145 lines
3.5 KiB
JavaScript
145 lines
3.5 KiB
JavaScript
const jwt = require('jsonwebtoken');
|
|
|
|
// Allow models to be injected for testing
|
|
let models = null;
|
|
try {
|
|
models = require('../models');
|
|
} catch (error) {
|
|
// Models will be injected during testing
|
|
}
|
|
|
|
// Function to set models (used in testing)
|
|
function setModels(testModels) {
|
|
models = testModels;
|
|
}
|
|
|
|
async function authenticateToken(req, res, next) {
|
|
const authHeader = req.headers['authorization'];
|
|
|
|
if (!authHeader) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Access token required'
|
|
});
|
|
}
|
|
|
|
// Check for proper Bearer token format
|
|
if (!authHeader.startsWith('Bearer ')) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Invalid token format'
|
|
});
|
|
}
|
|
|
|
const token = authHeader.split(' ')[1];
|
|
|
|
if (!token) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Access token required'
|
|
});
|
|
}
|
|
|
|
try {
|
|
const decoded = jwt.verify(token, process.env.JWT_SECRET);
|
|
|
|
// Log what's in the token for debugging
|
|
console.log('🔍 JWT Token decoded:', {
|
|
userId: decoded.userId,
|
|
username: decoded.username,
|
|
role: decoded.role,
|
|
tenantId: decoded.tenantId,
|
|
provider: decoded.provider
|
|
});
|
|
|
|
// For older tokens without tenantId, we need to look up the user's tenant
|
|
let tenantId = decoded.tenantId;
|
|
|
|
const user = await models.User.findByPk(decoded.userId, {
|
|
attributes: ['id', 'username', 'email', 'role', 'is_active', 'tenant_id'],
|
|
include: [{
|
|
model: models.Tenant,
|
|
as: 'tenant',
|
|
attributes: ['slug', 'name']
|
|
}]
|
|
});
|
|
|
|
if (!user || !user.is_active) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Invalid or inactive user'
|
|
});
|
|
}
|
|
|
|
// Set user context with expected properties for compatibility
|
|
req.user = {
|
|
id: user.id,
|
|
userId: user.id, // For backward compatibility
|
|
username: user.username,
|
|
email: user.email,
|
|
role: user.role,
|
|
is_active: user.is_active,
|
|
tenant_id: user.tenant_id,
|
|
tenant: user.tenant
|
|
};
|
|
|
|
// Set tenant context - prefer JWT tenantId, fallback to user's tenant
|
|
if (tenantId) {
|
|
req.tenantId = tenantId;
|
|
console.log('✅ Tenant context from JWT:', tenantId);
|
|
} else if (user.tenant && user.tenant.slug) {
|
|
req.tenantId = user.tenant.slug;
|
|
console.log('✅ Tenant context from user record:', user.tenant.slug);
|
|
} else {
|
|
console.log('⚠️ No tenant context available');
|
|
}
|
|
|
|
next();
|
|
} catch (error) {
|
|
// Only log unexpected errors, not common JWT validation failures
|
|
if (process.env.NODE_ENV !== 'test' || error.name === 'TypeError') {
|
|
console.error('Token verification error:', error);
|
|
}
|
|
|
|
// Handle specific JWT errors
|
|
if (error.name === 'TokenExpiredError') {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Token expired'
|
|
});
|
|
}
|
|
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Invalid token'
|
|
});
|
|
}
|
|
}
|
|
|
|
function requireRole(roles) {
|
|
return (req, res, next) => {
|
|
if (!req.user) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Authentication required'
|
|
});
|
|
}
|
|
|
|
const userRoles = Array.isArray(roles) ? roles : [roles];
|
|
if (!userRoles.includes(req.user.role)) {
|
|
return res.status(403).json({
|
|
success: false,
|
|
message: 'Insufficient permissions'
|
|
});
|
|
}
|
|
|
|
next();
|
|
};
|
|
}
|
|
|
|
module.exports = {
|
|
authenticateToken,
|
|
requireRole,
|
|
setModels
|
|
};
|