2

I have a profile section in my Angular app, and right now I have 5 users, let's say.

I have a route where users have to change their password. I want to verify that users are correctly logged in and have passed authentication, and that they cannot change the password for any other users.

const express = require('express');
const router = express.Router();
const User = require('./models/user'); // assumption: the Mongoose User model used in the question

// Looks up whichever user is named in the URL; the :username param is not tied to who is logged in
router.get('/change-password/:username', (req, res, next) => {
  User.findOne({ username: req.params.username })
    .then(user => {
      if (user) {
        return res.status(200).json(user);
      }
      // the original `else if (!user)` is just the else branch
      return res.status(404).json({ message: 'user not found' });
    })
    .catch(next); // hand database errors to Express error handling instead of hanging the request
});

What if user A is logged in and he changes the parameter to B and then changes the password? Is there any way I don't pass a parameter and get the current user who is logged in?

Muhammad Ali
  • 369
  • 7
  • 23
  • You need to use a token on the Angular side and send it to Node, so you verify it in the req.params; see in [this tutorial](http://jasonwatmore.com/post/2018/05/23/angular-6-jwt-authentication-example-tutorial) how to send a token with JWT from Angular – Gaspar Apr 29 '19 at 12:13
  • As Gaspar said, you need some sort of token; this token will be given to your users the moment they are logged in, and it will represent them when they call your API. The most popular is JWT; you can save it in a cookie and validate it using middleware for your protected routes. – noitse Apr 29 '19 at 12:15
  • I will answer it, so you can understand more – Gaspar Apr 29 '19 at 12:16
  • @Gaspar can you add some code example that matches my question? It would be great : ) – Muhammad Ali Apr 29 '19 at 12:19

1 Answer

2

Basically it is like this: when you log the user in from the back end, you send a response with a token to the front end. You save this token to local storage so that you have it in every request to the back end. Then, you use a middleware function to check if the token is provided in the header of the request as a bearer. So the answer is: you don't have to check the auth on every request, you just check by middleware if the token is provided and if it is correct. If you are using Express, most apps use a middleware in the auth service class like this:

var User = require('../models/user'); // assumption: the app's Mongoose User model

// Middleware: the request is allowed through only if the session maps to an existing user
module.exports.isAuthorized = function (req, res, next) {
    User.findById(req.session.userId).exec(function (error, user) {
        if (error) {
            return next(error); // database error: let the error handler deal with it
        }
        if (user === null) {
            var err = new Error('Not authorized! Go back!');
            err.status = 400;
            return next(err); // no such user: short-circuit to the error handler
        }
        return next(); // authorized: continue to the route handler
    });
};

At the node.js routes:

var path = require('path');
var router = require('express').Router();
var auth = require('./auth');

// GET route after registering: auth.isAuthorized runs before the handler below
router.get('/clientPage', auth.isAuthorized, function (req, res, next) {
    res.sendFile(path.join(__dirname, '..', 'views', 'clientPage.html'));
});

As you can see, the second param says that before making the request, it will execute the middleware function auth.isAuthorized.

Gaspar
  • 1,515
  • 13
  • 20