const jwt = require('jsonwebtoken'); // Allow models to be injected for testing let models = null; try { models = require('../models'); } catch (error) { // Models will be injected during testing } // Function to set models (used in testing) function setModels(testModels) { models = testModels; } async function authenticateToken(req, res, next) { const authHeader = req.headers['authorization']; if (!authHeader) { return res.status(401).json({ success: false, message: 'Access token required' }); } // Check for proper Bearer token format if (!authHeader.startsWith('Bearer ')) { return res.status(401).json({ success: false, message: 'Invalid token format' }); } const token = authHeader.split(' ')[1]; if (!token) { return res.status(401).json({ success: false, message: 'Access token required' }); } try { const decoded = jwt.verify(token, process.env.JWT_SECRET); // Log what's in the token for debugging console.log('🔍 JWT Token decoded:', { userId: decoded.userId, username: decoded.username, role: decoded.role, tenantId: decoded.tenantId, provider: decoded.provider }); // For older tokens without tenantId, we need to look up the user's tenant let tenantId = decoded.tenantId; const user = await models.User.findByPk(decoded.userId, { attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'], include: [{ model: models.Tenant, as: 'tenant', attributes: ['slug', 'name'] }] }); if (!user) { return res.status(401).json({ success: false, message: 'User not found' }); } if (!user.is_active) { return res.status(401).json({ success: false, message: 'User account is inactive' }); } // Set user context with expected properties for compatibility req.user = { id: user.id, userId: user.id, // For backward compatibility username: user.username, email: user.email, role: user.role, is_active: user.is_active, tenant_id: user.tenant_id, tenant: user.tenant, tenantId: tenantId || (user.tenant ? user.tenant.slug : undefined) // Include tenantId in user object }; // Set tenant context - prefer JWT tenantId, fallback to user's tenant if (tenantId) { req.tenantId = tenantId; console.log('✅ Tenant context from JWT:', tenantId); } else if (user.tenant && user.tenant.slug) { req.tenantId = user.tenant.slug; console.log('✅ Tenant context from user record:', user.tenant.slug); } else { console.log('⚠️ No tenant context available'); } next(); } catch (error) { // Log authentication errors for monitoring (but not in tests) if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') { console.error('🔐 Authentication error:', { error: error.name, message: error.message, userAgent: req.headers['user-agent'], ip: req.ip || req.connection.remoteAddress, path: req.path }); } // Handle specific JWT errors with detailed responses if (error.name === 'TokenExpiredError') { return res.status(401).json({ success: false, error: 'TOKEN_EXPIRED', message: 'Token expired', redirectToLogin: true }); } if (error.name === 'JsonWebTokenError') { return res.status(401).json({ success: false, error: 'INVALID_TOKEN', message: 'Invalid token', redirectToLogin: true }); } if (error.name === 'NotBeforeError') { return res.status(401).json({ success: false, error: 'TOKEN_NOT_ACTIVE', message: 'Token not active', redirectToLogin: true }); } // Generic authentication error return res.status(401).json({ success: false, error: 'AUTHENTICATION_FAILED', message: 'Authentication failed', redirectToLogin: true }); } } function requireRole(roles) { return (req, res, next) => { if (!req.user) { return res.status(401).json({ success: false, message: 'Authentication required' }); } const userRoles = Array.isArray(roles) ? roles : [roles]; if (!userRoles.includes(req.user.role)) { return res.status(403).json({ success: false, message: 'Insufficient permissions' }); } next(); }; } module.exports = { authenticateToken, requireRole, setModels };