borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
155ff8984a70457f1b9364fcf555714a70b0a9c8
drone-detector/server/middleware/auth.js
Alexander Borg 3f1b50871a Fix jwt-token
2025-09-19 08:14:41 +02:00

174 lines
5.6 KiB
JavaScript
Raw Blame History

const jwt = require('jsonwebtoken');
const { createErrorResponse, getLanguageFromRequest } = require('../utils/i18n');
// Allow models to be injected for testing
let models = null;
try {
models = require('../models');
} catch (error) {
// Models will be injected during testing
}
// Function to set models (used in testing)
function setModels(testModels) {
models = testModels;
}
async function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
if (!authHeader) {
const errorResponse = createErrorResponse(req, 401, 'NO_TOKEN');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
// Check for proper Bearer token format
if (!authHeader.startsWith('Bearer ')) {
const errorResponse = createErrorResponse(req, 401, 'INVALID_TOKEN');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
const token = authHeader.split(' ')[1];
if (!token) {
const errorResponse = createErrorResponse(req, 401, 'NO_TOKEN');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET);
// Log what's in the token for debugging
console.log('🔍 JWT Token decoded:', {
userId: decoded.userId,
username: decoded.username,
role: decoded.role,
tenantId: decoded.tenantId,
provider: decoded.provider
});
// For older tokens without tenantId, we need to look up the user's tenant
let tenantId = decoded.tenantId;
const user = await models.User.findByPk(decoded.userId, {
attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'],
include: [{
model: models.Tenant,
as: 'tenant',
attributes: ['slug', 'name']
}]
});
if (!user) {
const errorResponse = createErrorResponse(req, 401, 'USER_NOT_FOUND');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
if (!user.is_active) {
const errorResponse = createErrorResponse(req, 401, 'ACCOUNT_DEACTIVATED');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
// Set user context with expected properties for compatibility
req.user = {
id: user.id,
userId: user.id, // For backward compatibility
username: user.username,
email: user.email,
role: user.role,
is_active: user.is_active,
tenant_id: user.tenant_id,
tenant: user.tenant,
tenantId: tenantId || (user.tenant ? user.tenant.slug : undefined) // Include tenantId in user object
};
// Set tenant context - prefer JWT tenantId, fallback to user's tenant
if (tenantId) {
req.tenantId = tenantId;
console.log('✅ Tenant context from JWT:', tenantId);
} else if (user.tenant && user.tenant.slug) {
req.tenantId = user.tenant.slug;
console.log('✅ Tenant context from user record:', user.tenant.slug);
} else {
console.log('⚠️ No tenant context available');
}
next();
} catch (error) {
// Log authentication errors for monitoring (but not in tests)
if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') {
console.error('🔐 Authentication error:', {
error: error.name,
message: error.message,
userAgent: req.headers['user-agent'],
ip: req.ip || req.connection.remoteAddress,
path: req.path
});
}
// Handle specific JWT errors with detailed responses
if (error.name === 'TokenExpiredError') {
const errorResponse = createErrorResponse(req, 401, 'TOKEN_EXPIRED');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
if (error.name === 'JsonWebTokenError') {
const errorResponse = createErrorResponse(req, 401, 'INVALID_TOKEN');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
if (error.name === 'NotBeforeError') {
const errorResponse = createErrorResponse(req, 401, 'TOKEN_NOT_ACTIVE');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
// Generic authentication error
const errorResponse = createErrorResponse(req, 401, 'AUTHENTICATION_FAILED');
errorResponse.json.redirectToLogin = true;
return res.status(errorResponse.status).json(errorResponse.json);
}
}
function requireRole(roles) {
return (req, res, next) => {
if (!req.user) {
return res.status(401).json({
success: false,
message: 'Authentication required',
error: 'NO_AUTH',
errorCode: 'AUTH_REQUIRED',
redirectToLogin: true
});
}
const userRoles = Array.isArray(roles) ? roles : [roles];
if (!userRoles.includes(req.user.role)) {
return res.status(403).json({
success: false,
message: `Access denied. This action requires ${userRoles.join(' or ')} permissions, but you have ${req.user.role} permissions.`,
error: 'INSUFFICIENT_PERMISSIONS',
errorCode: 'PERMISSION_DENIED',
userRole: req.user.role,
requiredRoles: userRoles,
redirectToLogin: false // Don't redirect for permission issues
});
}
next();
};
}
module.exports = {
authenticateToken,
requireRole,
setModels
};
Reference in New Issue View Git Blame Copy Permalink