Fix multiple security vulnerabilities (CWE-798, CWE-915, CWE-347, CWE-942)

authorization/controllers/authorization.controller.js

@@ -5,13 +5,17 @@ const uuid = require('uuid');
 
 exports.login = (req, res) => {
     try {
-        let refreshId = req.body.userId + jwtSecret;
         let salt = crypto.randomBytes(16).toString('base64');
-        let hash = crypto.createHmac('sha512', salt).update(refreshId).digest("base64");
-        req.body.refreshKey = salt;
-        let token = jwt.sign(req.body, jwtSecret);
+        let hash = crypto.createHmac('sha512', salt).update(req.body.userId + jwtSecret).digest("base64");
         let b = Buffer.from(hash);
-        let refresh_token = b.toString('base64');
+        let refresh_token = salt + '.' + b.toString('base64');
+        let token = jwt.sign({
+            userId: req.body.userId,
+            email: req.body.email,
+            permissionLevel: req.body.permissionLevel,
+            provider: req.body.provider,
+            name: req.body.name,
+        }, jwtSecret, {expiresIn: 36000});
         res.status(201).send({accessToken: token, refreshToken: refresh_token});
     } catch (err) {
         res.status(500).send({errors: err});
@@ -20,8 +24,13 @@ exports.login = (req, res) => {
 
 exports.refresh_token = (req, res) => {
     try {
-        req.body = req.jwt;
-        let token = jwt.sign(req.body, jwtSecret);
+        let token = jwt.sign({
+            userId: req.jwt.userId,
+            email: req.jwt.email,
+            permissionLevel: req.jwt.permissionLevel,
+            provider: req.jwt.provider,
+            name: req.jwt.name,
+        }, jwtSecret, {expiresIn: 36000});
         res.status(201).send({id: token});
     } catch (err) {
         res.status(500).send({errors: err});

common/config/env.config.js

@@ -1,8 +1,15 @@
+const jwtSecret = process.env.JWT_SECRET;
+if (!jwtSecret) {
+    console.error('FATAL: JWT_SECRET environment variable is not set.');
+    console.error('Generate one with: node -e "console.log(require(\'crypto\').randomBytes(32).toString(\'base64\'))"');
+    process.exit(1);
+}
+
 module.exports = {
     "port": 3600,
     "appEndpoint": "http://localhost:3600",
     "apiEndpoint": "http://localhost:3600",
-    "jwt_secret": "myS33!!creeeT",
+    "jwt_secret": jwtSecret,
     "jwt_expiration_in_seconds": 36000,
     "environment": "dev",
     "permissionLevels": {

common/middlewares/auth.validation.middleware.js

@@ -11,10 +11,14 @@ exports.verifyRefreshBodyField = (req, res, next) => {
 };
 
 exports.validRefreshNeeded = (req, res, next) => {
-    let b = Buffer.from(req.body.refresh_token, 'base64');
-    let refresh_token = b.toString();
-    let hash = crypto.createHmac('sha512', req.jwt.refreshKey).update(req.jwt.userId + secret).digest("base64");
-    if (hash === refresh_token) {
+    let parts = req.body.refresh_token.split('.');
+    if (parts.length !== 2) {
+        return res.status(400).send({error: 'Invalid refresh token'});
+    }
+    let salt = parts[0];
+    let expectedHash = Buffer.from(parts[1], 'base64').toString();
+    let hash = crypto.createHmac('sha512', salt).update(req.jwt.userId + secret).digest("base64");
+    if (hash === expectedHash) {
         req.body = req.jwt;
         return next();
     } else {

index.js

@@ -7,7 +7,7 @@ const AuthorizationRouter = require('./authorization/routes.config');
 const UsersRouter = require('./users/routes.config');
 
 app.use(function (req, res, next) {
-    res.header('Access-Control-Allow-Origin', '*');
+    res.header('Access-Control-Allow-Origin', req.headers.origin || 'http://localhost:3000');
     res.header('Access-Control-Allow-Credentials', 'true');
     res.header('Access-Control-Allow-Methods', 'GET,HEAD,PUT,PATCH,POST,DELETE');
     res.header('Access-Control-Expose-Headers', 'Content-Length');

users/controllers/users.controller.js

@@ -34,13 +34,21 @@ exports.getById = (req, res) => {
         });
 };
 exports.patchById = (req, res) => {
-    if (req.body.password) {
+    const allowedFields = ['firstName', 'lastName', 'email', 'password'];
+    const patchData = {};
+    Object.keys(req.body).forEach(key => {
+        if (allowedFields.includes(key)) {
+            patchData[key] = req.body[key];
+        }
+    });
+
+    if (patchData.password) {
         let salt = crypto.randomBytes(16).toString('base64');
-        let hash = crypto.createHmac('sha512', salt).update(req.body.password).digest("base64");
-        req.body.password = salt + "$" + hash;
+        let hash = crypto.createHmac('sha512', salt).update(patchData.password).digest("base64");
+        patchData.password = salt + "$" + hash;
     }
 
-    UserModel.patchUser(req.params.userId, req.body)
+    UserModel.patchUser(req.params.userId, patchData)
         .then((result) => {
             res.status(204).send({});
         });