chore: code refactor

api/src/middlewares/authenticateToken.ts

@@ -23,11 +23,6 @@ export const authenticateAccessToken: RequestHandler = async (
     return next()
   }
 
-  if (await isPublicRoute(req)) {
-    req.user = publicUser
-    return next()
-  }
-
   const nextFunction = isAuthorizingRoute(req)
     ? () => authorize(req, res, next)
     : next
@@ -48,7 +43,7 @@ export const authenticateAccessToken: RequestHandler = async (
     return res.sendStatus(401)
   }
 
-  authenticateToken(
+  await authenticateToken(
     req,
     res,
     nextFunction,
@@ -57,8 +52,12 @@ export const authenticateAccessToken: RequestHandler = async (
   )
 }
 
-export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
+export const authenticateRefreshToken: RequestHandler = async (
-  authenticateToken(
+  req,
+  res,
+  next
+) => {
+  await authenticateToken(
     req,
     res,
     next,
@@ -67,7 +66,7 @@ export const authenticateRefreshToken: RequestHandler = (req, res, next) => {
   )
 }
 
-const authenticateToken = (
+const authenticateToken = async (
   req: Request,
   res: Response,
   next: NextFunction,
@@ -90,26 +89,37 @@ const authenticateToken = (
 
   const authHeader = req.headers['authorization']
   const token = authHeader?.split(' ')[1]
-  if (!token) return res.sendStatus(401)
 
-  jwt.verify(token, key, async (err: any, data: any) => {
+  try {
-    if (err) return res.sendStatus(401)
+    if (!token) throw 'Unauthorized'
 
-    // verify this valid token's entry in DB
+    jwt.verify(token, key, async (err: any, data: any) => {
-    const user = await verifyTokenInDB(
+      if (err) throw 'Unauthorized'
-      data?.userId,
-      data?.clientId,
-      token,
-      tokenType
-    )
 
-    if (user) {
+      // verify this valid token's entry in DB
-      if (user.isActive) {
+      const user = await verifyTokenInDB(
-        req.user = user
+        data?.userId,
-        if (tokenType === 'accessToken') req.accessToken = token
+        data?.clientId,
-        return next()
+        token,
-      } else return res.sendStatus(401)
+        tokenType
+      )
+
+      if (user) {
+        if (user.isActive) {
+          req.user = user
+          if (tokenType === 'accessToken') req.accessToken = token
+          return next()
+        } else throw 'Unauthorized'
+      }
+
+      throw 'Unauthorized'
+    })
+  } catch (error) {
+    if (await isPublicRoute(req)) {
+      req.user = publicUser
+      return next()
     }
-    return res.sendStatus(401)
+
-  })
+    res.sendStatus(401)
+  }
 }

api/src/middlewares/authorize.ts

@@ -5,7 +5,7 @@ import {
   PermissionSettingForRoute,
   PermissionType
 } from '../controllers/permission'
-import { getPath } from '../utils'
+import { getPath, isPublicRoute } from '../utils'
 
 export const authorize: RequestHandler = async (req, res, next) => {
   const { user } = req
@@ -17,6 +17,9 @@ export const authorize: RequestHandler = async (req, res, next) => {
   // no need to check for permissions when user is admin
   if (user.isAdmin) return next()
 
+  // no need to check for permissions when route is Public
+  if (await isPublicRoute(req)) return next()
+
   const dbUser = await User.findOne({ id: user.userId })
   if (!dbUser) return res.sendStatus(401)
 

api/src/utils/isPublicRoute.ts

@@ -22,7 +22,7 @@ export const isPublicRoute = async (req: Request): Promise<boolean> => {
 }
 
 export const publicUser: RequestUser = {
-  userId: 12345,
+  userId: 0,
   clientId: 'public_app',
   username: 'publicUser',
   displayName: 'Public User',