Fix jwt-token
@@ -84,12 +84,19 @@ const updateProfileSchema = Joi.object({
|
||||
|
||||
// POST /api/users/register - Register new user (ULTRA SECURE)
|
||||
router.post('/register', registrationLimiter, validateRequest(registerSchema), async (req, res) => {
|
||||
return registerLocal(req, res);
|
||||
});
|
||||
|
||||
/**
|
||||
* Register local user - can be called from both direct route and auth route
|
||||
*/
|
||||
async function registerLocal(req, res) {
|
||||
try {
|
||||
console.log('🔒 Registration attempt started');
|
||||
|
||||
// Step 1: Determine tenant context - CRITICAL SECURITY CHECK
|
||||
const multiAuth = new MultiTenantAuth();
|
||||
const tenantId = await multiAuth.determineTenant(req);
|
||||
const tenantId = req.tenant?.id || await multiAuth.determineTenant(req);
|
||||
console.log('🔍 Registration - Determined tenant:', tenantId);
|
||||
|
||||
if (!tenantId) {
|
||||
@@ -138,7 +145,7 @@ router.post('/register', registrationLimiter, validateRequest(registerSchema), a
|
||||
}
|
||||
|
||||
// Step 6: Additional security - Check if registration is explicitly enabled in auth config
|
||||
const authConfig = await multiAuth.getTenantAuthConfig(tenantId);
|
||||
const authConfig = req.tenant?.authConfig || await multiAuth.getTenantAuthConfig(tenantId);
|
||||
if (!authConfig.enabled) {
|
||||
console.log('❌ Registration BLOCKED - Auth config disabled');
|
||||
return res.status(403).json({
|
||||
@@ -192,7 +199,7 @@ router.post('/register', registrationLimiter, validateRequest(registerSchema), a
|
||||
|
||||
res.status(201).json({
|
||||
success: true,
|
||||
data: userResponse,
|
||||
data: { user: userResponse },
|
||||
message: 'User registered successfully'
|
||||
});
|
||||
|
||||
@@ -212,7 +219,7 @@ router.post('/register', registrationLimiter, validateRequest(registerSchema), a
|
||||
error: process.env.NODE_ENV === 'development' ? error.message : 'Internal server error'
|
||||
});
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
// POST /api/users/login - User login (direct API access - for legacy support)
|
||||
router.post('/login', validateRequest(loginSchema), async (req, res) => {
|
||||
@@ -385,6 +392,20 @@ router.get('/', authenticateToken, requireRole(['admin']), async (req, res) => {
|
||||
*/
|
||||
async function loginLocal(req, res, next) {
|
||||
try {
|
||||
// Validate required fields
|
||||
if (!req.body.username || !req.body.password) {
|
||||
return res.status(400).json({
|
||||
success: false,
|
||||
message: 'Validation error for field' +
|
||||
(!req.body.username && !req.body.password ? 's: username, password' :
|
||||
!req.body.username ? ': username' : ': password'),
|
||||
details: [
|
||||
...(!req.body.username ? [{ field: 'username', message: '"username" is required' }] : []),
|
||||
...(!req.body.password ? [{ field: 'password', message: '"password" is required' }] : [])
|
||||
]
|
||||
});
|
||||
}
|
||||
|
||||
const { username, password } = req.body;
|
||||
|
||||
// Get tenant information from request (set by multi-tenant auth middleware)
|
||||
@@ -458,8 +479,8 @@ async function loginLocal(req, res, next) {
|
||||
userId: user.id,
|
||||
username: user.username,
|
||||
role: user.role,
|
||||
tenantId: user.tenant_id,
|
||||
tenantSlug: req.tenant?.id
|
||||
tenantId: req.tenant?.id, // This should be the tenant slug
|
||||
provider: user.auth_provider
|
||||
},
|
||||
process.env.JWT_SECRET,
|
||||
{ expiresIn: '24h' }
|
||||
@@ -490,3 +511,4 @@ async function loginLocal(req, res, next) {
|
||||
|
||||
module.exports = router;
|
||||
module.exports.loginLocal = loginLocal;
|
||||
module.exports.registerLocal = registerLocal;
|
||||
|
||||
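Review bot: The JWT payload in the `@@ -458,8 +479,8 @@` hunk now has two `tenantId` properties — the retained context line `tenantId: user.tenant_id,` and the new `tenantId: req.tenant?.id, // This should be the tenant slug` — and in an object literal the later one silently wins, so the user's stored `tenant_id` never reaches the token and becomes `undefined` whenever `req.tenant` is absent. Any verifier that compares the claim against the database tenant id would then be checking a slug (or nothing), so decide on one value and delete the other line, e.g. keep `tenantId: user.tenant_id,` and carry the slug under a distinct claim name, or drop the `user.tenant_id` line if the slug is the intended identity. The same ambiguity appears in the first hunk, where `req.tenant?.id` is assigned to `tenantId` and then passed to `getTenantAuthConfig(tenantId)`, which seems to expect the value `determineTenant(req)` returns; it is worth confirming those two helpers agree on slug vs id. The `||` fallbacks there also treat an empty-string tenant as missing; `??` would be the stricter choice if that is not intended. The enclosing `jwt.sign` call and the `loginLocal` function both begin outside the hunk.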