feature/IO-3255-simplified-parts-management - Checkoint

server/middleware/validateFirebaseIdTokenLiteMiddleware.js

@@ -0,0 +1,42 @@
+const logger = require("../utils/logger");
+const admin = require("firebase-admin");
+
+/**
+ * Lite Firebase ID token validator.
+ * - Only accepts Authorization: Bearer <token>
+ * - Sets req.user to the decoded token on success
+ */
+const validateFirebaseIdTokenLite = async (req, res, next) => {
+  const authHeader = req.headers.authorization || "";
+  const match = authHeader.match(/^Bearer\s+(.+)$/i);
+
+  if (!match) {
+    logger.log("api-authorization-call", "warn", null, null, {
+      type: "unauthorized",
+      reason: "missing Bearer token",
+      path: req.path,
+      body: req.body
+    });
+    return res.status(401).send("Unauthorized");
+  }
+
+  const idToken = match[1].trim();
+
+  try {
+    const decodedIdToken = await admin.auth().verifyIdToken(idToken);
+    req.user = decodedIdToken;
+    return next();
+  } catch (error) {
+    logger.log("api-unauthorized-call", "warn", null, null, {
+      type: "unauthorized",
+      reason: "invalid or expired token",
+      path: req.path,
+      body: req.body,
+      code: error?.errorInfo?.code || error?.code,
+      message: error?.message
+    });
+    return res.status(401).send("Unauthorized");
+  }
+};
+
+module.exports = validateFirebaseIdTokenLite;