freeCodeCamp/api-server/server/middlewares/request-authorization.js

import { isEmpty } from 'lodash';

import { getUserById as _getUserById } from '../utils/user-stats';
import {
  getAccessTokenFromRequest,
  errorTypes,
  authHeaderNS
} from '../utils/getSetAccessToken';
import { homeLocation } from '../../../config/env';
import { jwtSecret as _jwtSecret } from '../../../config/secrets';

import { wrapHandledError } from '../utils/create-handled-error';

const authRE = /^\/auth\//;
const confirmEmailRE = /^\/confirm-email$/;
const newsShortLinksRE = /^\/n\/|^\/p\//;
const publicUserRE = /^\/api\/users\/get-public-profile$/;
const publicUsernameRE = /^\/api\/users\/exists$/;
const resubscribeRE = /^\/resubscribe\//;
const showCertRE = /^\/certificate\/showCert\//;
// note: signin may not have a trailing slash
const signinRE = /^\/signin/;
const statusRE = /^\/status\/ping$/;
const unsubscribedRE = /^\/unsubscribed\//;
const unsubscribeRE = /^\/u\/|^\/unsubscribe\/|^\/ue\//;
const updateHooksRE = /^\/hooks\/update-paypal$|^\/hooks\/update-stripe$/;

// note: this would be replaced by webhooks later
const donateRE = /^\/donate\/charge-stripe$/;

const _pathsAllowedREs = [
  authRE,
  confirmEmailRE,
  newsShortLinksRE,
  publicUserRE,
  publicUsernameRE,
  resubscribeRE,
  showCertRE,
  signinRE,
  statusRE,
  unsubscribedRE,
  unsubscribeRE,
  updateHooksRE,
  donateRE
];

export function isAllowedPath(path, pathsAllowedREs = _pathsAllowedREs) {
  return pathsAllowedREs.some(re => re.test(path));
}

export default ({ jwtSecret = _jwtSecret, getUserById = _getUserById } = {}) =>
  function requestAuthorisation(req, res, next) {
    const { path } = req;
    if (!isAllowedPath(path)) {
      const { accessToken, error, jwt } = getAccessTokenFromRequest(
        req,
        jwtSecret
      );
      if (!accessToken && error === errorTypes.noTokenFound) {
        throw wrapHandledError(
          new Error('Access token is required for this request'),
          {
            type: 'info',
            redirect: `${homeLocation}/signin`,
            message: 'Access token is required for this request',
            status: 403
          }
        );
      }
      if (!accessToken && error === errorTypes.invalidToken) {
        throw wrapHandledError(new Error('Access token is invalid'), {
          type: 'info',
          redirect: `${homeLocation}/signin`,
          message: 'Your access token is invalid',
          status: 403
        });
      }
      if (!accessToken && error === errorTypes.expiredToken) {
        throw wrapHandledError(new Error('Access token is no longer valid'), {
          type: 'info',
          redirect: `${homeLocation}/signin`,
          message: 'Access token is no longer valid',
          status: 403
        });
      }
      res.set(authHeaderNS, jwt);
      if (isEmpty(req.user)) {
        const { userId } = accessToken;
        return getUserById(userId)
          .then(user => {
            if (user) {
              req.user = user;
            }
            return;
          })
          .then(next)
          .catch(next);
      } else {
        return Promise.resolve(next());
      }
    }
    return Promise.resolve(next());
  };
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`import { isEmpty } from 'lodash';`
fix: Centralise user deserialization 2019-03-04 21:10:12 +00:00
			`import { getUserById as _getUserById } from '../utils/user-stats';`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`import {`
			`getAccessTokenFromRequest,`
			`errorTypes,`
			`authHeaderNS`
			`} from '../utils/getSetAccessToken';`
chore(server): Move api-server in to it's own DIR 2018-08-31 16:04:04 +01:00			`import { homeLocation } from '../../../config/env';`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`import { jwtSecret as _jwtSecret } from '../../../config/secrets';`
fix(api): Use /internal for API entry 2018-08-29 20:52:41 +01:00
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`import { wrapHandledError } from '../utils/create-handled-error';`

fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const authRE = /^\/auth\//;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const confirmEmailRE = /^\/confirm-email$/;`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const newsShortLinksRE = /^\/n\/\|^\/p\//;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const publicUserRE = /^\/api\/users\/get-public-profile$/;`
			`const publicUsernameRE = /^\/api\/users\/exists$/;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const resubscribeRE = /^\/resubscribe\//;`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const showCertRE = /^\/certificate\/showCert\//;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`// note: signin may not have a trailing slash`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const signinRE = /^\/signin/;`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`const statusRE = /^\/status\/ping$/;`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`const unsubscribedRE = /^\/unsubscribed\//;`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`const unsubscribeRE = /^\/u\/\|^\/unsubscribe\/\|^\/ue\//;`
feat(api): add and update webhooks routing 2020-03-19 12:20:04 +05:30			`const updateHooksRE = /^\/hooks\/update-paypal$\|^\/hooks\/update-stripe$/;`
fix: Allow un-authed loopback api calls 2019-02-15 21:02:38 +00:00
fix(donate): allow calls to the API without auth This is also dependent on 170e3dbf4f65d0592c52e73ba56625c301255149 2020-03-21 01:39:29 +05:30			`// note: this would be replaced by webhooks later`
			`const donateRE = /^\/donate\/charge-stripe$/;`

fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`const _pathsAllowedREs = [`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`authRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`confirmEmailRE,`
feat(donate): PayPal integration 2020-03-13 12:25:57 +03:00			`newsShortLinksRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`publicUserRE,`
			`publicUsernameRE,`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`resubscribeRE,`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`showCertRE,`
			`signinRE,`
fix(api): update routes for authorization bypass (#38387) 2020-03-18 22:35:42 +05:30			`statusRE,`
fix(csrf): remove all csrf bypass 2020-03-06 17:51:58 +01:00			`unsubscribedRE,`
fix(api): add /auth paths to whitelist (#38383) 2020-03-18 17:49:42 +05:30			`unsubscribeRE,`
fix(donate): allow calls to the API without auth This is also dependent on 170e3dbf4f65d0592c52e73ba56625c301255149 2020-03-21 01:39:29 +05:30			`updateHooksRE,`
			`donateRE`
feat(donate): PayPal integration 2020-03-13 12:25:57 +03:00			`];`
fix: Allow un-authed loopback api calls 2019-02-15 21:02:38 +00:00
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`export function isAllowedPath(path, pathsAllowedREs = _pathsAllowedREs) {`
			`return pathsAllowedREs.some(re => re.test(path));`
fix: Allow un-authed loopback api calls 2019-02-15 21:02:38 +00:00			`}`
Feat: News in the client app (#34392) 2018-11-29 12:12:15 +00:00
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`export default ({ jwtSecret = _jwtSecret, getUserById = _getUserById } = {}) =>`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`function requestAuthorisation(req, res, next) {`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`const { path } = req;`
fix: negative sentiment → neutral language (#39522) The existing terminology carries negative sentiment that can be interpreted in a racial or sense. Updating the name to have no potential for such a connection. Co-authored-by: Justin Rogers <justrog@gmail.com> 2020-09-07 11:04:44 +05:30			`if (!isAllowedPath(path)) {`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const { accessToken, error, jwt } = getAccessTokenFromRequest(`
			`req,`
			`jwtSecret`
			`);`
			`if (!accessToken && error === errorTypes.noTokenFound) {`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`throw wrapHandledError(`
			`new Error('Access token is required for this request'),`
			`{`
			`type: 'info',`
			redirect: `${homeLocation}/signin`,
			`message: 'Access token is required for this request',`
			`status: 403`
			`}`
			`);`
			`}`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`if (!accessToken && error === errorTypes.invalidToken) {`
			`throw wrapHandledError(new Error('Access token is invalid'), {`
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`type: 'info',`
fix(api): Use /internal for API entry 2018-08-29 20:52:41 +01:00			redirect: `${homeLocation}/signin`,
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`message: 'Your access token is invalid',`
			`status: 403`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`});`
			`}`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`if (!accessToken && error === errorTypes.expiredToken) {`
cleanup: typos and remove commented out code (#36573) 2019-08-09 21:27:26 +03:00			`throw wrapHandledError(new Error('Access token is no longer valid'), {`
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`type: 'info',`
fix(api): Use /internal for API entry 2018-08-29 20:52:41 +01:00			redirect: `${homeLocation}/signin`,
cleanup: typos and remove commented out code (#36573) 2019-08-09 21:27:26 +03:00			`message: 'Access token is no longer valid',`
feat(auth): Authorise 'external' requests through JWT (#17224) 2018-05-23 21:10:56 +01:00			`status: 403`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`});`
			`}`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`res.set(authHeaderNS, jwt);`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`if (isEmpty(req.user)) {`
feat: Use new (tested) accessToken utils to authoize requests 2019-02-20 23:05:31 +00:00			`const { userId } = accessToken;`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`return getUserById(userId)`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`.then(user => {`
			`if (user) {`
			`req.user = user;`
			`}`
			`return;`
			`})`
			`.then(next)`
			`.catch(next);`
			`} else {`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`return Promise.resolve(next());`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`}`
fix(external): Ensure req.user on verified web token (#17225) 2018-05-24 12:19:51 +01:00			`}`
chore: Add tests for jwt authorization 2019-02-20 18:18:50 +00:00			`return Promise.resolve(next());`
fix(ci): Fix lint errors thrown in CI 2019-02-16 13:51:46 +00:00			`};`