meb/OLD-server-architecture
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: implement centralized auth middleware and standardize cross-subdomain session management

Browse Source
This commit is contained in:
Giuseppe Raffa
2026-04-21 22:17:48 +02:00
parent 69012029ad
commit 924c2b5367
22 changed files with 670 additions and 530 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
api/src/index.js
View File

@@ -1,6 +1,7 @@
const express = require('express');
const parser = require('cookie-parser');
const jwt = require('jsonwebtoken');
const { requireAuth } = require('./middlewares/auth');
const app = express();
const PORT = process.env.PORT;
@@ -56,33 +57,8 @@ app.get('/health', async (req, res) => {
const paramsSensorRoutes = require('./routes/params.sensor');
app.use('/params/sensor', paramsSensorRoutes);
// Middleware di autenticazione per le API
app.use((req, res, next) => {
if (req.path === '/health' || req.path === '/') return next();
// 1. Service-to-service: x-api-key header
const apiKey = req.headers['x-api-key'];
if (apiKey && apiKey === process.env.INTERNAL_API_KEY) {
req.internal = true;
return next();
}
// 2. User auth: cookie o Authorization header
const token = req.cookies?.auth_token
|| (req.headers.authorization?.startsWith('Bearer ') && req.headers.authorization.slice(7));
if (!token) {
return res.status(401).json({ error: 'Unauthorized: Nessun token di autenticazione fornito' });
}
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = payload;
next();
} catch (err) {
return res.status(401).json({ error: 'Unauthorized: Token non valido o scaduto' });
}
});
// Middleware di autenticazione per tutte le API protette
app.use(requireAuth);
const dataRoutes = require('./routes/data');
app.use('/data', dataRoutes);

70
api/src/middlewares/auth.js Normal file
View File

@@ -0,0 +1,70 @@
/**
* Middleware di autenticazione per API REST.
* Supporta tre modalità:
* - x-api-key (service-to-service, INTERNAL_API_KEY)
* - cookie auth_token (utenti loggati dal browser, SSO via .mebboat.it)
* - Authorization: Bearer <jwt>
*
* Il JWT viene firmato da auth.mebboat.it con JWT_SECRET e verificato localmente.
* Il cookie è condiviso tra i sottodomini grazie a domain=.mebboat.it
*/
const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET;
const INTERNAL_KEY = process.env.INTERNAL_API_KEY;
function extractToken(req) {
const header = req.headers.authorization;
const bearer = header && header.startsWith('Bearer ') ? header.slice(7) : null;
return (req.cookies && req.cookies.auth_token) || bearer || null;
}
function verifyToken(token) {
if (!token || typeof token !== 'string' || token.length > 2048) return null;
try {
const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
return {
user_id: p.sub,
username: p.username,
session_id: p.session_id,
iat: p.iat,
exp: p.exp
};
} catch {
return null;
}
}
/**
* Accetta utente loggato (cookie/bearer) o chiamata interna (x-api-key).
* Imposta req.user con i dati dell'utente, oppure req.internal = true.
*/
function requireAuth(req, res, next) {
// 1. Service-to-service
const apiKey = req.headers['x-api-key'];
if (apiKey && INTERNAL_KEY && apiKey === INTERNAL_KEY) {
req.internal = true;
return next();
}
// 2. User auth (cookie o Bearer)
const user = verifyToken(extractToken(req));
if (!user) return res.status(401).json({ error: 'unauthorized' });
req.user = user;
next();
}
/**
* Solo service-to-service (x-api-key).
*/
function requireInternal(req, res, next) {
const apiKey = req.headers['x-api-key'];
if (!INTERNAL_KEY || !apiKey || apiKey !== INTERNAL_KEY) {
return res.status(403).json({ error: 'forbidden' });
}
req.internal = true;
next();
}
module.exports = { requireAuth, requireInternal, verifyToken, extractToken };

183
auth/src/core/auth.core.js
View File

@@ -1,101 +1,166 @@
const query = require('../storage/database').query;
const track = require('../tools/tracking');
const { v4: uuid } = require('uuid');
const { query } = require('../storage/database');
const security = require('../tools/security');
const tracking = require('../tools/tracking');
// ─── ERRORI CUSTOM ──────────────────────────────────────────────────
class AuthError extends Error {
constructor(code, message) {
super(message || code);
this.code = code;
}
}
// ─── REGISTRAZIONE ──────────────────────────────────────────────────
async function register(username, password) {
const userExists = await query('SELECT id FROM users WHERE username = $1', [username]);
const exists = await query('SELECT id FROM users WHERE username = $1', [username]);
if (exists.rows.length) throw new AuthError('USER_EXISTS', 'Username già in uso');
if (userExists.rows.length > 0) {
throw new Error('User already exists');
}
const hashedPassword = await security.hashPassword(password);
const hash = await security.hashPassword(password);
const id = uuid();
await query(
'INSERT INTO users (id, username, password_hash) VALUES ($1, $2, $3)',
[id, username, hashedPassword]
[id, username, hash]
);
return { success: true, user: { id, username } };
return { id, username };
}
// ─── LOGIN ──────────────────────────────────────────────────────────
async function login(username, password) {
const result = await query(
const { rows } = await query(
'SELECT id, username, password_hash, is_active, created_at FROM users WHERE username = $1',
[username]
);
if (!rows.length) throw new AuthError('INVALID_CREDENTIALS', 'Credenziali non valide');
if (result.rows.length === 0) {
throw new Error('No user matched');
const user = rows[0];
if (!user.is_active) throw new AuthError('ACCOUNT_INACTIVE', 'Account disattivato');
const ok = await security.verifyPassword(password, user.password_hash);
if (!ok) throw new AuthError('INVALID_CREDENTIALS', 'Credenziali non valide');
return { id: user.id, username: user.username, created_at: user.created_at };
}
const user = result.rows[0];
// ─── SESSIONI ───────────────────────────────────────────────────────
if (!user.is_active) {
throw new Error('User account is not active');
}
const isValid = await security.verifyPassword(password, user.password_hash);
if (!isValid) {
throw new Error('Password mismatch');
}
return {
id: user.id,
username: user.username,
created: user.created_at
};
}
async function logout(sessionID) {
if (!sessionID) {
throw new Error('No session ID provided');
}
const result = await query('UPDATE sessions SET is_revoked = TRUE WHERE id = $1', [sessionID]);
return result.rowCount > 0;
}
async function newSession(userId, userAgent, ip) {
async function createSession(userId, userAgent, ip) {
const id = uuid();
const sessionCode = security.generateSessionCode();
const metadata = track.getBasicMetadata(userAgent);
const code = security.sessionCode();
const meta = tracking.extract(userAgent);
await query(
`INSERT INTO sessions (id, user_id, session_code, encoded_username, ip_address, user_agent, browser, os, device_type)
`INSERT INTO sessions
(id, user_id, session_code, encoded_username, ip_address, user_agent, browser, os, device_type)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
[id, userId, sessionCode, '', ip, userAgent, metadata.browser, metadata.os, metadata.device_type]
[id, userId, code, '', ip, userAgent, meta.browser, meta.os, meta.device_type]
);
return { id, sessionCode };
return { id, code };
}
async function validateSession(sessionId) {
if (!sessionId || typeof sessionId !== 'string') {
throw new Error('Invalid session ID');
throw new AuthError('INVALID_SESSION', 'Sessione non valida');
}
const result = await query(
'SELECT s.id, u.is_active FROM sessions s JOIN users u ON s.user_id = u.id WHERE s.id = $1 AND s.is_revoked = FALSE',
const { rows } = await query(
`SELECT s.id, s.is_revoked, u.is_active
FROM sessions s
JOIN users u ON s.user_id = u.id
WHERE s.id = $1`,
[sessionId]
);
if (result.rows.length === 0) {
throw new Error('Session not found or revoked');
if (!rows.length) throw new AuthError('INVALID_SESSION', 'Sessione non trovata');
if (rows[0].is_revoked) throw new AuthError('SESSION_REVOKED', 'Sessione revocata');
if (!rows[0].is_active) throw new AuthError('ACCOUNT_INACTIVE', 'Account disattivato');
// Aggiorna last_active in modo non bloccante
query('UPDATE sessions SET last_active = NOW() WHERE id = $1', [sessionId]).catch(() => {});
return true;
}
if (!result.rows[0].is_active) {
throw new Error('User account is not active');
async function revokeSession(sessionId, userId) {
if (userId) {
const r = await query(
'UPDATE sessions SET is_revoked = TRUE WHERE id = $1 AND user_id = $2 AND is_revoked = FALSE',
[sessionId, userId]
);
return r.rowCount > 0;
}
const r = await query(
'UPDATE sessions SET is_revoked = TRUE WHERE id = $1 AND is_revoked = FALSE',
[sessionId]
);
return r.rowCount > 0;
}
async function listSessions(userId) {
const { rows } = await query(
`SELECT id, ip_address, browser, os, device_type,
location_country, location_city, created_at, last_active, is_revoked
FROM sessions
WHERE user_id = $1
ORDER BY last_active DESC`,
[userId]
);
return rows;
}
// ─── LOOKUP UTENTE ──────────────────────────────────────────────────
async function getUserById(userId) {
const { rows } = await query(
'SELECT id, username, is_active, created_at, telegram_id FROM users WHERE id = $1',
[userId]
);
return rows[0] || null;
}
async function getAllUsers() {
const { rows } = await query(
'SELECT id, username, is_active, created_at, telegram_id FROM users'
);
return rows;
}
async function getUsersToNotify() {
const { rows } = await query(
'SELECT telegram_id FROM users WHERE telegram_id IS NOT NULL'
);
return rows;
}
async function updateUsername(userId, newUsername) {
const r = await query(
'UPDATE users SET username = $1 WHERE id = $2 RETURNING username',
[newUsername, userId]
);
return r.rowCount > 0 ? r.rows[0] : null;
}
async function updateTelegram(userId, telegramId) {
await query(
'UPDATE users SET telegram_id = $1 WHERE id = $2',
[telegramId, userId]
);
}
module.exports = {
AuthError,
register,
login,
logout,
newSession,
validateSession
createSession,
validateSession,
revokeSession,
listSessions,
getUserById,
getAllUsers,
getUsersToNotify,
updateUsername,
updateTelegram
};

56
auth/src/core/session.core.js
View File

@@ -1,56 +0,0 @@
const query = require('../storage/database').query;
const { parseSessionToken } = require('../tools/security');
async function getSessions(username) {
const result = await query('SELECT s.id, s.session_code, s.browser, s.os, s.device_type, s.created_at, s.last_active, s.is_revoked FROM sessions s JOIN users u ON s.user_id = u.id WHERE u.username = $1 AND s.is_revoked = FALSE ORDER BY s.last_active DESC', [username]);
return result.rows.map(s => ({
id: s.id,
code: s.session_code,
browser: s.browser,
os: s.os,
deviceType: s.device_type,
createdAt: s.created_at?.toLocaleDateString('it-IT', {
month: 'short', day: 'numeric', year: 'numeric', hour: '2-digit', minute: '2-digit'
}),
lastActive: s.last_active?.toLocaleDateString('it-IT', {
month: 'short', day: 'numeric', year: 'numeric', hour: '2-digit', minute: '2-digit'
}),
isRevoked: s.is_revoked,
isCurrent: false
}));
};
async function getCurrentSessionID(token) {
const parsed = parseSessionToken(token);
if (!parsed) {
throw new Error('Invalid token');
}
const result = await query('SELECT id FROM sessions WHERE session_code = $1', [parsed]);
return result.rows[0]?.id || null;
}
async function revoke(id, username) {
const result = await query('UPDATE sessions s SET is_revoked = TRUE FROM users u WHERE s.id = $1 AND s.user_id = u.id AND u.username = $2', [id, username]);
return result.rowCount > 0;
}
async function revokeOthers(username, current) {
const result = await query('UPDATE sessions s SET is_revoked = TRUE FROM users u WHERE s.user_id = u.id AND u.username = $1 AND s.id != $2 AND s.is_revoked = FALSE', [username, current]);
return result.rowCount;
}
async function getCount(username) {
const result = await query('SELECT COUNT(*) as count FROM sessions s JOIN users u ON s.user_id = u.id WHERE u.username = $1 AND s.is_revoked = FALSE', [username]);
return parseInt(result.rows[0].count, 10);
}
module.exports = {
getSessions,
getCurrentSessionID,
revoke,
revokeOthers,
getCount
};

5
auth/src/index.js
View File

@@ -116,14 +116,11 @@ app.use('/api/sessions', require('./routes/sessions'));
// ─── HEALTH CHECK ───────────────────────────────────────────────────
app.get('/health', async (req, res) => {
const dbConnected = await database.checkPostgres();
const redisHelper = require('./storage/redis');
const redisConnected = await redisHelper.checkRedis();
res.json({
status: dbConnected && redisConnected ? "ok" : "degraded",
status: dbConnected ? "ok" : "degraded",
service: "auth",
database: dbConnected ? "connected" : "disconnected",
redis: redisConnected ? "connected" : "disconnected",
version: version,
build_number: vBuild,
version_state: vState

40
auth/src/middlewares/internal.security.js
View File

@@ -3,40 +3,30 @@ const crypto = require('crypto');
const API_KEY = process.env.INTERNAL_API_KEY;
/**
* Middleware di autenticazione per servizi interni (container-to-container).
* Verifica l'header 'x-internal-api-key' contro INTERNAL_API_KEY nell'env.
*
* SICUREZZA:
* - Se INTERNAL_API_KEY non è configurata, TUTTE le richieste vengono rifiutate
* - Usa timingSafeEqual per prevenire attacchi timing side-channel
* Middleware: autentica chiamate service-to-service tramite header x-internal-api-key.
* Usa timing-safe comparison per prevenire timing attacks.
*/
const internalAuth = (req, res, next) => {
// Se la chiave non è configurata nel server, blocca tutto
module.exports = function internalAuth(req, res, next) {
if (!API_KEY) {
console.error('[SECURITY] INTERNAL_API_KEY absent! All internal requests blocked.');
return res.status(503).json({ error: 'Service not configured correctly' });
console.error('[SECURITY] INTERNAL_API_KEY mancante, blocco tutte le richieste interne.');
return res.status(503).json({ error: 'service_not_configured' });
}
const internalToken = req.headers['x-internal-api-key'];
if (!internalToken || typeof internalToken !== 'string') {
return res.status(403).json({ error: 'unauthorized' });
const token = req.headers['x-internal-api-key'];
if (!token || typeof token !== 'string') {
return res.status(403).json({ error: 'forbidden' });
}
// Confronto timing-safe per prevenire timing attacks
try {
const tokenBuffer = Buffer.from(internalToken, 'utf8');
const keyBuffer = Buffer.from(API_KEY, 'utf8');
if (tokenBuffer.length !== keyBuffer.length || !crypto.timingSafeEqual(tokenBuffer, keyBuffer)) {
return res.status(403).json({ error: 'Accesso negato' });
const a = Buffer.from(token, 'utf8');
const b = Buffer.from(API_KEY, 'utf8');
if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
return res.status(403).json({ error: 'forbidden' });
}
} catch {
return res.status(403).json({ error: 'Accesso negato' });
return res.status(403).json({ error: 'forbidden' });
}
req.user = { id: 'system', role: 'internal_service' };
return next();
req.internal = true;
next();
};
module.exports = internalAuth;

35
auth/src/middlewares/user.security.js
View File

@@ -1,34 +1,37 @@
const jwt = require('../tools/jwt');
const { validateSession } = require('../core/auth.core');
const userAuth = async (req, res, next) => {
const token = (req.cookies && req.cookies.auth_token) || jwt.getToken(req.headers['authorization']);
/**
* Middleware: richiede un utente autenticato valido.
* Legge il token dal cookie `auth_token` o dall'header `Authorization: Bearer <token>`.
*
* Se la richiesta accetta HTML → redirect a /login con redirect-back URL.
* Altrimenti → 401 JSON.
*/
module.exports = async function userAuth(req, res, next) {
const token = (req.cookies && req.cookies.auth_token) || jwt.bearer(req.headers.authorization);
const unauthorized = (reason) => {
if (req.accepts('html')) {
const redirect = encodeURIComponent(req.originalUrl);
return res.redirect(`/login?redirect=${redirect}`);
if (req.accepts('html') && !req.xhr) {
const r = encodeURIComponent(req.originalUrl);
return res.redirect(`/login?redirect=${r}`);
}
return res.status(401).json({ error: reason || 'Non autorizzato' });
return res.status(401).json({ error: reason || 'unauthorized' });
};
if (!token || typeof token !== 'string' || token.length > 2048) {
return unauthorized('Token mancante o non valido');
return unauthorized('missing_token');
}
const verified = jwt.verifyToken(token);
if (!verified.valid) {
return unauthorized(`Sessione non valida (${verified.reason})`);
}
const v = jwt.verify(token);
if (!v.valid) return unauthorized(`token_${v.reason}`);
try {
await validateSession(verified.payload.session_id);
await validateSession(v.payload.session_id);
} catch (err) {
return unauthorized('Sessione non valida o revocata');
return unauthorized(err.code || 'session_invalid');
}
req.user = verified.payload;
req.user = v.payload;
next();
};
module.exports = userAuth;

181
auth/src/routes/auth.js
View File

@@ -4,146 +4,175 @@ const jwt = require('../tools/jwt');
const CONSOLE_URL = process.env.CONSOLE_URL || 'http://localhost:3004';
const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN || undefined;
const IS_PROD = process.env.NODE_ENV === 'production';
const USERNAME_REGEX = /^[a-zA-Z0-9_.\-]{3,50}$/;
const PASSWORD_MIN_LENGTH = 8;
const PASSWORD_MAX_LENGTH = 128;
const ERROR_RESPONSES = {
csrf: { success: false, error: 'csrf', message: 'Richiesta non valida, riprova' },
invalid_credentials: { success: false, error: 'invalid_credentials', message: 'Credenziali non valide' },
internal: { success: false, error: 'internal', message: 'Errore interno, riprova più tardi' }
};
const MIN_PASSWORD = 8;
const MAX_PASSWORD = 128;
const TOKEN_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000; // 7 giorni
/**
* Restituisce un redirect sicuro, scartando URL che puntano ad API
* o ad host diversi da CONSOLE_URL.
* Opzioni cookie condivise per auth_token.
* Domain = `.mebboat.it` in produzione → SSO cross-subdomain
* (console.mebboat.it, ml.mebboat.it, api.mebboat.it, ecc.)
*/
function authCookieOptions(withMaxAge = true) {
const opts = {
httpOnly: true,
secure: IS_PROD,
sameSite: 'lax',
path: '/'
};
if (withMaxAge) opts.maxAge = TOKEN_MAX_AGE_MS;
if (COOKIE_DOMAIN) opts.domain = COOKIE_DOMAIN;
return opts;
}
/**
* Valida un redirect URL per prevenire open-redirect.
* Accetta solo lo stesso dominio di CONSOLE_URL (o sottodomini di COOKIE_DOMAIN).
*/
function resolveSafeRedirect(redirect) {
if (!redirect || typeof redirect !== 'string') return CONSOLE_URL;
try {
const redirectUrl = new URL(redirect);
const consoleUrl = new URL(CONSOLE_URL);
const target = new URL(redirect);
const console_ = new URL(CONSOLE_URL);
const sameHost = redirectUrl.hostname === consoleUrl.hostname;
const notApi = !redirectUrl.pathname.startsWith('/api/');
const sameHost = target.hostname === console_.hostname;
const sameApex = COOKIE_DOMAIN
? target.hostname.endsWith(COOKIE_DOMAIN.replace(/^\./, ''))
: false;
const notApi = !target.pathname.startsWith('/api/');
if (sameHost && notApi) return redirect;
if ((sameHost || sameApex) && notApi) return redirect;
} catch {
// URL non valido / relativo: fallback a CONSOLE_URL
// URL invalido / relativo: fallback
}
return CONSOLE_URL;
}
// ─── POST /register ────────────────────────────────────────────────
router.post('/register', async (req, res) => {
const { username, password } = req.body;
const { username, password } = req.body || {};
if (!username || !password || typeof username !== 'string' || typeof password !== 'string') {
return res.status(400).json({ success: false, error: 'Username e password richiesti' });
return res.status(400).json({ success: false, error: 'username_and_password_required' });
}
if (!USERNAME_REGEX.test(username)) {
return res.status(400).json({
success: false,
error: 'Username non valido. 3-50 caratteri alfanumerici, underscore, punto o trattino.'
});
return res.status(400).json({ success: false, error: 'invalid_username' });
}
if (password.length < PASSWORD_MIN_LENGTH || password.length > PASSWORD_MAX_LENGTH) {
return res.status(400).json({
success: false,
error: `Password deve essere tra ${PASSWORD_MIN_LENGTH} e ${PASSWORD_MAX_LENGTH} caratteri`
});
if (password.length < MIN_PASSWORD || password.length > MAX_PASSWORD) {
return res.status(400).json({ success: false, error: 'invalid_password_length' });
}
try {
await auth.register(username, password);
return res.status(201).json({ success: true });
const user = await auth.register(username, password);
return res.status(201).json({ success: true, user });
} catch (err) {
if (err.message === 'User already exists') {
return res.status(409).json({ success: false, error: 'User already exists' });
if (err.code === 'USER_EXISTS') {
return res.status(409).json({ success: false, error: 'user_exists' });
}
console.error('[AUTH] Register failed:', err.message);
return res.status(500).json({ success: false, error: 'Errore interno' });
console.error('[AUTH] register:', err.message);
return res.status(500).json({ success: false, error: 'internal' });
}
});
router.post('/login', async (req, res) => {
const { username, password, redirect, _csrf } = req.body;
// ─── POST /login ───────────────────────────────────────────────────
router.post('/login', async (req, res) => {
const { username, password, redirect, _csrf } = req.body || {};
// Verifica CSRF token
const csrfCookie = req.cookies && req.cookies._csrf;
if (!_csrf || !csrfCookie || _csrf !== csrfCookie) {
return res.status(400).json(ERROR_RESPONSES.csrf);
return res.status(400).json({
success: false, error: 'csrf', message: 'Richiesta non valida, riprova'
});
}
if (!username || !password || typeof username !== 'string' || typeof password !== 'string') {
return res.status(400).json(ERROR_RESPONSES.invalid_credentials);
}
if (username.length > 50 || password.length > PASSWORD_MAX_LENGTH) {
return res.status(400).json(ERROR_RESPONSES.invalid_credentials);
if (!username || !password || typeof username !== 'string' || typeof password !== 'string'
|| username.length > 50 || password.length > MAX_PASSWORD) {
return res.status(400).json({
success: false, error: 'invalid_credentials', message: 'Credenziali non valide'
});
}
const safeRedirect = resolveSafeRedirect(redirect);
try {
const user = await auth.login(username, password);
const session = await auth.newSession(user.id, req.headers['user-agent'], req.ip);
const token = jwt.generateToken(user, session.id);
const session = await auth.createSession(user.id, req.headers['user-agent'], req.ip);
const token = jwt.sign(user, session.id);
const cookieOptions = {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
maxAge: 7 * 24 * 60 * 60 * 1000
};
if (COOKIE_DOMAIN) cookieOptions.domain = COOKIE_DOMAIN;
res.cookie('auth_token', token, cookieOptions);
res.clearCookie('_csrf');
// Imposta il cookie auth_token (condiviso tra sottodomini se COOKIE_DOMAIN è impostato)
res.cookie('auth_token', token, authCookieOptions(true));
// Rimuove il cookie CSRF
res.clearCookie('_csrf', { httpOnly: true, sameSite: 'strict', path: '/' });
return res.status(200).json({
success: true,
redirect_url: safeRedirect,
message: 'Login effettuato con successo'
message: 'Login effettuato'
});
} catch (err) {
if (err.message === 'No user matched' || err.message === 'Password mismatch') {
return res.status(401).json(ERROR_RESPONSES.invalid_credentials);
if (err.code === 'INVALID_CREDENTIALS') {
return res.status(401).json({
success: false, error: 'invalid_credentials', message: 'Credenziali non valide'
});
}
if (err.message === 'User account is not active') {
if (err.code === 'ACCOUNT_INACTIVE') {
return res.status(403).json({
success: false,
error: 'account_inactive',
message: 'Account disattivato'
success: false, error: 'account_inactive', message: 'Account disattivato'
});
}
console.error('[AUTH] Login error:', err.message);
return res.status(500).json(ERROR_RESPONSES.internal);
console.error('[AUTH] login:', err.message);
return res.status(500).json({
success: false, error: 'internal', message: 'Errore interno'
});
}
});
// ─── POST /logout ──────────────────────────────────────────────────
router.post('/logout', async (req, res) => {
const token = req.cookies && req.cookies.auth_token;
if (token) {
const v = jwt.verify(token);
if (v.valid) {
try {
const verified = jwt.verifyToken(token);
if (verified.valid) {
await auth.logout(verified.payload.session_id);
}
await auth.revokeSession(v.payload.session_id);
} catch (err) {
console.error('[AUTH] Logout error:', err.message);
console.error('[AUTH] logout revoke:', err.message);
}
}
}
const clearOptions = { httpOnly: true, sameSite: 'lax' };
if (COOKIE_DOMAIN) clearOptions.domain = COOKIE_DOMAIN;
res.clearCookie('auth_token', authCookieOptions(false));
res.clearCookie('auth_token', clearOptions);
// Form HTML tradizionale → redirect, altrimenti JSON
if (req.accepts('html') && !req.xhr && !req.headers['content-type']?.includes('json')) {
return res.redirect('/login');
}
return res.status(200).json({ success: true, redirect_url: '/login' });
});
// ─── GET /verify (introspection per altri servizi) ─────────────────
router.get('/verify', async (req, res) => {
const token = (req.cookies && req.cookies.auth_token) || jwt.bearer(req.headers.authorization);
if (!token) return res.status(401).json({ valid: false, error: 'no_token' });
const v = jwt.verify(token);
if (!v.valid) return res.status(401).json({ valid: false, error: `token_${v.reason}` });
try {
await auth.validateSession(v.payload.session_id);
} catch (err) {
return res.status(401).json({ valid: false, error: err.code || 'session_invalid' });
}
return res.status(200).json({ valid: true, user: v.payload });
});
module.exports = router;

50
auth/src/routes/sessions.js
View File

@@ -1,54 +1,36 @@
// api.mebboat.it/api/sessions
const router = require('express').Router();
const { query } = require('../storage/database');
const auth = require('../core/auth.core');
const userAuth = require('../middlewares/user.security');
const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Tutte le route richiedono autenticazione utente
router.use(userAuth);
// Mostra SOLO le sessioni dell'utente autenticato (non di tutti!)
// GET / — Lista sessioni dell'utente corrente
router.get('/', async (req, res) => {
try {
const result = await query(
`SELECT id, ip_address, browser, os, device_type,
location_country, location_city, created_at, last_active, is_revoked
FROM sessions
WHERE user_id = $1
ORDER BY last_active DESC`,
[req.user.user_id]
);
res.json(result.rows);
const rows = await auth.listSessions(req.user.user_id);
res.json(rows);
} catch (err) {
console.error('[SESSIONS] Errore recupero sessioni:', err);
res.status(500).json({ error: 'Errore interno del server' });
console.error('[SESSIONS] list:', err.message);
res.status(500).json({ error: 'internal' });
}
});
// Revoca una sessione specifica dell'utente
// DELETE /:sessionId — Revoca una sessione specifica
router.delete('/:sessionId', async (req, res) => {
const { sessionId } = req.params;
// Validazione UUID
const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
if (!UUID_REGEX.test(sessionId)) {
return res.status(400).json({ error: 'ID sessione non valido' });
return res.status(400).json({ error: 'invalid_session_id' });
}
try {
// Verifica che la sessione appartenga all'utente autenticato
const result = await query(
'UPDATE sessions SET is_revoked = TRUE WHERE id = $1 AND user_id = $2 AND is_revoked = FALSE',
[sessionId, req.user.user_id]
);
if (result.rowCount === 0) {
return res.status(404).json({ error: 'Sessione non trovata o già revocata' });
}
res.json({ success: true, message: 'Sessione revocata' });
const revoked = await auth.revokeSession(sessionId, req.user.user_id);
if (!revoked) return res.status(404).json({ error: 'session_not_found' });
res.json({ success: true });
} catch (err) {
console.error('[SESSIONS] Errore revoca sessione:', err);
res.status(500).json({ error: 'Errore interno del server' });
console.error('[SESSIONS] revoke:', err.message);
res.status(500).json({ error: 'internal' });
}
});

114
auth/src/routes/users.js
View File

@@ -1,122 +1,76 @@
// api.mebboat.it/api/users
const router = require('express').Router();
const { query } = require('../storage/database');
const auth = require('../core/auth.core');
const userAuth = require('../middlewares/user.security');
const internalAuth = require('../middlewares/internal.security');
// ─── VALIDAZIONE INPUT ──────────────────────────────────────────────
const USERNAME_REGEX = /^[a-zA-Z0-9_.\-]{3,50}$/;
const TELEGRAM_ID_REGEX = /^[0-9]{5,15}$/;
const TELEGRAM_REGEX = /^[0-9]{5,15}$/;
// ─── ROTTE INTERNAL (prima del router.use userAuth) ─────────────────
// ─── SERVICE-TO-SERVICE (x-internal-api-key) ────────────────────────
router.get('/', internalAuth, async (req, res) => {
try {
const result = await query(
'SELECT id, username, is_active, created_at, telegram_id FROM users'
);
res.json(result.rows);
const users = await auth.getAllUsers();
res.json(users);
} catch (err) {
console.error('[USERS] Errore lista utenti:', err);
res.status(500).json({ error: 'Errore interno del server' });
console.error('[USERS] list:', err.message);
res.status(500).json({ error: 'internal' });
}
});
router.get('/tonotify', internalAuth, async (req, res) => {
try {
const result = await query(
'SELECT telegram_id FROM users WHERE telegram_id IS NOT NULL'
);
res.json(result.rows);
const users = await auth.getUsersToNotify();
res.json(users);
} catch (err) {
console.error('[USERS] Errore lista notifiche:', err);
res.status(500).json({ error: 'Errore interno del server' });
console.error('[USERS] tonotify:', err.message);
res.status(500).json({ error: 'internal' });
}
});
// ─── ROTTE USER (tutte le rotte sotto usano userAuth) ───────────────
// ─── USER AUTH (cookie/JWT) ─────────────────────────────────────────
router.use(userAuth);
router.get('/me', async (req, res) => {
try {
const result = await query(
'SELECT id, username, is_active, created_at, telegram_id FROM users WHERE id = $1',
[req.user.user_id]
);
if (result.rows.length === 0) {
return res.status(404).json({ error: 'Utente non trovato' });
}
res.json(result.rows[0]);
const user = await auth.getUserById(req.user.user_id);
if (!user) return res.status(404).json({ error: 'user_not_found' });
res.json(user);
} catch (err) {
console.error('[USERS] Errore recupero utente:', err);
res.status(500).json({ error: 'Errore interno del server' });
console.error('[USERS] me:', err.message);
res.status(500).json({ error: 'internal' });
}
});
router.put('/me/username', async (req, res) => {
const newUsername = req.query.newUsername || req.body?.newUsername;
if (!newUsername || typeof newUsername !== 'string') {
return res.status(400).json({ error: 'Nuovo username richiesto' });
const newUsername = req.body?.newUsername || req.query.newUsername;
if (!newUsername || typeof newUsername !== 'string' || !USERNAME_REGEX.test(newUsername)) {
return res.status(400).json({ error: 'invalid_username' });
}
// Validazione formato username
if (!USERNAME_REGEX.test(newUsername)) {
return res.status(400).json({
error: 'Username non valido. Deve contenere 3-50 caratteri alfanumerici, underscore, punto o trattino.'
});
}
try {
const result = await query(
'UPDATE users SET username = $1 WHERE id = $2 RETURNING username',
[newUsername, req.user.user_id]
);
if (result.rowCount === 0) {
return res.status(404).json({ error: 'Utente non trovato' });
}
res.json({ success: true, username: result.rows[0].username });
const updated = await auth.updateUsername(req.user.user_id, newUsername);
if (!updated) return res.status(404).json({ error: 'user_not_found' });
res.json({ success: true, username: updated.username });
} catch (err) {
if (err.code === '23505') {
return res.status(409).json({ error: 'Questo username è già in uso' });
}
console.error('[USERS] Errore aggiornamento username:', err);
res.status(500).json({ error: 'Errore interno del server' });
if (err.code === '23505') return res.status(409).json({ error: 'username_taken' });
console.error('[USERS] update username:', err.message);
res.status(500).json({ error: 'internal' });
}
});
router.put('/me/telegram', async (req, res) => {
const telegramId = req.query.telegramId || req.body?.telegramId;
if (!telegramId || typeof telegramId !== 'string') {
return res.status(400).json({ error: 'Telegram ID richiesto' });
const telegramId = req.body?.telegramId || req.query.telegramId;
if (!telegramId || typeof telegramId !== 'string' || !TELEGRAM_REGEX.test(telegramId)) {
return res.status(400).json({ error: 'invalid_telegram_id' });
}
// Validazione formato Telegram ID (solo numeri, 5-15 cifre)
if (!TELEGRAM_ID_REGEX.test(telegramId)) {
return res.status(400).json({
error: 'Telegram ID non valido. Deve contenere solo numeri (5-15 cifre).'
});
}
try {
await query(
'UPDATE users SET telegram_id = $1 WHERE id = $2',
[telegramId, req.user.user_id]
);
res.json({ success: true, message: 'Telegram ID aggiornato' });
await auth.updateTelegram(req.user.user_id, telegramId);
res.json({ success: true });
} catch (err) {
if (err.code === '23505') {
return res.status(409).json({ error: 'Questo Telegram ID è già associato a un altro account' });
}
console.error('[USERS] Errore aggiornamento telegram:', err);
res.status(500).json({ error: 'Errore interno del server' });
if (err.code === '23505') return res.status(409).json({ error: 'telegram_taken' });
console.error('[USERS] update telegram:', err.message);
res.status(500).json({ error: 'internal' });
}
});

19
auth/src/routes/views/auth.js
View File

@@ -1,25 +1,28 @@
const router = require('express').Router();
const crypto = require('crypto');
const { csrfToken } = require('../../tools/security');
const ERROR_MESSAGES = {
invalid_credentials: 'Credenziali non valide',
invalid_redirect: 'Redirect non autorizzato',
csrf: 'Richiesta non valida, riprova'
csrf: 'Richiesta non valida, riprova',
account_inactive: 'Account disattivato',
session_expired: 'Sessione scaduta, effettua nuovamente il login'
};
router.get('/login', (req, res) => {
const redirect = req.query.redirect || '';
const redirect = typeof req.query.redirect === 'string' ? req.query.redirect : '';
const errorKey = req.query.error;
const error = ERROR_MESSAGES[errorKey] || null;
const csrfToken = crypto.randomBytes(32).toString('hex');
res.cookie('_csrf', csrfToken, {
const token = csrfToken();
res.cookie('_csrf', token, {
httpOnly: true,
sameSite: 'strict',
secure: process.env.NODE_ENV === 'production'
secure: process.env.NODE_ENV === 'production',
path: '/',
maxAge: 30 * 60 * 1000
});
res.render('loginpage', { error, redirect, csrf_token: csrfToken });
res.render('loginpage', { error, redirect, csrf_token: token });
});
module.exports = router;

73
auth/src/tools/jwt.js
View File

@@ -1,69 +1,52 @@
const jwt = require('jsonwebtoken');
const secret = process.env.JWT_SECRET;
const expires_in = process.env.JWT_EXPIRES_IN;
const SECRET = process.env.JWT_SECRET;
const EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
/**
* Genera un JWT Token a partire dall'utente e crea una nuova sessione
*
* Uso dell'algoritmo HS256 per firmare il token con JWT_SECRET
*
* @param {Object} user - Utente
* @param {string} sessionID - ID della sessione
* @returns {string} - JWT Token
* Firma un JWT per l'utente e la sessione.
* Payload: { sub: userId, username, session_id }
*/
function generateToken(user, sessionID) {
const payload = {
sub: user.id,
username: user.username,
session_id: sessionID,
iat: Math.floor(Date.now() / 1000)
};
return jwt.sign(payload, secret, { expiresIn: expires_in, algorithm: 'HS256' });
function sign(user, sessionId) {
return jwt.sign(
{ sub: user.id, username: user.username, session_id: sessionId },
SECRET,
{ algorithm: 'HS256', expiresIn: EXPIRES_IN }
);
}
/**
* Verifica e decodifica il token
* @param {string} token - JWT Token
* @returns {{valid: boolean, payload?: Object, error?: string, reason?: string}} - Il risultato della verifica. Se fallisce restituisce errore e motivo, altrimenti restituisce una conferma e il payload completo
* Verifica e decodifica un token.
* @returns {{ valid: boolean, payload?: Object, reason?: string }}
*/
function verifyToken(token) {
function verify(token) {
try {
const payload = jwt.verify(token, secret, {
algorithms: ['HS256']
});
const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
return {
valid: true,
payload: {
user_id: payload.sub,
username: payload.username,
session_id: payload.session_id,
iat: payload.iat,
exp: payload.exp
user_id: p.sub,
username: p.username,
session_id: p.session_id,
iat: p.iat,
exp: p.exp
}
};
} catch (err) {
const reason = err.name === 'TokenExpiredError' ? 'expired' : 'invalid';
return {
valid: false,
error: err.message,
reason: `token ${reason}`
reason: err.name === 'TokenExpiredError' ? 'expired' : 'invalid'
};
}
}
function getToken(header) {
if (!header) return null;
const parts = header.split(' ');
if (parts.length === 2 && parts[0].toLowerCase() === 'bearer') {
return parts[1];
/**
* Estrae il token da un header Authorization: Bearer <token>.
*/
function bearer(header) {
if (!header || typeof header !== 'string') return null;
const [scheme, token] = header.split(' ');
return scheme && scheme.toLowerCase() === 'bearer' && token ? token : null;
}
return null;
}
module.exports = { generateToken, verifyToken, getToken };
module.exports = { sign, verify, bearer };

44
auth/src/tools/security.js
View File

@@ -1,54 +1,22 @@
const bcrypt = require('bcrypt');
const crypto = require('crypto');
const saltRounds = 12;
const SALT_ROUNDS = 12;
/**
* Genera un hash di una password
* @param {string} password - Password da hashare
* @returns {string} - Hash della password
*/
async function hashPassword(password) {
return bcrypt.hash(password, saltRounds);
return bcrypt.hash(password, SALT_ROUNDS);
}
/**
* Verifica una password
* @param {string} password - Password da verificare
* @param {string} hash - Hash della password
* @returns {boolean} - True se la password è corretta, false altrimenti
*/
async function verifyPassword(password, hash) {
return bcrypt.compare(password, hash);
}
/**
* Create a session token from code and username
* Format: XXXXXXXX-base64_username
* @param {string} sessionCode
* @param {string} username
* @returns {string} Session token
*/
function generateSessionCode() {
function sessionCode() {
return crypto.randomBytes(32).toString('base64url');
}
/**
* Parse a session token
* @param {string} token
* @returns {string|null} The session token itself if valid
*/
function parseSessionToken(token) {
if (!token || typeof token !== 'string' || token.length < 32 || token.length > 64) {
return null;
function csrfToken() {
return crypto.randomBytes(32).toString('hex');
}
return token;
}
module.exports = {
hashPassword,
verifyPassword,
generateSessionCode,
parseSessionToken
};
module.exports = { hashPassword, verifyPassword, sessionCode, csrfToken };

27
auth/src/tools/tracking.js
View File

@@ -1,24 +1,15 @@
//TODO: Verfica se serve davvero prendere le info come ip e browser
const { UAParser: parser } = require('ua-parser-js');
const { UAParser } = require('ua-parser-js');
/**
* Estrae le informazioni base su browser, sistema operativo e dispositivo per identificare meglio la sessione dell'utente
* @param {*} userAgent
* @returns
* Estrae browser/os/device dal user-agent per identificare meglio la sessione.
*/
function getBasicMetadata(userAgent) {
const parsed = parser(userAgent);
function extract(userAgent) {
const r = new UAParser(userAgent || '').getResult();
return {
browser: parsed.browser.name,
os: parsed.os.name,
device_type: parsed.device.type,
}
}
module.exports = {
getBasicMetadata
browser: r.browser.name || null,
os: r.os.name || null,
device_type: r.device.type || 'desktop'
};
}
module.exports = { extract };

40
console/src/index.js
View File

@@ -1,10 +1,10 @@
const express = require('express');
const nunjucks = require('nunjucks');
const path = require('path');
const jwt = require('jsonwebtoken');
const parser = require('cookie-parser');
const { requireAuthHtml } = require('./middlewares/auth');
const app = express();
const PORT = process.env.PORT;
@@ -47,39 +47,9 @@ const renderPage = (page, extra = {}) => (req, res) => {
res.render(page, {current_path: req.path, ...extra})
}
// Middleware di autenticazione per le pagine
app.use((req, res, next) => {
if (req.path === '/health' || req.path.startsWith('/static')) {
return next();
}
const authBase = process.env.AUTH_LOGIN_URL || 'http://localhost:3006/login';
// Costruisci l'URL di redirect-back: protocollo + host + path originale
const proto = req.protocol;
const host = req.get('host');
const redirectBack = `${proto}://${host}${req.originalUrl}`;
const loginUrl = `${authBase}?redirect=${encodeURIComponent(redirectBack)}`;
const token = req.cookies && req.cookies.auth_token;
if (!token) {
return res.redirect(loginUrl);
}
try {
const payload = jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] });
req.user = payload;
next();
} catch (err) {
const clearOptions = { httpOnly: true, sameSite: 'lax' };
if (process.env.COOKIE_DOMAIN) {
clearOptions.domain = process.env.COOKIE_DOMAIN;
}
res.clearCookie('auth_token', clearOptions);
return res.redirect(loginUrl);
}
});
// Middleware di autenticazione per tutte le pagine protette
// Le route /health e /static sono già gestite sopra
app.use(requireAuthHtml);
app.get('/dashboard', renderPage('dashboard'));
app.get('/live', renderPage('live', {

74
console/src/middlewares/auth.js Normal file
View File

@@ -0,0 +1,74 @@
/**
* Middleware di autenticazione condiviso per la console.
* Usa il JWT in cookie `auth_token` (condiviso tra i sottodomini via COOKIE_DOMAIN = .mebboat.it)
* oppure il header `Authorization: Bearer <token>`.
*
* Il JWT viene firmato da auth.mebboat.it con JWT_SECRET; questo servizio lo verifica
* localmente usando lo stesso secret. Nessuna chiamata di rete richiesta.
*/
const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET;
const AUTH_LOGIN_URL = process.env.AUTH_LOGIN_URL || 'http://localhost:3006/login';
const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN || undefined;
function extractToken(req) {
const header = req.headers.authorization;
const bearer = header && header.startsWith('Bearer ') ? header.slice(7) : null;
return (req.cookies && req.cookies.auth_token) || bearer || null;
}
function verifyToken(token) {
if (!token || typeof token !== 'string' || token.length > 2048) return null;
try {
const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
return {
user_id: p.sub,
username: p.username,
session_id: p.session_id,
iat: p.iat,
exp: p.exp
};
} catch {
return null;
}
}
function clearAuthCookie(res) {
const opts = { httpOnly: true, sameSite: 'lax', path: '/' };
if (COOKIE_DOMAIN) opts.domain = COOKIE_DOMAIN;
res.clearCookie('auth_token', opts);
}
function loginRedirectUrl(req) {
const back = `${req.protocol}://${req.get('host')}${req.originalUrl}`;
return `${AUTH_LOGIN_URL}?redirect=${encodeURIComponent(back)}`;
}
/**
* Pagine HTML: su fallimento redirige all'auth service (SSO).
* Il redirect-back URL viene costruito automaticamente dalla richiesta corrente.
*/
function requireAuthHtml(req, res, next) {
const token = extractToken(req);
const user = verifyToken(token);
if (!user) {
if (token) clearAuthCookie(res);
return res.redirect(loginRedirectUrl(req));
}
req.user = user;
next();
}
/**
* API JSON: su fallimento risponde 401.
*/
function requireAuthApi(req, res, next) {
const user = verifyToken(extractToken(req));
if (!user) return res.status(401).json({ error: 'unauthorized' });
req.user = user;
next();
}
module.exports = { requireAuthHtml, requireAuthApi, clearAuthCookie, verifyToken, extractToken };

85
ml/core/auth.py Normal file
View File

@@ -0,0 +1,85 @@
"""
Middleware / dependency di autenticazione per FastAPI (servizio ML).
Verifica il JWT firmato da auth.mebboat.it (JWT_SECRET condiviso).
Supporta cookie `auth_token` (SSO via .mebboat.it) e header Authorization: Bearer <jwt>.
Il cookie auth_token è condiviso tra i sottodomini grazie a domain=.mebboat.it:
- console.mebboat.it imposta il cookie al login
- ml.mebboat.it lo riceve automaticamente dal browser
Uso:
from core.auth import require_auth, require_internal
@app.get("/protected")
async def protected_route(user = Depends(require_auth)):
return {"user": user}
"""
import os
from typing import Optional
import jwt
from fastapi import Cookie, Header, HTTPException, Request, status
SECRET = os.environ.get("JWT_SECRET")
INTERNAL_KEY = os.environ.get("INTERNAL_API_KEY")
def _verify(token: Optional[str]):
"""Verifica e decodifica un JWT. Ritorna il payload o None."""
if not token or not isinstance(token, str) or len(token) > 2048:
return None
try:
payload = jwt.decode(token, SECRET, algorithms=["HS256"])
return {
"user_id": payload.get("sub"),
"username": payload.get("username"),
"session_id": payload.get("session_id"),
"iat": payload.get("iat"),
"exp": payload.get("exp"),
}
except jwt.PyJWTError:
return None
async def require_auth(
request: Request,
auth_token: Optional[str] = Cookie(default=None),
authorization: Optional[str] = Header(default=None),
x_api_key: Optional[str] = Header(default=None),
):
"""
FastAPI dependency: accetta utente loggato (cookie/bearer) o chiamata interna.
Uso: `user = Depends(require_auth)`.
Il cookie auth_token arriva automaticamente dal browser se l'utente
ha effettuato il login su auth.mebboat.it (dominio .mebboat.it).
"""
# Service-to-service
if x_api_key and INTERNAL_KEY and x_api_key == INTERNAL_KEY:
request.state.internal = True
return {"internal": True}
# Bearer token
bearer = None
if authorization and authorization.startswith("Bearer "):
bearer = authorization[7:]
user = _verify(auth_token or bearer)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="unauthorized",
)
request.state.user = user
return user
async def require_internal(x_api_key: Optional[str] = Header(default=None)):
"""FastAPI dependency: solo chiamate service-to-service con x-api-key."""
if not INTERNAL_KEY or x_api_key != INTERNAL_KEY:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="forbidden",
)
return True

1
ml/requirements.txt
View File

@@ -1,2 +1,3 @@
fastapi
uvicorn
PyJWT

2
realtime/package.json
View File

@@ -11,8 +11,10 @@
"@influxdata/influxdb-client": "^1.35.0",
"@influxdata/influxdb-client-apis": "^1.35.0",
"@msgpack/msgpack": "^3.1.3",
"cookie-parser": "^1.4.7",
"express": "^5.2.1",
"ioredis": "^5.10.0",
"jsonwebtoken": "^9.0.3",
"pg": "^8.20.0",
"ws": "^8.19.0"
}

2
realtime/src/index.js
View File

@@ -1,5 +1,6 @@
const express = require('express');
const crypto = require('crypto');
const parser = require('cookie-parser');
const app = express();
const db = require('./store/db')
@@ -7,6 +8,7 @@ const redis = require('./store/redis');
const wsHandler = require('./ws/handler');
app.use(express.json());
app.use(parser());
// CORS — consenti richieste dalla console e altri client browser
app.use((req, res, next) => {

51
realtime/src/middlewares/auth.js Normal file
View File

@@ -0,0 +1,51 @@
/**
* Middleware di autenticazione per il servizio realtime.
* Usa il JWT condiviso via cookie .mebboat.it o Authorization Bearer.
* Il JWT viene firmato da auth.mebboat.it con JWT_SECRET e verificato localmente.
*/
const jwt = require('jsonwebtoken');
const SECRET = process.env.JWT_SECRET;
const INTERNAL_KEY = process.env.INTERNAL_API_KEY;
function extractToken(req) {
const header = req.headers.authorization;
const bearer = header && header.startsWith('Bearer ') ? header.slice(7) : null;
return (req.cookies && req.cookies.auth_token) || bearer || null;
}
function verifyToken(token) {
if (!token || typeof token !== 'string' || token.length > 2048) return null;
try {
const p = jwt.verify(token, SECRET, { algorithms: ['HS256'] });
return {
user_id: p.sub,
username: p.username,
session_id: p.session_id,
iat: p.iat,
exp: p.exp
};
} catch {
return null;
}
}
/**
* Accetta utente loggato (cookie/bearer) o chiamata interna (x-api-key).
*/
function requireAuth(req, res, next) {
// Service-to-service
const apiKey = req.headers['x-api-key'];
if (apiKey && INTERNAL_KEY && apiKey === INTERNAL_KEY) {
req.internal = true;
return next();
}
// User auth
const user = verifyToken(extractToken(req));
if (!user) return res.status(401).json({ error: 'unauthorized' });
req.user = user;
next();
}
module.exports = { requireAuth, verifyToken, extractToken };