feat(chapter-6): Initial set of samples

Author: petebacondarwin

1820EN_06_Code/01_https_server/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "https-server",
+  "description": "",
+  "version": "0.0.1",
+  "private": true,
+  "dependencies": {
+    "express": "~3.0"
+  },
+  "devDependencies": { }
+}

1820EN_06_Code/01_https_server/server.js

@@ -0,0 +1,20 @@
+var fs = require('fs');
+var http = require('http');
+var https = require('https');
+var privateKey  = fs.readFileSync('cert/privatekey.pem').toString();
+var certificate = fs.readFileSync('cert/certificate.pem').toString();
+var credentials = {key: privateKey, cert: certificate};
+
+var express = require('express');
+
+var app = express();
+var secureServer = https.createServer(credentials, app);
+var server = http.createServer(app);
+
+// ... Add your routes and middleware here
+
+// Start up the server on the port specified in the config
+server.listen(5678);
+console.log('Angular App Server - listening on port: 5678');
+secureServer.listen(95678);
+console.log('Angular App Server - listening on secure port: 95678');

1820EN_06_Code/02_ngSanitize/app.js

@@ -0,0 +1,5 @@
+angular.module('expressionsEscaping', ['ngSanitize'])
+  .controller('ExpressionsEscapingCtrl', function ($scope, $sanitize) {
+    $scope.msg = 'Hello, <b>World</b>!';
+    $scope.safeMsg = $sanitize($scope.msg);
+  });

1820EN_06_Code/02_ngSanitize/index.html

@@ -0,0 +1,15 @@
+<!doctype html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <script src="http://code.angularjs.org/1.0.2/angular.js"></script>
+    <script src="http://code.angularjs.org/1.0.2/angular-sanitize.js"></script>
+    <script src="app.js"></script>
+</head>
+<body ng-app="expressionsEscaping" ng-controller="ExpressionsEscapingCtrl">
+    <p ng-bind="msg"></p>
+    <p ng-bind-html-unsafe="msg"></p>
+    <p ng-bind-html="msg"></p>
+    <p ng-bind-html-unsafe="safeMsg"></p>
+</body>
+</html>

1820EN_06_Code/03_JSON_vulnerability/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "https-server",
+  "description": "",
+  "version": "0.0.1",
+  "private": true,
+  "dependencies": {
+    "express": "~3.0"
+  },
+  "devDependencies": { }
+}

1820EN_06_Code/03_JSON_vulnerability/protectJSON.js

@@ -0,0 +1,23 @@
+// JSON vulnerability protection
+// we prepend the data with ")]},\n", which will be stripped by $http in AngularJS
+module.exports = function(req, res, next) {
+  var _send = res.send;
+  res.send = function(body) {
+    var contentType = res.getHeader('Content-Type');
+    if ( contentType && contentType.indexOf('application/json') !== -1 ) {
+      if (2 == arguments.length) {
+        // res.send(body, status) backwards compat
+        if ('number' != typeof body && 'number' == typeof arguments[1]) {
+          this.statusCode = arguments[1];
+        } else {
+          this.statusCode = body;
+          body = arguments[1];
+        }
+      }
+      body = ")]}',\n" + body;
+      return _send.call(res, body);
+    }
+    _send.apply(res, arguments);
+  };
+  next();
+};

1820EN_06_Code/03_JSON_vulnerability/server.js

@@ -0,0 +1,12 @@
+var http = require('http');
+var express = require('express');
+var protectJSON = require('./protectJSON');
+
+var app = express();
+var server = http.createServer(app);
+
+use(protectJSON);
+
+// Start up the server on the port specified in the config
+server.listen(5678);
+console.log('Angular App Server - listening on port: 5678');

1820EN_06_Code/04_XSRF/server.js

@@ -0,0 +1,12 @@
+var http = require('http');
+var express = require('express');
+var xsrf = require('./xsrf');
+
+var app = express();
+var server = http.createServer(app);
+
+use(xsrf);
+
+// Start up the server on the port specified in the config
+server.listen(5678);
+console.log('Angular App Server - listening on port: 5678');

1820EN_06_Code/04_XSRF/xsrf.js

@@ -0,0 +1,37 @@
+var crypto = require('crypto');
+
+function uid(len) {
+  return crypto.randomBytes(Math.ceil(len * 3 / 4))
+    .toString('base64')
+    .slice(0, len)
+    .replace(/\//g, '-')
+    .replace(/\+/g, '_');
+}
+
+// The xsrf middleware provide AngularJS style XSRF-TOKEN provision and validation
+// Add it to your server configuration after the session middleware:
+//   app.use(xsrf);
+//  
+module.exports = function(req, res, next) {
+  // Generate XSRF token
+  var token = req.session._csrf || (req.session._csrf = uid(24));
+  // Get the token in the current request
+  var requestToken = req.headers['x-xsrf-token'];
+  // Add it to the cookie
+  res.cookie('XSRF-TOKEN', token);
+
+  // Ignore if it is just a read-only request
+  switch(req.method) {
+    case 'GET':
+    case 'HEAD':
+    case 'OPTIONS':
+      break;
+    default:
+      // Check the token in the request against the one stored in the session
+      if ( requestToken !== token ) {
+        return res.send(403);
+      }
+  }
+  // All is OK, continue as you were.
+  return next();
+};

1820EN_06_Code/05_security_module/src/authorization.js

@@ -0,0 +1,45 @@
+angular.module('security.authorization', ['security.service'])
+
+// This service provides guard methods to support AngularJS routes.
+// You can add them as resolves to routes to require authorization levels
+// before allowing a route change to complete
+.provider('securityAuthorization', {
+
+  requireAdminUser: ['securityAuthorization', function(securityAuthorization) {
+    return securityAuthorization.requireAdminUser();
+  }],
+
+  requireAuthenticatedUser: ['securityAuthorization', function(securityAuthorization) {
+    return securityAuthorization.requireAuthenticatedUser();
+  }],
+
+  $get: ['security', 'securityRetryQueue', function(security, queue) {
+    var service = {
+
+      // Require that there is an authenticated user
+      // (use this in a route resolve to prevent non-authenticated users from entering that route)
+      requireAuthenticatedUser: function() {
+        var promise = security.requestCurrentUser().then(function(userInfo) {
+          if ( !security.isAuthenticated() ) {
+            return queue.pushRetryFn('unauthenticated-client', service.requireAuthenticatedUser);
+          }
+        });
+        return promise;
+      },
+
+      // Require that there is an administrator logged in
+      // (use this in a route resolve to prevent non-administrators from entering that route)
+      requireAdminUser: function() {
+        var promise = security.requestCurrentUser().then(function(userInfo) {
+          if ( !security.isAdmin() ) {
+            return queue.pushRetryFn('unauthorized-client', service.requireAdminUser);
+          }
+        });
+        return promise;
+      }
+
+    };
+
+    return service;
+  }]
+});

1820EN_06_Code/05_security_module/src/index.js

@@ -0,0 +1,6 @@
+// Based loosely around work by Witold Szczerba - https://github.com/witoldsz/angular-http-auth
+angular.module('security', [
+  'security.service',
+  'security.interceptor',
+  'security.login',
+  'security.authorization']);

1820EN_06_Code/05_security_module/src/interceptor.js

@@ -0,0 +1,23 @@
+angular.module('security.interceptor', ['security.retryQueue'])
+
+// This http interceptor listens for authentication failures
+.factory('securityInterceptor', ['$injector', 'securityRetryQueue', function($injector, queue) {
+  return function(promise) {
+    // Intercept failed requests
+    return promise.then(null, function(originalResponse) {
+      if(originalResponse.status === 401) {
+        // The request bounced because it was not authorized - add a new request to the retry queue
+        promise = queue.pushRetryFn('unauthorized-server', function retryRequest() {
+          // We must use $injector to get the $http service to prevent circular dependency
+          return $injector.get('$http')(originalResponse.config);
+        });
+      }
+      return promise;
+    });
+  };
+}])
+
+// We have to add the interceptor to the queue as a string because the interceptor depends upon service instances that are not available in the config block.
+.config(['$httpProvider', function($httpProvider) {
+  $httpProvider.responseInterceptors.push('securityInterceptor');
+}]);

1820EN_06_Code/05_security_module/src/login/LoginFormController.js

@@ -0,0 +1,45 @@
+angular.module('security.login.form', ['services.localizedMessages'])
+
+// The LoginFormController provides the behaviour behind a reusable form to allow users to authenticate.
+// This controller and its template (login/form.tpl.html) are used in a modal dialog box by the security service.
+.controller('LoginFormController', ['$scope', 'security', 'localizedMessages', function($scope, security, localizedMessages) {
+  // The model for this form 
+  $scope.user = {};
+
+  // Any error message from failing to login
+  $scope.authError = null;
+
+  // The reason that we are being asked to login - for instance because we tried to access something to which we are not authorized
+  // We could do something diffent for each reason here but to keep it simple...
+  $scope.authReason = null;
+  if ( security.getLoginReason() ) {
+    $scope.authReason = ( security.isAuthenticated() ) ?
+      localizedMessages.get('login.reason.notAuthorized') :
+      localizedMessages.get('login.reason.notAuthenticated');
+  }
+
+  // Attempt to authenticate the user specified in the form's model
+  $scope.login = function() {
+    // Clear any previous security errors
+    $scope.authError = null;
+
+    // Try to login
+    security.login($scope.user.email, $scope.user.password).then(function(loggedIn) {
+      if ( !loggedIn ) {
+        // If we get here then the login failed due to bad credentials
+        $scope.authError = localizedMessages.get('login.error.invalidCredentials');
+      }
+    }, function(x) {
+      // If we get here then there was a problem with the login request to the server
+      $scope.authError = localizedMessages.get('login.error.serverError', { exception: x });
+    });
+  };
+
+  $scope.clearForm = function() {
+    user = {};
+  };
+
+  $scope.cancelLogin = function() {
+    security.cancelLogin();
+  };
+}]);

1820EN_06_Code/05_security_module/src/login/form.tpl.html

@@ -0,0 +1,23 @@
+<form name="form" novalidate class="login-form">
+    <div class="modal-header">
+        <h4>Sign in</h4>
+    </div>
+    <div class="modal-body">
+        <div class="alert alert-warning" ng-show="authReason">
+            {{authReason}}
+        </div>
+        <div class="alert alert-error" ng-show="authError">
+            {{authError}}
+        </div>
+        <div class="alert alert-info">Please enter your login details</div>
+        <label>E-mail</label>
+        <input name="login" type="email" ng-model="user.email" required autofocus>
+        <label>Password</label>
+        <input name="pass" type="password" ng-model="user.password" required>
+    </div>
+    <div class="modal-footer">
+        <button class="btn btn-primary login" ng-click="login()" ng-disabled='form.$invalid'>Sign in</button>
+        <button class="btn clear" ng-click="clearForm()">Clear</button>
+        <button class="btn btn-warning cancel" ng-click="cancelLogin()">Cancel</button>
+    </div>
+</form>

1820EN_06_Code/05_security_module/src/login/login.js

@@ -0,0 +1 @@
+angular.module('security.login', ['security.login.form', 'security.login.toolbar']);

1820EN_06_Code/05_security_module/src/login/toolbar.js

@@ -0,0 +1,23 @@
+angular.module('security.login.toolbar', [])
+
+// The loginToolbar directive is a reusable widget that can show login or logout buttons
+// and information the current authenticated user
+.directive('loginToolbar', ['security', function(security) {
+  var directive = {
+    templateUrl: 'security/login/toolbar.tpl.html',
+    restrict: 'E',
+    replace: true,
+    scope: true,
+    link: function($scope, $element, $attrs, $controller) {
+      $scope.isAuthenticated = security.isAuthenticated;
+      $scope.login = security.showLogin;
+      $scope.logout = security.logout;
+      $scope.$watch(function() {
+        return security.currentUser;
+      }, function(currentUser) {
+        $scope.currentUser = currentUser;
+      });
+    }
+  };
+  return directive;
+}]);

1820EN_06_Code/05_security_module/src/login/toolbar.tpl.html

@@ -0,0 +1,16 @@
+<ul class="nav pull-right">
+  <li class="divider-vertical"></li>
+  <li ng-show="isAuthenticated()">
+      <a href="#">{{currentUser.firstName}} {{currentUser.lastName}}</a>
+  </li>
+  <li ng-show="isAuthenticated()" class="logout">
+      <form class="navbar-form">
+          <button class="btn logout" ng-click="logout()">Log out</button>
+      </form>
+  </li>
+  <li ng-hide="isAuthenticated()" class="login">
+      <form class="navbar-form">
+          <button class="btn login" ng-click="login()">Log in</button>
+      </form>
+  </li>
+</ul>