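  // Third-party dependencies (one declaration per binding instead of one
  // comma-chained `const`).
  const express = require('express');
  const bodyParser = require('body-parser');
  const cookieParser = require('cookie-parser');
  const randomBytes = require('random-bytes');

  const app = express();

  // Application constants.
  const PORT = 9090;
  // Demo credentials kept in plaintext in source; the /login handler compares
  // the submitted username/password against these with strict equality.
  const USERNAME = "demo";
  const PASSWORD = "pass123$";

  // Server-side session table keyed by the session-id cookie value. The
  // /logout and GET /login handlers read and delete entries from it, but the
  // original file never declared it, so the first such request threw a
  // ReferenceError. A null-prototype object is used because the key comes
  // straight from a client cookie: with a plain `{}`, inherited names such as
  // "constructor" would resolve to a truthy value and pass the GET /login
  // check. Nothing in this file currently inserts into the table, so
  // GET /login serves login.html until the /login handler records sessions.
  const SESSION_DATA = Object.create(null);
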
  // Request pipeline: cookie parsing, URL-encoded and JSON bodies, then
  // static assets from ./public. app.use() returns the app, so the calls chain.
  app
    .use(cookieParser())
    .use(bodyParser.urlencoded({ extended: false }))
    .use(bodyParser.json())
    .use(express.static('public'));

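  // Start listening. Node's listen callback is only invoked once the server is
  // actually listening and receives no error argument, so the original
  // `err => { if (err) ... }` branch could never run; bind failures (for
  // example the port already being in use) are delivered on the server's
  // 'error' event instead.
  const server = app.listen(PORT, () => {
    console.log(`SUCCESS: Server started on port ${PORT}`);
  });

  server.on('error', (err) => {
    console.error(`ERROR: Can not start server on ${PORT}`, err);
  });
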
  // Landing page: browsers that already carry both session cookies go to the
  // form, everyone else to the login page. Only cookie *presence* is checked
  // here; the values are not validated against any server-side state.
  app.get('/', (req, res) => {
    const { 'csrf-token': csrfToken, 'session-id': sessionId } = req.cookies;
    const target = csrfToken && sessionId ? '/form.html' : '/login.html';
    res.redirect(target);
  });

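  // Handle user login and token generation.
  //
  // Expects `username` and `password` in the (JSON or form-encoded) body.
  // Responds 400 with a JSON error when either is missing, empty or not a
  // string, 401 when the pair does not match USERNAME/PASSWORD, and otherwise
  // issues the session-id, csrf-token and time cookies and serves
  // public/form.html. Nothing here records the session server-side, so the
  // SESSION_DATA lookups in /logout and GET /login never find an entry.
  app.post('/login', (req, res) => {
    const { username, password } = req.body;

    // Validate user input. The typeof check also rejects the non-string values
    // a JSON body can carry (arrays, objects), which the original
    // `=== undefined || === ""` test let through to the comparison below.
    if (typeof username !== 'string' || username === '') {
      res.status(400).json({ success: false, message: 'Username undefined' });
      return;
    }
    if (typeof password !== 'string' || password === '') {
      res.status(400).json({ success: false, message: 'Password undefined' });
      return;
    }

    if (username !== USERNAME || password !== PASSWORD) {
      // The original sent a 405 JSON body and then called res.redirect('/'),
      // which throws "Cannot set headers after they are sent" because the
      // response was already finished. Send exactly one response, with the
      // status that matches the message (401, not 405 Method Not Allowed).
      res.status(401).json({ success: false, message: 'Unauthorized user' });
      return;
    }

    // Generate session info. Hex rather than base64 so the token contains no
    // '+', '/' or '=' characters: res.cookie URL-encodes values and
    // cookie-parser decodes them, and a client that copies document.cookie
    // verbatim into the request body would otherwise fail the equality check
    // in /post for tokens containing those characters.
    const sessionId = Buffer.from(randomBytes.sync(32)).toString('hex');
    const csrfToken = Buffer.from(randomBytes.sync(32)).toString('hex');

    // The session cookie is never needed by page scripts, so keep it out of
    // document.cookie. The csrf-token cookie stays script-readable on the
    // assumption that form.html reads it and echoes it in the body (the
    // double-submit check in /post) — confirm against public/form.html.
    // `secure: true` is not set because nothing here shows TLS in use; add it
    // once the server is served over HTTPS.
    res.cookie('session-id', sessionId, { httpOnly: true, sameSite: 'strict' });
    res.cookie('csrf-token', csrfToken, { sameSite: 'strict' });
    res.cookie('time', String(Date.now()), { sameSite: 'strict' });

    res.sendFile('public/form.html', { root: __dirname });
  });
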
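  // Double-submit CSRF check for form posts.
  //
  // A request is accepted only when it carries a session-id cookie and the
  // csrf_token field in the body equals the csrf-token cookie. Requests with
  // no session cookie get the login page back, as in the original. Only the
  // session cookie's presence is checked; it is not looked up in SESSION_DATA.
  app.post('/post', (req, res) => {
    const { 'session-id': sessionId, 'csrf-token': csrfCookie } = req.cookies;

    if (!sessionId) {
      res.sendFile('public/login.html', { root: __dirname });
      return;
    }

    // Compare csrf tokens in cookie and request body. Both must be present,
    // non-empty strings: the original bare `===` accepted a request carrying
    // neither a csrf-token cookie nor a csrf_token field, because
    // undefined === undefined is true.
    const csrfBody = req.body.csrf_token;
    const tokensMatch =
      typeof csrfCookie === 'string' && csrfCookie !== '' &&
      typeof csrfBody === 'string' && csrfBody === csrfCookie;

    if (tokensMatch) {
      res.status(200).json({ success: true });
    } else {
      res.status(400).json({ success: false });
    }
  });
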
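  // Logout user from the application: drop the server-side session entry and
  // expire every cookie /login issued (session-id, csrf-token, time). The
  // original cleared only session-id and time, leaving csrf-token behind in
  // the logged-out browser.
  app.post('/logout', (req, res) => {
    const sessionId = req.cookies['session-id'];

    // Remove csrf token from memory. SESSION_DATA must be declared at module
    // scope; if it is not, this line throws a ReferenceError. The guard skips
    // the pointless `delete SESSION_DATA[undefined]` when no cookie was sent.
    if (sessionId) {
      delete SESSION_DATA[sessionId];
    }

    res.clearCookie('session-id');
    res.clearCookie('csrf-token');
    res.clearCookie('time');

    res.sendFile('public/login.html', { root: __dirname });
  });
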
  // Explicit calls to routes: GET /login serves the form when the session-id
  // cookie names a live entry in SESSION_DATA, and the login page otherwise.
  app.get('/login', (req, res) => {
    const sessionId = req.cookies['session-id'];
    const loggedIn = Boolean(sessionId && SESSION_DATA[sessionId]);
    const page = loggedIn ? 'public/form.html' : 'public/login.html';
    res.sendFile(page, { root: __dirname });
  });