Enabling Authentication and Authorization from a Single Middleware for Cookie and Bearer Token-Based Flows (#1926)

* changed auth & authorization middledware

* changed for /nickname/status

* authorization -> authorizeOrAuthenticate

* authorizeOrAuthenticate -> authorizeAndAuthenticate

* change a middleware for nickname/sync & nickname/status

* imported virifyCronJob

---------

Co-authored-by: Achintya Chatterjee <[email protected]>

Author: Pavangbhat

middlewares/authorizeUsersAndService.ts

@@ -8,7 +8,7 @@ const { Services } = require("../constants/bot");
 const ROLES = require("../constants/roles");
 const { INTERNAL_SERVER_ERROR_MESSAGE } = require("../constants/progresses");
 
-export const authorization = (allowedRoles: string[], allowedServices: string[]) => {
+export const authorizeAndAuthenticate = (allowedRoles: string[], allowedServices: string[]) => {
   const isRolesValid = allowedRoles.every((role) => Object.values(ROLES).includes(role));
   if (!isRolesValid) {
     throw new Error("Invalid role");

routes/discordactions.js

@@ -25,7 +25,10 @@ const checkIsVerifiedDiscord = require("../middlewares/verifydiscord");
 const checkCanGenerateDiscordLink = require("../middlewares/checkCanGenerateDiscordLink");
 const { SUPERUSER } = require("../constants/roles");
 const authorizeRoles = require("../middlewares/authorizeRoles");
+const ROLES = require("../constants/roles");
+const { Services } = require("../constants/bot");
 const { verifyCronJob } = require("../middlewares/authorizeBot");
+const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
 
 const router = express.Router();
 
@@ -43,21 +46,27 @@ router.patch(
   checkIsVerifiedDiscord,
   updateDiscordImageForVerification
 );
-router.put("/group-idle", authenticate, authorizeRoles([SUPERUSER]), setRoleIdleToIdleUsers);
-router.put("/group-idle-7d", authenticate, authorizeRoles([SUPERUSER]), setRoleIdle7DToIdleUsers);
+router.put(
+  "/group-idle",
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
+  setRoleIdleToIdleUsers
+);
+router.put(
+  "/group-idle-7d",
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
+  setRoleIdle7DToIdleUsers
+);
 router.post(
   "/nicknames/sync",
-  authenticate,
-  authorizeRoles([SUPERUSER]),
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
   checkIsVerifiedDiscord,
   updateDiscordNicknames
 );
 router.post("/nickname/status", verifyCronJob, validateUpdateUsersNicknameStatusBody, updateUsersNicknameStatus);
 router.post("/discord-roles", authenticate, authorizeRoles([SUPERUSER]), syncDiscordGroupRolesInFirestore);
 router.put(
   "/group-onboarding-31d-plus",
-  authenticate,
-  authorizeRoles([SUPERUSER]),
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
   setRoleToUsersWith31DaysPlusOnboarding
 );
 module.exports = router;

routes/external-accounts.js

@@ -6,13 +6,16 @@ const externalAccount = require("../controllers/external-accounts");
 const authenticate = require("../middlewares/authenticate");
 const authorizeRoles = require("../middlewares/authorizeRoles");
 const { SUPERUSER } = require("../constants/roles");
+const ROLES = require("../constants/roles");
+const { Services } = require("../constants/bot");
+const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
+
 router.post("/", validator.externalAccountData, authorizeBot.verifyDiscordBot, externalAccount.addExternalAccountData);
 router.get("/:token", authenticate, externalAccount.getExternalAccountData);
 router.patch("/discord-sync", authenticate, authorizeRoles([SUPERUSER]), externalAccount.syncExternalAccountData);
 router.post(
   "/users",
-  authenticate,
-  authorizeRoles([SUPERUSER]),
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
   validator.postExternalAccountsUsers,
   externalAccount.externalAccountsUsersPostHandler
 );

routes/tasks.js

@@ -10,7 +10,7 @@ const {
   getUsersValidator,
 } = require("../middlewares/validators/tasks");
 const authorizeRoles = require("../middlewares/authorizeRoles");
-const { authorization } = require("../middlewares/authorizeUsersAndService");
+const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
 const { APPOWNER, SUPERUSER } = require("../constants/roles");
 const assignTask = require("../middlewares/assignTask");
 const { cacheResponse, invalidateCache } = require("../utils/cache");
@@ -19,7 +19,10 @@ const { verifyCronJob } = require("../middlewares/authorizeBot");
 const { CLOUDFLARE_WORKER, CRON_JOB_HANDLER } = require("../constants/bot");
 
 const oldAuthorizationMiddleware = authorizeRoles([APPOWNER, SUPERUSER]);
-const newAuthorizationMiddleware = authorization([APPOWNER, SUPERUSER], [CLOUDFLARE_WORKER, CRON_JOB_HANDLER]);
+const newAuthorizationMiddleware = authorizeAndAuthenticate(
+  [APPOWNER, SUPERUSER],
+  [CLOUDFLARE_WORKER, CRON_JOB_HANDLER]
+);
 
 // Middleware to check if 'dev' query parameter is set to true
 const enableDevModeMiddleware = (req, res, next) => {

routes/userStatus.js

@@ -17,13 +17,21 @@ const {
   validateMassUpdate,
   validateGetQueryParams,
 } = require("../middlewares/validators/userStatus");
+const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
+const ROLES = require("../constants/roles");
+const { Services } = require("../constants/bot");
 
 router.get("/", validateGetQueryParams, getUserStatusControllers);
 router.get("/self", authenticate, getUserStatus);
 router.get("/:userId", getUserStatus);
 router.patch("/self", authenticate, validateUserStatus, updateUserStatusController);
-router.patch("/update", authenticate, authorizeRoles([SUPERUSER]), updateAllUserStatus);
-router.patch("/batch", authenticate, authorizeRoles([SUPERUSER]), validateMassUpdate, batchUpdateUsersStatus);
+router.patch("/update", authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]), updateAllUserStatus);
+router.patch(
+  "/batch",
+  authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]),
+  validateMassUpdate,
+  batchUpdateUsersStatus
+);
 router.patch("/:userId", authenticate, authorizeRoles([SUPERUSER]), validateUserStatus, updateUserStatus);
 router.delete("/:userId", authenticate, authorizeRoles([SUPERUSER]), deleteUserStatus);
 

routes/users.js

@@ -8,8 +8,11 @@ const userValidator = require("../middlewares/validators/user");
 const { upload } = require("../utils/multer");
 const { getUserBadges } = require("../controllers/badges");
 const checkIsVerifiedDiscord = require("../middlewares/verifydiscord");
+const { authorizeAndAuthenticate } = require("../middlewares/authorizeUsersAndService");
+const ROLES = require("../constants/roles");
+const { Services } = require("../constants/bot");
 
-router.post("/", authenticate, authorizeRoles([SUPERUSER]), users.markUnverified);
+router.post("/", authorizeAndAuthenticate([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]), users.markUnverified);
 router.post("/update-in-discord", authenticate, authorizeRoles([SUPERUSER]), users.setInDiscordScript);
 router.post("/verify", authenticate, users.verifyUser);
 router.get("/userId/:userId", users.getUserById);

test/integration/authorizeUsersAndService.test.ts

@@ -1,5 +1,5 @@
 import { expect } from "chai";
-import { authorization } from "../../middlewares/authorizeUsersAndService";
+import { authorizeAndAuthenticate  } from "../../middlewares/authorizeUsersAndService";
 import bot from "../utils/generateBotToken";
 const userData = require("../fixtures/user/user")();
 import authService from "../../services/authService";
@@ -41,46 +41,46 @@ describe("Middleware | Authorization", function () {
   });
   describe("Input validations", function () {
     it("should throw an error for invalid roles", function () {
-      expect(() => authorization(["invalid_role"], [Services.CRON_JOB_HANDLER])).to.throw("Invalid role");
+      expect(() => authorizeAndAuthenticate (["invalid_role"], [Services.CRON_JOB_HANDLER])).to.throw("Invalid role");
     });
 
     it("should throw an error for invalid services", function () {
-      expect(() => authorization([ROLES.APPOWNER], ["invalid_service"])).to.throw("Invalid service name");
+      expect(() => authorizeAndAuthenticate ([ROLES.APPOWNER], ["invalid_service"])).to.throw("Invalid service name");
     });
   });
 
   describe("Service Authorization", function () {
     it("should return unauthorized for invalid authorization header format", async function () {
       req.headers.authorization = "InvalidHeader";
 
-      await authorization([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
+      await authorizeAndAuthenticate ([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
       expect(res.boom.unauthorized.calledOnce).to.be.equal(true);
     });
 
     it("should return unauthorized for invalid JWT token", async function () {
       req.headers.authorization = "Bearer invalid_token";
-      await authorization([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
+      await authorizeAndAuthenticate ([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
       expect(res.boom.unauthorized.calledOnce).to.be.equal(true);
     });
 
     it("should call verifyCronJob for valid cron job token", async function () {
       const jwtToken = bot.generateCronJobToken({ name: CRON_JOB_HANDLER });
       req.headers.authorization = `Bearer ${jwtToken}`;
-      await authorization([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
+      await authorizeAndAuthenticate ([ROLES.APPOWNER], [Services.CRON_JOB_HANDLER])(req, res, next);
       expect(next.calledOnce).to.be.equal(true);
     });
 
     it("should call verifyDiscordBot for valid Discord bot token", async function () {
       const jwtToken = bot.generateToken({ name: CLOUDFLARE_WORKER });
       req.headers.authorization = `Bearer ${jwtToken}`;
-      await authorization([ROLES.APPOWNER], [Services.CLOUDFLARE_WORKER])(req, res, next);
+      await authorizeAndAuthenticate ([ROLES.APPOWNER], [Services.CLOUDFLARE_WORKER])(req, res, next);
       expect(next.calledOnce).to.be.equal(true);
     });
 
     it("should return unauthorized for unknown service names", async function () {
       const jwtToken = bot.generateToken({ name: "Invalid name" });
       req.headers.authorization = `Bearer ${jwtToken}`;
-      await authorization([ROLES.APPOWNER], [Services.CLOUDFLARE_WORKER])(req, res, next);
+      await authorizeAndAuthenticate ([ROLES.APPOWNER], [Services.CLOUDFLARE_WORKER])(req, res, next);
       expect(res.boom.unauthorized.calledOnce).to.be.equal(true);
     });
   });
@@ -89,7 +89,7 @@ describe("Middleware | Authorization", function () {
       return res.json({ message: "pong" });
     };
 
-    router.get("/for-super-user", authorization([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]), pongHandler);
+    router.get("/for-super-user", authorizeAndAuthenticate ([ROLES.SUPERUSER], [Services.CRON_JOB_HANDLER]), pongHandler);
 
     const app = express();
     AppMiddlewares(app);