Authentication middleware complete for requests with an authroization header

src/controllers/middleware/auth.js

@@ -0,0 +1,28 @@
+import {MiddleWare} from './index';
+import {API} from '../../models/api/API';
+import {Logger} from '../../models/logger'
+import {AuthModel} from '../../models/auth/authModel';
+
+export class AuthMiddleWare extends MiddleWare {
+    static async authUser(req, res, next) {
+        let errors = new API.errors(res);
+
+        if (!req.headers.authorization) {
+            errors.addError(403, 'Forbidden', 'You cannot access this resource without authorization');
+            errors.endpoint();
+            return;
+        }
+        
+        let token = req.headers.authorization;
+        let user = await AuthModel.getUserFromToken(token);
+        if (user == -1) {
+            errors.addError(403, 'Forbidden', 'You cannot access this resource without authorization');
+            errors.endpoint();
+            return;
+        }
+        
+        req.user = user;
+
+        next();
+    }
+}

src/controllers/middleware/index.js

@@ -20,3 +20,4 @@ export class MiddleWare {
 }
 
 MiddleWare.RateLimits = require('./rateLimits').RateLimits;
+MiddleWare.Auth = require('./auth').AuthMiddleWare;

src/controllers/routes/router.js

@@ -14,25 +14,26 @@ export class Router {
 
         app.get('/', [MiddleWare.RateLimits.request, Router.frontPage]);
         
-        // app.get('/user/:id', [MiddleWare.RateLimits.request]);
-        // app.delete('/user/:id', [MiddleWare.RateLimits.request]);
         app.post('/user', [MiddleWare.RateLimits.request, Controllers.UserController.newUser]);
         app.post('/login', [MiddleWare.RateLimits.request, Controllers.LoginController.authenticate]);
+        
+        app.get('/auth/user/:id', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
+        app.delete('/auth/user/:id', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
 
         app.post('/unauth/permanote', [MiddleWare.RateLimits.request, Controllers.PermaLinkController.unauthentacatedPermaLink]);
         app.get('/note/:endpoint', [MiddleWare.RateLimits.request, Controllers.PermaLinkController.getNote]);
 
-        app.post('/auth/note'); // Passes through auth middleware which if authenticated passes user obj and token to the note handling function for it to deal with
-        app.post('/aith/group');
+        app.post('/auth/note', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]); // Passes through auth middleware which if authenticated passes user obj and token to the note handling function for it to deal with
+        app.post('/aith/group', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
         
-        app.get('/auth/getallnotes');
-        app.get('/auth/getallgroups');
+        app.get('/auth/getallnotes', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
+        app.get('/auth/getallgroups', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
 
-        app.post('/auth/movenote');
-        app.post('/auth/movegroup');
+        app.post('/auth/movenote', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
+        app.post('/auth/movegroup', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
 
-        app.delete('/auth/deletenote');
-        app.delete('/auth/deletegroup');
+        app.delete('/auth/deletenote', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
+        app.delete('/auth/deletegroup', [MiddleWare.RateLimits.request, MiddleWare.Auth.authUser]);
 
         app.get('*', [MiddleWare.RateLimits.request, StatusCodes.pageNotFound]);
         Logger.info('HTTP endpoints settup');

src/models/auth/authModel.js

@@ -0,0 +1,8 @@
+import {Database} from '../database/database';
+
+export class AuthModel {
+    static async getUserFromToken(token) {
+        let id = await Database.auth.getIDByToken(token);
+        return await Database.users.getUserByID(id.id);
+    }
+}