/*
 * Authentication middleware for protecting routes.
 *
 * Provides middleware functions to:
 * - requireAdminAuth - Protect admin-only routes
 * - requireUserAuth - Protect user-only routes
 * - requireAnyAuth - Protect routes requiring any authenticated user
 */

import { validateSession } from '../services/authService.js';
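/**
 * Extract the auth token from a request.
 *
 * The `auth_token` cookie is consulted first, then the `Authorization`
 * header. Only the `Bearer` scheme is honoured (matched case-insensitively,
 * as the scheme name is case-insensitive per RFC 6750); a header carrying any
 * other scheme, or a bare `Bearer` with no credentials, yields `null` instead
 * of being handed to the session lookup as if it were a token.
 *
 * @param {object} req - Express-style request (`cookies`, `headers` are read).
 * @returns {string | null} the token, or `null` when the request carries none.
 */
function getAuthToken(req) {
  // An empty cookie value counts as "no cookie" so the header can still apply.
  const cookieToken = req.cookies?.auth_token;
  if (cookieToken) {
    return cookieToken;
  }

  const header = req.headers?.authorization;
  if (typeof header !== 'string') {
    return null;
  }

  // Anchor the scheme at the start of the header: a plain `replace('Bearer ', '')`
  // would strip the word from anywhere in the value and pass through non-Bearer
  // credentials unchanged.
  const match = /^\s*Bearer\s+(\S+)\s*$/i.exec(header);
  return match ? match[1] : null;
}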
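/**
 * Determine whether a request originates from an API/JSON consumer.
 *
 * This decides whether an unauthenticated request should receive a `401`
 * JSON body (for XHR/fetch callers) or a redirect to the appropriate login
 * page (for browser navigation). `req.originalUrl` is used instead of
 * `req.path` so the check also works when this middleware runs behind a
 * `Router` mount point.
 *
 * @param {object} req - Express-style request (`originalUrl`, `xhr`, `headers` are read).
 * @returns {boolean} always a real boolean, so callers can compare strictly.
 */
function isApiRequest(req) {
  // Guard against missing fields so the predicate never throws or returns
  // `undefined` for a request that simply lacks the header.
  const url = typeof req.originalUrl === 'string' ? req.originalUrl : '';
  const accept = typeof req.headers?.accept === 'string' ? req.headers.accept : '';

  return (
    url.startsWith('/api/') ||
    Boolean(req.xhr) ||
    accept.includes('application/json')
  );
}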
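/**
 * Shared core of the three auth middlewares below: resolve the caller's
 * session and either admit the request or reject it.
 *
 * Rejection shape depends on the caller (see `isApiRequest`): API/JSON
 * consumers get a `401` JSON body, browser navigations get a redirect to the
 * relevant login page. On success the validated session is exposed as
 * `req.session` and `next()` is called.
 *
 * @param {object} req - Express-style request; `req.session` is set on success.
 * @param {object} res - Express-style response (`status().json()` / `redirect()`).
 * @param {Function} next - continuation, called only when the session is accepted.
 * @param {object} policy
 * @param {string[] | null} policy.allowedTypes - `session.type` values admitted;
 *   `null` admits any valid session regardless of type.
 * @param {string} policy.message - JSON error message for API callers.
 * @param {string} policy.redirectTo - location sent to browser callers.
 * @returns {*} whatever `res.json`/`res.redirect` return on rejection, else `undefined`.
 */
function enforceSession(req, res, next, { allowedTypes, message, redirectTo }) {
  const token = getAuthToken(req);

  // NOTE(review): validateSession is relied on to be synchronous here. If it
  // ever returned a Promise, the truthiness check below would treat a pending
  // (possibly failing) lookup as a valid session — it must then be awaited.
  // Confirm against authService.
  const session = token ? validateSession(token) : null;

  // A falsy session is rejected outright; otherwise the type must be one of
  // the admitted ones (assumes validateSession yields an object carrying
  // `type`, as the original checks did — verify against authService).
  const accepted =
    Boolean(session) && (allowedTypes === null || allowedTypes.includes(session.type));

  if (!accepted) {
    if (isApiRequest(req)) {
      return res.status(401).json({ message });
    }
    return res.redirect(redirectTo);
  }

  // Expose the validated session to downstream handlers.
  req.session = session;
  next();
}

/**
 * Middleware to require admin authentication.
 * Redirects to the admin login page for HTML requests, returns 401 for API requests.
 *
 * @param {object} req
 * @param {object} res
 * @param {Function} next
 */
export function requireAdminAuth(req, res, next) {
  return enforceSession(req, res, next, {
    allowedTypes: ['admin'],
    message: 'Admin authentication required.',
    redirectTo: '/login-admin',
  });
}

/**
 * Middleware to require user authentication.
 * Redirects to the user login page for HTML requests, returns 401 for API requests.
 *
 * @param {object} req
 * @param {object} res
 * @param {Function} next
 */
export function requireUserAuth(req, res, next) {
  return enforceSession(req, res, next, {
    allowedTypes: ['user'],
    message: 'User authentication required.',
    redirectTo: '/login-user',
  });
}

/**
 * Middleware to require any authentication (admin or user).
 * Redirects to the site root for HTML requests, returns 401 for API requests.
 *
 * @param {object} req
 * @param {object} res
 * @param {Function} next
 */
export function requireAnyAuth(req, res, next) {
  return enforceSession(req, res, next, {
    allowedTypes: null,
    message: 'Authentication required.',
    redirectTo: '/',
  });
}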