {};
+    }
+
+    auth.authenticateUser = function(name, pass, fn) {
+        console.log('[authenticate] Starting auth for ' + name + ' with password ' + pass);
+        
+        var rKey = 'user:' + name;
+        rc.get(rKey, function(err, data){
+            if(err) return fn(new Error('[authenticate] SET failed for key: ' + rKey + ' for value: ' + name));
+
+            if (!data) {
+                console.log('[authenticate] user: ' + name + ' not found in store. Creating new user.');
+                auth.createNewUserAccount(name, pass, fn);
+            }
+            else {
+                console.log('[authenticate] user: ' + name + ' found in store. Verifying password.');
+                auth.verifyUserAccount(data, pass, fn)
+            }
+        });
+    };
+
+    auth.verifyUserAccount = function(foundUserName, pass, fn) {
+        var rKey = 'user:' + foundUserName;
+
+        var user = {};
+        user.name = foundUserName;
+
+        rc.get(rKey + '.salt', function(err, data){
+            if(err) return fn(new Error('[authenticate] GET failed for key: ' + rKey + '.salt')); 
+
+            var calculatedHash = Hash.sha512(data + '_' + pass);
+            rc.get(rKey + '.hashPass', function(err, data) {
+                if(err) return fn(new Error('[authenticate] GET failed for key: ' + rKey + '.hashPass'));
+
+                if (calculatedHash === data) {
+                    user.hashPass = calculatedHash;
+                    console.log('[authenticate] Auth succeeded for ' + foundUserName + ' with password ' + pass);
+                    return fn(null, user);
+                }
+
+                fn(new Error('invalid password'));
+            });
+        });
+    }
+
+    auth.createNewUserAccount = function(name, pass, fn) {
+        var rKey = 'user:' + name;
+
+        rc.set(rKey, name, function(err, data){
+            if(err) return fn(new Error('[authenticate] SET failed for key: ' + rKey + ' for value: ' + name));
+
+            var salt = new Date().getTime();
+            rc.set(rKey + '.salt', salt, function(err, data) {
+                if(err) return fn(new Error('[authenticate] SET failed for key: ' + rKey + '.salt' + ' for value: ' + salt));
+
+                var hashPass = Hash.sha512(salt + '_' + pass);
+                rc.set(rKey + '.hashPass', hashPass, function(err, data) {
+                    if(err) return fn(new Error('[authenticate] SET failed for key: ' + rKey + '.hashPass' + ' for value: ' + hashPass));
+
+                    var user = {};
+                    user.name = name;
+                    user.hashPass = hashPass;
+                    return fn(null, user);
+                }); 
+            }); 
+        }); 
+    }
+})()
+
diff --git a/nodemon-ignore b/nodemon-ignore
@@ -0,0 +1,2 @@
+*.swp
+*.css
diff --git a/views/index.jade b/views/index.jade
@@ -9,21 +9,42 @@ html(lang="en")
     script(type="text/javascript", src="/models/models.js")
     script(type="text/javascript", src="/controllers/controllers.js")
     script(type="text/javascript", src="/views/views.js")
-      body
+    script
+      //Fake out FF and IE8
+      function log() {
+          if (typeof console == 'undefined') {
+              return;
+          }
+          console.log.apply(console, arguments);
+      }
+
+      $(document).ready(function () { 
+        window.app = NodeChatController.init({hashPass: !{locals.hashPass}, userName: '!{locals.name}'}); 
+      });
+  body
     #heading
       h1 nodechat
     #content
       p 
         | connected clients
         span#client_count 0
+      p 
+        a(href='/logout') logout
+
+      p
+        label You are logged in as: 
+          = locals.name 
+        br
+        label Your password hash is: 
+          = locals.hashPass
+        br
+        | don't you feel secure? :)
+
       p
         | Fun Chat Messages
         ul#chat_list
-
+          
       form(method="post", action="#", onsubmit="return false")#messageForm
-        p
-          label Name:
-            input(type='text', name='user_name')
         p
           label Message:
             input(type='text', name='message')
diff --git a/views/login.jade b/views/login.jade
@@ -0,0 +1,19 @@
+!!! 5
+html(lang="en")
+  head
+    title nodechat login
+  body
+    #heading
+      h1 nodechat login
+    #content
+      p
+        | You may logon with any user name that has not already been claimed. Your account will be created automatically.
+      form(method="post", action="/login")
+        p
+          label Username:
+            input(type='text', name='username')
+        p
+          label Password:
+            input(type='password', name='password')
+        P
+          input(type='submit', value='send')
diff --git a/views/views.js b/views/views.js
@@ -30,6 +30,7 @@ var ClientCountView = Backbone.View.extend({
 
 var NodeChatView = Backbone.View.extend({
     initialize: function(options) {
+        _.bindAll(this, 'sendMessage');
         this.model.chats.bind('add', this.addChat);
         this.socket = options.socket;
         this.clientCountView = new ClientCountView({model: new models.ClientCountModel(), el: $('#client_count')});
@@ -62,8 +63,7 @@ var NodeChatView = Backbone.View.extend({
 
     , sendMessage: function(){
         var inputField = $('input[name=message]');
-        var nameField = $('input[name=user_name]');
-        var chatEntry = new models.ChatEntry({name: nameField.val(), text: inputField.val()});
+        var chatEntry = new models.ChatEntry({name: this.model.get('userName'), text: inputField.val()});
         this.socket.send(chatEntry.xport());
         inputField.val('');
     }
