const jwt = require('jsonwebtoken'); const { createErrorResponse, getLanguageFromRequest } = require('../utils/i18n'); // Allow models to be injected for testing let models = null; try { models = require('../models'); } catch (error) { // Models will be injected during testing } // Function to set models (used in testing) function setModels(testModels) { models = testModels; } async function authenticateToken(req, res, next) { const authHeader = req.headers['authorization']; if (!authHeader) { const errorResponse = createErrorResponse(req, 401, 'NO_TOKEN'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } // Check for proper Bearer token format if (!authHeader.startsWith('Bearer ')) { const errorResponse = createErrorResponse(req, 401, 'INVALID_TOKEN'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } const token = authHeader.split(' ')[1]; if (!token) { const errorResponse = createErrorResponse(req, 401, 'NO_TOKEN'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } try { if (!process.env.JWT_SECRET) { throw new Error('JWT_SECRET environment variable is not set'); } const decoded = jwt.verify(token, process.env.JWT_SECRET); // Log what's in the token for debugging console.log('🔍 JWT Token decoded:', { userId: decoded.userId, username: decoded.username, role: decoded.role, tenantId: decoded.tenantId, provider: decoded.provider }); // For older tokens without tenantId, we need to look up the user's tenant let tenantId = decoded.tenantId; const user = await models.User.findByPk(decoded.userId, { attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'], include: [{ model: models.Tenant, as: 'tenant', attributes: ['slug', 'name'] }] }); if (!user) { const errorResponse = createErrorResponse(req, 401, 'USER_NOT_FOUND'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } if (!user.is_active) { const errorResponse = createErrorResponse(req, 401, 'ACCOUNT_DEACTIVATED'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } // Set user context with expected properties for compatibility req.user = { id: user.id, userId: user.id, // For backward compatibility username: user.username, email: user.email, role: user.role, is_active: user.is_active, tenant_id: user.tenant_id, tenant: user.tenant, tenantId: tenantId || (user.tenant ? user.tenant.slug : undefined) // Include tenantId in user object }; // Set tenant context - prefer JWT tenantId, fallback to user's tenant if (tenantId) { req.tenantId = tenantId; console.log('✅ Tenant context from JWT:', tenantId); } else if (user.tenant && user.tenant.slug) { req.tenantId = user.tenant.slug; console.log('✅ Tenant context from user record:', user.tenant.slug); } else { console.log('⚠️ No tenant context available'); } next(); } catch (error) { // Log authentication errors for monitoring (but not in tests) if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') { console.error('🔐 Authentication error:', { error: error.name, message: error.message, userAgent: req.headers['user-agent'], ip: req.ip || req.connection.remoteAddress, path: req.path }); } // Handle specific JWT errors with detailed responses if (error.name === 'TokenExpiredError') { const errorResponse = createErrorResponse(req, 401, 'TOKEN_EXPIRED'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } if (error.name === 'JsonWebTokenError') { const errorResponse = createErrorResponse(req, 401, 'INVALID_TOKEN'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } if (error.name === 'NotBeforeError') { const errorResponse = createErrorResponse(req, 401, 'TOKEN_NOT_ACTIVE'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } // Generic authentication error const errorResponse = createErrorResponse(req, 401, 'AUTHENTICATION_FAILED'); errorResponse.json.redirectToLogin = true; return res.status(errorResponse.status).json(errorResponse.json); } } function requireRole(roles) { return (req, res, next) => { if (!req.user) { return res.status(401).json({ success: false, message: 'Authentication required', error: 'NO_AUTH', errorCode: 'AUTH_REQUIRED', redirectToLogin: true }); } const userRoles = Array.isArray(roles) ? roles : [roles]; if (!userRoles.includes(req.user.role)) { return res.status(403).json({ success: false, message: `Access denied. This action requires ${userRoles.join(' or ')} permissions, but you have ${req.user.role} permissions.`, error: 'INSUFFICIENT_PERMISSIONS', errorCode: 'PERMISSION_DENIED', userRole: req.user.role, requiredRoles: userRoles, redirectToLogin: false // Don't redirect for permission issues }); } next(); }; } module.exports = { authenticateToken, requireRole, setModels };