Jackie/rentall-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5d3c124d3e26b8ac5eea6fbf85a408c2e0c79f70
rentall-app/backend/middleware/auth.js
jackiettran b56e031ee5 ability to ban and unban users
2026-01-07 00:39:20 -05:00

164 lines
4.0 KiB
JavaScript
Raw Blame History

const jwt = require("jsonwebtoken");
const { User } = require("../models"); // Import from models/index.js to get models with associations
const logger = require("../utils/logger");
const authenticateToken = async (req, res, next) => {
// First try to get token from cookie
let token = req.cookies?.accessToken;
if (!token) {
return res.status(401).json({
error: "Access token required",
code: "NO_TOKEN",
});
}
try {
const decoded = jwt.verify(token, process.env.JWT_ACCESS_SECRET);
const userId = decoded.id;
if (!userId) {
return res.status(401).json({
error: "Invalid token format",
code: "INVALID_TOKEN_FORMAT",
});
}
const user = await User.findByPk(userId);
if (!user) {
return res.status(401).json({
error: "User not found",
code: "USER_NOT_FOUND",
});
}
// Check if user is banned
if (user.isBanned) {
return res.status(403).json({
error: "Your account has been suspended. Please contact support for more information.",
code: "USER_BANNED",
});
}
// Validate JWT version to invalidate old tokens after password change
if (decoded.jwtVersion !== user.jwtVersion) {
return res.status(401).json({
error: "Session expired due to password change. Please log in again.",
code: "JWT_VERSION_MISMATCH",
});
}
req.user = user;
next();
} catch (error) {
// Check if token is expired
if (error.name === "TokenExpiredError") {
return res.status(401).json({
error: "Token expired",
code: "TOKEN_EXPIRED",
});
}
const reqLogger = logger.withRequestId(req.id);
reqLogger.error("Auth middleware error", {
error: error.message,
stack: error.stack,
tokenPresent: !!token,
userId: req.user?.id
});
return res.status(403).json({
error: "Invalid token",
code: "INVALID_TOKEN",
});
}
};
// Optional authentication - doesn't return 401 if no token, just continues
const optionalAuth = async (req, res, next) => {
// Try to get token from cookie
let token = req.cookies?.accessToken;
if (!token) {
// No token is fine for optional auth, just continue
req.user = null;
return next();
}
try {
const decoded = jwt.verify(token, process.env.JWT_ACCESS_SECRET);
const userId = decoded.id;
if (!userId) {
req.user = null;
return next();
}
const user = await User.findByPk(userId);
if (!user) {
req.user = null;
return next();
}
// Banned users are treated as unauthenticated for optional auth
if (user.isBanned) {
req.user = null;
return next();
}
// Validate JWT version to invalidate old tokens after password change
if (decoded.jwtVersion !== user.jwtVersion) {
req.user = null;
return next();
}
req.user = user;
next();
} catch (error) {
// Token invalid/expired is fine for optional auth
req.user = null;
next();
}
};
// Require verified email middleware - must be used after authenticateToken
const requireVerifiedEmail = (req, res, next) => {
if (!req.user) {
return res.status(401).json({
error: "Authentication required",
code: "NO_AUTH",
});
}
if (!req.user.isVerified) {
return res.status(403).json({
error: "Email verification required. Please verify your email address to perform this action.",
code: "EMAIL_NOT_VERIFIED",
});
}
next();
};
// Require admin role middleware - must be used after authenticateToken
const requireAdmin = (req, res, next) => {
if (!req.user) {
return res.status(401).json({
error: "Authentication required",
code: "NO_AUTH",
});
}
if (req.user.role !== "admin") {
return res.status(403).json({
error: "Admin access required",
code: "INSUFFICIENT_PERMISSIONS",
});
}
next();
};
module.exports = { authenticateToken, optionalAuth, requireVerifiedEmail, requireAdmin };
Reference in New Issue View Git Blame Copy Permalink