refactor: implement centralized auth middleware and standardize cross-subdomain session management
This commit is contained in:
Giuseppe Raffa
@@ -1,5 +1,6 @@
|
||||
const express = require('express');
|
||||
const crypto = require('crypto');
|
||||
const parser = require('cookie-parser');
|
||||
const app = express();
|
||||
|
||||
const db = require('./store/db')
|
||||
@@ -7,6 +8,7 @@ const redis = require('./store/redis');
|
||||
const wsHandler = require('./ws/handler');
|
||||
|
||||
app.use(express.json());
|
||||
app.use(parser());
|
||||
|
||||
// CORS — consenti richieste dalla console e altri client browser
|
||||
app.use((req, res, next) => {
|
||||
|
||||
51
realtime/src/middlewares/auth.js
Normal file
51
realtime/src/middlewares/auth.js
Normal file
@@ -0,0 +1,51 @@
|
||||
/**
|
||||
* Middleware di autenticazione per il servizio realtime.
|
||||
* Usa il JWT condiviso via cookie .mebboat.it o Authorization Bearer.
|
||||
* Il JWT viene firmato da auth.mebboat.it con JWT_SECRET e verificato localmente.
|
||||
*/
|
||||
|
||||
const jwt = require('jsonwebtoken');
|
||||
|
||||
const SECRET = process.env.JWT_SECRET;
|
||||
const INTERNAL_KEY = process.env.INTERNAL_API_KEY;
|
||||
|
||||
function extractToken(req) {
|
||||
const header = req.headers.authorization;
|
||||
const bearer = header && header.startsWith('Bearer ') ? header.slice(7) : null;
|
||||
return (req.cookies && req.cookies.auth_token) || bearer || null;
|
||||
}
|
||||
|
||||
function verifyToken(token) {
|
||||
if (!token || typeof token !== 'string' || token.length > 2048) return null;
|
||||
try {
|
||||
const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
|
||||
return {
|
||||
user_id: p.sub,
|
||||
username: p.username,
|
||||
session_id: p.session_id,
|
||||
iat: p.iat,
|
||||
exp: p.exp
|
||||
};
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Accetta utente loggato (cookie/bearer) o chiamata interna (x-api-key).
|
||||
*/
|
||||
function requireAuth(req, res, next) {
|
||||
// Service-to-service
|
||||
const apiKey = req.headers['x-api-key'];
|
||||
if (apiKey && INTERNAL_KEY && apiKey === INTERNAL_KEY) {
|
||||
req.internal = true;
|
||||
return next();
|
||||
}
|
||||
// User auth
|
||||
const user = verifyToken(extractToken(req));
|
||||
if (!user) return res.status(401).json({ error: 'unauthorized' });
|
||||
req.user = user;
|
||||
next();
|
||||
}
|
||||
|
||||
module.exports = { requireAuth, verifyToken, extractToken };
|
||||
Reference in New Issue
Block a user