added auth check for admin
parent
b5a97350c2
commit
bad5c1ef24
|
@ -1,14 +1,18 @@
|
|||
import { Request } from "express";
|
||||
import { Session } from "../models/session";
|
||||
import { User } from "../models/user";
|
||||
import { HEADER_X_AUTHORIZATION } from "../utils/constants";
|
||||
|
||||
export async function sessionProtection(req: Request, res: any, next: any) {
|
||||
const xAuthorization = req.get("x-authorization");
|
||||
const xAuthorization = req.get(HEADER_X_AUTHORIZATION);
|
||||
|
||||
if (!xAuthorization) {
|
||||
return res.status(401).json({ status: "err" });
|
||||
}
|
||||
|
||||
const session = await Session.findOne({ sessionId: xAuthorization }).lean();
|
||||
const session = await Session.findOne({ sessionId: xAuthorization })
|
||||
.select("sessionId -_id")
|
||||
.lean();
|
||||
|
||||
if (!session) {
|
||||
return res.status(401).json({ status: "err" });
|
||||
|
@ -16,3 +20,29 @@ export async function sessionProtection(req: Request, res: any, next: any) {
|
|||
|
||||
next();
|
||||
}
|
||||
|
||||
export async function adminProtection(req: Request, res: any, next: any) {
|
||||
const xAuthorization = req.get(HEADER_X_AUTHORIZATION);
|
||||
|
||||
if (!xAuthorization) {
|
||||
return res.status(401).json({ status: "err" });
|
||||
}
|
||||
|
||||
const session = await Session.findOne({ sessionId: xAuthorization })
|
||||
.select("sessionId accountName -_id")
|
||||
.lean();
|
||||
|
||||
if (!session) {
|
||||
return res.status(401).json({ status: "err" });
|
||||
}
|
||||
|
||||
const user = await User.findOne({ accountName: session.accountName })
|
||||
.select("isAdmin -_id")
|
||||
.lean();
|
||||
|
||||
if (!user || !user.isAdmin) {
|
||||
return res.status(401).json({ status: "err" });
|
||||
}
|
||||
|
||||
next();
|
||||
}
|
||||
|
|
|
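Review bot: In adminProtection a valid session whose user is not an admin is answered with 401 in the `if (!user || !user.isAdmin)` branch, the same status as a missing or unknown session, so a client cannot tell "log in" apart from "not permitted" and may loop on re-authentication; `return res.status(403).json({ status: "err" });` is the conventional response for an authenticated-but-unauthorized caller, keeping 401 for the missing-header and unknown-session branches. The +/- markers are lost in this rendering, but adminProtection appears to be wholly new while sessionProtection only swaps the header literal for HEADER_X_AUTHORIZATION and narrows its select. Neither middleware checks session age here — DEFAULT_SESSION_EXPIRATION exists in the constants file, so presumably expiry is enforced elsewhere (a TTL index on the Session schema or a check on the login path); worth confirming, since sessionProtection's body continues outside the first hunk. Both handlers type `res` and `next` as `any`; `res: Response, next: NextFunction` from express would let the compiler check the `res.status(...).json(...)` chain and the `next()` call. adminProtection also repeats sessionProtection's header and session lookup verbatim; composing it as the session check followed by the admin lookup would keep the two from drifting apart.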
@ -16,6 +16,10 @@ export const userSchema = new Schema({
|
|||
type: Number,
|
||||
default: 0,
|
||||
},
|
||||
isAdmin: {
|
||||
type: Boolean,
|
||||
default: false,
|
||||
},
|
||||
});
|
||||
|
||||
export type User = InferSchemaType<typeof userSchema>;
|
||||
|
|
|
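Review bot: The new `isAdmin` field defaults to false, which is the right fail-closed default, but the commit does not show how user documents are created or updated; if any controller passes `req.body` (or a spread of it) into `new User(...)` or an update call, the field becomes settable from client input. Worth confirming that the registration and profile-update paths whitelist the fields they accept and that `isAdmin` is only written by a server-side path. A short schema comment would make the intent explicit: `// Grants access to adminProtection routes; never set from client input`. Existing documents without the field read as undefined and are denied by `!user.isAdmin` in the middleware, which is fine.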
@ -2,8 +2,8 @@ import express from "express";
|
|||
const router = express.Router();
|
||||
|
||||
import * as adminController from "../controllers/adminController";
|
||||
import { sessionProtection } from "../middleware/authMiddleware";
|
||||
import { adminProtection } from "../middleware/authMiddleware";
|
||||
|
||||
router.get("/users", sessionProtection, adminController.GetAllUsers);
|
||||
router.get("/users", adminProtection, adminController.GetAllUsers);
|
||||
|
||||
export default router;
|
||||
|
|
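Review bot: Only `/users` is guarded by adminProtection here; every future route added to this router needs the middleware repeated by hand, and a forgotten one ships unprotected. Since this appears to be the admin router (it imports only adminController), registering the guard once with `router.use(adminProtection);` ahead of the routes and dropping it from the individual `router.get` calls makes the router deny by default. The import swap on the line above removes `sessionProtection`; that is fine if nothing else in the file uses it, otherwise the import needs to stay.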
|
@ -4,4 +4,8 @@ export const DEFAULT_SESSION_EXPIRATION: number = 7 * 24 * 60 * 60 * 1000;
|
|||
// Maximum number of users to display per page in the admin interface
|
||||
export const ADMIN_MAX_USERS_PER_PAGE: number = 10;
|
||||
|
||||
// Fields to ignore when querying MongoDB
|
||||
export const MONGODB_IGNORED_FIELDS: string = "-password -_id -__v";
|
||||
|
||||
// Header name for the session ID
|
||||
export const HEADER_X_AUTHORIZATION: string = "x-authorization";
|
||||
|
|
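Review bot: `HEADER_X_AUTHORIZATION: string` widens the literal to `string`, so the compiler no longer knows which header name the constant holds; `export const HEADER_X_AUTHORIZATION = "x-authorization";` keeps the literal type through inference, and the same applies to the `string`/`number` annotations on the other constants in this hunk. Replacing the literal in `req.get("x-authorization")` with the constant is a good change; a one-line note that Express header lookup is case-insensitive would save a reader wondering whether the lowercase name matters.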