From 69f72dfff1505f2ce6d1c0449a61f867ab78365f Mon Sep 17 00:00:00 2001
From: Fred Boniface
Date: Sat, 8 Jul 2023 18:39:24 +0100
Subject: [PATCH] Return unauthorised at the controller level rather than at middleware level

Signed-off-by: Fred Boniface
---
 app.js                               |  7 ++++---
 src/controllers/ldb.controllers.js   | 17 ++++++++++++-----
 src/controllers/pis.controllers.js   | 26 +++++++++++++++++++++++---
 src/controllers/train.controllers.js | 10 ++++++++++
 src/middlewares/auth.middlewares.js  | 18 ++++++++----------
 5 files changed, 57 insertions(+), 21 deletions(-)

diff --git a/app.js b/app.js
index 301ec24..3a0d875 100644
--- a/app.js
+++ b/app.js
@@ -66,12 +66,13 @@ app.use(cors()); // Allow access from any origin
 app.use(express.json()); //JSON Parsing for POST Requests
 app.use(compression()); // Compress API Data if supported by client
 app.use(limiter);
+app.use(authenticate);
 
 // 2023 Rationalisation Routes (/api/v2, /misc)
-app.use('/api/v2/pis', authenticate, pis2Rtr); // API Version 2
-app.use('/api/v2/live',authenticate, live2Rtr); // API Version 2
+app.use('/api/v2/pis', pis2Rtr); // API Version 2
+app.use('/api/v2/live', live2Rtr); // API Version 2
 app.use('/api/v2/ref', ref2Rtr); // API Version 2
-app.use('/api/v2/timetable', authenticate, tt2Rtr); // API Version 2
+app.use('/api/v2/timetable', tt2Rtr); // API Version 2
 app.use('/api/v2/user', user2Rtr); // API Version 2
 app.use('/misc', miscRtr); // Non public-api endpoints (Stats, Issue, etc.)
 
diff --git a/src/controllers/ldb.controllers.js b/src/controllers/ldb.controllers.js
index 3d37540..2a3962c 100644
--- a/src/controllers/ldb.controllers.js
+++ b/src/controllers/ldb.controllers.js
@@ -12,6 +12,11 @@ async function get(req, res, next){ // API v1 only
 }
 
 async function getTrain(req, res, next) { // API v2 Only
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    throw err;
+  }
   let type = req.params.searchType;
   let id = req.params.id;
   try {
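Review bot: With `authenticate` now mounted globally and removed from the `/api/v2/live` and `/api/v2/timetable` mounts, the protection of those routes rests entirely on every handler inside `live2Rtr` and `tt2Rtr` checking `req.isAuthed`; those router files are not part of this patch, so the diff alone cannot confirm that each route they mount does so. The same middleware now also runs on `/api/v2/ref`, `/api/v2/user` and `/misc`, which previously had no authentication step at all. A comment next to the new line, `app.use(authenticate); // only sets req.isAuthed — each protected handler must return 401 itself`, would make the new contract visible to anyone adding a route later.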
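Review bot: The added `throw err;` in `getTrain` sits before the `try`, inside an `async` function, so it becomes a rejected promise rather than a synchronous exception; if this is Express 4 (the version is not on the page), the framework does not forward that rejection to the error handler, and an unauthenticated request gets an unhandled rejection and a hanging response instead of a 401. Replacing the line with `return next(err);`, as `byStartEndCRS`, `byCode` and `random` in pis.controllers.js already do in this patch, routes the 401 through the error middleware. The same pattern is added to `byOrigDest` in pis.controllers.js and to `getByHeadcodeToday` and `get` in train.controllers.js and needs the same change. The body of `getTrain` continues past the end of this hunk.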
@@ -25,12 +30,11 @@ async function getTrain(req, res, next) { // API v2 Only
       res.json(await ldb.getServicesByOther(id));
       break;
     default:
-      res.status(404);
-      res.json({status: 'error', message:'Invalid search type'});
+      res.status(400).json({status: 'error', message:'Invalid search type'});
     }
   } catch (err) {
-    console.error('Unknown Error', err.message);
     err.status = 500;
+    console.error('Unknown Error', err.message);
     next(err);
   }
 }
@@ -40,11 +44,14 @@ async function getStation(req, res, next) { // API v2 Only
   let id = req.params.id;
   try {
     if (type == 'staff') {
+      if (!req.isAuthed) {
+        const err = new Error('Unauthorized');
+        err.status = 401;
+        throw err;
+      }
       res.json(await ldb.get(id, true));
-      next();
     } else {
       res.json(await ldb.get(id, false));
-      next();
     }
   } catch (err) {
     console.error('Unknown Error', err.message);
diff --git a/src/controllers/pis.controllers.js b/src/controllers/pis.controllers.js
index 3ca125b..b29e6dc 100644
--- a/src/controllers/pis.controllers.js
+++ b/src/controllers/pis.controllers.js
@@ -1,6 +1,11 @@
 const pis = require('../services/pis.services');
 
 async function byOrigDest(req, res, next){
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    throw err;
+  }
   try {
     let start = req.params.start;
     let end = req.params.end;
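Review bot: The 401 added to `getStation` is thrown inside the `try`, so it is caught by the function's own `catch` rather than reaching the error middleware as a 401; if that catch assigns `err.status = 500` the way `getTrain`'s does in the hunk above, an unauthenticated staff lookup is reported as a 500 and logged as 'Unknown Error'. Placing the check before the `try`, and using `return next(err);` instead of `throw err;`, keeps the status intact and avoids relying on the framework catching a rejection from an async handler. The `catch` body runs past the end of this hunk, so whether it overwrites the status cannot be confirmed from the diff.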
@@ -13,33 +18,48 @@ async function byOrigDest(req, res, next){
 
 /* Used in /api/v2 */
 async function byStartEndCRS(req, res, next){
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    return next(err);
+  }
   try {
     let startCrs = req.params.startCrs;
     let endCrs = req.params.endCrs;
     res.json(await pis.findPisByOrigDest(startCrs,endCrs));
   } catch (err) {
     console.error('Unknown Error', err.message);
-    next(err);
+    return next(err);
   }
 }
 
 /* Used in /api/v2 */
 async function byCode(req, res, next){
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    return next(err);
+  }
   try {
     let code = req.params.code;
     res.json(await pis.findPisByCode(code));
   } catch (err) {
     console.error('Unknown Error', err.message);
-    next(err);
+    return next(err);
   }
 }
 
 async function random(req, res, next){
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    return next(err);
+  }
   try {
     res.json(await pis.findRandom());
   } catch (err) {
     console.error('Unknown Error', err.message);
-    next(err);
+    return next(err);
   }
 }
 
diff --git a/src/controllers/train.controllers.js b/src/controllers/train.controllers.js
index 5cfef33..b258751 100644
--- a/src/controllers/train.controllers.js
+++ b/src/controllers/train.controllers.js
@@ -1,6 +1,11 @@
 const train = require('../services/trainService.services');
 
 async function getByHeadcodeToday(req, res, next){
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    throw err;
+  }
   try {
     var searchHeadcode = req.params.id;
     res.json(await train.findByHeadcodeToday(searchHeadcode));
@@ -12,6 +17,11 @@ async function getByHeadcodeToday(req, res, next){
 }
 
 async function get(req, res, next) {
+  if (!req.isAuthed) {
+    const err = new Error('Unauthorized');
+    err.status = 401;
+    throw err;
+  }
   let date = req.params.date;
   let searchType = req.params.searchType;
   let id = req.params.id;
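Review bot: The same five-line `if (!req.isAuthed) { … return next(err); }` prologue is now pasted verbatim into `byStartEndCRS`, `byCode` and `random` here, and again (with `throw` in place of `next`) in `byOrigDest` above and in both train.controllers.js handlers, so the status code, message and even the dispatch mechanism already differ between copies. A single `requireAuth(req, res, next)` middleware, `if (req.isAuthed) return next(); const err = new Error('Unauthorized'); err.status = 401; return next(err);`, mounted on each protected route would keep the rejection in one place and make an unprotected route visible in the router file rather than buried in a handler body. The `return next(err)` form used in this hunk is the right one; the `throw` copies should be aligned with it.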
diff --git a/src/middlewares/auth.middlewares.js b/src/middlewares/auth.middlewares.js
index 37955ec..a37fe94 100644
--- a/src/middlewares/auth.middlewares.js
+++ b/src/middlewares/auth.middlewares.js
@@ -6,25 +6,23 @@ module.exports = async function authCheck(req, res, next) {
   try {
     var uuid = req.headers.uuid;
   } catch(err) {
-    log.out('authMiddlewares: No authentication attempted', 'dbug');
-    err.status = 401;
-    return next(err);
+    log.out('authMiddlewares: User !isAuthed', 'dbug');
+    req.isAuthed = false;
+    return next();
   }
   try {
     var result = await utils.isAuthed(uuid) || false;
     if (!result) {
       req.isAuthed = false;
-      const err = new Error('Unauthorised');
-      err.status = 401;
-      log.out('authMiddlewares: Authentication attempted with incorrect key',
+      log.out('authMiddlewares: User !isAuthed',
         'warn');
-      return next(err);
     } else {
       req.isAuthed = true;
-      log.out('authMiddlewares: User authenticated', 'dbug');
-      return next();
+      log.out('authMiddlewares: User isAuthed', 'dbug');
     }
+    return next();
   } catch(err) {
-    return next(err);
+    req.isAuthed = false;
+    return next();
   }
 };
\ No newline at end of file
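Review bot: The rewritten final `catch` turns any failure of `utils.isAuthed` — a backend outage as much as a bad key — into `req.isAuthed = false` and continues with `return next()` without recording anything, so an outage that silently demotes every caller to anonymous leaves no trace in the logs; `log.out` is already in scope, so add `log.out(\`authMiddlewares: isAuthed lookup failed: ${err.message}\`, 'warn');` before that `return next();`. The first `try { var uuid = req.headers.uuid; } catch` block can never take its catch branch, since reading a header property does not throw, so a request with no `uuid` header proceeds to `utils.isAuthed(undefined)` rather than the "no authentication attempted" path; an explicit `if (req.headers.uuid == null) { req.isAuthed = false; return next(); }` would make that path real. Since the middleware no longer rejects anything, authorisation is now fail-open and every handler must opt in by checking `req.isAuthed`, which is worth stating in a comment on `authCheck` (its signature is above this hunk).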