freesewing/sites/backend/src/middleware.mjs

import cors from 'cors'
import http from 'passport-http'
import jwt from 'passport-jwt'
import { ApikeyModel } from './models/apikey.mjs'
import { UserModel } from './models/user.mjs'

/*
 * In v2 we ended up with a bug where we did not properly track the last login
 * So in v3 we switch to `lastSeen` and every authenticated API call we update
 * this field. It's a bit of a perf hit to write to the database on ever API call
 * but it's worth it to actually know which accounts are used and which are not.
 */
async function checkAccess(uid, tools, type) {
  const User = new UserModel(tools)
  const ok = await User.papersPlease(uid, type)

  return ok
}

function loadExpressMiddleware(app) {
  app.use(cors())
}

function loadPassportMiddleware(passport, tools) {
  passport.use(
    new http.BasicStrategy(async (key, secret, done) => {
      const Apikey = new ApikeyModel(tools)
      await Apikey.verify(key, secret)
      /*
       * We check more than merely the API key
       */
      const ok = Apikey.verified ? await checkAccess(Apikey.record.userId, tools, 'key') : false

      return ok
        ? done(null, {
            ...Apikey.record,
            apikey: true,
            uid: Apikey.record.userId,
          })
        : done(false)
    })
  )
  passport.use(
    new jwt.Strategy(
      {
        jwtFromRequest: jwt.ExtractJwt.fromAuthHeaderAsBearerToken(),
        ...tools.config.jwt,
      },
      async (jwt_payload, done) => {
        /*
         * We check more than merely the token
         */
        const ok = await checkAccess(jwt_payload._id, tools, 'jwt')

        return ok
          ? done(null, {
              ...jwt_payload,
              uid: jwt_payload._id,
              level: tools.config.roles.levels[jwt_payload.role] || 0,
            })
          : done(false)
      }
    )
  )
}

export { loadExpressMiddleware, loadPassportMiddleware }
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00			`import cors from 'cors'`
wip(backend): Work on routes, auth, and email templates 2022-11-05 18:55:59 +01:00			`import http from 'passport-http'`
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00			`import jwt from 'passport-jwt'`
wip(backend): Work on routes, auth, and email templates 2022-11-05 18:55:59 +01:00			`import { ApikeyModel } from './models/apikey.mjs'`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`import { UserModel } from './models/user.mjs'`

			`/*`
			`* In v2 we ended up with a bug where we did not properly track the last login`
			* So in v3 we switch to `lastSeen` and every authenticated API call we update
			`* this field. It's a bit of a perf hit to write to the database on ever API call`
			`* but it's worth it to actually know which accounts are used and which are not.`
			`*/`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`async function checkAccess(uid, tools, type) {`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`const User = new UserModel(tools)`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`const ok = await User.papersPlease(uid, type)`

			`return ok`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`}`
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00
			`function loadExpressMiddleware(app) {`
			`app.use(cors())`
			`}`

wip(backend): Work on routes, auth, and email templates 2022-11-05 18:55:59 +01:00			`function loadPassportMiddleware(passport, tools) {`
			`passport.use(`
			`new http.BasicStrategy(async (key, secret, done) => {`
			`const Apikey = new ApikeyModel(tools)`
			`await Apikey.verify(key, secret)`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`/*`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`* We check more than merely the API key`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`*/`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`const ok = Apikey.verified ? await checkAccess(Apikey.record.userId, tools, 'key') : false`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`return ok`
			`? done(null, {`
			`...Apikey.record,`
			`apikey: true,`
			`uid: Apikey.record.userId,`
			`})`
wip(backend): Better handling of data 2022-11-08 21:04:32 +01:00			`: done(false)`
wip(backend): Work on routes, auth, and email templates 2022-11-05 18:55:59 +01:00			`})`
			`)`
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00			`passport.use(`
			`new jwt.Strategy(`
			`{`
			`jwtFromRequest: jwt.ExtractJwt.fromAuthHeaderAsBearerToken(),`
wip(backend): Work on routes, auth, and email templates 2022-11-05 18:55:59 +01:00			`...tools.config.jwt,`
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00			`},`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`async (jwt_payload, done) => {`
			`/*`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`* We check more than merely the token`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00			`*/`
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`const ok = await checkAccess(jwt_payload._id, tools, 'jwt')`
feat(backend): Track lastSeen and calls in middleware 2023-08-13 10:33:24 +02:00
feat(backen): Do more checks in middleware 2023-08-17 16:02:22 +02:00			`return ok`
			`? done(null, {`
			`...jwt_payload,`
			`uid: jwt_payload._id,`
			`level: tools.config.roles.levels[jwt_payload.role] \|\| 0,`
			`})`
			`: done(false)`
wip(backend): Started work on v3 backend 2022-10-29 22:21:24 +02:00			`}`
			`)`
			`)`
			`}`

wip(backend): Added prettier 2022-10-29 22:25:00 +02:00			`export { loadExpressMiddleware, loadPassportMiddleware }`