diff --git a/api/src/middlewares/authenticateToken.ts b/api/src/middlewares/authenticateToken.ts
index 0c02127..dc1f42e 100644
--- a/api/src/middlewares/authenticateToken.ts
+++ b/api/src/middlewares/authenticateToken.ts
@@ -23,11 +23,6 @@ export const authenticateAccessToken: RequestHandler = async (
 return next()
 }
 
- if (await isPublicRoute(req)) {
- req.user = publicUser
- return next()
- }
-
 const nextFunction = isAuthorizingRoute(req)
 ? () => authorize(req, res, next)
 : next
@@ -48,7 +43,7 @@ export const authenticateAccessToken: RequestHandler = async (
 return res.sendStatus(401)
 }
 
- authenticateToken(
+ await authenticateToken(
 req,
 res,
 nextFunction,
@@ -57,8 +52,12 @@ export const authenticateAccessToken: RequestHandler = async (
 )
 }
 
-export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
- authenticateToken(
+export const authenticateRefreshToken: RequestHandler = async (
+ req,
+ res,
+ next
+) => {
+ await authenticateToken(
 req,
 res,
 next,
@@ -67,7 +66,7 @@ export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
 )
 }
 
-const authenticateToken = (
+const authenticateToken = async (
 req: Request,
 res: Response,
 next: NextFunction,
@@ -90,26 +89,37 @@ const authenticateToken = (
 const authHeader = req.headers['authorization']
 const token = authHeader?.split(' ')[1]
 
- if (!token) return res.sendStatus(401)
- jwt.verify(token, key, async (err: any, data: any) => {
- if (err) return res.sendStatus(401)
+ try {
+ if (!token) throw 'Unauthorized'
 
- // verify this valid token's entry in DB
- const user = await verifyTokenInDB(
- data?.userId,
- data?.clientId,
- token,
- tokenType
- )
+ jwt.verify(token, key, async (err: any, data: any) => {
+ if (err) throw 'Unauthorized'
 
- if (user) {
- if (user.isActive) {
- req.user = user
- if (tokenType === 'accessToken') req.accessToken = token
- return next()
- } else return res.sendStatus(401)
+ // verify this valid token's entry in DB
+ const user = await verifyTokenInDB(
+ data?.userId,
+ data?.clientId,
+ token,
+ tokenType
+ )
+
+ if (user) {
+ if (user.isActive) {
+ req.user = user
+ if (tokenType === 'accessToken') req.accessToken = token
+ return next()
+ } else throw 'Unauthorized'
+ }
+
+ throw 'Unauthorized'
+ })
+ } catch (error) {
+ if (await isPublicRoute(req)) {
+ req.user = publicUser
+ return next()
 }
 
- return res.sendStatus(401)
- })
+
+ res.sendStatus(401)
+ }
 }
diff --git a/api/src/middlewares/authorize.ts b/api/src/middlewares/authorize.ts
index 3901b3e..6b389fb 100644
--- a/api/src/middlewares/authorize.ts
+++ b/api/src/middlewares/authorize.ts
@@ -5,7 +5,7 @@ import {
 PermissionSettingForRoute,
 PermissionType
 } from '../controllers/permission'
-import { getPath } from '../utils'
+import { getPath, isPublicRoute } from '../utils'
 
 export const authorize: RequestHandler = async (req, res, next) => {
 const { user } = req
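Review bot: The `throw 'Unauthorized'` statements inside the `jwt.verify` callback never reach the surrounding try/catch, because the callback form of `jwt.verify` returns `undefined` and invokes the async callback later; each throw becomes an unhandled promise rejection, so for a bad signature, an unknown token or an inactive user neither the public-route fallback nor `res.sendStatus(401)` runs and the request is left open. The `await authenticateToken(...)` added to the two callers in the earlier hunks of this file does not change this, since that promise resolves before verification has run. Use the synchronous `jwt.verify(token, key)`, which throws on a bad signature or expiry, and await the DB check directly in the try body so every failure lands in the catch; throwing `Error` objects instead of strings also keeps stack traces and narrows cleanly under `useUnknownInCatchVariables`. The function's signature and the `key`/`tokenType` parameters it reads are outside the hunk.

```typescript
  try {
    if (!token) throw new Error('Unauthorized')

    // synchronous form: throws on a bad signature or expiry, so the catch below handles it
    const data = jwt.verify(token, key)
    if (typeof data === 'string') throw new Error('Unauthorized')

    // verify this valid token's entry in DB
    const user = await verifyTokenInDB(data.userId, data.clientId, token, tokenType)

    if (!user || !user.isActive) throw new Error('Unauthorized')

    req.user = user
    if (tokenType === 'accessToken') req.accessToken = token
    return next()
  } catch (error) {
    // … unchanged: public-route fallback and res.sendStatus(401) …
  }
```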
@@ -17,6 +17,9 @@ export const authorize: RequestHandler = async (req, res, next) => {
 // no need to check for permissions when user is admin
 if (user.isAdmin) return next()
 
+ // no need to check for permissions when route is Public
+ if (await isPublicRoute(req)) return next()
+
 const dbUser = await User.findOne({ id: user.userId })
 
 if (!dbUser) return res.sendStatus(401)
diff --git a/api/src/utils/isPublicRoute.ts b/api/src/utils/isPublicRoute.ts
index d971d93..0b121ee 100644
--- a/api/src/utils/isPublicRoute.ts
+++ b/api/src/utils/isPublicRoute.ts
@@ -22,7 +22,7 @@ export const isPublicRoute = async (req: Request): Promise => {
 }
 
 export const publicUser: RequestUser = {
- userId: 12345,
+ userId: 0,
 clientId: 'public_app',
 username: 'publicUser',
 displayName: 'Public User',
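Review bot: `isPublicRoute(req)` is awaited here a second time for a request that already took the public fallback in authenticateToken's catch block, which awaits the same helper and then calls next (reaching authorize through nextFunction on authorizing routes). If the helper performs a lookup rather than a static path match, that cost is paid twice per public request; remembering the verdict on the request object, or passing it through, would avoid the repeat. authorize's body continues outside the hunk.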
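Review bot: The reason for moving the public sentinel from 12345 to 0 is not recorded in the hunk; add a comment above the field such as `// 0 can never match a stored user id, so the public sentinel cannot collide with a real account` (confirm that the users table never issues id 0). Note that 0 is falsy, so any truthiness guard on `req.user.userId` elsewhere (`if (!user.userId)`) now treats the public user as anonymous, which should be checked against the intent. The remaining `publicUser` fields and the `isPublicRoute` body are outside the hunk.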