Rewrite authentication to be more sensible

README.md

@@ -62,19 +62,18 @@ The server will then respond with a JSON object that looks something like this:
 ```
 The value of the error code will be `1` if the username already exists.
 
-### /login/
+### /auth/
 In order to log into an account, or essentially request a new authentication
 token, a `POST` request should be sent with the following data:
 ```javascript
 {
     "user": "FooBar", // Username goes here
-    "password": "hunter2", // Optional field if auth-key is present
-    "auth-key": "$2a$10$.X9YrNyd2R7b2ycAumHn.ONiINs2bCkRDupugu6sjZkUkPmXSaSra" // Optional field if password is present
+    "password": "hunter2", // Password goes here
 }
 ```
-Using the auth-key will reset and generate a new authentication key, whereas
-password will simply get the current auth-key. In either case the following data
-will be returned:
+Using this will then generate a new authentication key, **invalidating** any
+existing authentication key for that account. Note that you do not need to use
+/auth/ after registering as a new auth key is already generated.
 ```javascript
 {
     "logged_in": 1, // Value is 1 or 0 whether or not the login was successful
@@ -83,5 +82,5 @@ will be returned:
 }
 ```
 The error codes are as follows, `1` indicates the username could not be found,
-`2` indicates that the password is invalid and `3` indicates the provided
-authentication key was invalid.
+`2` indicates that the password is invalid and `3` indicates that the login
+request was malformed.

routes/user/login.js

@@ -1,6 +1,7 @@
 var Redis = require("ioredis");
 var redis = new Redis();
 var bcrypt = require('bcrypt-nodejs');
+var authgen = require("./../../utils/auth-keys.js");
 
 module.exports = {
   perform: function(a,b) {
@@ -10,49 +11,34 @@ module.exports = {
 
 var perform = function(req, res) {
   var username = req.body.user || req.query.user;
-  username = username.toLowerCase();
   var password = req.body.password || req.query.password;
-  var auth_key = req.body.auth_key || req.query.auth_key;
   var uquery   = 'user:' + username;
 
   redis.hgetall(uquery).then(function (result) {
     if (result.password && result !== undefined && result !== null) {
       var user_object = result;
-      if (auth_key !== "" && auth_key !== undefined && auth_key !== null) {
-        if (auth_key === user_object["auth-key"]) {
-          var timestamp_user = Date.now().toString() + username;
-          user_object["auth-key"] = bcrypt.hashSync(timestamp_user);
-          redis.set(uquery, "auth-key", user_object["auth-key"]);
-          res.send({"logged_in": 1,
-                   "auth-key": user_object["auth-key"],
-                   "error": 0});
-        } else {
-          res.send({"logged_in": 0,
-                   "error": 3});
-        }
-      } else {
-        bcrypt.compare(password, user_object["password"], function (err, matched) {
-          if (matched === true) {
-            if (undefined === user_object["auth-key"]) {
-              var timestamp_user = Date.now().toString() + username;
-              user_object["auth-key"] = bcrypt.hashSync(timestamp_user);
-              redis.set(uquery, JSON.stringify(user_object));
-              res.send({"logged_in": 1,
-                       "auth-key": user_object["auth-key"],
-                       "error": 0});
-            } else {
-              res.send({"logged_in": 1,
-                       "auth-key": user_object["auth-key"],
-                       "error": 0});
+      if (username && password) {
+        username = username.toLowerCase();
+        bcrypt.compare(password, user_object.password, function (err, matched) {
+          if (matched) {
+            var new_auth_key = authgen.generate(username);
+            var aquery = "auth-key:" + new_auth_key;
+            redis.set(aquery, username);
+            redis.hset(uquery, "auth-key", new_auth_key);
+            if (user_object["auth-key"]) {
+              redis.del("auth-key:" + user_object["auth-key"]);
             }
-            return;
+            res.send({"logged_in": 1,
+                     "auth-key": new_auth_key,
+                     "error": 0})
           } else {
             res.send({"logged_in": 0,
                      "error": 2});
-                     return;
           }
         });
-
+      } else {
+        res.send({"logged_in": 0,
+                 "error": 3});
       }
     } else {
       res.send({"logged_in": 0,

routes/user/register.js

@@ -1,6 +1,6 @@
 var Redis = require("ioredis");
 var redis = new Redis();
-var bcrypt = require('bcrypt-nodejs');
+var authgen = require("./../../utils/auth-keys.js");
 
 module.exports = {
   perform: function(a,b) {
@@ -11,8 +11,9 @@ module.exports = {
 var perform = function (req, res) {
   var tmp_username = req.body.user || req.query.user;
   var tmp_password = req.body.password || req.query.password;
-  tmp_username = tmp_username.toLowerCase();
+  tmp_username     = tmp_username.toLowerCase();
   var uquery       = 'user:' + tmp_username;
+  var aquery       = "";
   var user_object  = {};
 
   redis.hgetall(uquery).then(function (result) {
@@ -22,9 +23,11 @@ var perform = function (req, res) {
     } else {
       bcrypt.hash(tmp_password, null, null, function (err, hash) {
         user_object["password"] = hash;
-        user_object["auth-key"] = bcrypt.hashSync(Date.now().toString() + tmp_username);
+        user_object["auth-key"] = authgen.generate(tmp_username);
+        aquery = "auth-key:" + user_object["auth-key"];
         redis.hset(uquery, "password", user_object.password);
         redis.hset(uquery, "auth-key", user_object["auth-key"]);
+        redis.set(aquery, tmp_username);
         res.send({"registered": 1,
                  "auth-key": user_object["auth-key"],
                  "error": 0});

utils/auth-keys.js

@@ -0,0 +1,8 @@
+bcrypt = require("bcrypt-nodejs");
+
+module.exports = {
+  generate: function (user) {
+    var obfuscator = (Math.random()+1).toString(36).substring(7);
+    return bcrypt.hashSync(Date.now().toString() + user + obfuscator);
+  }
+}

utils/route-manager.js

@@ -1,13 +1,13 @@
 var express = require("express");
 var router = express.Router();
-var hello = require("./routes/misc/helloworld.js");
-var register = require("./routes/user/register.js");
-var login = require("./routes/user/login.js");
+var hello = require("../routes/misc/helloworld.js");
+var register = require("../routes/user/register.js");
+var login = require("../routes/user/login.js");
 
 module.exports = router;
 
 router.get('/hello/(:name)?', hello.perform);
 
-router.all('/register', register.perform);
+router.all('/register/', register.perform);
 
-router.all('/login', login.perform);
+router.all('/auth/', login.perform);