* Added Much better session Management, key updating and deleting

* Force reload of JS if app numbers dont match * Added cool tag display on side of note * Cleaned up a bunch of code and tweaked little things to be better
2020-06-15 09:02:20 +00:00
parent d2624628d8
commit 071aaf22cd
18 changed files with 333 additions and 270 deletions
--- a/server/helpers/Auth.js
+++ b/server/helpers/Auth.js
@@ -6,26 +6,33 @@ let Auth = {}

 const tokenSecretKey = process.env.JSON_KEY

-Auth.createToken = (userId, masterKey, request = null) => {
+Auth.createToken = (userId, masterKey, pastId = null, pastCreatedDate = null) => {
 	return new Promise((resolve, reject) => {

-		const created = Math.floor(+new Date/1000)
+		const created = pastCreatedDate ? pastCreatedDate : Math.floor(+new Date/1000)
 		const userHash = cs.hash(String(userId)).toString('base64')

 		//Encrypt Master Password and save it to the server
+		const sessionId = pastId ? pastId : cs.createSmallSalt().slice(0,9) //Use existing session id
 		const salt = cs.createSmallSalt()
 		const tempPass = cs.createSmallSalt()
 		const encryptedMasterPass = cs.encrypt(tempPass, salt, masterKey)

-
-		db.promise().query(
-
-			'INSERT INTO user_active_session (salt, encrypted_master_password, created, uses, user_hash) VALUES (?,?,?,?,?)', 
-			[salt, encryptedMasterPass, created, 1, userHash])
+		//Deactivate all other session keys, they delete after 30 seconds
+		db.promise().query('UPDATE user_active_session SET active = 0  WHERE session_id = ?', [sessionId])
 		.then((r,f) => {

+			return db.promise().query(
+			'INSERT INTO user_active_session (salt, encrypted_master_password, created, uses, user_hash, session_id) VALUES (?,?,?,?,?,?)', 
+			[salt, encryptedMasterPass, created, 40, userHash, sessionId])
+
+		})
+		.then((r,f) => {
+
+			const sessionNum = r[0].insertId
+
 			//Required Data for JWT payload
-			const tokenPayload = {userId, tempPass, salt}
+			const tokenPayload = {userId, tempPass, sessionNum}

 			//Return token
 			const token = jwt.sign(tokenPayload, tokenSecretKey)
@@ -33,50 +40,85 @@ Auth.createToken = (userId, masterKey, request = null) => {
 		})
 	})
 }
+
 Auth.decodeToken = (token, request = null) => {
 	return new Promise((resolve, reject) => {

 		let decodedToken = null

+		//Delete all tokens older than 20 days before continuing or inacive and older than 1 minute
+		const now = (Math.floor((+new Date)/1000))
+		const twentyDays = (Math.floor((+new Date)/1000)) - (86400 * 20)
+		const thirtySeconds = (Math.floor((+new Date)/1000)) - (30)
+
 		//Decode Json web token
-		jwt.verify(token, tokenSecretKey, function(err, decoded){
-			if(err || decoded.tempPass == undefined || decoded.tempPass.length < 5 || decoded.salt == undefined || decoded.salt.length < 5){
-				return reject('Bad Token')
-			}
+			jwt.verify(token, tokenSecretKey, function(err, decoded){
+				if(err || decoded.tempPass == undefined || decoded.tempPass.length < 5){
+					throw new Error('Bad Token')
+				}

-			decodedToken = decoded
+				decodedToken = decoded

-			//Lookup session data in database
-			return db.promise().query('SELECT * FROM user_active_session WHERE salt = ? LIMIT 1', [decodedToken.salt])
-		})
-		.then((r,f) => {
+				db.promise().query('DELETE from user_active_session WHERE (created < ?) OR (active = false AND last_used < ?)', [twentyDays, thirtySeconds])
+				.then((r,f) => {
+
+				//Lookup session data in database
+				db.promise().query('SELECT * FROM user_active_session WHERE id = ? LIMIT 1', [decodedToken.sessionNum])
+				.then((r,f) => {
 			
-			const row = r[0][0]
-			if(row == undefined || row.length == 0){
-				return reject(false)
-			}
+					if(r == undefined || r[0].length == 0){
+						throw new Error('Active Session not found for token')
+					}

-			//Decrypt master key from database
-			const masterKey = cs.decrypt(decodedToken.tempPass, decodedToken.salt, row.encrypted_master_password)
-			if(masterKey == null){
-				return reject (false)
-			}
+					const row = r[0][0]

-			const userData = {
-				userId: decodedToken.userId, masterKey, tokenId: row.id
-			}
+					// console.log(decodedToken.sessionNum + ' uses -> ' + row.uses)

-			//Async update DB counts
-			db.promise().query('UPDATE user_active_session SET uses = uses + 1 WHERE salt = ? LIMIT 1', [decodedToken.salt])
+					if(row.uses <= 0){
+						throw new Error('Token is used up')
+					}

-			return resolve(userData)
+					//Decrypt master key from lookup
+					const masterKey = cs.decrypt(decodedToken.tempPass, row.salt, row.encrypted_master_password)
+					if(masterKey == null){
+						// console.log('Deleting invalid session')
+						Auth.terminateSession(row.session_id)
+						throw new Error ('Unable to decrypt password for session')
+					}

+					//Async update DB counts and disable session if needed
+					db.promise().query('UPDATE user_active_session SET uses = uses -1, last_used = ?  WHERE id = ? LIMIT 1', [now, decodedToken.sessionNum])
+					.then((r,f) => {
+
+						let userData = {
+							'userId': decodedToken.userId,
+							'masterKey': masterKey,
+							'sessionId': row.session_id, 
+							'created': row.created,
+							'remainingUses':(row.uses--),
+							'active': row.active
+						}
+
+						//Return token Data
+						return resolve(userData)
+						
+					})
+				})
+				.catch(error => {
+					//Token errors result in having sessions deleted
+					// console.log('-- Auth Token Error --')
+					// console.log(error)
+					reject(error)
+				})
+			})
 		})
 	})
 }
-Auth.reissueToken = () => {
-	//If token has more than 200 uses, renew it
+
+Auth.terminateSession = (sessionId) => {
+	return db.promise().query('DELETE from user_active_session WHERE session_id = ?', [sessionId])
 }
+
 Auth.deletAllLoginKeys = (userId) => {

 	const userHash = cs.hash(String(userId)).toString('base64')
@@ -86,8 +128,6 @@ Auth.deletAllLoginKeys = (userId) => {

 Auth.test = () => {

-	// return Auth.deletAllLoginKeys(testUserId)
-
 	const testUserId = 22
 	const testPass = cs.createSmallSalt()
 	Auth.createToken(testUserId, testPass)
@@ -100,7 +140,6 @@ Auth.test = () => {
 	.then(userData => {
 		
 		console.log('Test: Decrypted key Match -> ' + (testPass == userData.masterKey))
-
 		return Auth.deletAllLoginKeys(testUserId)
 	})
 	.then(results => {
@@ -108,16 +147,6 @@ Auth.test = () => {
 		console.log('Test: Remove user Json Web Tokens - Pass')
 	
 	})
-
-	//create token with userId and master key
-	// Auth.createToken()
-
-	//Thirt days ago
-			// const thirtyDays = (Math.floor((+new Date)/1000)) - (86400 * 30)
-			// const created = Math.floor(decoded.date/1000)
-			// if(created < thirtyDays){
-			// 	return reject('Token Expired')
-			// }
 }

 module.exports = Auth
--- a/server/helpers/CryptoString.js
+++ b/server/helpers/CryptoString.js
@@ -31,6 +31,9 @@ CryptoString.encrypt = (password, salt64, rawText) => {
 //Decrypt base64 string cipher text, 
 CryptoString.decrypt = (password, salt64, cipherTextString) => {

+	if(!password || !salt64 || !cipherTextString){ return '' }
+	if(password.length == 0 || salt64.length == 0 || cipherTextString == 0){ return '' }
+
 	let cipherText = Buffer.from(cipherTextString, 'base64')
 	const salt = Buffer.from(salt64, 'base64')

--- a/server/helpers/ProcessText.js
+++ b/server/helpers/ProcessText.js
@@ -69,7 +69,7 @@ ProcessText.deduceNoteTitle = (inTitle, inString) => {
 	//Remove inline styles that may be added by editor
 	// inString = inString.replace(/style=".*?"/g,'')

-	const tagFreeLength = ProcessText.removeHtml(inString).length
+	// const tagFreeLength = ProcessText.removeHtml(inString).length

 	//
 	// Simplified attempt!
@@ -80,7 +80,7 @@ ProcessText.deduceNoteTitle = (inTitle, inString) => {
 	// if(tagFreeLength > 200){
 	// 	sub += '... <i class="green caret down icon"></i>'
 	// }
-	inString += '</end>'
+	// inString += '</end>'

 	return {title, sub}