Stateful session management: Store session which associate with user, and store in the menory on server.

Sign Up:

app.route('/api/signup')

  .post(createUser);
import {Request, Response} from 'express';

import {db} from './database';

import * as argon2 from 'argon2';

import {validatePassword} from './password-validation';

import {randomBytes} from './security.utils';

import {sessionStore} from './session-store';

export function createUser (req: Request, res: Response) {

  const credentials = req.body;

  const errors = validatePassword(credentials.password);

  if (errors.length > 0) {

    res.status(400).json({

      errors

    });

  } else {

    createUserAndSession(res, credentials);

  }

}

async function createUserAndSession(res, credentials) {

  // Create a password digest

  const passwordDigest = await argon2.hash(credentials.password);

  // Save into db

  const user = db.createUser(credentials.email, passwordDigest);

  // create random session id

  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));

  // link sessionId with user

  sessionStore.createSession(sessionId, user);

  // set sessionid into cookie

  res.cookie('SESSIONID', sessionId, {

    httpOnly: true, // js cannot access cookie

    secure: true // enable https only

  });

  // send back to UI

  res.status(200).json({id: user.id, email: user.email});

}

Password validation:

import * as passwordValidator from 'password-validator';

// Create a schema

const schema = new passwordValidator();

// Add properties to it

schema

  .is().min(7)                                    // Minimum length 7

  .has().uppercase()                              // Must have uppercase letters

  .has().lowercase()                              // Must have lowercase letters

  .has().digits()                                 // Must have digits

  .has().not().spaces()                           // Should not have spaces

  .is().not().oneOf(['Passw0rd', 'Password123']); // Blacklist these values

export function validatePassword(password: string) {

  return schema.validate(password, {list: true});

}

Random bytes generator:

const util = require('util');

const crypto = require('crypto');

// convert a callback based code to promise based

export const randomBytes = util.promisify(

  crypto.randomBytes

);

Session storage:

import {Session} from './session';

import {User} from '../src/app/model/user';

class SessionStore {

  private sessions: {[key: string]: Session} = {};

  createSession(sessionId: string, user: User) {

    this.sessions[sessionId] = new Session(sessionId, user);

  }

  findUserBySessionId(sessionId: string): User | undefined {

    const session = this.sessions[sessionId];

    return this.isSessionValid(sessionId) ? session.user : undefined;

  }

  isSessionValid(sessionId: string): boolean {

    const session = this.sessions[sessionId];

    return session && session.isValid();

  }

  destroySession(sessionId: string): void {

    delete this.sessions[sessionId];

  }

}

// We want only global singleton

export const sessionStore = new SessionStore();

In menory database:

import * as _ from 'lodash';

import {LESSONS, USERS} from './database-data';

import {DbUser} from './db-user';

class InMemoryDatabase {

  userCounter = 0;

    createUser(email, passwordDigest) {

      const id = ++this.userCounter;

      const user: DbUser = {

        id,

        email,

        passwordDigest

      };

      USERS[id] = user;

      return user;

    }

  findUserByEmail(email: string): DbUser {

    const users = _.values(USERS);

    return _.find(users, user => user.email === email);

  }

}

export const db = new InMemoryDatabase();

Login:

app.route('/api/login')

  .post(login);
import {Request, Response} from 'express';

import {db} from './database';

import {DbUser} from './db-user';

import * as argon2 from 'argon2';

import {randomBytes} from './security.utils';

import {sessionStore} from './session-store';

export function login(req: Request, res: Response) {

  const info = req.body;

  const user = db.findUserByEmail(info.email);

  if (!user) {

    res.sendStatus(403);

  } else {

    loginAndBuildResponse(info, user, res);

  }

}

async function loginAndBuildResponse(credentials: any, user: DbUser, res: Response) {

  try {

    const sessionId = await attemptLogin(credentials, user);

    res.cookie('SESSIONID', sessionId, {httpOnly: true, secure: true});

    res.status(200).json({id: user.id, email: user.email});

  } catch (err) {

    res.sendStatus(403);

  }

}

async function attemptLogin(info: any, user: DbUser) {

  const isPasswordValid = await argon2.verify(user.passwordDigest, info.password);

  if (!isPasswordValid) {

    throw new Error('Password Invalid');

  }

  const sessionId = await randomBytes(32).then(bytes => bytes.toString('hex'));

  sessionStore.createSession(sessionId, user);

  return sessionId;

}

Logout:

app.route('/api/logout')

  .post(logout);
import {Response, Request} from 'express';

import {sessionStore} from './session-store';

export const logout = (req: Request, res: Response) => {

  console.log(req.cookies['SESSIONID']);

  const sessionId = req.cookies['SESSIONID'];

  sessionStore.destroySession(sessionId);

  res.clearCookie('SESSIONID');

  res.sendStatus(200);

};

[Node] Stateful Session Management for login, logout and signup的更多相关文章

  1. Spring Security笔记:自定义Login/Logout Filter、AuthenticationProvider、AuthenticationToken

    在前面的学习中,配置文件中的<http>...</http>都是采用的auto-config="true"这种自动配置模式,根据Spring Securit ...

  2. login/logout切换

    1. 前端按钮 <img border="0" width="18" height="18" src="<%=base ...

  3. YII session存储 调用login方法

    当要进行用户的session存储的时候,可以调用里面的login方法进行存储

  4. node express session

    在express4.0版本以上,需要单独增加session模块:express-session:https://www.npmjs.com/package/express-session 具体做法是, ...

  5. node中session存储与销毁,及session的生命周期

    1.首先在使用session之前需要先配置session的过期时间等,在入口文件app.js中 app.use(express.session({ cookie: { maxAge: config.g ...

  6. session management

    The session does not created until the HttpServletRequest.getSession() method is called.

  7. Use Spring transaction to simplify Hibernate session management

    Spring对Hibernate有很好的支持    DataSource ->SessionFactory-> HibernateTranscationManagerHibernate中通 ...

  8. node中session的管理

    请看这个博客:   http://spartan1.iteye.com/blog/1729148 我自己的理解 session俗称会话. 第一次访问服务器的时候由服务器创建,相当于一个cookie(就 ...

  9. Apache Shiro Session Management

    https://shiro.apache.org/session-management.html#session-management https://shiro.apache.org/session ...

随机推荐

  1. SSH之IDEA2017整合Struts2+Spring+Hibernate

    转自:https://blog.csdn.net/sysushui/article/details/68937005

  2. DispatcherServlet 前置控制器

    1.DispatcherServlet作用 DispatcherServlet是前端控制器设计模式的实现,提供Spring Web MVC的集中访问点,而且负责职责的分派,而且与Spring IoC容 ...

  3. 初学Larevel 2014-08-21 11:24 90人阅读 评论(0) 收藏

    添加第一个路由时就遇到了 404错误,查了一下说要这样才能 版权声明:本文为博主原创文章,未经博主允许不得转载.

  4. Java 开发 2.0: 现实世界中的 Redis

    原文地址:http://www.ibm.com/developerworks/cn/java/j-javadev2-22/ 之前,我已在本系列中讨论过 NoSQL 的概念,也介绍了一些与 Java 平 ...

  5. n阶幻方问题

    转载自:http://blog.csdn.net/fengchaokobe/article/details/7437767 目录        第一节 n阶幻方问题       第二节 由n阶幻方引发 ...

  6. jquery.base64.js

    (function($) { $.base64 = function(options) { var defaults = { data:"", type:0, unicode:tr ...

  7. xcode 条件调试

    添加条件 有时候我们可能会在某个循环中创建断点,但一次又一次地点击 continue 直到我们想要的条件出现,显然是一种非常低效的方式.好在 Xcode 为我们提供了条件断点. 首先在下列代码中插入一 ...

  8. windows 手动添加服务

    windows 手动添加服务方法一:修改注册表 在注册表编辑器,展开分支"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" ...

  9. 如何在VMware中创建虚拟机

    今天给大家分享如何在VMware中创建虚拟机,具体的教程如下.在这里小编提前下载了Ubuntu14.04桌面系统,为后面在虚拟机中安装Ubuntu14.04桌面系统做准备. 1.从官网上或者直接百度上 ...

  10. css line-height详解

    行高指的是文本行的基线间的距离(更简单来说,行高是指文字尺寸与行距之间的和). 而基线(Base line),指的是一行字横排时下沿的基础线, 基线并不是汉字的下端沿,而是英文字母x的下端沿,同时还有 ...