
Feature/jwt backend

Merged fhurtado14 requested to merge feature/jwt-backend into main
21 files
+ 359
21273
@@ -25,4 +25,143 @@ const authenticateJWT = (req, res, next) => {
});
};
module.exports = authenticateJWT;
/*
Function to authenticate admin only functions
(create, delete, searchByName)
*/
const authenticateAdminOnly = (req, res, next) => {
// Check for bypass header - used in Postman
const bypassToken = req.headers["x-dev-bypass"];
if (bypassToken === "allow-dev-access") {
console.log("Bypassing authentication due to Postman bypass header.");
req.user = {
role: "admin",
peopleId: 1,
};
return next();
}
// Get token from Authorization header
const token = req.headers.authorization?.split(" ")[1];
// return early if no token provided
if (!token) {
return res
.status(401)
.json({ message: "Access denied. No token provided." });
}
try {
// Verify the token
const decoded = jwt.verify(token, JWT_SECRET);
req.user = decoded; // Add the decoded token to the request object for later use
// extract the role from the token
const role = decoded.role;
if (!role) {
return res.status(403).json({ message: "Role information is missing." });
}
// Handle role-based validation
if (role === "admin" || role === "classChampion" || role === "orgLeader") {
// Admins pass automatically
req.user = decoded;
return next();
} else {
// Other roles are not authenticated
return res
.status(403)
.json({ message: "User is not authorized to access this resource." });
}
} catch (err) {
return res.status(403).json({ message: "Invalid or expired token." });
}
};
/*
Function to authenticate functions that can be used by admin or
users themselves
(update, fullInfo)
*/
const authenticateAdminAndPersonal = (req, res, next) => {
// Check for bypass header - used in Postman
const bypassToken = req.headers["x-dev-bypass"];
if (bypassToken === "allow-dev-access") {
console.log("Bypassing authentication due to Postman bypass header.");
req.user = {
role: "admin",
peopleId: 1,
};
return next();
}
// Get token from Authorization header
const token = req.headers.authorization?.split(" ")[1];
// return early if no token provided
if (!token) {
return res
.status(401)
.json({ message: "Access denied. No token provided." });
}
try {
// Verify the token
const decoded = jwt.verify(token, JWT_SECRET);
req.user = decoded; // Add the decoded token to the request object for later use
// extract the role from the token
const role = decoded.role;
const peopleId = decoded.peopleId;
const reqPeopleId = req.params;
console.log("Role: ", role);
console.log("PeopleId: ", peopleId);
console.log("param gotten from url: ", reqPeopleId);
if (!role) {
return res.status(403).json({ message: "Role information is missing." });
}
// Handle role-based validation
if (role === "admin" || role === "classChampion" || role === "orgLeader") {
// Admins pass automatically
req.user = decoded;
console.log("admin passing");
return next();
} else if (role === "user") {
// need to verify the user is making the request on themselves
if (!reqPeopleId) {
return res
.status(400)
.json({ message: "peopleId is required as a URL parameter." });
}
if (reqPeopleId === peopleId) {
req.user = decoded;
return next();
}
// condition is not met
return res
.status(403)
.json({ message: "User is not authorized to access this resource." });
} else {
// Other roles are not authenticated
return res
.status(403)
.json({ message: "User is not authorized to access this resource." });
}
} catch (err) {
return res.status(403).json({ message: "Invalid or expired token." });
}
};
module.exports = {
authenticateJWT,
authenticateAdminOnly,
authenticateAdminAndPersonal,
};
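Review bot: The `x-dev-bypass: allow-dev-access` check at the top of both `authenticateAdminOnly` and `authenticateAdminAndPersonal` is a hard-coded authentication bypass: any client that sends that header gets `req.user = { role: "admin", peopleId: 1 }` without presenting a token, and nothing in the hunk restricts it to a non-production environment. Those blocks should be deleted before merge (Postman can carry a real signed token instead); at the very least they need an environment gate such as `if (process.env.NODE_ENV !== "production" && bypassToken === "allow-dev-access")`, though a static shared string remains a weak guard. Separately, in `authenticateAdminAndPersonal` the line `const reqPeopleId = req.params;` stores the whole params object, so `reqPeopleId === peopleId` compares an object with the token's value and is never true, meaning a `user`-role caller can never reach their own record; it should read the named parameter and normalise the type, `const reqPeopleId = req.params.peopleId;` and `if (String(reqPeopleId) === String(peopleId))`. The three `console.log` calls that print the role, peopleId and URL params are debug output that writes identity data to the logs and should also be removed.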