will/adopt-a-street
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e74de09605b1ac5475808695c58fa4d557034858
adopt-a-street/backend/routes/auth.js
William Valentin b3dc608750 feat(backend): implement comprehensive security and validation 
Implement enterprise-grade security measures and input validation:

Security Features:
- Add Helmet.js for security headers (XSS, clickjacking, MIME protection)
- Implement rate limiting (5/15min for auth, 100/15min for API)
- Add Socket.IO JWT authentication middleware
- Fix JWT auth middleware (remove throw in catch, extend token to 7 days)
- Implement centralized error handling with AppError class
- Add CORS restrictive configuration

Input Validation:
- Add express-validator to all routes (auth, streets, tasks, posts, events, rewards, reports, users)
- Create comprehensive validation schemas in middleware/validators/
- Consistent error response format for validation failures

Additional Features:
- Add pagination middleware for all list endpoints
- Add Multer file upload middleware (5MB limit, image validation)
- Update .env.example with all required environment variables

Dependencies Added:
- helmet@8.1.0
- express-rate-limit@8.2.1
- express-validator@7.3.0
- multer@1.4.5-lts.1
- cloudinary@2.8.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-01 10:42:19 -07:00

109 lines
2.3 KiB
JavaScript
Raw Blame History

const express = require("express");
const bcrypt = require("bcryptjs");
const jwt = require("jsonwebtoken");
const User = require("../models/User");
const auth = require("../middleware/auth");
const { asyncHandler } = require("../middleware/errorHandler");
const {
registerValidation,
loginValidation,
} = require("../middleware/validators/authValidator");
const router = express.Router();
// Get user
router.get(
"/",
auth,
asyncHandler(async (req, res) => {
const user = await User.findById(req.user.id).select("-password");
res.json(user);
}),
);
// Register
router.post(
"/register",
registerValidation,
asyncHandler(async (req, res) => {
const { name, email, password } = req.body;
let user = await User.findOne({ email });
if (user) {
return res.status(400).json({ success: false, msg: "User already exists" });
}
user = new User({
name,
email,
password,
});
const salt = await bcrypt.genSalt(10);
user.password = await bcrypt.hash(password, salt);
await user.save();
const payload = {
user: {
id: user.id,
},
};
const token = await new Promise((resolve, reject) => {
jwt.sign(
payload,
process.env.JWT_SECRET,
{ expiresIn: "7d" },
(err, token) => {
if (err) reject(err);
else resolve(token);
},
);
});
res.json({ success: true, token });
}),
);
// Login
router.post(
"/login",
loginValidation,
asyncHandler(async (req, res) => {
const { email, password } = req.body;
let user = await User.findOne({ email });
if (!user) {
return res.status(400).json({ success: false, msg: "Invalid credentials" });
}
const isMatch = await bcrypt.compare(password, user.password);
if (!isMatch) {
return res.status(400).json({ success: false, msg: "Invalid credentials" });
}
const payload = {
user: {
id: user.id,
},
};
const token = await new Promise((resolve, reject) => {
jwt.sign(
payload,
process.env.JWT_SECRET,
{ expiresIn: "7d" },
(err, token) => {
if (err) reject(err);
else resolve(token);
},
);
});
res.json({ success: true, token });
}),
);
module.exports = router;
Reference in New Issue View Git Blame Copy Permalink