sample-node-secured-api/server.js at main · zemuldo-tutorials/sample-node-secured-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
const express = require('express')
const jwt = require('jsonwebtoken');
const app = express()
const port = 3000

const db = []
const accessTokenSecret = "some-very-private-and-long-secret";
const refreshTokenSecret = "some-other-private-and-long-secret";

app.use(express.json())

app.get('/', (req, res) => {
    res.send('Hello World!')
})

app.post('/register', (req, res) => {
    const { username, password } = req.body

    if (!username) return res.status(400).send('Missing username')
    if (!password) return res.status(400).send('Missing password')

    const exists = db.find(user => user.username === username)

    if (exists) return res.status(400).send('User already exists')

    db.push({ username, password })

    res.send('User created')
})

app.post('/login', (req, res) => {
    const { username, password } = req.body

    const user = db.find(user => user.username === username)

    if (!user) return res.status(404).send('User does not exist')

    if (user.password === password) {
        return res.send({
            accessToken: jwt.sign({ username, exp: Math.floor(Date.now() / 1000) + 20 }, accessTokenSecret),
            refreshToken: jwt.sign({ username, exp: Math.floor(Date.now() / 1000) + 90 }, refreshTokenSecret)
        })
    }
    return res.status(401).send('Password is incorrect')
})

app.get("/user_profile", (req, res) => {
    const token = req.headers['authorization']

    if (!token) return res.status(401).send('Access denied')

    try {
        const { username } = jwt.verify(token, accessTokenSecret)
        return res.send({ username })

    } catch (err) {
        return res.status(401).send('Access denied')
    }
})

app.post('/renew_access_token', (req, res) => {
    const {refreshToken} = req.body
    try {
        const details = jwt.verify(refreshToken, refreshTokenSecret)
        return res.send({
            accessToken: jwt.sign({ ...details, exp: Math.floor(Date.now() / 1000) + 20 }, accessTokenSecret),
            refreshToken: jwt.sign({ username: details.username, exp: Math.floor(Date.now() / 1000) + 90 }, refreshTokenSecret)
        })
    } catch (err) {
        return res.status(403).send('Access denied')
    }
})

app.listen(port, () => {
    console.log(`Example app listening on port ${port}`)
})