:construction: Reversed session/access token roles

backend/lib/auth/strategies/jwt.js

@@ -1,5 +1,15 @@
 'use strict'
 const JWT = require('jsonwebtoken')
+const crypto = require('crypto')
+
+const hashToken = async token => {
+    const salt = process.env.APP_SESSION_SALT
+    try {
+        return crypto.createHmac('sha256', salt).update(token).digest('hex')
+    } catch (err) {
+        throw new Error(err.message)
+    }
+}
 
 module.exports = options => {
     return {
@@ -7,29 +17,28 @@ module.exports = options => {
         verifyOptions: {
             algorithms: ['HS256'],
         },
-        // NOTE: TASK 3 Not yet done, but this passes a hashedSessionToken
-        // through headers in failed attempt to never have raw JWT's in front end
-
-        // Always check rawAccessToken, if it fails, we check the session, if session
-        // is valid, then we reissue it
-        // if session is NOT valid, DELETE the session (and kick user back to login)
+        //  TODO: Always check rawAccessToken, if it fails, we check the session, if
+        // session is valid, then we reissue it if session is NOT valid, DELETE
+        // the session (and kick user back to login)
         // TODO: set up cron job to occassionaly clean up activeSessions
-        validate: (decoded, request, h) => {
-            // NOTE: this won't work as it immediately invalidates anything that isn't a raw jwt
-            const hashedSessionToken = request.headers.authorization
+        validate: async (decoded, request, h) => {
+            const accessTokenFromHeaders = request.headers.authorization
+            const hashedAccessTokenFromHeaders = await hashToken(
+                accessTokenFromHeaders,
+            )
+            const accessToken =
+                request.server.app.activeSessions[hashedAccessTokenFromHeaders]
+                    .accessToken
             const sessionToken =
-                request.server.app.activeSessions[hashedSessionToken]
+                request.server.app.activeSessions[hashedAccessTokenFromHeaders]
                     .sessionToken
-            console.log('sessionToken :=>', sessionToken)
+            console.log('sessionToken from jwt strategy :=>', sessionToken)
             try {
                 const validatedJwt = JWT.verify(
-                    sessionToken,
+                    accessToken,
                     process.env.APP_SECRET,
                 )
-                return {
-                    isValid: true,
-                    credentials: validatedJwt.email,
-                }
+                return { isValid: true, credentials: validatedJwt.email }
             } catch (err) {
                 console.error('ERROR :=>', err)
                 return { isValid: false, error: err.message }

backend/lib/plugins/user.js

@@ -14,7 +14,7 @@ const UserLoginRoute = require('../routes/user/login')
 const UserSignupRoute = require('../routes/user/signup')
 const UserEmailRoute = require('../routes/user/email.js')
 const UserVerifyActiveRoute = require('../routes/user/verifyactivesession.js')
-const UserGetSessionRoute = require('../routes/user/getsession.js')
+const UserGetAccessRoute = require('../routes/user/getaccess.js')
 const UserValidateSessionRoute = require('../routes/user/validatesession.js')
 const UserByEmail = require('../routes/user/user-by-email.js')
 const UserPassword = require('../routes/user/authentication')
@@ -56,7 +56,7 @@ module.exports = {
         await server.route(UserProfilesListRoute)
         await server.route(UserEmailRoute)
         await server.route(UserVerifyActiveRoute)
-        await server.route(UserGetSessionRoute)
+        await server.route(UserGetAccessRoute)
         await server.route(UserValidateSessionRoute)
         await server.route(UserByEmail)
         await server.route(UserPassword)

backend/lib/routes/user/email.js

@@ -25,7 +25,7 @@ module.exports = {
             const userCredentials = request.payload
             try {
                 const emailSent = await userService.emailSent(userCredentials)
-                const hashedSessionToken = Object.keys(
+                const hashedAccessToken = Object.keys(
                     userService.activeSessions,
                 ).find(hashedToken => {
                     return (
@@ -35,15 +35,15 @@ module.exports = {
                 })
                 // Registers the activeSessions object for use by jwt auth strategy
                 request.server.app.activeSessions = userService.activeSessions
-                if (!hashedSessionToken.length) {
-                    throw Error('hashedSessionToken not Found!!')
+                if (!hashedAccessToken.length) {
+                    throw Error('hashedAccessToken not Found!!')
                 }
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,
                     data: {
                         emailSentSuccessfully: emailSent.wasSuccessfull,
-                        hashedSessionToken: hashedSessionToken,
+                        hashedAccessToken: hashedAccessToken,
                     },
                 }
             } catch (err) {

backend/lib/routes/user/getsession.js → backend/lib/routes/user/getaccess.js

@@ -14,7 +14,7 @@ const pluginConfig = {
 
 module.exports = {
     method: 'POST',
-    path: '/getsession',
+    path: '/getaccess',
     options: {
         ...pluginConfig.docs.get,
         tags: ['api'],
@@ -26,14 +26,14 @@ module.exports = {
         handler: async function (request, h) {
             const { userService } = request.server.services()
             const res = request.payload
-            const token = await userService.createToken(res)
+            const accessToken = await userService.createToken(res)
             try {
                 const response = h.response({
                     ok: true,
                     handler: pluginConfig.handlerType,
-                    data: token,
+                    data: accessToken,
                 })
-                response.header('Authorization', token)
+                response.header('Authorization', accessToken)
                 return response
             } catch (err) {
                 return {

backend/lib/routes/user/validatesession.js

@@ -25,11 +25,11 @@ module.exports = {
             exposedHeaders: ['Authorization', 'Access-Control-Expose-Headers'],
         },
         handler: async function (request, h) {
-            const hashedSessionToken = request.payload
+            const hashedAccessToken = request.payload
             const { userService } = request.server.services()
             try {
                 const validatedSessionToken =
-                    userService.validateSession(hashedSessionToken)
+                    userService.validateSession(hashedAccessToken)
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,

backend/lib/services/user.js

@@ -20,7 +20,6 @@ const hashToken = async token => {
     try {
         return crypto.createHmac('sha256', salt).update(token).digest('hex')
     } catch (err) {
-        // console.error('ERROR :=>', err)
         throw new Error(err.message)
     }
 }
@@ -278,12 +277,12 @@ module.exports = class UserService extends Schmervice.Service {
      * @ params {UserSession} {ValidatedTokens}
      * @returns Void
      */
-    _createAccessTokenIfExpired(userSession, validatedTokens) {
-        if (!validatedTokens.accessTokenIsValid.payload) {
-            const accessToken = this.createToken({
-                payload: validatedTokens.sessionTokenIsValid.payload,
+    _createSessionTokenIfExpired(userSession, validatedTokens) {
+        if (!validatedTokens.sessionTokenIsValid.payload) {
+            const sessionToken = this.createToken({
+                payload: validatedTokens.accessTokenIsValid.payload,
             })
-            userSession.accessToken = accessToken
+            userSession.sessionToken = sessionToken
         }
     }
     /**
@@ -292,8 +291,8 @@ module.exports = class UserService extends Schmervice.Service {
      * @param {HashedSessionToken} hashedSessionToken
      * @returns {PayloadFromActiveSessions}
      */
-    validateSession(hashedSessionToken) {
-        const userSession = this.activeSessions[hashedSessionToken]
+    validateSession(hashedAccessToken) {
+        const userSession = this.activeSessions[hashedAccessToken]
         if (!userSession) {
             throw new Error(
                 'hashedSessionToken not in activeSessions registry!',
@@ -301,12 +300,10 @@ module.exports = class UserService extends Schmervice.Service {
         }
         const tokens = this._grabTokensFromActiveSessions(userSession)
         const validatedTokens = this._validateTokens(tokens)
-        this._createAccessTokenIfExpired(userSession, validatedTokens)
+        this._createSessionTokenIfExpired(userSession, validatedTokens)
         return {
-            ...validatedTokens.sessionTokenIsValid.payload,
-            // sessionToken: this.activeSessions[hashedSessionToken].sessionToken,
-            // NOTE: this won't work as the jwt auth strategy needs a raw JWT string
-            sessionToken: hashedSessionToken,
+            ...validatedTokens.accessTokenIsValid.payload,
+            accessToken: this.activeSessions[hashedAccessToken].accessToken,
         }
     }
     /**
@@ -348,20 +345,20 @@ module.exports = class UserService extends Schmervice.Service {
      * @ returns {Object}
      */
     async emailSent(userCredentials) {
-        const hashedSessionToken = await hashToken(userCredentials.sessionToken)
-        if (Object.keys(this.activeSessions).includes(hashedSessionToken)) {
+        const hashedAccessToken = await hashToken(userCredentials.accessToken)
+        if (Object.keys(this.activeSessions).includes(hashedAccessToken)) {
             return new Error('session already in cache!!')
         }
         // Set expiration time for ten minutes from now
         const duration = 600000
 
-        this.activeSessions[hashedSessionToken] = {
+        this.activeSessions[hashedAccessToken] = {
             email: userCredentials.email,
             name: userCredentials.name,
             seeking: userCredentials.seeking,
-            sessionToken: userCredentials.sessionToken,
+            accessToken: userCredentials.accessToken,
             expiration: Date.now() + duration,
-            accessToken: null,
+            sessionToken: null,
         }
 
         const sendSmtpEmail = {
@@ -373,7 +370,7 @@ module.exports = class UserService extends Schmervice.Service {
             templateId: 1,
             params: {
                 // TODO: Change this in production...
-                link: `localhost:3000/verify/${hashedSessionToken}`,
+                link: `localhost:3000/verify/${hashedAccessToken}`,
             },
         }
 

frontend/src/components/onboarding/Auth.vue

@@ -48,14 +48,15 @@ export default {
                 password: userPass.val,
             })
             await this.createProfileForNewUser(newUserId, this.responses)
-            const sessionToken = await this.getSessionToken({
+            const accessToken = await this.getAccessToken({
                 ...this.answered,
             })
+            console.log('accessToken :=>', accessToken)
             const sessionInfo = await this.authenticator.sendAuthEmail({
                 ...this.answered,
-                sessionToken: sessionToken,
+                accessToken: accessToken,
             })
-            document.cookie = `siimee_session=${sessionInfo.hashedSessionToken}; max-age=600; path=/; secure`
+            document.cookie = `siimee_access=${sessionInfo.hashedAccessToken}; max-age=600; path=/; secure`
         } catch (err) {
             // TODO: render an error page in this component displaying which
             // error occurred and how to reach out to staff
@@ -69,8 +70,8 @@ export default {
                     'User has not answered minimum amount of questions to create profile',
                 )
         },
-        async getSessionToken(payload) {
-            return await this.authenticator.getSessionToken({
+        async getAccessToken(payload) {
+            return await this.authenticator.getAccessToken({
                 payload,
             })
         },

frontend/src/services/auth.service.js

@@ -7,14 +7,14 @@ class Authenticator {
     async sendAuthEmail(answered) {
         return await db.post('/user/sendemail/', answered)
     }
-    async verifyAuthSession(hashedSessionToken) {
-        return await db.get(`/user/verify/${hashedSessionToken}`)
+    async verifyAuthSession(hashedToken) {
+        return await db.get(`/user/verify/${hashedToken}`)
     }
-    async getSessionToken(req) {
-        return await db.post('/user/getsession', req, true)
+    async getAccessToken(req) {
+        return await db.post('/user/getaccess', req, true)
     }
-    async validateSession(hashedSessionToken) {
-        return await db.post('/user/validatesession', hashedSessionToken, true)
+    async validateSession(hashedAccessToken) {
+        return await db.post('/user/validatesession', hashedAccessToken, true)
     }
 }
 

frontend/src/views/OnboardingView.vue

@@ -43,7 +43,7 @@ import {
 import { surveyFactory } from '@/utils'
 import stepViews from '@/components/onboarding'
 import SurveyCompleteView from './SurveyCompleteView.vue'
-let hashedSessionToken = null
+let hashedAccessToken = null
 let currentProfileId = null
 
 export default {
@@ -64,22 +64,23 @@ export default {
     async created() {
         this.survey = await surveyFactory.createSurvey()
         this.authenticator = new Authenticator()
-        hashedSessionToken = this.grabStoredCookie('siimee_session')
+        hashedAccessToken = this.grabStoredCookie('siimee_access')
         try {
-            const sessionData = await this.verifySession(hashedSessionToken)
+            const sessionData = await this.verifySession(hashedAccessToken)
+            console.log('sessionData :=>', sessionData)
             // TODO: Move this logic onto the backend and have it
             // returned in verifySession(hashedSessionToken)
             const userId = await this.grabUserIdByEmail(
                 sessionData.email,
-                sessionData.sessionToken,
+                sessionData.accessToken,
             )
             currentProfileId = await this.grabProfileIdByUserId(
                 userId,
-                sessionData.sessionToken,
+                sessionData.accessToken,
             )
             this.responses = await this.grabResponsesByProfileId(
                 currentProfileId,
-                sessionData.sessionToken,
+                sessionData.accessToken,
             )
             this.currentStep = this.responses.length + 3
             this.goToStep(this.currentStep)
@@ -109,11 +110,11 @@ export default {
         },
         // TODO: sessionToken is flying around far too often,
         // see above TODO regarding moving most of this logic to the backend
-        async verifySession(hashedSessionToken) {
-            if (!hashedSessionToken)
+        async verifySession(hashedAccessToken) {
+            if (!hashedAccessToken)
                 return console.warn('WARNING :=> sessionToken is not defined')
             const validatedToken = await this.authenticator.validateSession(
-                hashedSessionToken,
+                hashedAccessToken,
             )
             if (validatedToken.error) {
                 throw new Error(validatedToken.error)
@@ -121,16 +122,16 @@ export default {
                 return validatedToken
             }
         },
-        async grabUserIdByEmail(email, sessionToken) {
-            const user = await fetchUserByEmail(email, sessionToken)
+        async grabUserIdByEmail(email, accessToken) {
+            const user = await fetchUserByEmail(email, accessToken)
             if (!user) {
                 throw new Error('User NOT found by email')
             } else return user.user_id
         },
-        async grabProfileIdByUserId(userId, sessionToken) {
+        async grabProfileIdByUserId(userId, accessToken) {
             const profilesFromUserId = await fetchProfilesByUserId(
                 userId,
-                sessionToken,
+                accessToken,
             )
             if (
                 profilesFromUserId.length === 1 &&
@@ -144,10 +145,10 @@ export default {
                 throw new Error('No Profile for User ID found')
             }
         },
-        async grabProfileByProfileId(profileId, sessionToken) {
+        async grabProfileByProfileId(profileId, accessToken) {
             const profile = await fetchProfileByProfileId(
                 profileId,
-                sessionToken,
+                accessToken,
             )
             if (!profile || profile.status === 401) {
                 throw new Error(`No Profile Found for profileId ${profileId}`)
@@ -155,11 +156,11 @@ export default {
                 return profile
             }
         },
-        async grabResponsesByProfileId(profileId, sessionToken) {
+        async grabResponsesByProfileId(profileId, accessToken) {
             const responses = []
             const profile = await this.grabProfileByProfileId(
                 profileId,
-                sessionToken,
+                accessToken,
             )
             if (!profile.responses.length || profile.responses.status === 401) {
                 throw new Error(`No Responses Found for profileId ${profileId}`)
@@ -199,7 +200,7 @@ export default {
                     currentProfileId,
                 )
                 try {
-                    await this.verifySession(hashedSessionToken)
+                    await this.verifySession(hashedAccessToken)
                 } catch (err) {
                     this.currentStep = 0
                     this.goToStep(this.currentStep)

frontend/src/views/VerifyView.vue

@@ -7,7 +7,7 @@
 <script>
 import { Authenticator } from '../services/auth.service.js'
 let hash = null
-let hashedSessionToken = null
+let hashedAccessToken = null
 export default {
     name: 'VerifyView',
     data: () => ({
@@ -16,10 +16,10 @@ export default {
     async created() {
         this.authenticator = new Authenticator()
         hash = this.$route.params.hashedToken
-        hashedSessionToken = this.grabCookie('siimee_session')
+        hashedAccessToken = this.grabCookie('siimee_access')
         try {
             this.isHashInUrl(hash)
-            await this.doesSessionTokenExist(hashedSessionToken)
+            await this.doesAccessTokenExist(hashedAccessToken)
             await this.verifyActiveSession(hash)
             await this.isSessionTokenValid(hash)
         } catch (err) {
@@ -43,9 +43,9 @@ export default {
         isHashInUrl(hash) {
             if (!hash) throw new Error('URL contains no hash!')
         },
-        async doesSessionTokenExist(hashedSessionToken) {
-            if (!hashedSessionToken)
-                throw new Error('sessionToken not in cookie store!')
+        async doesAccessTokenExist(hashedAccessToken) {
+            if (!hashedAccessToken)
+                throw new Error('accessToken not in cookie store!')
         },
         async verifyActiveSession(hashedToken) {
             const sessionData = await this.authenticator.verifyAuthSession(