I have written a 'route protector' for my Node.js script. It basically takes in a name and a token and compares this information against a database so as to restrict access to certain pages/routes. It all seems to work fine. My problem is when I try to 'compare' the information returned from the database call...it always returns 'false' when it should not (i.e. the information from the database call and the comparison information match).
My 'route' that calls the 'sessionChecker' code:
app.get('/_member_id', csrfProtection, function(req, res){
if (typeof req.session.user != "undefined") {
if (sessionCheck(req.session.user, req.session.token)) {
//render to another page
} else {
//route to a login page here
} //sessionCheck returned "true"...OR NOT...
} else {
res.render('pages/forbidden'),
console.log("FORBIDDEN ENTRY");
}
});
Here is the 'sessionChecker':
function sessionCheck(initiator, keycard, req, res, next) {
var _knocker;
var _init_convert = JSON.stringify(initiator);
var _key_convert = JSON.stringify(keycard);
console.log('initiator in sessionCheck is: ' + initiator);
console.log('keycard in sessionCheck is: ' + keycard);
console.log('_init_convert in sessionCheck is: ' + _init_convert);
console.log('_key_convert in sessionCheck is: ' + _key_convert);
if (typeof initiator != "undefined") {
_knocker = "member";
} else {
_knocker = "customer";
} //'initiator' is NOT "undefined" (indicates a MEMBER)...OR NOT (indicates a CUSTOMER)...
console.log('_knocker in sessionCheck is: ' + _knocker);
if(typeof keycard != "undefined") {
db.findByToken(_knocker, keycard)
.then(function(user) {
console.log('I RETURNED FROM db.findByToken', user);
if ((JSON.stringify(user.username) == _init_convert) && (JSON.stringify(user.token) == _key_convert)) {
console.log('I will return TRUE');
return true
} else {
console.log('I will return FALSE');
return false
}
})
.catch(function(err) {
console.log('An ERROR has been thrown in sessionCheck...!', err);
});
} else {
next(new Error('No session token'));
} //req.session.token EXTANT
};
Output to console:
initiator in sessionCheck is: member1
keycard in sessionCheck is: h9Cb-BVJ
_init_convert in sessionCheck is: "member1"
_key_convert in sessionCheck is: "h9Cb-BVJ"
_knocker in sessionCheck is: member
I RETURNED FROM db.findByToken [ { email: '[email protected]',
username: 'member1',
govname: 'Stephen,S',
birthdate: '5-2-1982',
location: 'Nevada',
service: 'unknown',
status: 'active',
login: '2019-12-21-14-20',
legacy: '2019-12-21',
token: 'h9Cb-BVJ' } ]
I will return FALSE
As can be seen in the output...the data seems to match (user.username, user.token from database call equal information that was passed to function)...however a return value of 'false' is still thrown...why? I thank you in advance for any response.
So db.findByToken returns an array, not an object.
if ((JSON.stringify(user.username) == _init_convert) && (JSON.stringify(user.token) == _key_convert)) {
will be
if ((JSON.stringify(user[0].username) == _init_convert) && (JSON.stringify(user[0].token) == _key_convert)) {
But some points to remember,
!= use the strict one !== or ===