Security | JWT Authentification

Security is a top priority when it comes to web application development. Etherial.TS takes security seriously and provides a comprehensive security system that safeguards your applications from threats, vulnerabilities, and unauthorized access. In this section, we'll delve into the essential aspects of security in Etherial.TS and how it manages security internally.

Internal Security Management

Etherial.TS is designed with a proactive approach to security, incorporating several layers of protection to ensure that your applications are secure by default. Here's an overview of how Etherial.TS manages security internally:

Middleware and Validation: Etherial.TS includes built-in middleware and validation mechanisms to sanitize and validate incoming data, guarding against common vulnerabilities like SQL injection and cross-site scripting (XSS).
User Authentication: Etherial.TS provides robust user authentication mechanisms, including JSON Web Tokens (JWT), Sessions, and Basic Authentication. These mechanisms allow you to implement user-specific security measures and access control.
Customizable Security: Etherial.TS's security system is highly customizable. You can tailor it to fit your application's specific requirements, whether you need advanced authentication logic, role-based access control (RBAC), or other security measures.
Security Components: Etherial.TS includes dedicated security components that streamline security implementation, making it easier for developers to protect their applications effectively.

Using HTTP

Generating Tokens

Generating tokens is a crucial step in authentication, and Etherial.TS simplifies this process by providing a straightforward method through the http_security module. Here's how you can use it in your controller:

import etherial from "etherial";

// ...

const user = /* Retrieve user data from your database or authentication process */;

const token = etherial.http_security.generateToken({
    user_id: user.id,
    // You can include additional claims or user-specific data in the token payload as needed.
});

// Now, you can use the 'token' for authentication and authorization.

Using the `@ShouldBeAuthentificate` Decorator

The @ShouldBeAuthentificate decorator is applied to controller methods or routes that require authentication. Here's how you can use it in a controller:

import {
    Controller,
    Get,
    Request,
    Response,
} from "etherial/components/http/provider";

import { ShouldBeAuthentificate } from "etherial/components/http.security";

import { User } from "../models/User";

@Controller()
export default class UsersController {

    @Get("/users/me")
    @ShouldBeAuthentificate()
    public async me(req: Request & { user: User }, res: Response): Promise<any> {

        // req.user is the user object retrieved from the JWT token
        // It's automatically attached by the @ShouldBeAuthentificate decorator

        res.success({
            status: 200,
            data: {
                user: req.user,
            },
        });

    }

}

Here's how it works:

Import the @ShouldBeAuthentificate decorator from etherial/components/http.security.
Apply the @ShouldBeAuthentificate decorator to the controller method or route that requires authentication. In this example, the me method can only be accessed by authenticated users.
When a request is made to the /users/me route, the @ShouldBeAuthentificate decorator checks if the user is authenticated. If the user is authenticated (i.e., they have a valid token or session), the request proceeds. Otherwise, an unauthorized error response is generated.
Inside the controller method, you can access the authenticated user's information through the req.user object, which is automatically attached by the @ShouldBeAuthentificate decorator. This allows you to work with the user's data securely.

Example app.ts (Configuration steps)

import etherial from "etherial";

import {
    Request,
    Response,
} from "etherial/components/http/provider"

import { Http } from "etherial/components/http";
import { Database } from "etherial/components/database";
import { HttpSecurity } from "etherial/components/http.security";

import * as bodyParser from "body-parser";
import * as cors from "cors";
import * as methodOverride from "method-override";

import { User } from "./models/User";

class App {

    run({ http, database, http_security }: { http: Http; database: Database, http_security: HttpSecurity }) {

        http.app.use(cors());
        http.app.use(methodOverride());
        http.app.use(bodyParser.json());

        //Custom authentification checker
        http_security.setCustomAuthentificationChecker(({user_id}) => {
            return User.findOne({
                where: {
                    id: user_id
                }
            })
        })

        //Custom error handler when token is invalid
        http.app.use((err: { name: string }, req: Request, res: Response, next: any) => {

            if (err.name === 'UnauthorizedError') {
                res.error({status: 403, errors: [ {location: 'api', param: '0', value: '0', msg: 'api.errors.token.invalid'}]})
            } else {
                next()
            }
    
        })

        http.notFoundRoute((req, res) => {
            res.error({ status: 404, error: "api.not_found" });
        });

        return Promise.all([
            http.listen(),
            database.sequelize.sync({
                alter: true,
            }),
        ]);
        
    }

}

export default App;

Example Auth Controller (Token Generation)

//src/routes/auth.ts
import etherial from "etherial";

import {
    Controller,
    Post,
    Request,
    Response,
} from "etherial/components/http/provider";

import { ShouldValidateForm } from "etherial/components/http/validator";

import { User } from "../models/User";

import * as AuthForm from "../forms/auth_form";

import * as bcrypt from "bcrypt"

@Controller()
export default class AuthController {

    @Post("/auth")
    @ShouldValidateForm(AuthForm.Create)
    public async create(
        req: Request & { form: AuthForm.Create },
        res: Response
    ): Promise<any> {

        let user = await User.findOne({
            where: {
                email: req.form.email.toLowerCase(),
            },
        });

        if (user) {

            if (bcrypt.compareSync(req.form.device, user.password)) {

                res.success({
                    status: 200,
                    data: {
                        token: etherial.http_security.generateToken({
                            user_id: user.id,
                        }),
                    },
                });

            } else {

                res.error({
                    status: 400,
                    errors: ["api.form.errors.invalid_login"],
                });

            }

        } else {

            res.error({
                status: 400,
                errors: ["api.form.errors.invalid_login"],
            });

        }
    }

}

Example : User Controller (use of ShouldBeAuthentificate)

//src/routes/users.ts
import {
    Controller,
    Get,
    Request,
    Response,
} from "etherial/components/http/provider";

import { ShouldBeAuthentificate } from "etherial/components/http.security";

import { User } from "../models/User";

@Controller()
export default class UsersController {

    @Get("/users/me")
    @ShouldBeAuthentificate()
    public async me(req: Request & { user: User }, res: Response): Promise<any> {

        //req.user is the user object from the database retreived from JWT token

        res.success({
            status: 200,
            data: {
                user: req.user,
            },
        });

    }

}

PreviousHttp Security | Config & Commands NextTranslation (WIP)

Last updated 2 years ago

hashtagInternal Security Management

hashtagUsing HTTP

hashtagGenerating Tokens

hashtagUsing the @ShouldBeAuthentificate Decorator

hashtagExample app.ts (Configuration steps)

hashtagExample Auth Controller (Token Generation)

hashtagExample : User Controller (use of ShouldBeAuthentificate)