[enh] there should be a signed cookie authentification

index.js

@@ -24,21 +24,6 @@ curl -X PUT 'http://localhost:9200/changelog'  -d '
 const authorizationToken = process.env.AUTH_TOKEN || "hello";
 const port = process.env.APP_PORT || 3000;
 
-function requireAuthentication( req, res, next ){
-  const userAuth = req.get("AuthorizationToken") || req.query.authorizationToken;
-  console.log( "userAuth : "+userAuth)
-  if( userAuth && userAuth === authorizationToken ) next(); 
-  else res.end("Auth required");
-}
-
-
-const elasticsearch = require('elasticsearch');
-var client = new elasticsearch.Client({
-  host: process.env.ES_CONNECT,
-//  log: 'trace',
-  apiVersion: '7.7'
-});
-
 
 const express = require('express');
 const app = express();
@@ -46,9 +31,6 @@ const app = express();
 app.set('view engine', 'pug');
 app.use(express.static('public'));
 
-app.all('*', requireAuthentication)
-
-
 const bodyParser = require('body-parser');
 app.use(bodyParser.json());
 app.use(bodyParser.raw());
@@ -56,73 +38,30 @@ app.use(bodyParser.text({ type : "text/*" }));
 app.disable('x-powered-by');       
 
 
-const routes = {
+var cookieParser = require('cookie-parser')
-    main: (req, res) => {
+app.use(cookieParser('secret'))
-      client.search({index:"changelog", "size":100,"sort":"created_at:desc"}).then( (results,err) => {
+function requireAuthentication( req, res, next ){
-        res.render('index', { 
+  var userAuth = '';
-          title: 'changelog', 
-          error: err, 
-          data: JSON.stringify( results), 
-          authorizationToken: authorizationToken
-        });
  
-      });
+  if( req.signedCookies.AuthorizationToken){
-
+    userAuth = req.signedCookies.AuthorizationToken;
-    },
-    search: (req, res) => {
-      const query = req.query.q;
-      const search = {
-        index:"changelog",
-        size:100,
-        body:{
-          query:{
-            multi_match:{
-              query:     query
   }
+  else if( "AuthorizationToken" in req.query  ){
+    userAuth = req.query.AuthorizationToken;
+    res.cookie('AuthorizationToken', userAuth, {signed: true}); 
+  }else if (req.get("AuthorizationToken") ){
+    userAuth = req.get('AuthorizationToken'); 
   }
-        },
+  console.log( `user : ${userAuth}, auth: ${authorizationToken}` )
-        sort:"_score,created_at:desc"
+  if( userAuth && userAuth === authorizationToken ){
-      };
+    next();
-      client.search(search).then( (results,err) => {
-        res.json(results );
-        
-      }, (err) => {
-        res.status(404);
-        res.json({data: {} });
-      });
-
-    },
-    health: (req, res) => {
-      
-      // Do an ES request
-      client.ping({ requestTimeout: 100}).then( 
-        () => {
-          res.json({"health":100,"msg":"OK"});
-        }, () => {
-          res.json({"health":0,"msg":"Lost connection to ES"});
-      });
-    },
-    add: (req, res) => {
-
-      const body = req.body;
-      body.created_at = new Date().toISOString();
-      client.index({
-          index: 'changelog',
-          body: body
-      }).then( (e) => {
-        res.end("ok");
-        
-      }, (e) => {
-        res.status(400);
-        res.end("error");
-      });
   } 
-};
+  else res.end("Auth required");}
-
+app.all('*', requireAuthentication);
 
+const routes = require( "./routes");
 app.get('/health', routes.health);
 app.get('/search', routes.search);
-
 app.post('/*', routes.add);
 app.get('/*', routes.main);
 app.patch('/*', routes.main);

package-lock.json

@@ -212,6 +212,15 @@
       "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.0.tgz",
       "integrity": "sha512-+Hp8fLp57wnUSt0tY0tHEXh4voZRDnoIrZPqlo3DPiI4y9lwg/jqx+1Om94/W6ZaPDOUbnjOt/99w66zk+l1Xg=="
     },
+    "cookie-parser": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.5.tgz",
+      "integrity": "sha512-f13bPUj/gG/5mDr+xLmSxxDsB9DQiTIfhJS/sqjrmfAWiAN+x2O4i/XguTL9yDZ+/IFDanJ+5x7hC4CXT9Tdzw==",
+      "requires": {
+        "cookie": "0.4.0",
+        "cookie-signature": "1.0.6"
+      }
+    },
     "cookie-signature": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",

package.json

@@ -10,6 +10,7 @@
   "license": "GPLv3",
   "dependencies": {
     "body-parser": "^1.18.3",
+    "cookie-parser": "^1.4.5",
     "elasticsearch": "^16.7.1",
     "express": "^4.17.1",
     "lodash": "^4.17.10",

routes/index.js

@@ -0,0 +1,73 @@
+"use strict"
+
+const elasticsearch = require('elasticsearch');
+var client = new elasticsearch.Client({
+  host: process.env.ES_CONNECT,
+//  log: 'trace',
+  apiVersion: '7.7'
+});
+
+
+const routes = {
+    main: (req, res) => {
+      client.search({index:"changelog", "size":100,"sort":"created_at:desc"}).then( (results,err) => {
+        res.render('index', { 
+          title: 'changelog', 
+          error: err, 
+          data: JSON.stringify( results), 
+          authorizationToken: process.env.AUTH_TOKEN
+        });
+        
+      });
+
+    },
+    search: (req, res) => {
+      const query = req.query.q;
+      const search = {
+        index:"changelog",
+        size:100,
+        body:{
+          query:{
+            multi_match:{
+              query:     query
+            }
+          }
+        },
+        sort:"_score,created_at:desc"
+      };
+      client.search(search).then( (results,err) => {
+        res.json(results );
+        
+      }, (err) => {
+        res.status(404);
+        res.json({data: {} });
+      });
+
+    },
+    health: (req, res) => {
+      
+      // Do an ES request
+      client.ping({ requestTimeout: 100}).then( 
+        () => {
+          res.json({"health":100,"msg":"OK"});
+        }, () => {
+          res.json({"health":0,"msg":"Lost connection to ES"});
+      });
+    },
+    add: (req, res) => {
+
+      const body = req.body;
+      body.created_at = new Date().toISOString();
+      client.index({
+          index: 'changelog',
+          body: body
+      }).then( (e) => {
+        res.end("ok");
+        
+      }, (e) => {
+        res.status(400);
+        res.end("error");
+      });
+    }
+};
+module.exports = routes;

views/index.pug

@@ -31,6 +31,5 @@ html(lang="en")
 
   script.
     var initData = !{data};
-    var authorizationToken = "  !{authorizationToken}";
 
   script(type = "text/javascript",src='/js/app.js')