maxim.dolgolyov/Learn_System
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
97966ba2dfd2fbbed6bc24ca6b87c65cf98f6b9b
Learn_System/backend/src/middleware/auth.js
T
Maxim Dolgolyov fe122b7681 feat(admin): журнал событий безопасности (Tier 1-2) + аудит чувствительных действий (Tier 3) 
- security_events (миграция 047) + utils/securityLog.js (defensive, lazy stmt)
- Tier 1: login.success/fail, register, password.change в authController
- Tier 2: 403 (роль/разрешение) в middleware/auth, rate_limited в rateLimit
- Tier 3: audit() на выдачу доступа (access), начисление/сброс XP (gam), модерацию аватаров
- API GET/DELETE /api/admin/security-log (фильтр по категории + поиск, прунинг по дням)
- Frontend: вкладка «Безопасность» в admin.html + loadSecurityLog, расширены ACTION_LABELS

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-01 15:28:21 +03:00

134 lines
5.3 KiB
JavaScript
Raw Blame History

const jwt = require('jsonwebtoken');
const db = require('../db/db');
const registry = require('../permissions/registry');
const { logDenied } = require('../utils/securityLog');
/* ── Default values for role_permissions — sourced from central registry ── */
const PERM_DEFAULTS = registry.buildDefaultsMap();
function authMiddleware(req, res, next) {
const header = req.headers.authorization;
if (!header || !header.startsWith('Bearer ')) {
return res.status(401).json({ error: 'Unauthorized' });
}
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
// Re-fetch role + token_version from DB so changes take effect immediately
const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
if (!fresh) return res.status(401).json({ error: 'User not found' });
if (fresh.is_banned) return res.status(403).json({ error: 'Аккаунт заблокирован' });
// Invalidate tokens issued before password change / role change.
// If DB has token_version set, token MUST carry matching tv.
// (payload.tv === undefined means old token without version — also revoke)
if (fresh.token_version != null && payload.tv !== fresh.token_version) {
return res.status(401).json({ error: 'Token revoked — please log in again' });
}
req.user = { ...payload, role: fresh.role };
next();
} catch {
res.status(401).json({ error: 'Token invalid or expired' });
}
}
function requireRole(...roles) {
return (req, res, next) => {
if (!roles.includes(req.user?.role)) {
if (req.user) logDenied(req, 'forbidden', `роль ${req.user.role}; требуется ${roles.join('/')}`);
return res.status(403).json({ error: 'Forbidden' });
}
next();
};
}
/* ── Check permission; user override → role override → hardcoded default ── */
function requirePermission(key) {
return (req, res, next) => {
if (req.user?.role === 'admin') return next();
const role = req.user?.role;
const uid = req.user?.id;
if (!role) return res.status(401).json({ error: 'Unauthorized' });
// 1. User-level override
const userRow = db.prepare(
'SELECT enabled FROM user_permissions WHERE user_id = ? AND permission = ?'
).get(uid, key);
if (userRow !== undefined) {
if (userRow.enabled === 1) return next();
logDenied(req, 'perm_denied', key);
return res.status(403).json({ error: 'Permission denied' });
}
// 2. Role-level
const roleRow = db.prepare(
'SELECT enabled FROM role_permissions WHERE role = ? AND permission = ?'
).get(role, key);
const enabled = roleRow !== undefined ? roleRow.enabled === 1 : (PERM_DEFAULTS[role]?.[key] ?? false);
if (enabled) return next();
logDenied(req, 'perm_denied', key);
return res.status(403).json({ error: 'Permission denied' });
};
}
/* ── Parent link JWT auth (separate from user auth) ───────────────────── */
function parentAuth(req, res, next) {
const header = req.headers.authorization;
if (!header || !header.startsWith('Bearer '))
return res.status(401).json({ error: 'Unauthorized' });
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
if (payload.type !== 'parent')
return res.status(401).json({ error: 'Invalid token type' });
const link = db.prepare(
'SELECT id, student_id, is_active, expires_at FROM parent_links WHERE id = ?'
).get(payload.linkId);
if (!link || !link.is_active)
return res.status(401).json({ error: 'Link revoked' });
if (link.expires_at && new Date(link.expires_at) < new Date())
return res.status(401).json({ error: 'Link expired' });
req.parent = { linkId: link.id, studentId: link.student_id };
next();
} catch {
res.status(401).json({ error: 'Token invalid or expired' });
}
}
/* Alias: requireAuth = authMiddleware */
const requireAuth = authMiddleware;
/**
* perm(key) — ergonomic alias for requirePermission(key).
* Throws at module-load time if `key` is not in the registry,
* so typos are caught at startup rather than at runtime.
*/
function perm(key) {
if (!registry.isKnown(key)) {
throw new Error(`[auth] Unknown permission key: "${key}". Add it to backend/src/permissions/registry.js`);
}
return requirePermission(key);
}
/* optionalAuth: попытаться установить req.user, но не блокировать при отсутствии токена */
function optionalAuth(req, res, next) {
const header = req.headers.authorization || '';
if (!header.startsWith('Bearer ')) return next();
const token = header.slice(7);
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
const fresh = db.prepare('SELECT role, token_version, is_banned FROM users WHERE id = ?').get(payload.id);
if (fresh && !fresh.is_banned) {
if (fresh.token_version == null || payload.tv === fresh.token_version) {
req.user = { ...payload, role: fresh.role };
}
}
} catch {}
next();
}
module.exports = { authMiddleware, requireAuth, optionalAuth, requireRole, requirePermission, perm, parentAuth };
Reference in New Issue View Git Blame Copy Permalink