borg/drone-detector
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ae7b75365928abd708821215d1ab4a6b58b1901
drone-detector/server/routes/tenant.js
Alexander Borg 04d15485bf Fix jwt-token
2025-09-20 06:25:08 +02:00

1119 lines
32 KiB
JavaScript
Raw Blame History

/**
* Tenant Self-Management Routes
* Allows tenant admins to manage their own tenant settings
*/
const express = require('express');
const multer = require('multer');
const path = require('path');
const fs = require('fs');
const router = express.Router();
const { Tenant, User } = require('../models');
const { authenticateToken } = require('../middleware/auth');
const { requirePermissions, requireAnyPermission, hasPermission } = require('../middleware/rbac');
const MultiTenantAuth = require('../middleware/multi-tenant-auth');
// Initialize multi-tenant auth
const multiAuth = new MultiTenantAuth();
// Configure multer for logo uploads
const storage = multer.diskStorage({
destination: function (req, file, cb) {
const uploadDir = path.join(__dirname, '../uploads/logos');
// Create directory if it doesn't exist
if (!fs.existsSync(uploadDir)) {
fs.mkdirSync(uploadDir, { recursive: true });
}
cb(null, uploadDir);
},
filename: function (req, file, cb) {
// Use tenant ID and timestamp for unique filename
const tenantId = req.user.tenant_id;
const ext = path.extname(file.originalname);
const filename = `tenant-${tenantId}-${Date.now()}${ext}`;
cb(null, filename);
}
});
const upload = multer({
storage: storage,
limits: {
fileSize: 5 * 1024 * 1024 // 5MB limit
},
fileFilter: function (req, file, cb) {
// Accept only image files
if (file.mimetype.startsWith('image/')) {
cb(null, true);
} else {
cb(new Error('Only image files are allowed'), false);
}
}
});
/**
* GET /tenant/info
* Get current tenant information
*/
router.get('/info', authenticateToken, requirePermissions(['tenant.view']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Return tenant info (excluding sensitive data)
const tenantInfo = {
id: tenant.id,
name: tenant.name,
slug: tenant.slug,
domain: tenant.domain,
subscription_type: tenant.subscription_type,
is_active: tenant.is_active,
auth_provider: tenant.auth_provider,
branding: tenant.branding,
features: tenant.features,
admin_email: tenant.admin_email,
admin_phone: tenant.admin_phone,
billing_email: tenant.billing_email,
created_at: tenant.created_at,
// IP restriction info (for security admins only)
ip_restriction_enabled: hasPermission(req.user.role, 'security.view') ? tenant.ip_restriction_enabled : undefined,
ip_whitelist: hasPermission(req.user.role, 'security.view') ? tenant.ip_whitelist : undefined,
ip_restriction_message: hasPermission(req.user.role, 'security.view') ? tenant.ip_restriction_message : undefined
};
res.json({
success: true,
data: tenantInfo
});
} catch (error) {
console.error('Error fetching tenant info:', error);
res.status(500).json({
success: false,
message: 'Failed to fetch tenant information'
});
}
});
/**
* POST /tenant/logo-upload
* Upload tenant logo (branding admin or higher)
*/
router.post('/logo-upload', authenticateToken, requirePermissions(['branding.edit']), upload.single('logo'), async (req, res) => {
try {
if (!req.file) {
return res.status(400).json({
success: false,
message: 'No file uploaded'
});
}
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Invalid tenant'
});
}
// Get tenant by slug
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Clean up old logo file if it exists
if (tenant.branding?.logo_url) {
const oldLogoPath = tenant.branding.logo_url.replace('/uploads/logos/', '');
const oldFilePath = path.join(__dirname, '../uploads/logos', oldLogoPath);
if (fs.existsSync(oldFilePath)) {
fs.unlinkSync(oldFilePath);
}
}
// Create logo URL
const logoUrl = `/uploads/logos/${req.file.filename}`;
// Update tenant branding with new logo
const updatedBranding = {
...tenant.branding,
logo_url: logoUrl
};
await tenant.update({ branding: updatedBranding });
console.log(`✅ Tenant "${tenantId}" logo uploaded by user "${req.user.username}"`);
res.json({
success: true,
message: 'Logo uploaded successfully',
data: {
logo_url: logoUrl,
branding: updatedBranding
}
});
} catch (error) {
console.error('Error uploading logo:', error);
// Clean up uploaded file on error
if (req.file && fs.existsSync(req.file.path)) {
fs.unlinkSync(req.file.path);
}
res.status(500).json({
success: false,
message: 'Failed to upload logo'
});
}
});
/**
* PUT /tenant/branding
* Update tenant branding (branding admin or higher)
*/
router.put('/branding', authenticateToken, requirePermissions(['branding.edit']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
const { logo_url, primary_color, secondary_color, company_name } = req.body;
// Validate colors
const colorRegex = /^#([A-Fa-f0-9]{6}|[A-Fa-f0-9]{3})$/;
if (primary_color && !colorRegex.test(primary_color)) {
return res.status(400).json({
success: false,
message: 'Invalid primary color format'
});
}
if (secondary_color && !colorRegex.test(secondary_color)) {
return res.status(400).json({
success: false,
message: 'Invalid secondary color format'
});
}
// Update branding
const updatedBranding = {
...tenant.branding,
logo_url: logo_url || tenant.branding?.logo_url || '',
primary_color: primary_color || tenant.branding?.primary_color || '#3B82F6',
secondary_color: secondary_color || tenant.branding?.secondary_color || '#1F2937',
company_name: company_name || tenant.branding?.company_name || ''
};
await tenant.update({ branding: updatedBranding });
console.log(`✅ Tenant "${tenantId}" branding updated by user "${req.user.username}"`);
res.json({
success: true,
message: 'Branding updated successfully',
data: { branding: updatedBranding }
});
} catch (error) {
console.error('Error updating tenant branding:', error);
res.status(500).json({
success: false,
message: 'Failed to update branding'
});
}
});
/**
* PUT /tenant/security
* Update tenant security settings (security admin or higher)
*/
router.put('/security', authenticateToken, requirePermissions(['security.edit']), async (req, res) => {
try {
console.log('🔒 Security settings update request:', req.body);
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
console.log('🔍 Security update - tenant:', tenantId);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
console.log('🔍 Current tenant settings:', {
ip_restriction_enabled: tenant.ip_restriction_enabled,
ip_whitelist: tenant.ip_whitelist,
ip_restriction_message: tenant.ip_restriction_message
});
const { ip_restriction_enabled, ip_whitelist, ip_restriction_message } = req.body;
// Validate IP whitelist if provided
if (ip_whitelist && Array.isArray(ip_whitelist)) {
for (const ip of ip_whitelist) {
// Basic IP validation (could be enhanced)
if (typeof ip !== 'string' || ip.trim().length === 0) {
return res.status(400).json({
success: false,
message: 'Invalid IP address in whitelist'
});
}
}
}
// Update security settings
const updates = {};
if (typeof ip_restriction_enabled === 'boolean') {
updates.ip_restriction_enabled = ip_restriction_enabled;
console.log('🔧 Setting ip_restriction_enabled to:', ip_restriction_enabled);
}
if (ip_whitelist) {
updates.ip_whitelist = ip_whitelist;
console.log('🔧 Setting ip_whitelist to:', ip_whitelist);
}
if (ip_restriction_message) {
updates.ip_restriction_message = ip_restriction_message;
console.log('🔧 Setting ip_restriction_message to:', ip_restriction_message);
}
console.log('🔧 Final updates object:', updates);
await tenant.update(updates);
await tenant.reload(); // Refresh the tenant object
console.log('🔧 After update - tenant settings:', {
ip_restriction_enabled: tenant.ip_restriction_enabled,
ip_whitelist: tenant.ip_whitelist,
ip_restriction_message: tenant.ip_restriction_message
});
console.log(`✅ Tenant "${tenantId}" security settings updated by user "${req.user.username}"`);
res.json({
success: true,
message: 'Security settings updated successfully',
data: {
ip_restriction_enabled: tenant.ip_restriction_enabled,
ip_whitelist: tenant.ip_whitelist,
ip_restriction_message: tenant.ip_restriction_message
}
});
} catch (error) {
console.error('Error updating tenant security:', error);
res.status(500).json({
success: false,
message: 'Failed to update security settings'
});
}
});
/**
* GET /tenant/users
* Get users in current tenant (user admin or higher)
*/
router.get('/users', authenticateToken, requirePermissions(['users.view']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Get users in this tenant
const users = await User.findAll({
where: { tenant_id: tenant.id },
attributes: ['id', 'username', 'email', 'role', 'is_active', 'last_login', 'created_at'],
order: [['created_at', 'DESC']]
});
res.json({
success: true,
data: users
});
} catch (error) {
console.error('Error fetching tenant users:', error);
res.status(500).json({
success: false,
message: 'Failed to fetch users'
});
}
});
/**
* POST /tenant/users
* Create a new user in current tenant (user admin or higher, local auth only)
*/
router.post('/users', authenticateToken, requirePermissions(['users.create']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Check if tenant uses local authentication
if (tenant.auth_provider !== 'local') {
return res.status(400).json({
success: false,
message: `User creation is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
});
}
const { username, email, password, role = 'viewer', is_active = true } = req.body;
// Validate required fields
if (!username || !email || !password) {
return res.status(400).json({
success: false,
message: 'Username, email, and password are required'
});
}
// Validate role
const validRoles = ['admin', 'operator', 'viewer'];
if (!validRoles.includes(role)) {
return res.status(400).json({
success: false,
message: 'Invalid role. Must be admin, operator, or viewer'
});
}
// Check if username or email already exists in this tenant
const existingUser = await User.findOne({
where: {
tenant_id: tenant.id,
[require('sequelize').Op.or]: [
{ username },
{ email }
]
}
});
if (existingUser) {
return res.status(400).json({
success: false,
message: 'Username or email already exists in this tenant'
});
}
// Create user
const user = await User.create({
username,
email,
password_hash: password, // Will be hashed by the model
role,
is_active,
tenant_id: tenant.id,
created_by: req.user.id
});
console.log(`✅ User "${username}" created in tenant "${tenantId}" by admin "${req.user.username}"`);
// Return user data (without password)
const userData = {
id: user.id,
username: user.username,
email: user.email,
role: user.role,
is_active: user.is_active,
created_at: user.created_at
};
res.status(201).json({
success: true,
message: 'User created successfully',
data: userData
});
} catch (error) {
console.error('Error creating tenant user:', error);
res.status(500).json({
success: false,
message: 'Failed to create user'
});
}
});
/**
* PUT /tenant/users/:userId/status
* Update user status (activate/deactivate) (user admin or higher, local auth only)
*/
router.put('/users/:userId/status', authenticateToken, requirePermissions(['users.edit']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Check if tenant uses local authentication
if (tenant.auth_provider !== 'local') {
return res.status(400).json({
success: false,
message: `User management is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
});
}
const { userId } = req.params;
const { is_active } = req.body;
if (typeof is_active !== 'boolean') {
return res.status(400).json({
success: false,
message: 'is_active must be a boolean value'
});
}
// Find user in this tenant
const user = await User.findOne({
where: {
id: userId,
tenant_id: tenant.id
}
});
if (!user) {
return res.status(404).json({
success: false,
message: 'User not found in this tenant'
});
}
// Prevent self-deactivation
if (user.id === req.user.id && !is_active) {
return res.status(400).json({
success: false,
message: 'You cannot deactivate your own account'
});
}
// Update user status
await user.update({ is_active });
console.log(`✅ User "${user.username}" ${is_active ? 'activated' : 'deactivated'} in tenant "${tenantId}" by admin "${req.user.username}"`);
res.json({
success: true,
message: `User ${is_active ? 'activated' : 'deactivated'} successfully`,
data: {
id: user.id,
username: user.username,
is_active: user.is_active
}
});
} catch (error) {
console.error('Error updating user status:', error);
res.status(500).json({
success: false,
message: 'Failed to update user status'
});
}
});
/**
* PUT /tenant/users/:userId
* Update user details (user admin or higher, local auth only)
*/
router.put('/users/:userId', authenticateToken, requirePermissions(['users.edit']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Check if tenant uses local authentication
if (tenant.auth_provider !== 'local') {
return res.status(400).json({
success: false,
message: `User management is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
});
}
const { userId } = req.params;
const { email, first_name, last_name, phone, role, password } = req.body;
// Find user in this tenant
const user = await User.findOne({
where: {
id: userId,
tenant_id: tenant.id
}
});
if (!user) {
return res.status(404).json({
success: false,
message: 'User not found in this tenant'
});
}
// Prepare update data
const updateData = {};
if (email !== undefined) updateData.email = email;
if (first_name !== undefined) updateData.first_name = first_name;
if (last_name !== undefined) updateData.last_name = last_name;
if (phone !== undefined) updateData.phone = phone;
// Role update with permission check
if (role !== undefined) {
// Check if current user has permission to assign this role
if (!hasPermission(req.user.role, 'users.edit')) {
return res.status(403).json({
success: false,
message: 'Insufficient permissions to change user roles'
});
}
updateData.role = role;
}
// Password update
if (password && password.trim()) {
const bcrypt = require('bcryptjs');
updateData.password_hash = await bcrypt.hash(password.trim(), 10);
}
// Update user
await user.update(updateData);
console.log(`✅ User "${user.username}" updated in tenant "${tenantId}" by admin "${req.user.username}"`);
// Return updated user data (without password)
const userData = {
id: user.id,
username: user.username,
email: user.email,
first_name: user.first_name,
last_name: user.last_name,
phone: user.phone,
role: user.role,
is_active: user.is_active,
created_at: user.created_at,
updated_at: user.updated_at
};
res.json({
success: true,
message: 'User updated successfully',
data: userData
});
} catch (error) {
console.error('Error updating user:', error);
res.status(500).json({
success: false,
message: 'Failed to update user'
});
}
});
/**
* DELETE /tenant/users/:userId
* Delete a user permanently (user admin or higher, local auth only)
*/
router.delete('/users/:userId', authenticateToken, requirePermissions(['users.delete']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Check if tenant uses local authentication
if (tenant.auth_provider !== 'local') {
return res.status(400).json({
success: false,
message: `User deletion is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
});
}
const { userId } = req.params;
// Find user in this tenant
const user = await User.findOne({
where: {
id: userId,
tenant_id: tenant.id
}
});
if (!user) {
return res.status(404).json({
success: false,
message: 'User not found in this tenant'
});
}
// Prevent self-deletion
if (user.id === req.user.id) {
return res.status(400).json({
success: false,
message: 'Cannot delete your own account'
});
}
// Store user info for logging before deletion
const userInfo = {
id: user.id,
username: user.username,
email: user.email
};
// Delete the user
await user.destroy();
console.log(`🗑️ User "${userInfo.username}" (${userInfo.email}) deleted from tenant "${tenantId}" by admin "${req.user.username}"`);
res.json({
success: true,
message: 'User deleted successfully'
});
} catch (error) {
console.error('Error deleting user:', error);
res.status(500).json({
success: false,
message: 'Failed to delete user'
});
}
});
/**
* DELETE /tenant/users/:userId
* Delete user permanently (user admin or higher, local auth only)
*/
router.delete('/users/:userId', authenticateToken, requirePermissions(['users.delete']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Check if tenant uses local authentication
if (tenant.auth_provider !== 'local') {
return res.status(400).json({
success: false,
message: `User management is only available for local authentication. This tenant uses ${tenant.auth_provider}.`
});
}
const { userId } = req.params;
// Find user in this tenant
const user = await User.findOne({
where: {
id: userId,
tenant_id: tenant.id
}
});
if (!user) {
return res.status(404).json({
success: false,
message: 'User not found in this tenant'
});
}
// Prevent self-deletion
if (user.id === req.user.id) {
return res.status(400).json({
success: false,
message: 'Cannot delete your own user account'
});
}
// Store username for logging before deletion
const deletedUsername = user.username;
// Delete the user permanently
await user.destroy();
console.log(`⚠️ User "${deletedUsername}" permanently deleted from tenant "${tenantId}" by admin "${req.user.username}"`);
res.json({
success: true,
message: 'User deleted successfully'
});
} catch (error) {
console.error('Error deleting user:', error);
res.status(500).json({
success: false,
message: 'Failed to delete user'
});
}
});
/**
* GET /tenant/auth
* Get authentication configuration (auth admins or higher)
*/
router.get('/auth', authenticateToken, requirePermissions(['auth.view']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
// Return auth configuration (excluding sensitive credentials)
const authConfig = {
auth_provider: tenant.auth_provider,
auth_config: tenant.auth_config ? {
...tenant.auth_config,
// Hide sensitive fields
client_secret: tenant.auth_config.client_secret ? '***HIDDEN***' : undefined,
bind_password: tenant.auth_config.bind_password ? '***HIDDEN***' : undefined,
service_password: tenant.auth_config.service_password ? '***HIDDEN***' : undefined,
certificate: tenant.auth_config.certificate ? '***HIDDEN***' : undefined
} : {},
session_timeout: tenant.session_timeout || 480,
require_mfa: tenant.require_mfa || false,
allow_concurrent_sessions: tenant.allow_concurrent_sessions !== false
};
console.log(`✅ Auth config retrieved for tenant "${tenantId}" by "${req.user.username}"`);
res.json({
success: true,
data: authConfig
});
} catch (error) {
console.error('Error retrieving auth config:', error);
res.status(500).json({
success: false,
message: 'Failed to retrieve authentication configuration'
});
}
});
/**
* PUT /tenant/auth
* Update authentication configuration (auth admins or higher)
*/
router.put('/auth', authenticateToken, requirePermissions(['auth.edit']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
const {
auth_provider,
auth_config,
session_timeout,
require_mfa,
allow_concurrent_sessions,
role_mappings
} = req.body;
// Validate auth provider
const validProviders = ['local', 'saml', 'oauth', 'ldap', 'ad'];
if (auth_provider && !validProviders.includes(auth_provider)) {
return res.status(400).json({
success: false,
message: 'Invalid authentication provider'
});
}
// Validate session timeout
if (session_timeout && (session_timeout < 15 || session_timeout > 1440)) {
return res.status(400).json({
success: false,
message: 'Session timeout must be between 15 and 1440 minutes'
});
}
// Prepare update data
const updateData = {};
if (auth_provider) updateData.auth_provider = auth_provider;
if (auth_config) {
// Merge with existing config, preserving hidden sensitive fields
const existingConfig = tenant.auth_config || {};
updateData.auth_config = {
...existingConfig,
...auth_config,
// Restore hidden fields if they weren't changed
client_secret: auth_config.client_secret === '***HIDDEN***' ? existingConfig.client_secret : auth_config.client_secret,
bind_password: auth_config.bind_password === '***HIDDEN***' ? existingConfig.bind_password : auth_config.bind_password,
service_password: auth_config.service_password === '***HIDDEN***' ? existingConfig.service_password : auth_config.service_password,
certificate: auth_config.certificate === '***HIDDEN***' ? existingConfig.certificate : auth_config.certificate
};
}
if (session_timeout !== undefined) updateData.session_timeout = session_timeout;
if (require_mfa !== undefined) updateData.require_mfa = require_mfa;
if (allow_concurrent_sessions !== undefined) updateData.allow_concurrent_sessions = allow_concurrent_sessions;
if (role_mappings) updateData.role_mappings = role_mappings;
// Update tenant
await tenant.update(updateData);
console.log(`✅ Auth config updated for tenant "${tenantId}" by admin "${req.user.username}"`);
// Return updated config (with hidden sensitive fields)
const updatedConfig = {
auth_provider: tenant.auth_provider,
auth_config: tenant.auth_config ? {
...tenant.auth_config,
client_secret: tenant.auth_config.client_secret ? '***HIDDEN***' : undefined,
bind_password: tenant.auth_config.bind_password ? '***HIDDEN***' : undefined,
service_password: tenant.auth_config.service_password ? '***HIDDEN***' : undefined,
certificate: tenant.auth_config.certificate ? '***HIDDEN***' : undefined
} : {},
session_timeout: tenant.session_timeout,
require_mfa: tenant.require_mfa,
allow_concurrent_sessions: tenant.allow_concurrent_sessions,
role_mappings: tenant.role_mappings
};
res.json({
success: true,
message: 'Authentication configuration updated successfully',
data: updatedConfig
});
} catch (error) {
console.error('Error updating auth config:', error);
res.status(500).json({
success: false,
message: 'Failed to update authentication configuration'
});
}
});
/**
* POST /tenant/auth/test
* Test authentication configuration (auth admins or higher)
*/
router.post('/auth/test', authenticateToken, requirePermissions(['auth.edit']), async (req, res) => {
try {
// Determine tenant from request
const tenantId = await multiAuth.determineTenant(req);
if (!tenantId) {
return res.status(400).json({
success: false,
message: 'Unable to determine tenant'
});
}
const tenant = await Tenant.findOne({ where: { slug: tenantId } });
if (!tenant) {
return res.status(404).json({
success: false,
message: 'Tenant not found'
});
}
const { test_username, test_password } = req.body;
// Simulate authentication test based on provider
const authProvider = tenant.auth_provider;
let testResult = {
success: false,
message: 'Authentication test not implemented for this provider',
details: {}
};
switch (authProvider) {
case 'local':
testResult = {
success: true,
message: 'Local authentication is always available',
details: { provider: 'local' }
};
break;
case 'saml':
// In real implementation, this would test SAML SSO endpoint
testResult = {
success: true,
message: 'SAML configuration appears valid (test connection would be performed in production)',
details: {
provider: 'saml',
sso_url: tenant.auth_config?.sso_url,
entity_id: tenant.auth_config?.entity_id
}
};
break;
case 'oauth':
// In real implementation, this would test OAuth endpoint
testResult = {
success: true,
message: 'OAuth configuration appears valid (test connection would be performed in production)',
details: {
provider: 'oauth',
oauth_provider: tenant.auth_config?.oauth_provider,
client_id: tenant.auth_config?.client_id
}
};
break;
case 'ldap':
case 'ad':
// In real implementation, this would test LDAP/AD connection
testResult = {
success: true,
message: `${authProvider.toUpperCase()} configuration appears valid (test connection would be performed in production)`,
details: {
provider: authProvider,
server: tenant.auth_config?.ldap_server || tenant.auth_config?.domain_controller
}
};
break;
}
console.log(`✅ Auth test performed for tenant "${tenantId}" by admin "${req.user.username}"`);
res.json({
success: true,
message: 'Authentication test completed',
data: testResult
});
} catch (error) {
console.error('Error testing auth config:', error);
res.status(500).json({
success: false,
message: 'Failed to test authentication configuration'
});
}
});
module.exports = router;
Reference in New Issue View Git Blame Copy Permalink