Add user admin level

The higher the level, the more rights a user has Fix error not checking password in authenication

Add user admin level
f2657291 · Markus Grigull · b7d9e0bb · f2657291 · f2657291 · f2657291
Commit f2657291 authored 8 years ago by Markus Grigull
--- a/auth.js
+++ b/auth.js
@@ -20,5 +20,17 @@ module.exports = {
      req.decoded = decoded;
      next();
    });
+  },
+
+  validateAdminLevel: function(requiredLevel) {
+    return function(req, res, next) {
+      // check admin level
+      var userLevel = req.decoded._doc.adminLevel;
+      if (userLevel >= requiredLevel) {
+        next();
+      } else {
+        return res.status(401).send({ success: false, message: 'Invalid authorization' });
+      }
+    }
  }
 }
--- a/routes/users.js
+++ b/routes/users.js
@@ -13,7 +13,7 @@ var router = express.Router();
 router.use('/users', auth.validateToken);

 // routes
-router.route('/users').get(function(req, res) {
+router.get('/users', auth.validateAdminLevel(1), function(req, res) {
  // get all users
  User.find(function(err, users) {
    if (err) {
@@ -39,7 +39,7 @@ router.route('/users').post(function(req, res) {
  });
 });

-router.route('/users/:id').put(function(req, res) {
+router.route('/users/:id').put(auth.validateAdminLevel(1), function(req, res) {
  // get user
  User.findOne({ _id: req.params.id }, function(err, user) {
    if (err) {
@@ -62,7 +62,7 @@ router.route('/users/:id').put(function(req, res) {
  });
 });

-router.route('/users/:id').get(function(req, res) {
+router.route('/users/:id').get(auth.validateAdminLevel(1), function(req, res) {
  User.findOne({ _id: req.params.id }, function(err, user) {
    if (err) {
      return res.send(err);
@@ -72,7 +72,7 @@ router.route('/users/:id').get(function(req, res) {
  });
 });

-router.route('/users/:id').delete(function(req, res) {
+router.route('/users/:id').delete(auth.validateAdminLevel(1), function(req, res) {
  User.remove({ _id: req.params.id }, function(err) {
    if (err) {
      return res.send(err);
@@ -98,10 +98,17 @@ router.route('/authenticate').post(function(req, res) {
      return res.status(401).send({ success: false, message: 'Invalid credentials' });
    }

-    // create authentication token
-    var token = jwt.sign(user, config.secret, {});
+    // validate password
+    user.verifyPassword(req.body.password, function(err, isMatch) {
+      if (err || !isMatch) {
+        return res.status(401).send({ success: false, message: 'Invalid credentials' });
+      }
+
+      // create authentication token
+      var token = jwt.sign(user, config.secret, {});

-    return res.send({ success: true, message: 'Authenticated', token: token});
+      return res.send({ success: true, message: 'Authenticated', token: token});
+    });
  });
 });


--- a/server.js
+++ b/server.js
@@ -29,13 +29,3 @@ app.use('/api/v1', users);
 app.listen(config.port, function() {
  console.log('Express server listening on port ' + config.port);
 });
-
-var newUser = User({ username: 'admin', password: 'test' });
-newUser.save(function(err) {
-  if (err) {
-    console.log(err);
-    return;
-  }
-
-  console.log('Created default admin user from config file');
-});