pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-02-18 02:46:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

rename super user to admin and middleware refactoring

Browse Source
This commit is contained in:
Milo Schwartz
2024-11-05 22:38:57 -05:00
parent 7b755a273c
commit 03051878ef
26 changed files with 790 additions and 529 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/routers/auth/index.ts
View File

@@ -11,7 +11,7 @@ export * from "./verifyResourceAccess";
export * from "./verifyTargetAccess";
export * from "./verifyRoleAccess";
export * from "./verifyUserAccess";
export * from "./verifySuperUser";
export * from "./verifyAdmin";
export * from "./verifyEmail";
export * from "./requestEmailVerificationCode";
export * from "./changePassword";

63
server/routers/auth/verifyAdmin.ts Normal file
View File

@@ -0,0 +1,63 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { roles, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyAdmin(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user?.userId;
const orgId = req.userOrgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User does not have orgId")
);
}
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (!userOrg) {
const userOrgRes = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId!)))
.limit(1);
userOrg = userOrgRes[0];
}
if (!userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
const userRole = await db
.select()
.from(roles)
.where(eq(roles.roleId, userOrg.roleId))
.limit(1);
if (userRole.length === 0 || !userRole[0].isAdmin) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have Admin access"
)
);
}
return next();
}

54
server/routers/auth/verifyOrgAccess.ts
View File

@@ -4,15 +4,15 @@ import { userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import { AuthenticatedRequest } from "@server/types/Auth";
export function verifyOrgAccess(
export async function verifyOrgAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const userId = req.user!.userId;
const orgId = req.params.orgId;
let userOrg = req.userOrg;
if (!userId) {
return next(
@@ -26,30 +26,36 @@ export function verifyOrgAccess(
);
}
db.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
.then((result) => {
if (result.length === 0) {
next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
try {
if (!userOrg) {
const userOrgRes = await db
.select()
.from(userOrgs)
.where(
and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId))
);
} else {
// User has access, attach the user's role to the request for potential future use
req.userOrgRoleId = result[0].roleId;
req.userOrgId = orgId;
next();
}
})
.catch((error) => {
userOrg = userOrgRes[0];
}
if (!userOrg) {
next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying organization access"
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
});
} else {
// User has access, attach the user's role to the request for potential future use
req.userOrgRoleId = userOrg.roleId;
req.userOrgId = orgId;
return next();
}
} catch (e) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying organization access"
)
);
}
}

115
server/routers/auth/verifyResourceAccess.ts
View File

@@ -1,49 +1,85 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { resources, userOrgs, userResources, roleResources } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import {
resources,
userOrgs,
userResources,
roleResources,
} from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyResourceAccess(req: Request, res: Response, next: NextFunction) {
const userId = req.user!.userId; // Assuming you have user information in the request
const resourceId = req.params.resourceId || req.body.resourceId || req.query.resourceId;
export async function verifyResourceAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId;
const resourceId =
req.params.resourceId || req.body.resourceId || req.query.resourceId;
let userOrg = req.userOrg;
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
try {
// Get the resource
const resource = await db.select()
const resource = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId))
.limit(1);
if (resource.length === 0) {
return next(createHttpError(HttpCode.NOT_FOUND, `Resource with ID ${resourceId} not found`));
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Resource with ID ${resourceId} not found`
)
);
}
if (!resource[0].orgId) {
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, `Resource with ID ${resourceId} does not have an organization ID`));
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Resource with ID ${resourceId} does not have an organization ID`
)
);
}
// Get user's role ID in the organization
const userOrgRole = await db.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
.limit(1);
if (userOrgRole.length === 0) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
if (!userOrg) {
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, resource[0].orgId)
)
)
.limit(1);
userOrg = userOrgRole[0];
}
const userOrgRoleId = userOrgRole[0].roleId;
if (!userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
const userOrgRoleId = userOrg.roleId;
req.userOrgRoleId = userOrgRoleId;
req.userOrgId = resource[0].orgId;
// Check role-based resource access first
const roleResourceAccess = await db.select()
const roleResourceAccess = await db
.select()
.from(roleResources)
.where(
and(
@@ -54,25 +90,36 @@ export async function verifyResourceAccess(req: Request, res: Response, next: Ne
.limit(1);
if (roleResourceAccess.length > 0) {
// User's role has access to the resource
return next();
}
// If role doesn't have access, check user-specific resource access
const userResourceAccess = await db.select()
const userResourceAccess = await db
.select()
.from(userResources)
.where(and(eq(userResources.userId, userId), eq(userResources.resourceId, resourceId)))
.where(
and(
eq(userResources.userId, userId),
eq(userResources.resourceId, resourceId)
)
)
.limit(1);
if (userResourceAccess.length > 0) {
// User has direct access to the resource
return next();
}
// If we reach here, the user doesn't have access to the resource
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this resource'));
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this resource"
)
);
} catch (error) {
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying resource access'));
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying resource access"
)
);
}
}

86
server/routers/auth/verifyRoleAccess.ts
View File

@@ -1,50 +1,82 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { roles, userOrgs } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import logger from '@server/logger';
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { roles, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import logger from "@server/logger";
export async function verifyRoleAccess(req: Request, res: Response, next: NextFunction) {
const userId = req.user?.userId; // Assuming you have user information in the request
const roleId = parseInt(req.params.roleId || req.body.roleId || req.query.roleId);
export async function verifyRoleAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user?.userId;
const roleId = parseInt(
req.params.roleId || req.body.roleId || req.query.roleId
);
let userOrg = req.userOrg;
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (isNaN(roleId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid role ID'));
return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID"));
}
try {
// Check if the role exists and belongs to the specified organization
const role = await db.select()
const role = await db
.select()
.from(roles)
.where(eq(roles.roleId, roleId))
.limit(1);
if (role.length === 0) {
return next(createHttpError(HttpCode.NOT_FOUND, `Role with ID ${roleId} not found`));
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Role with ID ${roleId} not found`
)
);
}
// Check if the user has a role in the organization
const userOrgRole = await db.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role[0].orgId!)))
.limit(1);
if (userOrgRole.length === 0) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
if (!userOrg) {
const userOrgRole = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, role[0].orgId!)
)
)
.limit(1);
userOrg = userOrgRole[0];
}
req.userOrgRoleId = userOrgRole[0].roleId;
req.userOrgId = userOrgRole[0].orgId;
if (!userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
req.userOrgRoleId = userOrg.roleId;
req.userOrgId = userOrg.orgId;
return next();
} catch (error) {
logger.error('Error verifying role access:', error);
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying role access'));
logger.error("Error verifying role access:", error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying role access"
)
);
}
}

96
server/routers/auth/verifySiteAccess.ts
View File

@@ -1,42 +1,81 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { sites, userOrgs, userSites, roleSites, roles } from '@server/db/schema';
import { and, eq, or } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import {
sites,
userOrgs,
userSites,
roleSites,
roles,
} from "@server/db/schema";
import { and, eq, or } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifySiteAccess(req: Request, res: Response, next: NextFunction) {
export async function verifySiteAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const siteId = parseInt(req.params.siteId || req.body.siteId || req.query.siteId);
const siteId = parseInt(
req.params.siteId || req.body.siteId || req.query.siteId
);
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (isNaN(siteId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid site ID'));
return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid site ID"));
}
try {
// Get the site
const site = await db.select().from(sites).where(eq(sites.siteId, siteId)).limit(1);
const site = await db
.select()
.from(sites)
.where(eq(sites.siteId, siteId))
.limit(1);
if (site.length === 0) {
return next(createHttpError(HttpCode.NOT_FOUND, `Site with ID ${siteId} not found`));
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Site with ID ${siteId} not found`
)
);
}
if (!site[0].orgId) {
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, `Site with ID ${siteId} does not have an organization ID`));
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`Site with ID ${siteId} does not have an organization ID`
)
);
}
// Get user's role ID in the organization
const userOrgRole = await db.select()
const userOrgRole = await db
.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, site[0].orgId)))
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, site[0].orgId)
)
)
.limit(1);
if (userOrgRole.length === 0) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
const userOrgRoleId = userOrgRole[0].roleId;
@@ -44,7 +83,8 @@ export async function verifySiteAccess(req: Request, res: Response, next: NextFu
req.userOrgId = site[0].orgId;
// Check role-based site access first
const roleSiteAccess = await db.select()
const roleSiteAccess = await db
.select()
.from(roleSites)
.where(
and(
@@ -60,9 +100,12 @@ export async function verifySiteAccess(req: Request, res: Response, next: NextFu
}
// If role doesn't have access, check user-specific site access
const userSiteAccess = await db.select()
const userSiteAccess = await db
.select()
.from(userSites)
.where(and(eq(userSites.userId, userId), eq(userSites.siteId, siteId)))
.where(
and(eq(userSites.userId, userId), eq(userSites.siteId, siteId))
)
.limit(1);
if (userSiteAccess.length > 0) {
@@ -71,9 +114,18 @@ export async function verifySiteAccess(req: Request, res: Response, next: NextFu
}
// If we reach here, the user doesn't have access to the site
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this site'));
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this site"
)
);
} catch (error) {
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying site access'));
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying site access"
)
);
}
}

48
server/routers/auth/verifySuperuser.ts
View File

@@ -1,48 +0,0 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { roles, userOrgs } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import logger from '@server/logger';
export async function verifySuperUser(req: Request, res: Response, next: NextFunction) {
const userId = req.user?.userId; // Assuming you have user information in the request
const orgId = req.userOrgId;
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User does not have orgId'));
}
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
}
try {
// Check if the user has a role in the organization
const userOrgRole = await db.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId!)))
.limit(1);
if (userOrgRole.length === 0) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
}
// get userOrgRole[0].roleId
// Check if the user's role in the organization is a Super User role
const userRole = await db.select()
.from(roles)
.where(eq(roles.roleId, userOrgRole[0].roleId))
.limit(1);
if (userRole.length === 0 || !userRole[0].isSuperUserRole) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have Super User access'));
}
return next();
} catch (error) {
logger.error('Error verifying role access:', error);
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying role access'));
}
}

113
server/routers/auth/verifyTargetAccess.ts
View File

@@ -1,23 +1,33 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { resources, targets, userOrgs } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { resources, targets, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
export async function verifyTargetAccess(req: Request, res: Response, next: NextFunction) {
const userId = req.user!.userId; // Assuming you have user information in the request
export async function verifyTargetAccess(
req: Request,
res: Response,
next: NextFunction
) {
const userId = req.user!.userId;
const targetId = parseInt(req.params.targetId);
let userOrg = req.userOrg;
if (!userId) {
return next(createHttpError(HttpCode.UNAUTHORIZED, 'User not authenticated'));
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
);
}
if (isNaN(targetId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid organization ID'));
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
);
}
const target = await db.select()
const target = await db
.select()
.from(targets)
.where(eq(targets.targetId, targetId))
.limit(1);
@@ -42,43 +52,62 @@ export async function verifyTargetAccess(req: Request, res: Response, next: Next
);
}
const resource = await db.select()
.from(resources)
.where(eq(resources.resourceId, resourceId!))
.limit(1);
try {
const resource = await db
.select()
.from(resources)
.where(eq(resources.resourceId, resourceId!))
.limit(1);
if (resource.length === 0) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`resource with ID ${resourceId} not found`
)
);
}
if (resource.length === 0) {
return next(
createHttpError(
HttpCode.NOT_FOUND,
`Resource with ID ${resourceId} not found`
)
);
}
if (!resource[0].orgId) {
if (!resource[0].orgId) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`resource with ID ${resourceId} does not have an organization ID`
)
);
}
if (!userOrg) {
const res = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, userId),
eq(userOrgs.orgId, resource[0].orgId)
)
);
userOrg = res[0];
}
if (!userOrg) {
next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
} else {
req.userOrgRoleId = userOrg.roleId;
req.userOrgId = resource[0].orgId!;
next();
}
} catch (e) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
`resource with ID ${resourceId} does not have an organization ID`
"Error verifying organization access"
)
);
}
db.select()
.from(userOrgs)
.where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, resource[0].orgId)))
.then((result) => {
if (result.length === 0) {
next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
} else {
// User has access, attach the user's role to the request for potential future use
req.userOrgRoleId = result[0].roleId;
req.userOrgId = resource[0].orgId!;
next();
}
})
.catch((error) => {
next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying organization access'));
});
}

24
server/routers/auth/verifyTotp.ts
View File

@@ -25,7 +25,7 @@ export type VerifyTotpResponse = {
export async function verifyTotp(
req: Request,
res: Response,
next: NextFunction,
next: NextFunction
): Promise<any> {
const parsedBody = verifyTotpBody.safeParse(req.body);
@@ -33,8 +33,8 @@ export async function verifyTotp(
return next(
createHttpError(
HttpCode.BAD_REQUEST,
fromError(parsedBody.error).toString(),
),
fromError(parsedBody.error).toString()
)
);
}
@@ -46,8 +46,8 @@ export async function verifyTotp(
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"Two-factor authentication is already enabled",
),
"Two-factor authentication is already enabled"
)
);
}
@@ -55,13 +55,17 @@ export async function verifyTotp(
return next(
createHttpError(
HttpCode.BAD_REQUEST,
"User has not requested two-factor authentication",
),
"User has not requested two-factor authentication"
)
);
}
try {
const valid = await verifyTotpCode(code, user.twoFactorSecret, user.userId);
const valid = await verifyTotpCode(
code,
user.twoFactorSecret,
user.userId
);
let codes;
if (valid) {
@@ -101,8 +105,8 @@ export async function verifyTotp(
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to verify two-factor authentication code",
),
"Failed to verify two-factor authentication code"
)
);
}
}

35
server/routers/auth/verifyUserAccess.ts
View File

@@ -1,12 +1,6 @@
import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import {
sites,
userOrgs,
userSites,
roleSites,
roles,
} from "@server/db/schema";
import { userOrgs } from "@server/db/schema";
import { and, eq, or } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
@@ -16,9 +10,11 @@ export async function verifyUserAccess(
res: Response,
next: NextFunction
) {
const userId = req.user!.userId; // Assuming you have user information in the request
const userId = req.user!.userId;
const reqUserId = req.params.userId || req.body.userId || req.query.userId;
let userOrg = req.userOrg;
if (!userId) {
return next(
createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
@@ -30,18 +26,21 @@ export async function verifyUserAccess(
}
try {
const userOrg = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, reqUserId),
eq(userOrgs.orgId, req.userOrgId!)
if (!userOrg) {
const res = await db
.select()
.from(userOrgs)
.where(
and(
eq(userOrgs.userId, reqUserId),
eq(userOrgs.orgId, req.userOrgId!)
)
)
)
.limit(1);
.limit(1);
userOrg = res[0];
}
if (userOrg.length === 0) {
if (userOrg) {
return next(
createHttpError(
HttpCode.FORBIDDEN,

50
server/routers/auth/verifyUserInRole.ts
View File

@@ -1,31 +1,51 @@
import { Request, Response, NextFunction } from 'express';
import { db } from '@server/db';
import { roles, userOrgs } from '@server/db/schema';
import { and, eq } from 'drizzle-orm';
import createHttpError from 'http-errors';
import HttpCode from '@server/types/HttpCode';
import logger from '@server/logger';
import { Request, Response, NextFunction } from "express";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import logger from "@server/logger";
export async function verifyUserInRole(req: Request, res: Response, next: NextFunction) {
export async function verifyUserInRole(
req: Request,
res: Response,
next: NextFunction
) {
try {
const roleId = parseInt(req.params.roleId || req.body.roleId || req.query.roleId);
const roleId = parseInt(
req.params.roleId || req.body.roleId || req.query.roleId
);
const userRoleId = req.userOrgRoleId;
if (isNaN(roleId)) {
return next(createHttpError(HttpCode.BAD_REQUEST, 'Invalid role ID'));
return next(
createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
);
}
if (!userRoleId) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this organization'));
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this organization"
)
);
}
if (userRoleId !== roleId) {
return next(createHttpError(HttpCode.FORBIDDEN, 'User does not have access to this role'));
return next(
createHttpError(
HttpCode.FORBIDDEN,
"User does not have access to this role"
)
);
}
return next();
} catch (error) {
logger.error('Error verifying role access:', error);
return next(createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Error verifying role access'));
logger.error("Error verifying role access:", error);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Error verifying role access"
)
);
}
}
}