diff --git a/config.js b/config.js
index 1ac83ab..5f9c851 100644
--- a/config.js
+++ b/config.js
@@ -20,7 +20,8 @@ config.mail.from = "name";
 * Session purge settings
 */
 // Maximum session length in days
-config.maxSessionLength = 30;
+config.maxSessionLength = 1;
+config.maxRefreshLength = 360;

 /*
 * SSL settings
diff --git a/index.js b/index.js
index 96bb89e..0fd863a 100644
--- a/index.js
+++ b/index.js
@@ -35,6 +35,11 @@ mongoose.connect(config.db.connection, { useNewUrlParser: true, useUnifiedTopolo
 app.use(cors());
 app.use(express.urlencoded({ extended: true }))
 app.use(express.json());
+app.use(function(req, res, next) {
+ res.header("Access-Control-Allow-Origin", "*"); // update to match the domain you will make the request from
+ res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
+ next();
+ });

 // Sanitize data to prevent NoSQL injections
 app.use(mongoSanitize());
diff --git a/routes/user.route.js b/routes/user.route.js
index 68b559f..f9be9f1 100644
--- a/routes/user.route.js
+++ b/routes/user.route.js
@@ -235,6 +235,27 @@ userRoutes.route('/favorite/get').post((req, res) => {
 })
 })

+userRoutes.route('/refresh').post((req, res) => {
+ utils.account.checkRefresh(req.body.userId, req.body.refresh, valid => {
+ if (valid) {
+ let s = new Session();
+ s.sessionId = generateSession();
+ s.userId = u._id;
+ s.date = new Date();
+
+ s.save()
+ .then(() => {
+ res.json(s);
+ })
+ .catch(() => {
+ res.status(500).send("Error logging in user");
+ });
+ } else {
+ res.status(401).send("Incorrect refresh token");
+ }
+ }
+});
+
 module.exports = userRoutes;
diff --git a/schema/session.model.js b/schema/session.model.js
index e9b819f..cbdf415 100644
--- a/schema/session.model.js
+++ b/schema/session.model.js
@@ -11,6 +11,9 @@ let Session = new Schema({
 },
 date: {
 type: Date
+ },
+ type: {
+ type: Number // 0 for sessionID, 1 for refresh token
 }
 }, {
 collection: 'sessions'
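Review bot: `config.maxRefreshLength = 360;` is added with no comment saying what the number means, while the neighbouring `// Maximum session length in days` documents the value it sits beside; utils/cron.js in this same commit compares it against a day count, so `// Maximum refresh token length in days` belongs above it. Nearly a year is a long lifetime for a credential that, as far as the /refresh route in this commit shows, is neither rotated nor revoked on use, so it is worth confirming 360 is intended and not a placeholder.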
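Review bot: The added middleware sets `Access-Control-Allow-Origin: *` unconditionally right after `app.use(cors())`, which with no options already sends that wildcard, so the new lines only duplicate it and ship the placeholder comment `// update to match the domain you will make the request from` as production behaviour. Since this API returns session and refresh tokens in JSON bodies, the origin should be an explicit allow-list rather than `*`: delete the custom middleware and configure the existing call, `app.use(cors({ origin: config.allowedOrigins }));`, with that list added to config.js. `cors()` also emits the Allow-Headers line, and the closing `});` is indented two spaces deeper than its `app.use(`.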
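Review bot: The new `/refresh` handler cannot run as written: `s.userId = u._id;` references `u`, which is not defined anywhere in the handler, and the `checkRefresh(` call is never closed — the callback ends with `}` followed directly by `});`, so the file fails to parse. The freshly issued session also never sets `s.type`, while `checkSession` in utils/account.js in this same commit only accepts documents with `type == 0`, so a session minted here would be rejected on the next authenticated call. The refresh token is neither rotated nor deleted on use, so one leaked token keeps minting sessions until the cron purge removes it; deleting the presented refresh document and issuing a new one alongside the session would bound that. The valid branch rewritten with the caller-supplied user id, an explicit type and the missing `);`:
```javascript
userRoutes.route('/refresh').post((req, res) => {
  utils.account.checkRefresh(req.body.userId, req.body.refresh, valid => {
    if (!valid) {
      res.status(401).send("Incorrect refresh token");
      return;
    }
    let s = new Session();
    s.sessionId = generateSession();
    s.userId = req.body.userId; // was `u._id`; `u` is not defined here
    s.type = 0; // plain session; checkSession only accepts type 0
    s.date = new Date();
    // … unchanged: s.save().then(res.json(s)).catch(500) …
  }); // closes the checkRefresh call, which the hunk leaves open
});
```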
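Review bot: The new `type` field has neither a default nor an `enum`, so every session document written before this change — and any caller that forgets to set it — carries `type` undefined, which matches neither the `== 0` nor the `== 1` branch used in utils/account.js and utils/cron.js in this commit: such rows are rejected on lookup yet never purged. Declaring `type: { type: Number, enum: [0, 1], default: 0 }` makes legacy and untyped documents plain sessions and rejects stray values at write time. Named constants exported from this model (e.g. `SESSION = 0`, `REFRESH = 1`) would replace the bare numbers and the comment that explains them.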
diff --git a/utils/account.js b/utils/account.js
index 0aa88db..2a230b0 100644
--- a/utils/account.js
+++ b/utils/account.js
@@ -1,10 +1,22 @@
 let User = require('../schema/user.model');
 let Session = require('../schema/session.model');
+const bcrypt = require('bcrypt');

 // checkSession(userId, sessionId) checks if the sessionId is valid for the user
 const checkSession = (userId, sessionId, f) => {
 Session.find({ userId: userId, sessionId: sessionId }, (err, res) => {
- if (res) {
+ if (res && res.type == 0) {
+ f(true);
+ return;
+ }
+ f(false);
+ });
+}
+
+// checkRefresh(userId, sessionId) checks if the refresh token is valid for the user
+const checkRefresh = (userId, sessionId, f) => {
+ Session.find({ userId: userId, sessionId: sessionId }, (err, res) => {
+ if (res && res.type == 1) {
 f(true);
 return;
 }
diff --git a/utils/cron.js b/utils/cron.js
index 668662d..9e68e29 100644
--- a/utils/cron.js
+++ b/utils/cron.js
@@ -1,6 +1,7 @@
 const config = require('../config');
 let Session = require('../schema/session.model');
 const maxSessionLength = config.maxSessionLength;
+const maxRefreshLength = config.maxRefreshLength;

 // purgeSessions() purge sessions that have existed for longer than maxSessionLength
 const purgeSessions = () => {
@@ -9,7 +10,12 @@ const purgeSessions = () => {
 for (let i = 0; i < arr.length; i++) {
 let timeDifference = new Date().getTime() - arr[i].date;
 let dayDifference = timeDifference / (1000 * 3600 * 24);
- if (dayDifference > maxSessionLength) {
+ if (arr[i].type == 0 && dayDifference > maxSessionLength) {
+ arr[i].delete().catch(e => {
+ console.log(e);
+ });
+ }
+ if (arr[i].type == 1 && dayDifference > maxRefreshLength) {
 arr[i].delete().catch(e => {
 console.log(e);
 });
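Review bot: `Session.find(...)` resolves with an array of documents, so `res.type` is `undefined` and both `res && res.type == 0` in checkSession and `res && res.type == 1` in checkRefresh are always false: after this change every session and refresh check fails, whereas the old `if (res)` passed for an empty array and so never failed. Query for a single document with the type in the filter and stop discarding `err`: `Session.findOne({ userId: userId, sessionId: sessionId, type: 0 }, (err, doc) => { f(!err && doc != null); });` in checkSession, with `type: 1` in checkRefresh. `const bcrypt = require('bcrypt');` is added but nothing in this hunk uses it; if it is needed further down the file that is fine, otherwise it is an unused dependency. The comment header for checkRefresh calls its second argument `sessionId` although it receives the refresh token, and checkRefresh's body continues past the end of the hunk.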
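Review bot: The comment two lines below the new constant, `// purgeSessions() purge sessions that have existed for longer than maxSessionLength`, no longer describes the function once `maxRefreshLength` is read here; change it to `// purgeSessions() purges sessions older than maxSessionLength days and refresh tokens older than maxRefreshLength days`. If `config.maxRefreshLength` is absent the constant is `undefined`, every `dayDifference > maxRefreshLength` comparison is false and refresh tokens are never purged, so it is worth failing loudly at load time, e.g. `if (maxRefreshLength === undefined) throw new Error('config.maxRefreshLength is not set');`. purgeSessions's body continues past the end of the hunk.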
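Review bot: A session document whose `type` is missing — anything written before the field existed, or by a caller that does not set it — satisfies neither `arr[i].type == 0` nor `arr[i].type == 1`, so it is never purged, and the delete block is now duplicated. Choosing the limit by type and keeping one delete fixes both: `let limit = arr[i].type == 1 ? maxRefreshLength : maxSessionLength;` followed by `if (dayDifference > limit) {` in place of the two `if` lines, so untyped rows are treated as plain sessions. Loose `==` against a numeric literal also accepts the string `"1"` from a mis-typed document; `===` is the safer comparison here. The enclosing `for` loop and purgeSessions continue past the end of the hunk.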