refactor: implement centralized auth middleware and standardize cross-subdomain session management

api/src/index.js

@@ -1,6 +1,7 @@
 const express = require('express');
 const parser = require('cookie-parser');
-const jwt = require('jsonwebtoken');
+
+const { requireAuth } = require('./middlewares/auth');
 
 const app = express();
 const PORT = process.env.PORT;
@@ -56,33 +57,8 @@ app.get('/health', async (req, res) => {
 const paramsSensorRoutes = require('./routes/params.sensor');
 app.use('/params/sensor', paramsSensorRoutes);
 
-// Middleware di autenticazione per le API
-app.use((req, res, next) => {
-    if (req.path === '/health' || req.path === '/') return next();
-
-    // 1. Service-to-service: x-api-key header
-    const apiKey = req.headers['x-api-key'];
-    if (apiKey && apiKey === process.env.INTERNAL_API_KEY) {
-        req.internal = true;
-        return next();
-    }
-
-    // 2. User auth: cookie o Authorization header
-    const token = req.cookies?.auth_token
-        || (req.headers.authorization?.startsWith('Bearer ') && req.headers.authorization.slice(7));
-
-    if (!token) {
-        return res.status(401).json({ error: 'Unauthorized: Nessun token di autenticazione fornito' });
-    }
-
-    try {
-        const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
-        req.user = payload;
-        next();
-    } catch (err) {
-        return res.status(401).json({ error: 'Unauthorized: Token non valido o scaduto' });
-    }
-});
+// Middleware di autenticazione per tutte le API protette
+app.use(requireAuth);
 
 const dataRoutes = require('./routes/data');
 app.use('/data', dataRoutes);