diff --git a/api/auth.ts b/api/auth.ts
index 493f7c52..c1620c16 100644
--- a/api/auth.ts
+++ b/api/auth.ts
@@ -3,9 +3,10 @@ import * as fs from 'fs';
 import * as jwt from 'jsonwebtoken';
 import * as config from './config';
-const pubkey = fs.readFileSync(__dirname + '/auth.pub', 'ascii').trim();
+const pubkey = config.authentication ? fs.readFileSync(__dirname + '/auth.pub', 'ascii').trim() : null;
 const ezbidsPrivateKey = fs.readFileSync(`${__dirname}/ezbids.key`, 'ascii').trim();
 const ezbidsPublicKey = fs.readFileSync(`${__dirname}/ezbids.pub`, 'ascii').trim();
+
 export const validateWithJWTConfig = (options?: Params) => {
 if (config.authentication) {
 return expressjwt({
@@ -15,9 +16,10 @@ export const validateWithJWTConfig = (options?: Params) => {
 });
 } else {
 return (req: any, res: any, next: any) => {
- req.user = {
+ req.auth = {
 sub: 0,
 };
+ next();
 };
 }
diff --git a/api/controllers.ts b/api/controllers.ts
index b178493a..8d4cc9ab 100644
--- a/api/controllers.ts
+++ b/api/controllers.ts
@@ -100,10 +100,9 @@ router.get('/health', (req, res) => {
 * Session: $ref: '#/components/schemas/Session'
 */
 router.post('/session', validateWithJWTConfig(), (req: Request, res: express.Response, next) => {
- if (!req.auth.sub) res.sendStatus(HTTP_STATUS.BAD_REQUEST);
-
 req.body.status = 'created';
 req.body.request_headers = req.headers;
+
 const session = new models.Session({
 ...req.body,
 ownerId: req.auth.sub,
diff --git a/api/controllers.utils.ts b/api/controllers.utils.ts
index 3e2a3d26..c1ce462b 100644
--- a/api/controllers.utils.ts
+++ b/api/controllers.utils.ts
@@ -2,6 +2,7 @@ import { NextFunction, Response } from 'express';
 import { Request } from 'express-jwt';
 import { ISession, Session } from './models';
 import { Types, Document } from 'mongoose';
+import * as config from './config';
 export enum HTTP_STATUS {
 OK = 200,
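Review bot: The new `pubkey` initializer is the only one of the three key reads that is conditional and the reason is not stated, so it deserves a comment: `// auth.pub is only needed when authentication is enabled; skip the read so unauthenticated deployments start without the file.` Under strictNullChecks the constant is now `string | null`, and if, as the surrounding code suggests, it is passed to `expressjwt({` as the verification secret (that call continues outside this hunk), the module-level `if (config.authentication)` guard cannot narrow it, so confirm the file still type-checks or handle the null explicitly at the use site.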
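Review bot: The no-authentication stub now calls `next()` and stamps every request with `req.auth = { sub: 0 }`, which downstream code treats as the anonymous identity; that contract is implicit and should be written above the returned arrow function: `// No authentication configured: every request runs as subject 0 and passes through unchecked.` Note that `0` is falsy, so any caller that tests `!req.auth.sub` will reject these requests, which is exactly what the guard removed from controllers.ts in this commit did. The `any`-typed `(req, res, next)` signature hides the shape being written to `req.auth`; prefer the express request/response types if this file imports them. The enclosing `validateWithJWTConfig` ends outside the hunk.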
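Review bot: Dropping the `!req.auth.sub` guard leaves `POST /session` with no check that the verified token actually carries a subject: when authentication is enabled, a JWT without a `sub` claim (unless the expressjwt options outside this hunk reject such tokens) now creates a session whose `ownerId` is `undefined`, which no user can later claim as owner. The old line was itself broken, since it sent a 400 and then fell through to create the session anyway, but the guard should be repaired rather than removed; `if (req.auth?.sub === undefined) return res.sendStatus(HTTP_STATUS.BAD_REQUEST);` keeps working in no-auth mode, where the stub sets `sub: 0`. The handler continues past the end of the hunk.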
@@ -28,24 +29,30 @@ export const validateUserCanAccessSession = (onlyOwnerCanAccess: boolean) => {
 const sessionId = req.params.session_id;
 const userId = req.auth.sub as unknown as number;
- if (!sessionId || !userId) {
- return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No sessionId or userId found' });
+ if (!sessionId) {
+ return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No sessionId found' });
+ }
+
+ if (config.authentication && !userId) {
+ return res.status(HTTP_STATUS.BAD_REQUEST).json({ err: 'No userId found' });
 }
 return Session.findById(sessionId)
 .then((session) => {
 if (!session)
 return res
- .status(HTTP_STATUS.BAD_REQUEST)
+ .status(HTTP_STATUS.NOT_FOUND)
 .json({ err: 'Could not find session with ID: ' + sessionId });
- const isOwner = userId === (session.ownerId || '');
- const isInAllowedUserList = session.allowedUsers.some((allowedUser) => allowedUser === userId);
+ if (config.authentication) {
+ const isOwner = userId === (session.ownerId || '');
+ const isInAllowedUserList = session.allowedUsers.some((allowedUser) => allowedUser === userId);
- if (onlyOwnerCanAccess && !isOwner) {
- return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
- } else if (!onlyOwnerCanAccess && !isOwner && !isInAllowedUserList) {
- return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+ if (onlyOwnerCanAccess && !isOwner) {
+ return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+ } else if (!onlyOwnerCanAccess && !isOwner && !isInAllowedUserList) {
+ return res.status(HTTP_STATUS.UNAUTHORIZED).json({ err: 'unauthorized' });
+ }
 }
 req.ezBIDS = {
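Review bot: When `config.authentication` is false the whole owner/allowed-user block is skipped, so in unauthenticated deployments possession of a session ID is the only thing gating access and `onlyOwnerCanAccess` is not enforced at all; that is presumably intended, but it should be stated at the new `if (config.authentication) {` so nobody later relies on it in that mode: `// Without authentication there is no identity to check; anyone holding the session ID may access it.` Separately, answering a missing session with NOT_FOUND while an existing session the caller may not touch still answers UNAUTHORIZED lets any authenticated caller learn whether an arbitrary session ID exists; if that matters, return the same status and message for both cases. A known user who merely lacks rights is also a 403 rather than 401 condition, though HTTP_STATUS may not define a FORBIDDEN member. The enclosing middleware continues past `req.ezBIDS = {` outside the hunk.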