Fix jwt-token

2025-09-23 15:56:52 +02:00
parent 4747900c7b
commit 25d910ed3f
3 changed files with 47 additions and 17 deletions
--- a/management/src/contexts/AuthContext.jsx
+++ b/management/src/contexts/AuthContext.jsx
@@ -17,21 +17,36 @@ export const AuthProvider = ({ children }) => {
  const [loading, setLoading] = useState(true)

  useEffect(() => {
-    // Check for existing token on app start
+    // Check for existing token on app start and validate it
+    checkAuthStatus()
+  }, [])
+
+  const checkAuthStatus = async () => {
    const token = localStorage.getItem('management_token')
    const savedUser = localStorage.getItem('management_user')
    
-    if (token && savedUser) {
-      try {
-        setUser(JSON.parse(savedUser))
-      } catch (error) {
-        console.error('Error parsing saved user:', error)
-        localStorage.removeItem('management_token')
-        localStorage.removeItem('management_user')
-      }
+    if (!token || !savedUser) {
+      setLoading(false)
+      return
    }
-    setLoading(false)
-  }, [])
+    
+    try {
+      // Validate token by making a simple API call
+      const response = await api.get('/management/tenants?limit=1')
+      // If successful, use saved user data
+      const parsedUser = JSON.parse(savedUser)
+      setUser(parsedUser)
+      console.log('✅ Management token validated for user:', parsedUser.username)
+    } catch (error) {
+      console.warn('🔓 Management token validation failed:', error.response?.status, error.response?.data?.message)
+      // Clear invalid auth data (but don't redirect here, let the api interceptor handle it)
+      localStorage.removeItem('management_token')
+      localStorage.removeItem('management_user')
+      setUser(null)
+    } finally {
+      setLoading(false)
+    }
+  }

  const login = async (username, password) => {
    try {
@@ -73,6 +88,7 @@ export const AuthProvider = ({ children }) => {
    loading,
    login,
    logout,
+    checkAuthStatus,
    isAuthenticated: !!user,
    isAdmin: user?.role === 'admin' || user?.role === 'super_admin' || user?.role === 'platform_admin',
    isSuperAdmin: user?.role === 'super_admin',
--- a/server/routes/dataRetention.js
+++ b/server/routes/dataRetention.js
@@ -32,10 +32,11 @@ const requireManagementAuth = async (req, res, next) => {
      });
    }

-    // Verify JWT token
+    // Verify JWT token using management secret
    let decoded;
    try {
-      decoded = jwt.verify(token, process.env.JWT_SECRET || 'your-super-secret-jwt-key-change-in-production');
+      const MANAGEMENT_SECRET = process.env.MANAGEMENT_JWT_SECRET || 'mgmt-super-secret-change-in-production';
+      decoded = jwt.verify(token, MANAGEMENT_SECRET);
    } catch (jwtError) {
      await auditLogger.logAuthFailure(req, req.path, `Invalid JWT token: ${jwtError.message}`);
      return res.status(401).json({
@@ -45,8 +46,8 @@ const requireManagementAuth = async (req, res, next) => {
      });
    }

-    // Verify this is a management user
-    if (decoded.type !== 'management') {
+    // Verify this is a management user with proper role
+    if (!decoded.isManagement || !['super_admin', 'platform_admin'].includes(decoded.role)) {
      await auditLogger.logPermissionDenied(null, req, req.path, 'Not a management user token');
      return res.status(403).json({
        success: false,
@@ -56,7 +57,7 @@ const requireManagementAuth = async (req, res, next) => {
    }

    // Verify user still exists and is active
-    const managementUser = await ManagementUser.findByPk(decoded.id);
+    const managementUser = await ManagementUser.findByPk(decoded.userId);
    if (!managementUser || !managementUser.is_active) {
      await auditLogger.logPermissionDenied(decoded, req, req.path, 'Management user not found or inactive');
      return res.status(403).json({
--- a/server/utils/dataRetentionAuditLogger.js
+++ b/server/utils/dataRetentionAuditLogger.js
@@ -10,6 +10,7 @@ class DataRetentionAuditLogger {
  constructor() {
    this.logDir = process.env.SECURITY_LOG_DIR || './logs';
    this.logFile = path.join(this.logDir, 'data_retention_access.log');
+    this.loggedWriteError = false; // Flag to avoid spamming write error messages
  }

  async ensureLogDir() {
@@ -49,11 +50,23 @@ class DataRetentionAuditLogger {
      } catch (writeError) {
        // Fallback to console logging if file writing fails (e.g., permission issues)
        console.log('[DATA_RETENTION_AUDIT]', JSON.stringify(logEntry));
+        
+        // Only log the file write error once to avoid spam
+        if (!this.loggedWriteError) {
+          console.warn('Failed to write security log to file, using console logging:', writeError.message);
+          this.loggedWriteError = true;
+        }
      }
      
    } catch (error) {
      // Fallback to console logging for any errors
-      console.log('[DATA_RETENTION_AUDIT_ERROR]', error.message, JSON.stringify(event, null, 2));
+      console.log('[DATA_RETENTION_AUDIT_ERROR]', error.message);
+      console.log('[DATA_RETENTION_AUDIT_FALLBACK]', JSON.stringify({
+        timestamp: new Date().toISOString(),
+        event: event.type || 'UNKNOWN',
+        result: event.result || 'error',
+        error: event.error || error.message
+      }));
    }
  }