From a162b275a3f43df0ad3aaeb29a5ad4cbc4c059d0 Mon Sep 17 00:00:00 2001
From: Dave Richer
Date: Mon, 22 Jan 2024 23:11:10 -0500
Subject: [PATCH] - Finish cleanup

Signed-off-by: Dave Richer
---
 .../eventAuthorizationMIddleware.js | 3 +++
 server/middleware/validateAdminMiddleware.js | 11 ++++++++
 .../validateFirebaseIdTokenMiddleware.js | 26 +++++++++++++------
 3 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/server/middleware/eventAuthorizationMIddleware.js b/server/middleware/eventAuthorizationMIddleware.js
index 8579a2e89..c766ceda5 100644
--- a/server/middleware/eventAuthorizationMIddleware.js
+++ b/server/middleware/eventAuthorizationMIddleware.js
@@ -1,5 +1,7 @@
 /**
  * Checks if the event secret is correct
+ * It adds the following properties to the request object:
+ * - req.isEventAuthorized - Returns true if the event secret is correct
  * @param req
  * @param res
  * @param next
@@ -9,6 +11,7 @@ function eventAuthorizationMiddleware(req, res, next) {
     return res.status(401).send("Unauthorized");
   }

+  req.isEventAuthorized = true;
   next();
 }

diff --git a/server/middleware/validateAdminMiddleware.js b/server/middleware/validateAdminMiddleware.js
index a93c7d659..cfd53b171 100644
--- a/server/middleware/validateAdminMiddleware.js
+++ b/server/middleware/validateAdminMiddleware.js
@@ -1,6 +1,15 @@
 const logger = require("../utils/logger");
 const adminEmail = require("../utils/adminEmail");

+/**
+ * Validate admin middleware
+ * It adds the following properties to the request object:
+ * - req.isAdmin - returns true if the user passed an admin check
+ * @param req
+ * @param res
+ * @param next
+ * @returns {*}
+ */
 const validateAdminMiddleware = (req, res, next) => {
   if (!adminEmail.includes(req.user.email) && !req.user.ioadmin) {
     logger.log("admin-validation-failed", "ERROR", req.user.email, null, {
@@ -9,6 +18,8 @@ const validateAdminMiddleware = (req, res, next) => {
     });
     return res.sendStatus(404);
   }
+
+  req.isAdmin = true;
   next();
 };

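Review bot: The new `req.isEventAuthorized = true` is assigned only on the success path, and the failing path just above it has already answered 401, so on any request that did not pass this middleware the property is `undefined`, never `false`; the added JSDoc wording "Returns true if the event secret is correct" invites a `=== false` check downstream that would never fire. A comment on the new line such as `// set only after the secret check passed; absent (undefined) otherwise` would pin that contract. The secret comparison itself sits above the hunk (eventAuthorizationMiddleware starts outside it), so it cannot be reviewed here; if it is an ordinary `===`/`!==` on the shared secret, `crypto.timingSafeEqual` over equal-length Buffers is the safer form.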
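Review bot: The new JSDoc should state that this middleware depends on `req.user` being populated by validateFirebaseIdTokenMiddleware, because the context line `if (!adminEmail.includes(req.user.email) && !req.user.ioadmin)` dereferences `req.user` unguarded and throws a TypeError (a 500 instead of the intended 404) on any route where it is mounted alone. Proposed line for the block: ` * Must run after validateFirebaseIdTokenMiddleware, which sets req.user; it throws otherwise.` Since the third file's JSDoc describes `req.user` as the decoded Firebase ID token, the email match against adminEmail presumably also needs `req.user.email_verified` to be true before the address is trusted — confirm against the enabled sign-in providers, as Firebase can issue tokens for accounts whose email is not verified. `@returns {*}` could also be tightened to what the visible code yields: nothing on success (`next()` with no return) and the `res.sendStatus(404)` result on failure.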
diff --git a/server/middleware/validateFirebaseIdTokenMiddleware.js b/server/middleware/validateFirebaseIdTokenMiddleware.js
index a9522a0bb..53d1cc775 100644
--- a/server/middleware/validateFirebaseIdTokenMiddleware.js
+++ b/server/middleware/validateFirebaseIdTokenMiddleware.js
@@ -1,15 +1,26 @@
 const logger = require("../utils/logger");
 const admin = require("firebase-admin");

+/**
+ * Middleware to validate Firebase ID Tokens.
+ * This middleware is used to protect API endpoints from unauthorized access.
+ * It adds the following properties to the request object:
+ * - req.user - the decoded Firebase ID Token
+ * @param req
+ * @param res
+ * @param next
+ * @returns {Promise}
+ */
 const validateFirebaseIdTokenMiddleware = async (req, res, next) => {
   if (
-    (!req.headers.authorization ||
+    (
+      !req.headers.authorization ||
       !req.headers.authorization.startsWith("Bearer ")) &&
-    !(req.cookies && req.cookies.__session)
+    !(req.cookies && req.cookies.__session
+    )
   ) {
     console.error("Unauthorized attempt. No authorization provided.");
-    res.status(403).send("Unauthorized");
-    return;
+    return res.status(403).send("Unauthorized");
   }

   let idToken;
@@ -32,8 +43,8 @@ const validateFirebaseIdTokenMiddleware = async (req, res, next) => {
       req,
       type: "no-cookie",
     });
-    res.status(403).send("Unauthorized");
-    return;
+
+    return res.status(403).send("Unauthorized");
   }

   try {
@@ -51,8 +62,7 @@ const validateFirebaseIdTokenMiddleware = async (req, res, next) => {
       ...error,
     });

-    res.status(401).send("Unauthorized");
-
+    return res.status(401).send("Unauthorized");
   }
 };
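Review bot: The missing-credentials branch still answers 403 (`return res.status(403).send("Unauthorized")`) while the token-verification failure at the end of the same function answers 401, so a client cannot distinguish "send a token" from "your token was rejected"; unless something depends on the 403, the line should become `return res.status(401).send("Unauthorized");`, ideally after `res.set("WWW-Authenticate", "Bearer");`, which is what RFC 6750 prescribes when no token is presented. The re-parenthesised condition is equivalent to the old one, but the dangling `(` and `)` lines read as a typo and Prettier would reflow them; if the Node target allows optional chaining, `const hasBearer = req.headers.authorization?.startsWith("Bearer ") === true;`, `const hasSessionCookie = Boolean(req.cookies?.__session);` and `if (!hasBearer && !hasSessionCookie) {` say the same thing without the nesting. This branch also reports through `console.error` whereas the no-cookie branch later in the function goes through `logger.log`, so this class of rejection is invisible to whatever consumes that logger. validateFirebaseIdTokenMiddleware continues past the hunk.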