kasvith · d0peCode · Jun 28, 2019 · Jun 28, 2019 · Jun 28, 2019 · Jun 29, 2019
diff --git a/.env.example b/.env.example
@@ -1,9 +1,13 @@
 NODE_ENV=dev
 APP="Your App"
 PORT=3000
+BASE_URI=http://localhost:3000
 MONGOURI=mongodb://localhost:27017/yourapp
 MONGOTESTURI=mongodb://localhost:27017/test-app
 APP_SECRET=somekey
 TRANSPORTER_SERVICE=example-gmail
 [email protected]
-TRANSPORTER_PASSWORD=gmail-application_password
+TRANSPORTER_PASSWORD=gmail-application_password
+DEFAULT_ADMIN_NAME=admin
+[email protected]
+DEFAULT_ADMIN_PASSWORD=password
diff --git a/README.md b/README.md
@@ -17,16 +17,14 @@
 - TRANSPORTER_PASSWORD is password to above email 
   - if gmail you need to generate special app-password, see for further support: https://support.google.com/mail/answer/185833?hl=en)
 
-## Changes from original project
+## Changelog
 
 - Fixed deprecation warnings with mongoose usage.
 - Updated dependencies to fix vulnerabilities.
 - Added email confirmation after registration.
+- Distinguish admin and user.
 
 ## TODO
 
-- Split users and admins to two collections:
-  - Rename auth.controller.js to user.controller.js
-  - create user.route.js and refactor auth.route.js to contain only this demonstration "/secret" routes
 - Integrate Swagger UI documentation
 - Write unit tests
diff --git a/src/config/index.js b/src/config/index.js
@@ -2,6 +2,7 @@ require('dotenv').config() // load .env file
 
 module.exports = {
   port: process.env.PORT,
+  baseURI: process.env.BASE_URI,
   app: process.env.APP,
   env: process.env.NODE_ENV,
   secret: process.env.APP_SECRET,
@@ -13,5 +14,10 @@ module.exports = {
     service: process.env.TRANSPORTER_SERVICE,
     email: process.env.TRANSPORTER_EMAIL,
     password: process.env.TRANSPORTER_PASSWORD
+  },
+  admin: {
+    name: process.env.DEFAULT_ADMIN_NAME,
+    email: process.env.DEFAULT_ADMIN_EMAIL,
+    password: process.env.DEFAULT_ADMIN_PASSWORD
   }
 }
diff --git a/src/controllers/admin.controller.js b/src/controllers/admin.controller.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const Admin = require('../models/admin.model')
+const jwt = require('jsonwebtoken')
+const config = require('../config')
+const httpStatus = require('http-status')
+const generateToken = require('../models/utils/findAndGenerateToken')
+
+exports.register = async (req, res, next) => {
+  try {
+    const admin = new Admin(req.body)
+    const savedAdmin = await admin.save()
+    res.status(httpStatus.CREATED)
+    res.send(savedAdmin.transform())
+  } catch (error) {
+    return next(Admin.checkDuplicateEmailError(error))
+  }
+}
+
+exports.login = async (req, res, next) => {
+  try {
+    const admin = await generateToken(req.body, 'admin')
+    const payload = { sub: admin.id }
+    const token = jwt.sign(payload, config.secret)
+    return res.json({ message: 'OK', token: token })
+  } catch (error) {
+    next(error)
+  }
+}
diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
diff --git a/src/controllers/user.controller.js b/src/controllers/user.controller.js
@@ -0,0 +1,115 @@
+'use strict'
+
+const User = require('../models/user.model')
+const jwt = require('jsonwebtoken')
+const config = require('../config')
+const httpStatus = require('http-status')
+const uuidv1 = require('uuid/v1')
+const generateToken = require('../models/utils/findAndGenerateToken')
+const passport = require('../services/passport')
+const bcrypt = require('bcrypt-nodejs')
+const transporter = require('../services/transporter')
+const APIError = require('../utils/APIError')
+
+exports.register = async (req, res, next) => {
+  try {
+    const activationKey = uuidv1()
+    const body = req.body
+    body.activationKey = activationKey
+    const user = new User(body)
+    const savedUser = await user.save()
+    res.status(httpStatus.CREATED)
+    res.send(savedUser.transform())
+  } catch (error) {
+    return next(User.checkDuplicateEmailError(error))
+  }
+}
+
+exports.login = async (req, res, next) => {
+  try {
+    const user = await generateToken(req.body, 'user')
+    const payload = {sub: user.id}
+    const token = jwt.sign(payload, config.secret)
+    return res.json({ message: 'OK', token: token })
+  } catch (error) {
+    next(error)
+  }
+}
+
+exports.update = async (req, res, next) => {
+  try {
+    if (!passport.user || !req.body.password) {
+      res.status(httpStatus.UNAUTHORIZED)
+      return res.send(new APIError(`Password mismatch`, httpStatus.UNAUTHORIZED))
+    }
+
+    const user = await User.findOne({ 'email': passport.user.email }).exec()
+    if (!user.passwordMatches(req.body.password)) {
+      res.status(httpStatus.UNAUTHORIZED)
+      return res.send(new APIError(`Password mismatch`, httpStatus.UNAUTHORIZED))
+    }
+
+    if (req.body.newPassword) req.body.password = bcrypt.hashSync(req.body.newPassword)
+    await User.findOneAndUpdate(
+      { '_id': passport.user._id },
+      { $set: req.body }
+    )
+    return res.json({ message: 'OK' })
+  } catch (error) {
+    next(error)
+  }
+}
+
+exports.confirm = async (req, res, next) => {
+  try {
+    await User.findOneAndUpdate(
+      { 'activationKey': req.query.key },
+      { 'active': true }
+    )
+    return res.json({ message: 'OK' })
+  } catch (error) {
+    next(error)
+  }
+}
+
+exports.reset = {
+  async sendMail (req, res, next) {
+    try {
+      const resetPasswordKey = uuidv1()
+      await User.findOneAndUpdate(
+        { '_id': passport.user._id },
+        { 'resetPasswordKey': resetPasswordKey }
+      )
+      const mailOptions = {
+        from: 'noreply',
+        to: passport.user.email,
+        subject: 'Reset password',
+        html: `<div><h1>Hello user!</h1><p>Click <a href="${config.baseURI}/api/user/resetConfirm?key=${resetPasswordKey}">link</a> to reset your password.</p></div><div><h1>Hello developer!</h1><p>Feel free to change this template ;).</p></div>`
+      }
+
+      transporter.sendMail(mailOptions, function (error, info) {
+        if (error) {
+          next(error)
+        } else {
+          return res.json({ message: 'OK' })
+        }
+      })
+    } catch (error) {
+      next(error)
+    }
+  },
+  async updatePass (req, res, next) {
+    try {
+      if (!req.query.key) return res.status(httpStatus.BAD_REQUEST)
+      const newPassword = uuidv1()
+      const newPasswordHash = bcrypt.hashSync(newPassword)
+      await User.findOneAndUpdate(
+        { 'resetPasswordKey': req.query.key },
+        { $set: { 'password': newPasswordHash, 'resetPasswordKey': '' } }
+      )
+      return res.json({ message: 'OK', newPassword: newPassword })
+    } catch (error) {
+      next(error)
+    }
+  }
+}
diff --git a/src/middlewares/authorization.js b/src/middlewares/authorization.js
@@ -1,18 +1,16 @@
 'use strict'
 
-const User = require('../models/user.model')
 const passport = require('passport')
 const APIError = require('../utils/APIError')
 const httpStatus = require('http-status')
 const bluebird = require('bluebird')
 
 // handleJWT with roles
-const handleJWT = (req, res, next, roles) => async (err, user, info) => {
+const handleJWT = (req, res, next, role) => async (err, user, info) => {
   const error = err || info
   const logIn = bluebird.promisify(req.logIn)
   const apiError = new APIError(
-    error ? error.message : 'Unauthorized',
-    httpStatus.UNAUTHORIZED
+    error ? error.message : 'Unauthorized', httpStatus.UNAUTHORIZED
   )
 
   // log user in
@@ -24,7 +22,7 @@ const handleJWT = (req, res, next, roles) => async (err, user, info) => {
   }
 
   // see if user is authorized to do the action
-  if (!roles.includes(user.role)) {
+  if (role && role.includes('admin') && !user.admin) {
     return next(new APIError('Forbidden', httpStatus.FORBIDDEN))
   }
 
@@ -34,11 +32,11 @@ const handleJWT = (req, res, next, roles) => async (err, user, info) => {
 }
 
 // exports the middleware
-const authorize = (roles = User.roles) => (req, res, next) =>
+const authorize = (role) => (req, res, next) =>
   passport.authenticate(
     'jwt',
     { session: false },
-    handleJWT(req, res, next, roles)
+    handleJWT(req, res, next, role)
   )(req, res, next)
 
 module.exports = authorize
diff --git a/src/models/admin.model.js b/src/models/admin.model.js
@@ -0,0 +1,50 @@
+'use strict'
+const mongoose = require('mongoose')
+const bcrypt = require('bcrypt-nodejs')
+const Schema = mongoose.Schema
+const hashPass = require('./utils/hashPass')
+const checkDuplicateEmailError = require('./utils/checkDuplicateEmailError')
+
+const adminSchema = new Schema({
+  email: {
+    type: String,
+    required: true,
+    unique: true,
+    lowercase: true
+  },
+  password: {
+    type: String,
+    required: true,
+    minlength: 4,
+    maxlength: 128
+  },
+  name: {
+    type: String,
+    maxlength: 50
+  },
+  admin: {
+    type: Boolean,
+    default: true
+  }
+}, {
+  timestamps: true
+})
+
+hashPass(adminSchema, 'save')
+
+adminSchema.method({
+  transform () {
+    const transformed = {}
+    const fields = ['id', 'name', 'email', 'createdAt']
+    fields.forEach((field) => { transformed[field] = this[field] })
+    return transformed
+  },
+
+  passwordMatches (password) {
+    return bcrypt.compareSync(password, this.password)
+  }
+})
+
+adminSchema.statics = { checkDuplicateEmailError }
+
+module.exports = mongoose.model('Admin', adminSchema)