From bad5c1ef2444a95f667e3f3a2c2e8ec5a6cd0945 Mon Sep 17 00:00:00 2001
From: Netcup Gituser
Date: Tue, 5 Dec 2023 19:14:03 +0100
Subject: [PATCH] added auth check for admin
---
 src/middleware/authMiddleware.ts | 34 ++++++++++++++++++++++++++++++--
 src/models/user.ts | 4 ++++
 src/routes/adminRoutes.ts | 4 ++--
 src/utils/constants.ts | 4 ++++
 4 files changed, 42 insertions(+), 4 deletions(-)
diff --git a/src/middleware/authMiddleware.ts b/src/middleware/authMiddleware.ts
index bf257b4..bc04dae 100644
--- a/src/middleware/authMiddleware.ts
+++ b/src/middleware/authMiddleware.ts
@@ -1,14 +1,18 @@
 import { Request } from "express";
 import { Session } from "../models/session";
+import { User } from "../models/user";
+import { HEADER_X_AUTHORIZATION } from "../utils/constants";
 export async function sessionProtection(req: Request, res: any, next: any) {
- const xAuthorization = req.get("x-authorization");
+ const xAuthorization = req.get(HEADER_X_AUTHORIZATION);
 if (!xAuthorization) {
 return res.status(401).json({ status: "err" });
 }
- const session = await Session.findOne({ sessionId: xAuthorization }).lean();
+ const session = await Session.findOne({ sessionId: xAuthorization })
+ .select("sessionId -_id")
+ .lean();
 if (!session) {
 return res.status(401).json({ status: "err" });
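Review bot: A session is still accepted on existence alone at `if (!session)`, and the new `.select("sessionId -_id")` now strips every other field, so nothing in `sessionProtection` can compare a session's age against the `DEFAULT_SESSION_EXPIRATION` constant that constants.ts defines. If expiry is enforced elsewhere (a TTL index on the session collection, or cleanup on login) this is fine; if it is not, a leaked session ID stays valid indefinitely. I would add the schema's expiry/timestamp field to the projection and reject stale sessions, roughly `if (!session || session.<expiry field> <= Date.now()) return res.status(401).json({ status: "err" });` (field name to be taken from the Session schema, which this diff does not show). The same point applies to `adminProtection` in the next hunk. The body of sessionProtection continues past the end of this hunk.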
@@ -16,3 +20,29 @@ export async function sessionProtection(req: Request, res: any, next: any) {
 next();
 }
+
+export async function adminProtection(req: Request, res: any, next: any) {
+ const xAuthorization = req.get(HEADER_X_AUTHORIZATION);
+
+ if (!xAuthorization) {
+ return res.status(401).json({ status: "err" });
+ }
+
+ const session = await Session.findOne({ sessionId: xAuthorization })
+ .select("sessionId accountName -_id")
+ .lean();
+
+ if (!session) {
+ return res.status(401).json({ status: "err" });
+ }
+
+ const user = await User.findOne({ accountName: session.accountName })
+ .select("isAdmin -_id")
+ .lean();
+
+ if (!user || !user.isAdmin) {
+ return res.status(401).json({ status: "err" });
+ }
+
+ next();
+}
diff --git a/src/models/user.ts b/src/models/user.ts
index 4b66c0b..0dd1d86 100644
--- a/src/models/user.ts
+++ b/src/models/user.ts
@@ -16,6 +16,10 @@ export const userSchema = new Schema({
 type: Number,
 default: 0,
 },
+ isAdmin: {
+ type: Boolean,
+ default: false,
+ },
 });
 export type User = InferSchemaType;
diff --git a/src/routes/adminRoutes.ts b/src/routes/adminRoutes.ts
index 8ca4c25..b690220 100644
--- a/src/routes/adminRoutes.ts
+++ b/src/routes/adminRoutes.ts
@@ -2,8 +2,8 @@ import express from "express";
 const router = express.Router();
 import * as adminController from "../controllers/adminController";
-import { sessionProtection } from "../middleware/authMiddleware";
+import { adminProtection } from "../middleware/authMiddleware";
-router.get("/users", sessionProtection, adminController.GetAllUsers);
+router.get("/users", adminProtection, adminController.GetAllUsers);
 export default router;
diff --git a/src/utils/constants.ts b/src/utils/constants.ts
index dc849c8..b7a096d 100644
--- a/src/utils/constants.ts
+++ b/src/utils/constants.ts
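Review bot: `adminProtection` repeats the header read and the `Session.findOne(...).select(...).lean()` lookup from `sessionProtection` line for line, so the two checks will drift the first time one of them learns about session expiry or a different error shape; the shared part belongs in one private helper that takes the projection, sketched below. The non-admin case at `if (!user || !user.isAdmin)` answers 401 where 403 is the conventional status for "authenticated but not allowed" — if 401 is deliberate so the admin route does not confirm that an account exists, a one-line comment such as `// 401 on purpose: do not distinguish "no session" from "not admin"` will stop the next reader from changing it. `res: any, next: any` also discards the `Response` and `NextFunction` types that express exports, which is why `res.status(401).json(...)` is never type-checked here; the fence uses them but their import is left out of the excerpt. The User lookup and isAdmin check are unchanged.
```typescript
// Shared by sessionProtection and adminProtection: resolve the session named by the
// x-authorization header, or null when the header is missing or no session matches.
async function findSessionFromRequest(req: Request, projection: string) {
  const xAuthorization = req.get(HEADER_X_AUTHORIZATION);
  if (!xAuthorization) {
    return null;
  }
  return Session.findOne({ sessionId: xAuthorization }).select(projection).lean();
}

export async function adminProtection(req: Request, res: Response, next: NextFunction) {
  const session = await findSessionFromRequest(req, "sessionId accountName -_id");
  if (!session) {
    return res.status(401).json({ status: "err" });
  }
  // … unchanged: User lookup and isAdmin check …
  next();
}
```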
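Review bot: `isAdmin` defaulting to `false` in the user.ts hunk is the right default, but the schema alone cannot prevent a client from setting it: any registration or profile-update handler that copies the request body into the user document wholesale would let a caller grant itself the flag. The controllers are not part of this diff, so please confirm that every create/update path assigns explicit fields rather than the raw body, and that `isAdmin` is only written by an admin-only route; a schema comment like `// Never set from client input — only changed through admin-only routes` would record that contract next to the field. `MONGODB_IGNORED_FIELDS` in constants.ts also keeps `isAdmin` in the projection, which is fine for the admin listing but worth checking for any public user endpoint that reuses it. `userSchema` begins before the start of this hunk.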
@@ -4,4 +4,8 @@ export const DEFAULT_SESSION_EXPIRATION: number = 7 * 24 * 60 * 60 * 1000;
 // Maximum number of users to display per page in the admin interface
 export const ADMIN_MAX_USERS_PER_PAGE: number = 10;
+// Fields to ignore when querying MongoDB
 export const MONGODB_IGNORED_FIELDS: string = "-password -_id -__v";
+
+// Header name for the session ID
+export const HEADER_X_AUTHORIZATION: string = "x-authorization";
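Review bot: The `: string` annotation on `HEADER_X_AUTHORIZATION` widens a fixed literal to `string`, so the type no longer says which header it is; dropping the annotation (`export const HEADER_X_AUTHORIZATION = "x-authorization";`) keeps the literal type `"x-authorization"` for free, and the same applies to the other annotated constants in this file. The comment could also state what callers depend on, e.g. `// Header carrying the session ID; express's req.get() matches header names case-insensitively`, so nobody "normalises" the casing later and wonders why it still works.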