iotsensor fixed but session valid broken

2024-01-25 03:26:56 +08:00
parent 7403f66c8a
commit 057fbe2afb
19 changed files with 173 additions and 237 deletions
--- a/consumerWebsite/middleware/apiKey.js
+++ b/consumerWebsite/middleware/apiKey.js
@ -1,65 +0,0 @@
-const { checkAPikey } = require("../functions/api.js");
-async function apikeyCheck(req, res, next) {
-	//const authHeader = req.headers.authorization
-	try {
-		let apikey = req.headers.authorization;
-		if (!apikey) {
-            res.status(401).json({
-                message: "No API key was supplied. Invalid request",
-            });
-			//throw new Error("No API key was supplied. Invalid request");
-		} else {
-			//split the string by the -
-			let splitAPIkey = apikey.split("-");
-			let rowid = splitAPIkey[0];
-
-			//rejoin withouth the rowid
-			let SuppliedKey = splitAPIkey.slice(1).join("-");
-			if (checkAPikey(SuppliedKey, rowid)) {
-				//get permission
-				let permission = await checkAPikey(SuppliedKey, rowid);
-				console.log(permission);
-				if (req.method === "GET" && permission === "canRead") {
-					return next();
-				}
-				//['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)
-				if (
-					["GET", "POST", "PUT", "DELETE"].includes(req.method) &&
-					permission === "canWrite"
-				) {
-					console.log("write");
-					return next();
-				}
-				//throw status 403
-				res.status(403).json({
-					message:
-						"Your API key does not have the correct permissions to access this resource",
-				});
-			}
-		}
-	} catch (error) {
-		next(error);
-	}
-}
-
-module.exports = { apikeyCheck };
-
-/*
-//web server microservice
-1) take user supplied rowid-apikey
-2) split the string by -
-3) get the rowid or table id
-4) get the apikey
-5) compare the apikey with the one in database
-6) if match, return true
-*/
-
-/*
-
-I plan to seed some data in user and api
-Than use the system info and my API middleware will somehow check the supplied API key and check
-If it's correct API key and has canWrite perms
-I allow it to access put and post
-
-
-*/
--- a/consumerWebsite/middleware/authChecker.js
+++ b/consumerWebsite/middleware/authChecker.js
@ -1,31 +1,65 @@
-const { apikeyModel } = require("../database/model/apiKeyModel");
+const { tokenModel } = require("../database/model/tokenModel");
 const { userModel } = require("../database/model/userModel");
 const { compareHash } = require("../functions/bcrypt");
+const { checkToken } = require("../functions/api");
+const { isValid } = require("../functions/isValid");

-async function auth(req, res, next){
-    try{ 
-        //		let user = await Auth.checkToken({token: req.header('auth-token')});
-        let authToken = req.header('auth-token');
-        let splitAuthToken = authToken.split('-');
-        let rowid = splitAuthToken[0];
-        let suppliedToken = splitAuthToken.slice(1).join('-');

-        //get from db
-        let token = await apikeyModel.findByPk(rowid, {include: userModel});
-        if (!token) return false;
+async function auth(req, res, next) {
+    try {
+        const authToken = req.header("auth-token");
+        if (!authToken) {
+            const error = new Error("No Token key was supplied. Invalid request");
+            error.status = 401;
+            throw error;
+        }

-        //compare
-        let isMatch = await compareHash(suppliedToken, token.apikey);
-        if (!isMatch) return false;
+        const splitAuthToken = authToken.split("-");
+        const rowid = splitAuthToken[0];
+        const suppliedToken = splitAuthToken.slice(1).join("-");

-        //else do logic
-        //pass hashed token to req.token (IMPORTANT ITS NOT PASSED TO CLIENT)
-        req.token = token
-        req.user = await token.getUser(); //taking user seq obj from usermodel
-        next();
-    }catch(error){
+        const token = await tokenModel.findByPk(rowid, { include: userModel });
+
+        if (!token) {
+            const error = new Error("Token key not found. Invalid request");
+            error.status = 401;
+            throw error;
+        }
+
+        const isMatch = await compareHash(suppliedToken, token.token);
+
+        if (!isMatch) {
+            const error = new Error("Token key not found. Invalid request");
+            error.status = 401;
+            throw error;
+        }
+        //if token is a match
+        req.token = token;
+        req.user = await token.getUser();
+        const permission = await checkToken(suppliedToken, rowid);
+
+        const route = req.originalUrl.split("?")[0]; // Removing query parameters
+        //if route is from user/ and permission is canRead allow it to do CRUD
+        if (route.includes("/user/") && permission === "canRead") {
+            next();
+        }
+        else if ((req.method === "GET" && permission === "canRead") || (["GET", "POST", "PUT", "DELETE"].includes(req.method) && permission === "canWrite")) {
+            next();
+        }
+        else {
+            const error = new Error("Insufficient permission");
+            error.status = 401;
+            throw error;
+        }
+        if (!isValid(token.expiration)){
+            req.token.destroy();
+            throw new Error("Token expired");            
+        }
+
+     
+    } catch (error) {
        next(error);
    }
 }

-module.exports = { auth };
+module.exports = { auth };