BillTracker/middleware/requireAuth.cts

98 lines
2.9 KiB
TypeScript
Raw Normal View History

import type { Req, Res, Next } from '../types/http';
const crypto = require('crypto');
const {
getSessionUser,
COOKIE_NAME,
SINGLE_COOKIE_NAME,
cookieOpts,
publicUser,
recordLogin,
} = require('../services/authService.cts');
const { getDb, getSetting } = require('../db/database.cts');
const { standardizeError } = require('./errorFormatter.cts');
2026-05-03 19:51:57 -05:00
function getSingleModeUser(): any {
2026-05-03 19:51:57 -05:00
if (getSetting('auth_mode') !== 'single') return null;
const userId = getSetting('default_user_id');
if (!userId) return null;
// Single-user mode: validate only that the configured user exists, is active,
// and has role 'user'. Sessions are not relevant here.
const row = getDb()
.prepare(
`
SELECT id, username, display_name, role, must_change_password, first_login,
2026-05-14 21:00:07 -05:00
active, is_default_admin, last_seen_version
FROM users
WHERE id = ? AND role = 'user' AND active = 1
`,
)
.get(userId);
2026-05-03 19:51:57 -05:00
return row ? publicUser(row) : null;
}
function requireAuth(req: Req, res: Res, next: Next): any {
2026-05-03 19:51:57 -05:00
// Single-user mode: bypass session entirely, auto-attach the default user
const singleUser = getSingleModeUser();
if (singleUser) {
req.user = singleUser;
req.singleUserMode = true;
// Track logins via a presence cookie so login history works without a real session.
const existing = req.cookies?.[SINGLE_COOKIE_NAME];
if (existing) {
req.singleSessionId = existing;
} else {
const sessionId = crypto.randomUUID();
res.cookie(SINGLE_COOKIE_NAME, sessionId, {
httpOnly: true,
sameSite: 'strict',
secure: cookieOpts(req).secure,
maxAge: 30 * 86400 * 1000, // 30 days
path: '/',
});
req.singleSessionId = sessionId;
// Non-blocking — don't delay the first request
setImmediate(() => {
try {
recordLogin(singleUser.id, req.ip, req.get('user-agent'), sessionId);
} catch {}
});
}
2026-05-03 19:51:57 -05:00
return next();
}
const user = getSessionUser(req.cookies?.[COOKIE_NAME]);
2026-05-09 13:03:36 -05:00
if (!user) return res.status(401).json(standardizeError('Not authenticated', 'AUTH_ERROR'));
2026-05-03 19:51:57 -05:00
req.user = user;
next();
}
function requireUser(req: Req, res: Res, next: Next): any {
2026-05-04 23:34:24 -05:00
if (req.user?.is_default_admin) {
return res
.status(403)
.json(standardizeError('Default admin account does not have tracker access', 'FORBIDDEN'));
2026-05-04 23:34:24 -05:00
}
2026-05-03 20:40:48 -05:00
if (!['user', 'admin'].includes(req.user?.role)) {
return res
.status(403)
.json(standardizeError('Access denied: user account required', 'FORBIDDEN'));
2026-05-03 19:51:57 -05:00
}
next();
}
function requireAdmin(req: Req, res: Res, next: Next): any {
2026-05-03 19:51:57 -05:00
// In single-user mode the auto-attached user is never admin,
// so admin routes naturally stay protected by session.
if (req.user?.role !== 'admin') {
return res
.status(403)
.json(standardizeError('Access denied: admin account required', 'FORBIDDEN'));
2026-05-03 19:51:57 -05:00
}
next();
}
module.exports = { requireAuth, requireUser, requireAdmin };