From 3cd5a84cc1c2cb4c9f7dff4792ab617ff706757a Mon Sep 17 00:00:00 2001 From: Giuseppe Raffa <77052701+sesee3@users.noreply.github.com> Date: Sat, 4 Apr 2026 19:11:29 +0200 Subject: [PATCH] feat: implement internal and user security middlewares and refactor route structures to support view and API separation --- auth/src/middlewares/internal.security.js | 12 +++++++++ auth/src/middlewares/user.security.js | 22 ++++++++++++++++ auth/src/routes/auth.js | 18 +------------ auth/src/routes/sessions.js | 20 +++++++++++++++ auth/src/routes/users.js | 31 +++++------------------ auth/src/routes/views/auth.js | 8 ++++++ auth/src/routes/views/sessions.js | 7 +++++ auth/src/routes/views/user.js | 7 +++++ 8 files changed, 83 insertions(+), 42 deletions(-) create mode 100644 auth/src/middlewares/internal.security.js create mode 100644 auth/src/middlewares/user.security.js create mode 100644 auth/src/routes/views/auth.js create mode 100644 auth/src/routes/views/sessions.js create mode 100644 auth/src/routes/views/user.js diff --git a/auth/src/middlewares/internal.security.js b/auth/src/middlewares/internal.security.js new file mode 100644 index 0000000..2a14b11 --- /dev/null +++ b/auth/src/middlewares/internal.security.js @@ -0,0 +1,12 @@ +const API_KEY = process.env.INTERNAL_API_KEY; + +const internalAuth = (req, res, next) => { + const internalToken = req.headers['x-internal-api-key']; + if (internalToken === API_KEY) { + req.user = { id: 'system', role: 'internal_service' }; + return next(); + } + return res.status(403).json({ error: 'Accesso negato: Richiesta interna non autorizzata' }); +}; + +module.exports = internalAuth; diff --git a/auth/src/middlewares/user.security.js b/auth/src/middlewares/user.security.js new file mode 100644 index 0000000..4484eb5 --- /dev/null +++ b/auth/src/middlewares/user.security.js @@ -0,0 +1,22 @@ +const jwt = require('../tools/jwt'); + +const userAuth = (req, res, next) => { + const token = (req.cookies && req.cookies.auth_token) || jwt.getToken(req.headers['authorization']); + + if (!token) { + return res.status(401).json({ error: 'Accesso negato: Token utente mancante' }); + } + + const verified = jwt.verifyToken(token); + if (!verified.valid) { + return res.status(401).json({ + error: 'Sessione non valida o scaduta', + reason: verified.reason + }); + } + + req.user = verified.payload; + next(); +}; + +module.exports = userAuth; diff --git a/auth/src/routes/auth.js b/auth/src/routes/auth.js index 11662ae..ea70bfa 100644 --- a/auth/src/routes/auth.js +++ b/auth/src/routes/auth.js @@ -2,22 +2,9 @@ const router = require('express').Router(); const auth = require('../core/auth.core'); const jwt = require('../tools/jwt'); -const version = process.env.VERSION; -const vBuild = process.env.VERSION_BUILD; -const vState = process.env.VERSION_STATE; - const CONSOLE_URL = process.env.CONSOLE_URL || 'http://localhost:3004'; const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN || undefined; -router.get('/health', (req, res) => { - res.json({ - status: 'ok', - service: 'auth', - version: version, - build_number: vBuild, - version_state: vState - }); -}); router.post('/register', async (req, res) => { const { username, password } = req.body; @@ -36,10 +23,7 @@ router.post('/register', async (req, res) => { } }); -router.get('/login', (req, res) => { - const redirect = req.query.redirect || ''; - res.render('loginpage', { error: null, redirect }); -}); + router.post('/login', async (req, res) => { const { username, password, redirect } = req.body; diff --git a/auth/src/routes/sessions.js b/auth/src/routes/sessions.js index e69de29..5a422c4 100644 --- a/auth/src/routes/sessions.js +++ b/auth/src/routes/sessions.js @@ -0,0 +1,20 @@ +// api.mebboat.it/api/sessions + +const router = require('express').Router(); +const { query } = require('../storage/database'); +const userAuth = require('../middlewares/user.security'); + +router.use(userAuth); + +router.get('/', async (req, res) => { + try { + const result = await query( + 'SELECT id, user_id, session_code FROM sessions' + ); + res.json(result.rows); + } catch (err) { + res.status(500).json({ error: 'Errore interno del server ' + err }); + } +}); + +module.exports = router; \ No newline at end of file diff --git a/auth/src/routes/users.js b/auth/src/routes/users.js index 0d53be8..596335d 100644 --- a/auth/src/routes/users.js +++ b/auth/src/routes/users.js @@ -1,32 +1,11 @@ // api.mebboat.it/users const router = require('express').Router(); -const jwt = require('../tools/jwt'); const { query } = require('../storage/database'); +const userAuth = require('../middlewares/user.security'); +const internalAuth = require('../middlewares/internal.security'); -// Middleware di autenticazione: estrae l'utente dal token JWT -const requireAuth = (req, res, next) => { - // Estraiamo il token dai cookies (inserito al login) o dall'header "Authorization" - const token = (req.cookies && req.cookies.auth_token) || jwt.getToken(req.headers['authorization']); - - if (!token) { - return res.status(401).json({ error: 'Non autorizzato: token mancante' }); - } - - const verified = jwt.verifyToken(token); - if (!verified.valid) { - return res.status(401).json({ error: 'Non autorizzato: token scaduto o non valido', reason: verified.reason }); - } - - // Il riferimento all'identità dell'utente viene agganciato all'oggetto `req` - // (payload conterrà { user_id, username, session_id }) - req.user = verified.payload; - next(); -}; - -router.use(requireAuth); - -router.get('/', async (req, res) => { +router.get('/', internalAuth, async (req, res) => { try { const result = await query( 'SELECT id, username, is_active, created_at, telegram_id FROM users' @@ -37,7 +16,7 @@ router.get('/', async (req, res) => { } }) -router.get('/tonotify/', async (req, res) => { +router.get('/tonotify', internalAuth, async (req, res) => { try { const result = await query( 'SELECT telegram_id FROM users WHERE telegram_id IS NOT NULL' @@ -48,6 +27,8 @@ router.get('/tonotify/', async (req, res) => { } }) +router.use(userAuth); + router.get('/me', async (req, res) => { try { const result = await query( diff --git a/auth/src/routes/views/auth.js b/auth/src/routes/views/auth.js new file mode 100644 index 0000000..fdac9de --- /dev/null +++ b/auth/src/routes/views/auth.js @@ -0,0 +1,8 @@ +const router = require('express').Router(); + +router.get('/login', (req, res) => { + const redirect = req.query.redirect || ''; + res.render('loginpage', { error: null, redirect }); +}); + +module.exports = router; \ No newline at end of file diff --git a/auth/src/routes/views/sessions.js b/auth/src/routes/views/sessions.js new file mode 100644 index 0000000..0ebfc35 --- /dev/null +++ b/auth/src/routes/views/sessions.js @@ -0,0 +1,7 @@ +const router = require('express').Router(); + +router.get('/', userAuth, (req, res) => { + res.render('sessions'); +}); + +module.exports = router; \ No newline at end of file diff --git a/auth/src/routes/views/user.js b/auth/src/routes/views/user.js new file mode 100644 index 0000000..01d0063 --- /dev/null +++ b/auth/src/routes/views/user.js @@ -0,0 +1,7 @@ +const router = require('express').Router(); + +router.get('/', (req, res) => { + res.render('user'); +}); + +module.exports = router; \ No newline at end of file