Add extract token + authenticate middleware

2026-01-24 18:07:55 -05:00 · 2020-06-23 15:46:07 -04:00
parent 2946a5d76f
commit 6c2daebf30
3 changed files with 74 additions and 2 deletions
--- a/src/app.ts
+++ b/src/app.ts
@@ -6,7 +6,8 @@ import bodyParser from 'body-parser';

 import { errorHandler, ErrorCode } from './error';

-import passport from './auth/passport';
+import extractToken from './middleware/extract-token';
+import authenticate from './middleware/authenticate';

 import activityRouter from './routes/activity';
 import authRouter from './routes/auth';
@@ -38,7 +39,8 @@ import notFoundHandler from './routes/not-found';
 const app = express()
 	.disable('x-powered-by')
 	.use(bodyParser.json())
-	.use(passport.initialize())
+	.use(extractToken)
+	.use(authenticate)
 	.use('/activity', activityRouter)
 	.use('/auth', authRouter)
 	.use('/collection_presets', collectionPresetsRouter)
--- a/src/middleware/authenticate.ts
+++ b/src/middleware/authenticate.ts
@@ -0,0 +1,31 @@
+import { RequestHandler } from 'express';
+import jwt from 'jsonwebtoken';
+import isJWT from '../utils/is-jwt';
+import database from '../database';
+
+const authenticate: RequestHandler = async (req, res, next) => {
+	if (!req.token) return next();
+
+	if (isJWT(req.token)) {
+		const payload = jwt.verify(req.token, process.env.SECRET) as { id: string };
+		const user = await database
+			.select('role')
+			.from('directus_users')
+			.where({ id: payload.id })
+			.first();
+		/** @TODO verify user status */
+		req.user = payload.id;
+		req.role = user.role;
+		return next();
+	}
+
+	/**
+	 * @TODO
+	 * Implement static tokens
+	 *
+	 * We'll silently ignore wrong tokens. This makes sure we prevent brute-forcing static tokens
+	 */
+	return next();
+};
+
+export default authenticate;
--- a/src/middleware/extract-token.ts
+++ b/src/middleware/extract-token.ts
@@ -0,0 +1,39 @@
+/**
+ * Extract access token from:
+ *
+ * Authorization: Bearer
+ * access_token query parameter
+ *
+ * and store in req.token
+ */
+
+import { RequestHandler } from 'express';
+
+const extractToken: RequestHandler = (req, res, next) => {
+	let token: string | null = null;
+
+	if (req.query && req.query.access_token) {
+		token = req.query.access_token as string;
+	}
+
+	if (req.headers && req.headers.authorization) {
+		const parts = req.headers.authorization.split(' ');
+
+		if (parts.length === 2 && parts[0] === 'Bearer') {
+			token = parts[1];
+		}
+	}
+
+	/**
+	 * @TODO
+	 * Look into RFC6750 compliance:
+	 * In order to be fully compliant with RFC6750, we have to throw a 400 error when you have the
+	 * token in more than 1 place afaik. We also might have to support "access_token" as a post body
+	 * key
+	 */
+
+	req.token = token;
+	next();
+};
+
+export default extractToken;