-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathauth-home-made-token.js
More file actions
88 lines (71 loc) · 2.14 KB
/
Copy pathauth-home-made-token.js
File metadata and controls
88 lines (71 loc) · 2.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
import express from "express";
import { createServer } from "http";
// Example in-memory "database" for teaching purposes only
const users = [
{
id: 1,
username: "alice",
password: "password123",
role: "user",
},
{
id: 2,
username: "admin",
password: "admin123",
role: "admin",
},
];
function getUserByUsername(username) {
return users.find((user) => user.username === username) ?? null;
}
function issueToken(user) {
const payload = { userId: user.id, username: user.username, role: user.role };
return Buffer.from(JSON.stringify(payload)).toString("base64");
}
function decodeToken(token) {
try {
return JSON.parse(Buffer.from(token, "base64").toString("utf8"));
} catch {
return null;
}
}
const app = express();
app.use(express.json());
app.post("/login", (req, res) => {
const { username, password } = req.body;
const user = getUserByUsername(username);
if (!user || user.password !== password) {
return res.status(401).json({ error: "Invalid credentials" });
}
const token = issueToken(user);
res.json({ message: "Logged in with base64 token", token });
});
function requireTokenAuth(req, res, next) {
const authHeader = req.headers["authorization"];
const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
if (!token) {
return res.status(401).json({ error: "No token provided" });
}
const payload = decodeToken(token);
if (!payload) {
return res.status(401).json({ error: "Invalid token" });
}
req.user = payload;
next();
}
app.get("/protected", requireTokenAuth, (req, res) => {
res.json({ data: "Token-protected resource", user: req.user });
});
// Admin-only route — great for demonstrating role forgery
app.get("/admin", requireTokenAuth, (req, res) => {
if (req.user.role !== "admin") {
return res.status(403).json({ error: "Admins only" });
}
res.json({ data: "Secret admin data", user: req.user });
});
app.post("/logout", (req, res) => {
res.json({ message: "Logged out (token must be discarded client-side)" });
});
app.listen(3000, () => {
console.log("> Ready on http://localhost:3000 (base64 token example)");
});