feat: implement internal and user security middlewares and refactor route structures to support view and API separation

2026-04-04 19:11:29 +02:00
parent 0f511c2cf9
commit 3cd5a84cc1
8 changed files with 83 additions and 42 deletions
--- a/auth/src/middlewares/internal.security.js
+++ b/auth/src/middlewares/internal.security.js
@@ -0,0 +1,12 @@
+const API_KEY = process.env.INTERNAL_API_KEY;
+
+const internalAuth = (req, res, next) => {
+    const internalToken = req.headers['x-internal-api-key'];
+    if (internalToken === API_KEY) {
+        req.user = { id: 'system', role: 'internal_service' };
+        return next();
+    }
+    return res.status(403).json({ error: 'Accesso negato: Richiesta interna non autorizzata' });
+};
+
+module.exports = internalAuth;
--- a/auth/src/middlewares/user.security.js
+++ b/auth/src/middlewares/user.security.js
@@ -0,0 +1,22 @@
+const jwt = require('../tools/jwt');
+
+const userAuth = (req, res, next) => {
+    const token = (req.cookies && req.cookies.auth_token) || jwt.getToken(req.headers['authorization']);
+
+    if (!token) {
+        return res.status(401).json({ error: 'Accesso negato: Token utente mancante' });
+    }
+
+    const verified = jwt.verifyToken(token);
+    if (!verified.valid) {
+        return res.status(401).json({ 
+            error: 'Sessione non valida o scaduta', 
+            reason: verified.reason 
+        });
+    }
+
+    req.user = verified.payload;
+    next();
+};
+
+module.exports = userAuth;