:construction: Heavy token logic refactor, mid way, Onboarding next...

backend/lib/routes/user/email.js

@@ -22,15 +22,27 @@ module.exports = {
         cors: true,
         handler: async function (request, h) {
             const { userService } = request.server.services()
-            const userEmail = request.payload.email
+            const userCredentials = request.payload
             try {
-                const emailSent = await userService.emailSent(userEmail)
+                const emailSent = await userService.emailSent(userCredentials)
+                const hashedSessionToken = Object.keys(
+                    userService.activeSessions,
+                ).find(hashedToken => {
+                    return (
+                        userService.activeSessions[`${hashedToken}`].email ===
+                        userCredentials.email
+                    )
+                })
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,
-                    data: { emailSentSuccessfully: emailSent.wasSuccessfull },
+                    data: {
+                        emailSentSuccessfully: emailSent.wasSuccessfull,
+                        hashedSessionToken: hashedSessionToken,
+                    },
                 }
             } catch (err) {
+                console.log('err :=>', err)
                 return {
                     ok: false,
                     handler: pluginConfig.handlerType,

backend/lib/routes/user/getaccess.js

@@ -25,21 +25,30 @@ module.exports = {
         },
         handler: async function (request, h) {
             const { userService } = request.server.services()
-            const res = request.payload
-            const token = await userService.createToken({
-                ...res,
+            const hash = request.payload.hash
+            const accessToken = await userService.createToken({
+                ...hash,
                 // NOTE: Set Expiration Time for Access Token Here
                 // expires: 60 * 2,
                 // TESTING:
                 expires: 30,
             })
+            userService.activeSessions[`${hash}`].accessToken = accessToken
+            const accessTokenInHashedSessions =
+                userService.activeSessions[`${hash}`].accessToken ===
+                accessToken
+                    ? true
+                    : false
+
+            // TODO: instead of putting the token in the return headers,
+            // simply put it in the activeSessions Object
             try {
                 const response = h.response({
                     ok: true,
                     handler: pluginConfig.handlerType,
-                    data: token,
+                    data: accessTokenInHashedSessions,
                 })
-                response.header('Authorization', token)
+                // response.header('Authorization', token)
                 return response
             } catch (err) {
                 return {

backend/lib/routes/user/validatesession.js

@@ -14,15 +14,18 @@ const pluginConfig = {
 }
 
 module.exports = {
-    method: 'GET',
+    method: 'POST',
     path: '/validatesession',
     options: {
         ...pluginConfig.docs.get,
         tags: ['api'],
-        auth: 'default_jwt',
-        cors: true,
+        auth: false,
+        cors: {
+            headers: ['Authorization'],
+            exposedHeaders: ['Authorization', 'Access-Control-Expose-Headers'],
+        },
         handler: async function (request, h) {
-            const sessionToken = request.headers.authorization
+            const sessionToken = request.payload
             const { userService } = request.server.services()
             try {
                 const validatedSessionToken =

backend/lib/routes/user/verifyemail.js

@@ -14,7 +14,7 @@ const pluginConfig = {
 
 module.exports = {
     method: 'GET',
-    path: '/verify/{hashedEmail}',
+    path: '/verify/{hashedSessionToken}',
     options: {
         ...pluginConfig.docs.get,
         tags: ['api'],
@@ -22,23 +22,19 @@ module.exports = {
         cors: true,
         handler: async function (request, h) {
             const { userService } = request.server.services()
-            const hash = request.params.hashedEmail
-
+            const hash = request.params.hashedSessionToken
             try {
-                // Is there an userService.activeSession?
-                // If there is, issue a new access token
-                // We need the session token from the frontend
-                // If NOT, throw error (kicks back to login)
-                const hashToMatch = Object.keys(userService.hashedEmails).find(
-                    email => {
-                        return email === hash
-                    },
-                )
+                const hashToMatch = Object.keys(
+                    userService.activeSessions,
+                ).find(hashedToken => {
+                    return hashedToken === hash
+                })
                 const now = Date.now()
                 // TODO: convert this back to a date object
-                const expiration = userService.hashedEmails[hashToMatch]
+                const expiration =
+                    userService.activeSessions[`${hash}`].expiration
                 if (now > expiration) {
-                    delete userService.hashedEmails[hashToMatch]
+                    delete userService.activeSessions[hashToMatch]
                     throw new Error(
                         'you took to long to respond to the email...',
                     )
@@ -50,7 +46,11 @@ module.exports = {
                 return {
                     ok: true,
                     handler: pluginConfig.handlerType,
-                    data: { hashesMatch: hashToMatch === hash },
+                    data: {
+                        hashesMatch: hashToMatch === hash,
+                        sessionToken:
+                            userService.activeSessions[`${hash}`].sessionToken,
+                    },
                 }
             } catch (err) {
                 console.log('err :=>', err)

backend/lib/services/user.js

@@ -14,14 +14,17 @@ apiKey.apiKey = process.env.BREVO_KEY
 
 const apiInstance = new SibApiV3Sdk.TransactionalEmailsApi()
 
-const hashEmail = async email => {
+const hashToken = async token => {
+    // QUESTION: How to best create random salt...?
+    const salt = crypto.randomBytes(16).toString('base64')
     try {
-        return crypto.createHmac('sha256', '').update(email).digest('hex')
+        return crypto.createHmac('sha256', salt).update(token).digest('hex')
     } catch (err) {
         // console.error('ERROR :=>', err)
         throw new Error(err.message)
     }
 }
+
 const hasher = async (pwd, steak) => {
     const hash = await pwd.hash(steak)
     const result = await pwd.verify(steak, hash)
@@ -41,7 +44,8 @@ const hasher = async (pwd, steak) => {
             try {
                 squirtle = await pwd.hash(steak)
                 // console.log('improvedHash', squirtle)
-                // const saveHash = Auth.insert({user_email: matchingEmails}).into('token')
+                // const saveHash = Auth.insert({user_email:
+                // matchingEmails}).into('token')
                 return squirtle
             } catch (err) {
                 console.error(
@@ -61,25 +65,19 @@ module.exports = class UserService extends Schmervice.Service {
     constructor(...args) {
         super(...args)
         const pwd = new SecurePassword()
-        // TODO: Invalidate this application state somehow after a certain time period has passed
-        // TODO: Remove hashedEmails in preference of activeSessions
-        this.hashedEmails = {
-            // NOTE: key is email hash and value is timestamp in ms
+        // TODO: Invalidate this application state somehow after a
+        // certain time period has passed
+        this.activeSessions = {
             // abc123456: '123456689',
+            // eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...hashedSessionToken: {
+            // email: rawEmailString,
+            // name: 'Joe Doe',
+            // seeking: 'candidate'
+            // sessionToken: rawSessionToken, // use for expires instead of expires?
+            // expires: expirationTime in seconds
+            // }
         }
 
-        // this.activeSessions = [
-        // {
-        // user: {
-        // useremail: email,
-        // hashedEmail: hashedEmail,
-        // username: name,
-        // },
-        // expiration: 1203984710234
-        // },
-        // token: 'tokenString + expirationDate + salt'
-        // ]
-
         this.pwd = {
             hash: Util.promisify(pwd.hash.bind(pwd)),
             verify: Util.promisify(pwd.verify.bind(pwd)),
@@ -230,20 +228,6 @@ module.exports = class UserService extends Schmervice.Service {
         return JWT.sign(obj, key, { expiresIn: data.expires })
     }
 
-    async registerSession(user, hashedEmail, token) {
-        const sessionRequester = {
-            user: user,
-            hashedEmail: hashedEmail,
-            token: token,
-        }
-
-        const alreadyExists = this.activeSessions.find(
-            sessionRequester => sessionRequester.hashedEmail === hashedEmail,
-        )
-        if (!alreadyExists) {
-            this.activeSessions.push(sessionRequester)
-        }
-    }
     /**
      * Validates whether a token has expired or not
      * @param {User} user
@@ -293,6 +277,7 @@ module.exports = class UserService extends Schmervice.Service {
         return passwordRow ? passwordRow.token : null
     }
 
+    // TODO: rewrite for new activeSessions object
     async checkEmailRegistry(userEmail) {
         const hashedEmail = await hashEmail(userEmail)
         const now = Date.now()
@@ -316,32 +301,37 @@ module.exports = class UserService extends Schmervice.Service {
      * Sends a Transactional Email via Brevo
      * @ returns {Object}
      */
-    async emailSent(userEmail) {
-        const hashedEmail = await hashEmail(userEmail)
-        if (Object.keys(this.hashedEmails).includes(hashedEmail)) {
-            return new Error('email address already in cache!!')
+    async emailSent(userCredentials) {
+        const hashedSessionToken = await hashToken(userCredentials.sessionToken)
+        if (Object.keys(this.activeSessions).includes(hashedSessionToken)) {
+            return new Error('session already in cache!!')
         }
         // Set expiration time for ten minutes from now
-        const duration = 1000 * 60 * 10
+        // QUESTION: should we use the sessionToken's expiration time instead?
+        const duration = 600000
+
+        this.activeSessions[hashedSessionToken] = {
+            email: userCredentials.email,
+            name: userCredentials.name,
+            seeking: userCredentials.seeking,
+            sessionToken: userCredentials.sessionToken,
+            expiration: Date.now() + duration,
+        }
 
-        this.hashedEmails[hashedEmail] = Date.now() + duration
-        // TODO: See FrontEnd in Auth.vue and VerifyView.vue notes:
-        // if user closes browser, they'll need to be issued first session token based off of this:
-        // this.hashedEmails[hashedEmail][email] = userEmail
         const sendSmtpEmail = {
             to: [
                 {
-                    email: userEmail,
+                    email: userCredentials.email,
                 },
             ],
             templateId: 1,
             params: {
                 // TODO: Change this in production...
-                link: `localhost:3000/verify/${hashedEmail}`,
+                link: `localhost:3000/verify/${hashedSessionToken}`,
             },
         }
 
-        await apiInstance.sendTransacEmail(sendSmtpEmail).then(
+        return await apiInstance.sendTransacEmail(sendSmtpEmail).then(
             data => {
                 return { wasSuccessfull: true, data: data }
             },

frontend/src/components/onboarding/Auth.vue

@@ -51,9 +51,11 @@ export default {
             const sessionToken = await this.getSessionToken({
                 ...this.answered,
             })
-            // TODO: Flawed thinking, what if user closes browser and answers email later??
-            document.cookie = `siimee_session=${sessionToken}; max-age=600; path=/; secure`
-            await this.authenticator.sendAuthEmail(this.answered)
+            const sessionInfo = await this.authenticator.sendAuthEmail({
+                ...this.answered,
+                sessionToken: sessionToken,
+            })
+            document.cookie = `siimee_session=${sessionInfo.hashedSessionToken}; max-age=600; path=/; secure`
         } catch (err) {
             // TODO: render an error page in this component displaying which
             // error occurred and how to reach out to staff

frontend/src/router/index.js

@@ -67,7 +67,7 @@ const routes = [
         meta: { requiresAuth: true, requiresCompleteProfile: false },
     },
     {
-        path: `/verify/:email?`,
+        path: `/verify/:hashedToken?`,
         component: VerifyView,
         name: `VerifyView`,
         meta: { requiresAuth: true, requiresCompleteProfile: false },

frontend/src/services/auth.service.js

@@ -11,19 +11,18 @@ class Authenticator {
     async checkIfEmailIsRegistered(email) {
         return await db.post('/user/checkemailregistry/', email)
     }
-    async verifyAuthEmail(hashedEmail) {
-        const isVerified = await db.get(`/user/verify/${hashedEmail}`)
-        return isVerified.hashesMatch
+    async verifyAuthSession(hashedSessionToken) {
+        return await db.get(`/user/verify/${hashedSessionToken}`)
     }
     async getSessionToken(req) {
         return await db.post('/user/getsession', req, true)
     }
-    async getAccessToken(req) {
-        return await db.post('/user/getaccess', req, true)
+    //async getAccessToken(req) {
+    async assignAccessTokenToSession(req) {
+        return await db.post('/user/getaccess', req)
     }
-    // TODO: Possible Security issue, returned .payload has user email in plain text...
     async validateSession(token) {
-        return await db.get('/user/validatesession', token)
+        return await db.post('/user/validatesession', token, true)
     }
 }
 

frontend/src/views/OnboardingView.vue

@@ -62,6 +62,11 @@ export default {
         invalidResponse: false,
         authenticator: {},
     }),
+    // TODO: Heavy refactor comes next, now only cookie is session_token,
+    // which is currently a hashed Key hashedSessions{} registry on the backend
+    // In VerifyView.vue we have  a grabTokenFromHash() method which we can
+    // use here to verify any routes
+    // AccessToken lives on backend within hashedSessions{} registry
     async created() {
         this.survey = await surveyFactory.createSurvey()
         this.authenticator = new Authenticator()
@@ -109,8 +114,10 @@ export default {
         },
         // TODO: Possible Security issue, returned .payload has user email in plain text...
         async verifyBothTokens() {
+            // Validate both tokens on the backend at the same time
             const sessionTokenIsValid = await this.verifySessionToken(
                 sessionToken,
+                accessToken,
             )
             const accessTokenIsValid = await this.verifyAccessToken(accessToken)
             if (

frontend/src/views/VerifyView.vue

@@ -15,13 +15,13 @@ export default {
     }),
     async created() {
         this.authenticator = new Authenticator()
-        hash = this.$route.params.email
+        hash = this.$route.params.hashedToken
         sessionToken = this.grabCookie('siimee_session')
         try {
             this.isHashInUrl(hash)
-            await this.doesEmailMatch(hash)
             await this.doesSessionTokenExist(sessionToken)
-            await this.isSessionTokenValid(sessionToken)
+            const rawSessionToken = await this.grabTokenFromHash(hash)
+            await this.isSessionTokenValid(hash, rawSessionToken)
         } catch (err) {
             console.error(err)
         }
@@ -40,37 +40,33 @@ export default {
                 ? cookies[`${cookieKey}`]
                 : undefined
         },
-        // QUESTION: This will likely be needed in OnboardingView.vue
-        async getAccessToken(payload) {
-            const accessToken = await this.authenticator.getAccessToken({
-                payload,
-            })
-            document.cookie = `siimee_access=${accessToken}; max-age=600; path=/; secure`
-        },
         isHashInUrl(hash) {
             if (!hash) throw new Error('URL contains no hash!')
         },
-        async doesEmailMatch(hashEmail) {
-            const hashesMatch = await this.authenticator.verifyAuthEmail(
-                hashEmail,
-            )
-            if (!hashesMatch) throw new Error('Hash is not in registry!')
-        },
-        // TODO: Flawed thinking, what if user closed browser and then answered email?
-        // session token won't exist, it will need to be generated here using the hashEmail, problem is:
-        // hashEmail cannot access
         async doesSessionTokenExist(sessionToken) {
             if (!sessionToken)
                 throw new Error('sessionToken not in cookie store!')
         },
-        async isSessionTokenValid(sessionToken) {
+        // TODO: Next is to put this into OnboardingView
+        // TODO: validate routes using sole SessionToken Grabbed from hash in cookie
+        async grabTokenFromHash(hashedToken) {
+            const sessionData = await this.authenticator.verifyAuthSession(
+                hashedToken,
+            )
+            if (!sessionData.hashesMatch)
+                throw new Error('Hash is not in registry!')
+            else return sessionData.sessionToken
+        },
+        async isSessionTokenValid(hash, sessionToken) {
             const sessionTokenIsValid =
                 await this.authenticator.validateSession(sessionToken)
+            console.log('sessionTokenIsValid :=>', sessionTokenIsValid)
             if (sessionTokenIsValid.error) {
                 throw new Error(sessionTokenIsValid.error)
             } else {
-                // TODO: Does accessToken need sessionToken data?
-                await this.getAccessToken(sessionTokenIsValid.payload)
+                await this.authenticator.assignAccessTokenToSession({
+                    hash,
+                })
             }
         },
     },