140 lines
3.5 KiB
JavaScript
140 lines
3.5 KiB
JavaScript
const jwt = require('jsonwebtoken');
|
|
const config = require('../config/config');
|
|
const { User } = require('../models');
|
|
|
|
/**
|
|
* Middleware to verify JWT token
|
|
*/
|
|
exports.verifyToken = async (req, res, next) => {
|
|
try {
|
|
// Get token from header
|
|
const authHeader = req.headers.authorization;
|
|
|
|
if (!authHeader || !authHeader.startsWith('Bearer ')) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'No token provided. Authorization header must be in format: Bearer <token>'
|
|
});
|
|
}
|
|
|
|
// Extract token
|
|
const token = authHeader.substring(7); // Remove 'Bearer ' prefix
|
|
|
|
// Verify token
|
|
const decoded = jwt.verify(token, config.jwt.secret);
|
|
|
|
// Attach user info to request
|
|
req.user = decoded;
|
|
|
|
next();
|
|
} catch (error) {
|
|
if (error.name === 'TokenExpiredError') {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Token expired. Please login again.'
|
|
});
|
|
} else if (error.name === 'JsonWebTokenError') {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Invalid token. Please login again.'
|
|
});
|
|
} else {
|
|
return res.status(500).json({
|
|
success: false,
|
|
message: 'Error verifying token',
|
|
error: error.message
|
|
});
|
|
}
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Middleware to check if user is admin
|
|
*/
|
|
exports.isAdmin = async (req, res, next) => {
|
|
try {
|
|
// Verify token first (should be called after verifyToken)
|
|
if (!req.user) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Authentication required'
|
|
});
|
|
}
|
|
|
|
// Check if user has admin role
|
|
if (req.user.role !== 'admin') {
|
|
return res.status(403).json({
|
|
success: false,
|
|
message: 'Access denied. Admin privileges required.'
|
|
});
|
|
}
|
|
|
|
next();
|
|
} catch (error) {
|
|
return res.status(500).json({
|
|
success: false,
|
|
message: 'Error checking admin privileges',
|
|
error: error.message
|
|
});
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Middleware to check if user owns the resource or is admin
|
|
*/
|
|
exports.isOwnerOrAdmin = async (req, res, next) => {
|
|
try {
|
|
// Verify token first (should be called after verifyToken)
|
|
if (!req.user) {
|
|
return res.status(401).json({
|
|
success: false,
|
|
message: 'Authentication required'
|
|
});
|
|
}
|
|
|
|
const resourceUserId = req.params.userId || req.body.userId;
|
|
|
|
// Allow if admin or if user owns the resource
|
|
if (req.user.role === 'admin' || req.user.userId === resourceUserId) {
|
|
next();
|
|
} else {
|
|
return res.status(403).json({
|
|
success: false,
|
|
message: 'Access denied. You can only access your own resources.'
|
|
});
|
|
}
|
|
} catch (error) {
|
|
return res.status(500).json({
|
|
success: false,
|
|
message: 'Error checking resource ownership',
|
|
error: error.message
|
|
});
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Optional auth middleware - attaches user if token present, but doesn't fail if missing
|
|
*/
|
|
exports.optionalAuth = async (req, res, next) => {
|
|
try {
|
|
const authHeader = req.headers.authorization;
|
|
|
|
if (authHeader && authHeader.startsWith('Bearer ')) {
|
|
const token = authHeader.substring(7);
|
|
|
|
try {
|
|
const decoded = jwt.verify(token, config.jwt.secret);
|
|
req.user = decoded;
|
|
} catch (error) {
|
|
// Token invalid or expired - continue as guest
|
|
req.user = null;
|
|
}
|
|
}
|
|
|
|
next();
|
|
} catch (error) {
|
|
// Any error - continue as guest
|
|
next();
|
|
}
|
|
};
|