Livebeat/backend/endpoints/user.ts

import { Request, Response } from "express";
import { verifyPassword } from "../lib/crypto";
import { User } from "../models/user/user.model";
import { sign, decode, verify } from 'jsonwebtoken';
import { JWT_SECRET, logger } from "../app";
import { IUser } from "../models/user/user.interface";

export async function GetUser(req: Request, res: Response) {
    
}

export async function DeleteUser(req: Request, res: Response) {
    
}

export async function PatchUser(req: Request, res: Response) {
    
}

export async function LoginUser(req: Request, res: Response) {
    const username = req.body.username;
    const password = req.body.password;
    const twoFA = req.body.twoFA;

    const user = await User.findOne({ name: username });

    // Check if user exists
    if (user == undefined) {
        setTimeout(() => {
            res.status(404).send({ message: "Either the username or password is wrong." });
        }, Math.random() * 1500 + 400);
        return;
    }

    // Check if 2FA is turned on (the attack doesn't know yet if the password is wrong)
    if (user.twoFASecret != undefined) {
        if (twoFA == undefined) {
            res.status(401).send({ message: "2FA code is required." });
            return;
        }
        // TODO: Implement 2FA logic here
    }

    // Check if password is wrong
    if (!await verifyPassword(password + user.salt, user.password)) {
        res.status(404).send({ message: 'Either the username or password is wrong.' });
        return;
    }

    // We're good. Create JWT token.
    const token = sign({ user: user._id }, JWT_SECRET!, { notBefore: Date.now(), expiresIn: '30d' });

    logger.info(`User ${user.name} logged in.`)
    res.status(200).send({ token });
}

/**
 * This middleware validates any tokens that are required to access most of the endpoints.
 * Note: This validation doesn't contain any permission checking. 
 */
export async function MW_User(req: Request, res: Response, next: () => void) {
    if (req.headers.token === undefined) {
        res.status(401).send();
        return;
    }
    const token = req.headers.token.toString();

    try {
        // Verify token
        if(await verify(token, JWT_SECRET!, { algorithms: ['HS256'] })) {
            // Token is valid, now look if user is in db (in case he got deleted)
            const id: number = Number(decode(token, { json: true })!.id);
            const db = await User.findOne({ where: { id } });
            if (db !== undefined) {
                next();
                return;
            } else {
                res.status(401).send();
            }
        } else {
            res.status(401).send();
        }
    } catch (err) {
        if (err) res.status(401).send();
    }
}