const { getTokenByToken } = require("../functions/api");
// Single, module-level error thrown for every authentication/authorization
// failure in this file. It is constructed once at load time (so its stack
// points here, not at the throw site) and the same instance is handed to
// next(error) on each rejected request; keep it immutable in error handlers.
// Carries a `status` so a downstream error handler can map it to an HTTP code.
const permissionError = Object.assign(new Error("PermissionError"), {
  name: "Inadequate Permission Error",
  status: 401,
  message: "Inadequate permission to complete this response",
});
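/**
 * Express middleware: authenticates the request from its `auth-token` header
 * and authorizes the requested route/method against the token's permission.
 *
 * On success `req.token` and `req.user` are populated and `next()` is called.
 * Every failure — missing or invalid token, unresolvable user, insufficient
 * permission, or an exception from the lookup helpers — is forwarded to
 * `next(error)`; the middleware never writes a response itself.
 *
 * @param {object} req - Express request; reads `header()`, `method`, `originalUrl`.
 * @param {object} res - Express response (unused here).
 * @param {Function} next - Express continuation; receives the error on failure.
 * @returns {Promise<void>}
 */
async function auth(req, res, next) {
  try {
    const rawToken = req.header("auth-token");
    // Fail closed before touching the token store: an absent or empty header
    // can never authenticate, and we do not want to rely on how
    // getTokenByToken treats an `undefined` lookup value (not visible here;
    // some query layers treat an undefined filter as "match anything").
    if (!rawToken) {
      throw permissionError;
    }

    const token = await getTokenByToken(rawToken);
    if (!token || !token.isValid) {
      throw permissionError;
    }

    // Token matched: expose it and its owner to downstream handlers.
    req.token = token;
    req.user = await token.getUser();
    // NOTE(review): fail closed if the owner cannot be resolved (e.g. a token
    // outliving its user); getUser's behaviour for that case is not visible
    // here, so this guard is conservative rather than a known code path.
    if (!req.user) {
      throw permissionError;
    }

    const route = req.originalUrl.split("?")[0]; // drop the query string
    if (isAuthorized(route, req.method, token.permission)) {
      return next();
    }

    // NOTE(review): insufficient permission reuses the same 401 error as a
    // bad token; a 403 would let clients distinguish the two. Left unchanged
    // to preserve the existing client contract.
    throw permissionError;
  } catch (error) {
    next(error);
  }
}

// Methods a `canWrite` token may use anywhere.
const WRITE_METHODS = new Set(["GET", "POST", "PUT", "DELETE"]);

/**
 * Pure authorization decision for an already-authenticated token.
 *
 * Rules (deny by default):
 *  - `canRead` on a route containing "/user/" may use any method;
 *  - `canRead` elsewhere may only GET;
 *  - `canWrite` may use GET/POST/PUT/DELETE anywhere;
 *  - anything else (other methods, unknown permission values) is denied.
 *
 * @param {string} route - Request path with the query string removed.
 * @param {string} method - HTTP method (e.g. "GET").
 * @param {string} permission - Permission level stored on the token.
 * @returns {boolean} true when the request may proceed.
 */
function isAuthorized(route, method, permission) {
  // NOTE(review): substring match — any path that merely contains "/user/"
  // (not only one rooted there) grants a canRead token full CRUD. Confirm
  // that scope is intended; otherwise anchor it (e.g. `startsWith`).
  if (route.includes("/user/") && permission === "canRead") {
    return true;
  }
  if (permission === "canRead") {
    return method === "GET";
  }
  if (permission === "canWrite") {
    return WRITE_METHODS.has(method);
  }
  return false;
}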
module.exports = { auth }; // CommonJS export; the middleware is this module's only public surface