signed_cookies.js

// This approach is vulnerable because we are not destroying user cookies on server upon logout.
// Then any malicious person can steal a user's cookie and he now have access to the account forever.
// So lets destroy this person-cookie association (or SESSIONS) in the server

const express = require('express')
const app = express()
const { createReadStream } = require('fs')
const cookieParser = require('cookie-parser')
var path = require('path');

const SECRET_TOKEN = 'sdfqiwuhjeilfudhqwme'  //anything random

app.use(express.urlencoded({ extended: false }));  //gives the ability to use req.body
app.use(cookieParser(SECRET_TOKEN))  //gives us the ability to use req.cookies
app.set('view engine', 'pug');
app.set('views', path.join(__dirname, ''));

const USERS = {
    alice: 'password2',
    bob: 'pass'
}  
const BALANCES = {
    alice:500, bob:300
}

app.get('/', (req, res) => {
    const username = req.signedCookies.username
    console.log(req)
    if(username){
    res.render('dashboard', {title: 'Welcome', username: username, balance:BALANCES[username]})
    } else {
        res.redirect('/login')
        }
})

app.get('/login', (req, res) => {
    if(req.signedCookies.username){
        res.redirect('/')
    } else {
        createReadStream('index.html').pipe(res)
    }
})

app.post('/login', (req, res) => {
    console.log(req.body)
    const username = req.body.username
    const password = USERS[username]

    if(req.body.password === password){
        res.cookie('username', username, {signed: true})
        res.redirect('/')
    } else {
        res.redirect('/login')
    }

})

app.get('/logout', (req,res) => {
    res.clearCookie('username')
    res.redirect('/login')
})

app.listen(4000, () => {
    console.log('Listening on port 4000')
})