krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-19 07:37:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

port middlewares to authenticate users with headers and sessions

Browse Source
This commit is contained in:
Matteo Pagliazzi
2015-11-07 15:37:38 +01:00
parent 0cf964728e
commit ac7d3e642f
3 changed files with 67 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
website/src/controllers/api-v2/auth.js
View File

@@ -53,6 +53,7 @@ api.authWithSession = function(req, res, next) { //[todo] there is probably a mo
}); });
}; };
// TODO passing auth params as query params is not safe as they are logged by browser history, ...
api.authWithUrl = function(req, res, next) { api.authWithUrl = function(req, res, next) {
User.findOne({_id:req.query._id, apiToken:req.query.apiToken}, function(err,user){ User.findOne({_id:req.query._id, apiToken:req.query.apiToken}, function(err,user){
if (err) return next(err); if (err) return next(err);

66
website/src/middlewares/api-v3/auth.js Normal file
View File

@@ -0,0 +1,66 @@
// Middlewares used to authenticate requests
import {
NotAuthorized,
} from '../../libs/api-v3/errors';
import {
UserModel as User,
} from '../../models/user';
// TODO use i18n
const missingAuthHeaders = 'Missing authentication headers.';
const userNotFound = 'User not found.';
const accountSuspended = (user) => {
return `Account has been suspended, please contact leslie@habitica.com
with your UUID ${user._id} for assistance.`;
};
// TODO adopt JSDoc syntax?
// Authenticate a request through the x-api-user and x-api key header
export function authWithHeaders (req, res, next) {
let userId = req.header['x-api-user'];
let apiToken = req.header['x-api-key'];
if (!userId || !apiToken) {
// TODO use i18n?
// TODO use badrequest error?
return next(new NotAuthorized(missingAuthHeaders));
}
// TODO use promises?
User.findOne({
_id: userId,
apiToken,
}, (err, user) => {
if (err) return next(err);
if (!user) return next(new NotAuthorized(userNotFound));
// TODO better handling for this case
if (user.blocked) return next(new NotAuthorized(accountSuspended(user)));
res.locals.user = user;
// TODO use either session/cookie or headers, not both
req.session.userId = user._id;
return next();
});
}
// Authenticate a request through a valid session
// TODO should use json web token
export function authWithSession (req, res, next) {
let session = req.session;
if (!session || !session.userId) {
return next(new NotAuthorized(userNotFound));
}
User.findOne({
_id: session.userId,
}, (err, user) => {
if (err) return next(err);
if (!user) return next(new NotAuthorized(userNotFound));
res.locals.user = user;
return next();
});
}

1
website/src/middlewares/api-v3/errorHandler.js
View File

@@ -21,7 +21,6 @@ export default function errorHandler (err, req, res, next) {
// In case of a CustomError class, use it's data // In case of a CustomError class, use it's data
// Otherwise try to identify the type of error (mongoose validation, mongodb unique, ...) // Otherwise try to identify the type of error (mongoose validation, mongodb unique, ...)
// If we can't identify it, respond with a generic 500 error // If we can't identify it, respond with a generic 500 error
let responseErr = err instanceof CustomError ? err : null; let responseErr = err instanceof CustomError ? err : null;
if (!responseErr) { if (!responseErr) {