const tables = require("../tables");
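// Upper bound on one introspection round-trip. Without it a hung or
// slow auth service would stall every authenticated request indefinitely.
const VALIDATE_TIMEOUT_MS = 5000;

/**
 * Middleware verifyOAuth — token introspection via SuperOAuth.
 *
 * Flow:
 * 1. Read the token from the `x-auth-token` header.
 * 2. Call SuperOAuth `POST /api/v1/auth/token/validate` with the token.
 * 3. Resolve the local user by `super_oauth_id`.
 * 4. Set `req.user = localUser.id` (integer) — `verifySelf` unchanged.
 *
 * Responses:
 * - 401 when the token is missing, rejected by SuperOAuth, belongs to a
 *   disabled account, or has no linked local user.
 * - 500 when SUPER_OAUTH_URL is unset, or when the validate call fails
 *   (network error, timeout, non-JSON reply) or the local lookup throws.
 *
 * The token value itself is never written to the logs.
 *
 * @param {object} req - request; `header(name)` and `user` are used.
 * @param {object} res - response; `status(code).json(body)` is used.
 * @param {Function} next - invoked only when the token resolves to a local user.
 * @returns {Promise<unknown>} whatever `res.json(...)` or `next()` returns.
 */
const verifyOAuth = async (req, res, next) => {
  const token = req.header("x-auth-token");

  if (typeof token !== "string" || token.length === 0) {
    return res.status(401).json({ message: "Access denied. No token provided." });
  }

  const superOAuthUrl = process.env.SUPER_OAUTH_URL;

  if (!superOAuthUrl) {
    console.error("verifyOAuth — SUPER_OAUTH_URL not configured");
    return res.status(500).json({ message: "Auth service not configured." });
  }

  try {
    const response = await fetch(`${superOAuthUrl}/api/v1/auth/token/validate`, {
      method: "POST",
      headers: { "Content-Type": "application/json", Accept: "application/json" },
      body: JSON.stringify({ token }),
      // Abort the request rather than waiting forever on the auth service.
      signal: AbortSignal.timeout(VALIDATE_TIMEOUT_MS),
    });

    // A non-JSON body (e.g. an HTML error page from a proxy) throws here
    // and is reported as "unreachable" by the catch below.
    const data = await response.json();

    // `data` may be null or a non-object; optional chaining keeps a
    // malformed reply on the 401 path instead of a TypeError → 500.
    const result = data?.data;
    const user = result?.user;

    if (!response.ok || !result?.valid || !user) {
      return res.status(401).json({ message: "Invalid or expired token." });
    }

    if (!user.isActive) {
      return res.status(401).json({ message: "Account is disabled." });
    }

    const superOAuthId = user.id;

    // Never look up a local user with an empty key: a reply that omits the
    // id must not match whatever the repository does with null/undefined.
    if (superOAuthId == null) {
      return res.status(401).json({ message: "Account not linked. Please log in via SuperOAuth." });
    }

    const localUser = await tables.users.getBySuperOAuthId(superOAuthId);

    if (!localUser) {
      return res.status(401).json({ message: "Account not linked. Please log in via SuperOAuth." });
    }

    req.user = localUser.id;
    return next();
  } catch (err) {
    // Covers fetch failures, the timeout (err.name === "TimeoutError"),
    // JSON parse errors and a throwing local lookup. Only `err` is logged,
    // never the token.
    console.error("verifyOAuth — auth service unreachable", err);
    return res.status(500).json({ message: "Authentication service unreachable." });
  }
};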
// CommonJS export of the middleware; mount it before any handler that reads `req.user`.
module.exports = verifyOAuth;