refactor: implement centralized auth middleware and standardize cross-subdomain session management

realtime/package.json

@@ -11,8 +11,10 @@
         "@influxdata/influxdb-client": "^1.35.0",
         "@influxdata/influxdb-client-apis": "^1.35.0",
         "@msgpack/msgpack": "^3.1.3",
+        "cookie-parser": "^1.4.7",
         "express": "^5.2.1",
         "ioredis": "^5.10.0",
+        "jsonwebtoken": "^9.0.3",
         "pg": "^8.20.0",
         "ws": "^8.19.0"
     }

realtime/src/index.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const crypto = require('crypto');
+const parser = require('cookie-parser');
 const app = express();
 
 const db = require('./store/db')
@@ -7,6 +8,7 @@ const redis = require('./store/redis');
 const wsHandler = require('./ws/handler');
 
 app.use(express.json());
+app.use(parser());
 
 // CORS — consenti richieste dalla console e altri client browser
 app.use((req, res, next) => {

realtime/src/middlewares/auth.js

@@ -0,0 +1,51 @@
+/**
+ * Middleware di autenticazione per il servizio realtime.
+ * Usa il JWT condiviso via cookie .mebboat.it o Authorization Bearer.
+ * Il JWT viene firmato da auth.mebboat.it con JWT_SECRET e verificato localmente.
+ */
+
+const jwt = require('jsonwebtoken');
+
+const SECRET = process.env.JWT_SECRET;
+const INTERNAL_KEY = process.env.INTERNAL_API_KEY;
+
+function extractToken(req) {
+    const header = req.headers.authorization;
+    const bearer = header && header.startsWith('Bearer ') ? header.slice(7) : null;
+    return (req.cookies && req.cookies.auth_token) || bearer || null;
+}
+
+function verifyToken(token) {
+    if (!token || typeof token !== 'string' || token.length > 2048) return null;
+    try {
+        const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
+        return {
+            user_id: p.sub,
+            username: p.username,
+            session_id: p.session_id,
+            iat: p.iat,
+            exp: p.exp
+        };
+    } catch {
+        return null;
+    }
+}
+
+/**
+ * Accetta utente loggato (cookie/bearer) o chiamata interna (x-api-key).
+ */
+function requireAuth(req, res, next) {
+    // Service-to-service
+    const apiKey = req.headers['x-api-key'];
+    if (apiKey && INTERNAL_KEY && apiKey === INTERNAL_KEY) {
+        req.internal = true;
+        return next();
+    }
+    // User auth
+    const user = verifyToken(extractToken(req));
+    if (!user) return res.status(401).json({ error: 'unauthorized' });
+    req.user = user;
+    next();
+}
+
+module.exports = { requireAuth, verifyToken, extractToken };