coworking-metz · mtthp · May 26, 2024 · May 15, 2024
diff --git a/lib/auth.js b/lib/auth.js
@@ -51,13 +51,15 @@ export function ensureToken(req, res, next) {
 }
 
 export async function ensureAccess(req, res, next) {
-  await retrieveUserFromAccessToken(req, res)
+  if (req.isAdmin) {
+    return next()
+  }
 
   if (!req.user) {
     throw createError(401, 'Authentication required')
   }
 
-  if (req.rawUser && !(req.rawUser._id === req.user.id || req.isAdmin)) {
+  if (req.rawUser && req.rawUser._id !== req.user.id) {
     throw createError(403, 'You are not allowed to access this content')
   }
 
@@ -72,7 +74,7 @@ export function ensureAdmin(req, res, next) {
   return next()
 }
 
-export function multiAuth(req, res, next) {
+export async function multiAuth(req, res, next) {
   const tokenAuthentication = authToken(req)
 
   if (tokenAuthentication === true) {
@@ -84,7 +86,9 @@ export function multiAuth(req, res, next) {
     throw createError(401, 'Invalid API key')
   }
 
-  return ensureAccess(req, res, next)
+  await retrieveUserFromAccessToken(req, res)
+
+  return next()
 }
 
 const {OAUTH_FOLLOW_WHITELIST} = process.env
@@ -230,11 +234,12 @@ export function buildOauth2Callback(path) {
  * Decode the access token and add the user to the request
  */
 export async function retrieveUserFromAccessToken(req) {
-  if (!req.get('Authorization')) {
-    throw createError(401)
+  const authorizationHeader = req.get('Authorization')
+  if (!authorizationHeader) {
+    return
   }
 
-  const accessToken = req.get('Authorization').slice('Bearer '.length)
+  const accessToken = authorizationHeader.slice('Bearer '.length)
   const user = await verifyAccessToken(accessToken)
     .catch(error => {
       if (error instanceof jwt.TokenExpiredError) {

diff --git a/server.js b/server.js
@@ -90,13 +90,13 @@ app.get('/coworkersNow', w(coworkersNow)) // Legacy
 /* General purpose */
 
 app.get('/api/members', w(multiAuth), w(ensureAdmin), w(getAllMembers))
-app.get('/api/members/:userId', w(multiAuth), w(getMemberInfos))
-app.get('/api/members/:userId/activity', w(multiAuth), w(getMemberActivity))
-app.get('/api/members/:userId/tickets', w(multiAuth), w(getMemberTickets))
-app.get('/api/members/:userId/subscriptions', w(multiAuth), w(getMemberSubscriptions))
-app.get('/api/members/:userId/memberships', w(multiAuth), w(getMemberMemberships))
-app.put('/api/members/:userId/mac-addresses', express.json(), w(multiAuth), w(updateMemberMacAddresses))
-app.post('/api/members/:userId/sync-wordpress', w(multiAuth), w(forceWordpressSync))
+app.get('/api/members/:userId', w(multiAuth), w(ensureAccess), w(getMemberInfos))
+app.get('/api/members/:userId/activity', w(multiAuth), w(ensureAccess), w(getMemberActivity))
+app.get('/api/members/:userId/tickets', w(multiAuth), w(ensureAccess), w(getMemberTickets))
+app.get('/api/members/:userId/subscriptions', w(multiAuth), w(ensureAccess), w(getMemberSubscriptions))
+app.get('/api/members/:userId/memberships', w(multiAuth), w(ensureAccess), w(getMemberMemberships))
+app.put('/api/members/:userId/mac-addresses', express.json(), w(multiAuth), w(ensureAccess), w(updateMemberMacAddresses))
+app.post('/api/members/:userId/sync-wordpress', w(multiAuth), w(ensureAccess), w(forceWordpressSync))
 
 app.get('/api/voting-members', w(multiAuth), w(ensureAdmin), w(getVotingMembers))
 app.get('/api/users-stats', w(multiAuth), w(ensureAdmin), w(getUsersStats))
@@ -115,7 +115,7 @@ app.post('/api/sync-user-webhook', validateAndParseJson, w(syncUserWebhook))
 
 /* Services */
 
-app.post('/api/interphone', w(multiAuth), w(async (req, res) => {
+app.post('/api/interphone', w(multiAuth), w(ensureAccess), w(async (req, res) => {
   if (!req.isAdmin && !req.user?.capabilities.includes('UNLOCK_GATE')) {
     throw createHttpError(403, 'Forbidden')
   }
@@ -132,7 +132,7 @@ app.post('/api/interphone', w(multiAuth), w(async (req, res) => {
   })
 }))
 
-app.post('/api/parking', w(multiAuth), w(async (req, res) => {
+app.post('/api/parking', w(multiAuth), w(ensureAccess), w(async (req, res) => {
   if (!req.isAdmin && !req.user?.capabilities.includes('PARKING_ACCESS')) {
     throw createHttpError(403, 'Forbidden')
   }
@@ -154,7 +154,7 @@ app.get('/netatmo/stations', w(async (req, res) => {
   res.send(sensors)
 }))
 
-app.use('/api/on-premise', w(ensureAccess), onPremiseRoutes)
+app.use('/api/on-premise', w(multiAuth), w(ensureAccess), onPremiseRoutes)
 
 app.get('/api/calendar/events', w(multiAuth), w(getAllEvents))