fix: req field for auth, logic to allow access to project

api/auth.ts

@@ -3,9 +3,10 @@ import * as fs from 'fs';
 import * as jwt from 'jsonwebtoken';
 import * as config from './config';
 
-const pubkey = fs.readFileSync(__dirname + '/auth.pub', 'ascii').trim();
+const pubkey = config.authentication ? fs.readFileSync(__dirname + '/auth.pub', 'ascii').trim() : null;
 const ezbidsPrivateKey = fs.readFileSync(`${__dirname}/ezbids.key`, 'ascii').trim();
 const ezbidsPublicKey = fs.readFileSync(`${__dirname}/ezbids.pub`, 'ascii').trim();
+
 export const validateWithJWTConfig = (options?: Params) => {
     if (config.authentication) {
         return expressjwt({
@@ -15,9 +16,10 @@ export const validateWithJWTConfig = (options?: Params) => {
         });
     } else {
         return (req: any, res: any, next: any) => {
-            req.user = {
+            req.auth = {
                 sub: 0,
             };
+
             next();
         };
     }

api/controllers.ts

@@ -100,10 +100,9 @@ router.get('/health', (req, res) => {
  *    Session: $ref: '#/components/schemas/Session'
  */
 router.post('/session', validateWithJWTConfig(), (req: Request, res: express.Response, next) => {
-    if (!req.auth.sub) res.sendStatus(HTTP_STATUS.BAD_REQUEST);
-
     req.body.status = 'created';
     req.body.request_headers = req.headers;
+
     const session = new models.Session({
         ...req.body,
         ownerId: req.auth.sub,

api/controllers.utils.ts

@@ -2,6 +2,7 @@ import { NextFunction, Response } from 'express';
 import { Request } from 'express-jwt';
 import { ISession, Session } from './models';
 import { Types, Document } from 'mongoose';
+import * as config from './config';
 
 export enum HTTP_STATUS {
     OK = 200,
@@ -28,24 +29,30 @@ export const validateUserCanAccessSession = (onlyOwnerCanAccess: boolean) => {
         const sessionId = req.params.session_id;
         const userId = req.auth.sub as unknown as number;
 
-        if (!sessionId || !userId) {
-            return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No sessionId or userId found' });
+        if (!sessionId) {
+            return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No sessionId found' });
+        }
+
+        if (config.authentication && !userId) {
+            return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No userId found' });
         }
 
         return Session.findById(sessionId)
             .then((session) => {
                 if (!session)
                     return res
-                        .status(HTTP_STATUS.BAD_REQUEST)
+                        .status(HTTP_STATUS.NOT_FOUND)
                         .json({ err: 'Could not find session with ID: ' + sessionId });
 
-                const isOwner = userId === (session.ownerId || '');
-                const isInAllowedUserList = session.allowedUsers.some((allowedUser) => allowedUser === userId);
+                if (config.authentication) {
+                    const isOwner = userId === (session.ownerId || '');
+                    const isInAllowedUserList = session.allowedUsers.some((allowedUser) => allowedUser === userId);
 
-                if (onlyOwnerCanAccess && !isOwner) {
-                    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
-                } else if (!onlyOwnerCanAccess && !isOwner && !isInAllowedUserList) {
-                    return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+                    if (onlyOwnerCanAccess && !isOwner) {
+                        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+                    } else if (!onlyOwnerCanAccess && !isOwner && !isInAllowedUserList) {
+                        return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+                    }
                 }
 
                 req.ezBIDS = {