krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-17 14:47:53 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
60f34dafb0eaf51ef89fc95dd93968228bfd2cb4
habitica/website/server/middlewares/auth.js
Matteo Pagliazzi 60f34dafb0 Deprecate API v2 (was Revert "Revert "Deprecate API v2"") (#7802) 
* Revert "Revert "Deprecate API v2""

* fix path in shops controller
2016-08-01 22:36:10 +02:00

88 lines
2.2 KiB
JavaScript
Raw Blame History

import {
NotAuthorized,
} from '../libs/errors';
import {
model as User,
} from '../models/user';
// Strins won't be translated here because getUserLanguage has not run yet
// Authenticate a request through the x-api-user and x-api key header
// If optional is true, don't error on missing authentication
export function authWithHeaders (optional = false) {
return function authWithHeadersHandler (req, res, next) {
let userId = req.header('x-api-user');
let apiToken = req.header('x-api-key');
if (!userId || !apiToken) {
if (optional) return next();
return next(new NotAuthorized(res.t('missingAuthHeaders')));
}
return User.findOne({
_id: userId,
apiToken,
})
.exec()
.then((user) => {
if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
if (user.auth.blocked) throw new NotAuthorized(res.t('accountSuspended', {userId: user._id}));
res.locals.user = user;
req.session.userId = user._id;
return next();
})
.catch(next);
};
}
// Authenticate a request through a valid session
export function authWithSession (req, res, next) {
let userId = req.session.userId;
// Always allow authentication with headers
if (!userId) {
if (!req.header('x-api-user') || !req.header('x-api-key')) {
return next(new NotAuthorized(res.t('invalidCredentials')));
} else {
return authWithHeaders()(req, res, next);
}
}
return User.findOne({
_id: userId,
})
.exec()
.then((user) => {
if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
res.locals.user = user;
return next();
})
.catch(next);
}
export function authWithUrl (req, res, next) {
let userId = req.query._id;
let apiToken = req.query.apiToken;
// Always allow authentication with headers
if (!userId || !apiToken) {
if (!req.header('x-api-user') || !req.header('x-api-key')) {
return next(new NotAuthorized(res.t('missingAuthParams')));
} else {
return authWithHeaders()(req, res, next);
}
}
return User.findOne({ _id: userId, apiToken }).exec()
.then((user) => {
if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
res.locals.user = user;
return next();
})
.catch(next);
}
Reference in New Issue View Git Blame Copy Permalink