slate/pages/api/sign-in.js

import * as Logging from "~/common/logging";
import * as Environment from "~/node_common/environment";
import * as Utilities from "~/node_common/utilities";
import * as Data from "~/node_common/data";
import * as Strings from "~/common/strings";
import * as Validations from "~/common/validations";

import { encryptPasswordClient } from "~/common/utilities";

import JWT from "jsonwebtoken";

export default async (req, res) => {
  if (!Strings.isEmpty(Environment.ALLOWED_HOST) && req.headers.host !== Environment.ALLOWED_HOST) {
    return res.status(403).send({ decorator: "SERVER_SIGN_IN_NOT_ALLOWED", error: true });
  }

  // NOTE(jim): We don't need to validate here.
  if (Strings.isEmpty(req.body.data.username)) {
    return res.status(500).send({ decorator: "SERVER_SIGN_IN_NO_USERNAME", error: true });
  }

  if (Strings.isEmpty(req.body.data.password)) {
    return res.status(500).send({ decorator: "SERVER_SIGN_IN_NO_PASSWORD", error: true });
  }

  const username = req.body.data.username.toLowerCase();
  let user;
  if (Validations.email(username)) {
    try {
      user = await Data.getUserByEmail({ email: username });
    } catch (e) {
      Logging.error(e);
    }
  } else {
    try {
      user = await Data.getUserByUsername({
        username: req.body.data.username.toLowerCase(),
      });
    } catch (e) {
      Logging.error(e);
    }
  }

  if (!user) {
    return res.status(404).send({ decorator: "SERVER_SIGN_IN_USER_NOT_FOUND", error: true });
  }

  if (user.error) {
    return res.status(500).send({ decorator: "SERVER_SIGN_IN_USER_NOT_FOUND", error: true });
  }

  // Note(amine): Twitter users won't have a password,
  // we should think in the future how to handle this use case
  if ((!user.salt || !user.password) && user.twitterId) {
    return res.status(403).send({ decorator: "SERVER_TWITTER_LOGIN_ONLY", error: true });
  }

  let userUpdates = { id: user.id, lastActive: new Date() };

  let hash = await Utilities.encryptPassword(req.body.data.password, user.salt);

  let updatePassword = user.authVersion === 1; //NOTE(martina): if they are v1, we may need to update their password
  if (hash !== user.password) {
    //NOTE(martina): this was added to deal with a specific case where the passwords of some v1 users could either be the v1 hashing schema or v2 (so we try both)
    if (user.authVersion === 1) {
      const clientHash = await encryptPasswordClient(req.body.data.password);
      hash = await Utilities.encryptPassword(clientHash, user.salt);
      if (hash !== user.password) {
        return res.status(403).send({ decorator: "SERVER_SIGN_IN_WRONG_CREDENTIALS", error: true });
      }
      updatePassword = false; //NOTE(martina): means the user's password is already v2 hashed, and doesn't need to be updated
    } else {
      return res.status(403).send({ decorator: "SERVER_SIGN_IN_WRONG_CREDENTIALS", error: true });
    }
  }

  if (user.authVersion === 1) {
    userUpdates.authVersion = 2;
    userUpdates.revertedVersion = false;
  }

  if (updatePassword) {
    const newHash = await encryptPasswordClient(req.body.data.password);
    const doubledHash = await Utilities.encryptPassword(newHash, user.salt);
    userUpdates.password = doubledHash;
  }

  await Data.updateUserById(userUpdates);

  if (!user.email) {
    return res
      .status(200)
      .send({ decorator: "SERVER_SIGN_IN_SHOULD_MIGRATE", shouldMigrate: true });
  }
  const authorization = Utilities.parseAuthHeader(req.headers.authorization);
  if (authorization && !Strings.isEmpty(authorization.value)) {
    const verfied = JWT.verify(authorization.value, Environment.JWT_SECRET);

    if (user.username === verfied.username) {
      return res.status(200).send({
        message: "You are already authenticated. Welcome back!",
        viewer: user,
      });
    }
  }

  const token = JWT.sign({ id: user.id, username: user.username }, Environment.JWT_SECRET);

  return res.status(200).send({ decorator: "SERVER_SIGN_IN", success: true, token });
};