const { tokenModel } = require("../database/model/tokenModel");
const { userModel } = require("../database/model/userModel");
const { compareHash } = require("../functions/bcrypt");
const { checkToken } = require("../functions/api");
const { isValid } = require("../functions/isValid");
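/**
 * Express middleware that authenticates a request from the `auth-token`
 * header and authorizes it against the token's permission level.
 *
 * Header format: `<rowid>-<secret>`. The part before the first `-` is the
 * primary key of the token row; everything after it (rejoined, so the secret
 * itself may contain `-`) is compared against the stored bcrypt hash.
 *
 * On success `req.token` and `req.user` are populated and `next()` is called
 * exactly once. On any failure `next(error)` is called exactly once with an
 * Error carrying an HTTP `status` (401 for authentication failures, 403 for an
 * authenticated token that lacks permission for this method/route).
 *
 * Fixes relative to the previous version:
 *  - the expiry check ran *after* `next()`, so an expired token still
 *    authorized the request; it now runs before any access is granted.
 *  - `next()` could be called twice (both permission branches matching, or a
 *    branch matching and the expiry check then throwing); there is now a
 *    single decision point and `next()` is invoked outside the try block so a
 *    downstream error is never fed back into our catch.
 *  - a token with no matching permission branch used to hang the request
 *    (neither `next()` nor an error); it now fails closed with 403.
 *  - `token.destroy()` was a floating promise; it is now awaited.
 *  - the `console.log(isMatch)` debug line leaked auth decisions to stdout.
 *
 * @param {import("express").Request} req
 * @param {import("express").Response} res
 * @param {import("express").NextFunction} next
 */
async function auth(req, res, next) {
  // Builds an Error with an attached HTTP status for the error handler.
  const httpError = (message, status) => {
    const error = new Error(message);
    error.status = status;
    return error;
  };

  try {
    const authToken = req.header("auth-token");
    if (!authToken) {
      throw httpError("No Token key was supplied. Invalid request", 401);
    }

    // First segment is the row id; the secret may itself contain '-', so the
    // remaining segments are joined back together.
    const [rowid, ...secretParts] = authToken.split("-");
    const suppliedToken = secretParts.join("-");

    const token = await tokenModel.findByPk(rowid, { include: userModel });
    if (!token) {
      throw httpError("Token key not found. Invalid request", 401);
    }

    // bcrypt comparison of the supplied secret against the stored hash.
    // Same message as the not-found case so the response does not reveal
    // whether the row id exists.
    const isMatch = await compareHash(suppliedToken, token.token);
    if (!isMatch) {
      throw httpError("Token key not found. Invalid request", 401);
    }

    // Expiry must be checked BEFORE granting access. isValid(expiration) is
    // treated as "true while the token is still unexpired" — presumably what
    // ../functions/isValid implements; confirm against that module.
    if (!isValid(token.expiration)) {
      await token.destroy();
      throw httpError("Token expired", 401);
    }

    req.token = token;
    req.user = await token.getUser();

    const permission = await checkToken(suppliedToken, rowid);

    // Strip the query string before matching on the path.
    const route = req.originalUrl.split("?")[0];

    // NOTE(review): `includes("/user/")` is a substring match, so any path
    // containing "/user/" (e.g. "/admin/user/…") takes this branch; if only
    // the user router is meant, anchor the match (startsWith / router mount).
    // A canRead token gets full CRUD on user routes — this preserves the
    // original intent documented in the previous version.
    const isUserRoute = route.includes("/user/") && permission === "canRead";
    const isReadOnlyAllowed = req.method === "GET" && permission === "canRead";
    const isWriteAllowed =
      ["GET", "POST", "PUT", "DELETE"].includes(req.method) &&
      permission === "canWrite";

    if (!(isUserRoute || isReadOnlyAllowed || isWriteAllowed)) {
      // Authenticated but not authorized for this method/route: fail closed.
      throw httpError("Insufficient permission", 403);
    }
  } catch (error) {
    return next(error);
  }

  // Outside the try block: an exception thrown by downstream handlers must not
  // be routed back through this middleware's catch (which would call next twice).
  next();
}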
// Expose the middleware under its own name for `const { auth } = require(...)`.
module.exports.auth = auth;
/*
|
|
else {
|
|
const error = new Error("Insufficient permission");
|
|
error.status = 401;
|
|
throw error;
|
|
}
|
|
|
|
*/ |