fix(refactor): merging write-api auth middlewares with core middlewares

2025-11-10 07:55:46 +01:00 · 2020-10-01 10:52:05 -04:00
parent ec5c48b188
commit f6433ef2c5
6 changed files with 261 additions and 95 deletions
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -1,6 +1,8 @@
 'use strict';

 const nconf = require('nconf');
+const winston = require('winston');
+const passport = require('passport');

 const meta = require('../meta');
 const user = require('../user');
@@ -11,12 +13,49 @@ const auth = require('../routes/authentication');

 const controllers = {
 	helpers: require('../controllers/helpers'),
+	authentication: require('../controllers/authentication'),
 };

 module.exports = function (middleware) {
 	async function authenticate(req, res) {
 		if (req.loggedIn) {
 			return true;
+		} else if (req.headers.hasOwnProperty('authorization')) {
+			passport.authenticate('bearer', { session: false }, function (err, user) {
+				if (err) { throw new Error(err); }
+				if (!user) { return false; }
+
+				// If the token received was a master token, a _uid must also be present for all calls
+				if (user.hasOwnProperty('uid')) {
+					req.login(user, async function (err) {
+						if (err) { throw new Error(err); }
+
+						await controllers.authentication.onSuccessfulLogin(req, user.uid);
+						req.uid = user.uid;
+						req.loggedIn = req.uid > 0;
+						return true;
+					});
+				} else if (user.hasOwnProperty('master') && user.master === true) {
+					if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
+						user.uid = req.body._uid || req.query._uid;
+						delete user.master;
+
+						req.login(user, async function (err) {
+							if (err) { throw new Error(err); }
+
+							await controllers.authentication.onSuccessfulLogin(req, user.uid);
+							req.uid = user.uid;
+							req.loggedIn = req.uid > 0;
+							return true;
+						});
+					} else {
+						throw new Error('A master token was received without a corresponding `_uid` in the request body');
+					}
+				} else {
+					winston.warn('[api/authenticate] Unable to find user after verifying token');
+					return false;
+				}
+			})(req, res);
 		}

 		await plugins.fireHook('response:middleware.authenticate', {
@@ -180,7 +219,7 @@ module.exports = function (middleware) {
 		req.session.returnTo = returnTo;
 		req.session.forceLogin = 1;
 		if (res.locals.isAPI) {
-			res.status(401).json({});
+			controllers.helpers.formatApiResponse(401, res);
 		} else {
 			res.redirect(nconf.get('relative_path') + '/login?local=1');
 		}