maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
76883b569c6c3acefac9892a46273654b40dcb55
Learn_System/backend/src/middleware/auth.js
T
Maxim Dolgolyov 76883b569c feat(perm): central permission registry + key validation in linter 
- backend/src/permissions/registry.js: single source of truth (PERMISSIONS map)
  with all 24 keys (16 teacher + 8 student, student keys also cover free_student).
  Exports isKnown(), listKeys(), byRole(), buildDefaultsMap().
- auth.js: PERM_DEFAULTS now sourced from registry.buildDefaultsMap();
  new perm() helper validates key at registration time (crashes early on typos).
  requirePermission() unchanged — backward compat preserved.
- permissionsController.js: ALL_PERMISSIONS now built from registry.byRole();
  inline 24-entry array removed. API response shape unchanged.
- check-route-auth.js: validates every requirePermission/perm call key against
  registry; lists unknown keys as errors before exit.
  perm() added to GUARDS list so it counts as route protection.

Discrepancy noted: auth.js had free_student with same 8 keys as student;
permissionsController never seeded free_student rows. Registry documents
this via roles:[] array; buildDefaultsMap() correctly covers free_student.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 14:22:18 +03:00

129 lines
5.0 KiB
JavaScript
Raw Blame History

const jwt = require('jsonwebtoken');
const db = require('../db/db');
const registry = require('../permissions/registry');
/* ── Default values for role_permissions — sourced from central registry ── */
const PERM_DEFAULTS = registry.buildDefaultsMap();
function authMiddleware(req, res, next) {
const header = req.headers.authorization;
if (!header || !header.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
// Re-fetch role + token_version from DB so changes take effect immediately
const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
if (!fresh) return res.status(401).json({ error: 'User not found' });
if (fresh.is_banned) return res.status(403).json({ error: 'Аккаунт заблокирован' });
// Invalidate tokens issued before password change / role change.
// If DB has token_version set, token MUST carry matching tv.
// (payload.tv === undefined means old token without version — also revoke)
if (fresh.token_version != null && payload.tv !== fresh.token_version) {
return res.status(401).json({ error: 'Token revoked — please log in again' });
}
req.user = { ...payload, role: fresh.role };
next();
} catch {
res.status(401).json({ error: 'Token invalid or expired' });
}
}
function requireRole(...roles) {
return (req, res, next) => {
if (!roles.includes(req.user?.role)) {
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
}
/* ── Check permission; user override → role override → hardcoded default ── */
function requirePermission(key) {
return (req, res, next) => {
if (req.user?.role === 'admin') return next();
const role = req.user?.role;
const uid = req.user?.id;
if (!role) return res.status(401).json({ error: 'Unauthorized' });
// 1. User-level override
const userRow = db.prepare(
'SELECT enabled FROM user_permissions WHERE user_id = ? AND permission = ?'
).get(uid, key);
if (userRow !== undefined) {
return userRow.enabled === 1 ? next() : res.status(403).json({ error: 'Permission denied' });
}
// 2. Role-level
const roleRow = db.prepare(
'SELECT enabled FROM role_permissions WHERE role = ? AND permission = ?'
).get(role, key);
const enabled = roleRow !== undefined ? roleRow.enabled === 1 : (PERM_DEFAULTS[role]?.[key] ?? false);
if (enabled) return next();
return res.status(403).json({ error: 'Permission denied' });
};
}
/* ── Parent link JWT auth (separate from user auth) ───────────────────── */
function parentAuth(req, res, next) {
const header = req.headers.authorization;
if (!header || !header.startsWith('Bearer '))
return res.status(401).json({ error: 'Unauthorized' });
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
if (payload.type !== 'parent')
return res.status(401).json({ error: 'Invalid token type' });
const link = db.prepare(
'SELECT id, student_id, is_active, expires_at FROM parent_links WHERE id = ?'
).get(payload.linkId);
if (!link || !link.is_active)
return res.status(401).json({ error: 'Link revoked' });
if (link.expires_at && new Date(link.expires_at) < new Date())
return res.status(401).json({ error: 'Link expired' });
req.parent = { linkId: link.id, studentId: link.student_id };
next();
} catch {
res.status(401).json({ error: 'Token invalid or expired' });
}
}
/* Alias: requireAuth = authMiddleware */
const requireAuth = authMiddleware;
/**
* perm(key) — ergonomic alias for requirePermission(key).
* Throws at module-load time if `key` is not in the registry,
* so typos are caught at startup rather than at runtime.
*/
function perm(key) {
if (!registry.isKnown(key)) {
throw new Error(`[auth] Unknown permission key: "${key}". Add it to backend/src/permissions/registry.js`);
}
return requirePermission(key);
}
/* optionalAuth: попытаться установить req.user, но не блокировать при отсутствии токена */
function optionalAuth(req, res, next) {
const header = req.headers.authorization || '';
if (!header.startsWith('Bearer ')) return next();
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
if (fresh && !fresh.is_banned) {
if (fresh.token_version == null || payload.tv === fresh.token_version) {
req.user = { ...payload, role: fresh.role };
}
}
} catch {}
next();
}
module.exports = { authMiddleware, requireAuth, optionalAuth, requireRole, requirePermission, perm, parentAuth };
Reference in New Issue View Git Blame Copy Permalink