added middleware and fixed code quality

Author: Suvidh-kaushik

constants/requests.ts

@@ -74,6 +74,8 @@ export const FEATURE_NOT_IMPLEMENTED = "Feature not implemented";
 export const IMPERSONATION_NOT_COMPLETED = "Please complete impersonation before creating a new request";
 export const IMPERSONATION_ALREADY_ATTEMPTED = "No active request is available for impersonation";
 export const IMPERSONATION_REQUEST_NOT_APPROVED = "Awaiting approval for impersonation request";
+export const INVALID_ACTION_PARAM = "Invalid 'action' parameter: must be either 'START' or 'STOP'";
+
 
 
 export const IMPERSONATION_LOG_TYPE = {

controllers/impersonationRequests.ts

@@ -163,30 +163,32 @@ export const impersonationController = async (
   const { action } = req.query;
   const requestId = req.params.id;
   const userId = req.userData?.id;
-
-  let body;
+  let authCookie;
   let response;
-
   try {
+
     if (action === "START") {
+      authCookie = await generateImpersonationTokenService(requestId, action);
       response = await startImpersonationService({ requestId, userId });
-      body = await generateImpersonationTokenService(requestId, action);
-    } else if (action === "STOP" && req?.isImpersonating) {
+    }
+
+    if (action === "STOP") {
+      if (!req.isImpersonating) {
+        throw new Forbidden("Cannot stop impersonation: no active impersonation session");
+      }
+      authCookie = await generateImpersonationTokenService(requestId, action);
       response = await stopImpersonationService({ requestId, userId });
-      body = await generateImpersonationTokenService(requestId, action);
-    } else {
-      throw new Forbidden("Invalid impersonation session");
     }
 
-    res.clearCookie(body.name);
-    res.cookie(body.name, body.value, body.options);
+    res.clearCookie(authCookie.name);
+    res.cookie(authCookie.name, authCookie.value, authCookie.options);
 
     return res.status(200).json({
       message: response?.returnMessage,
       data: response.updatedRequest
     });
   } catch (error) {
-    logger.error("Error while handling impersonation request", error);
+    logger.error(`Failed to process impersonation ${action} for requestId=${requestId}, userId=${userId}`, error);
     next(error);
   }
 };

middlewares/addAuthorizationForImpersonation.ts

@@ -0,0 +1,29 @@
+import { NextFunction } from "express";
+import authorizeRoles from "./authorizeRoles";
+const { SUPERUSER } = require("../constants/roles");
+import { ImpersonationRequestResponse, ImpersonationSessionRequest } from "../types/impersonationRequest";
+import { INVALID_ACTION_PARAM } from "../constants/requests";
+
+/**
+ * Middleware to authorize impersonation based on the 'action' query param.
+ * - START → Requires SUPERUSER role.
+ * - END → Allows without additional checks.
+ * - Invalid or missing action → Responds with 400 Bad Request.
+ */
+export const addAuthorizationForImpersonation = async (
+  req: ImpersonationSessionRequest,
+  res: ImpersonationRequestResponse,
+  next: NextFunction
+) => {
+  const { action } = req.query;
+
+  if (action === "START") {
+    return authorizeRoles([SUPERUSER])(req, res, next);
+  }
+
+  if (action === "STOP") {
+    return next();
+  }
+
+  return res.boom.badRequest(INVALID_ACTION_PARAM);
+};

middlewares/authenticate.js

@@ -25,7 +25,7 @@ const checkRestricted = async (req, res, next) => {
       req.query.action === "STOP";
 
     if (req.method !== "GET" && !isStopImpersonationRoute) {
-      return res.boom.forbidden("Only viewing is permitted during impersonation");
+      return res.boom.forbidden("You are not allowed for this operation at the moment");
     }
   }
 

models/impersonationRequests.ts

@@ -4,11 +4,12 @@ import {
   IMPERSONATION_NOT_COMPLETED,
   REQUEST_ALREADY_PENDING,
   REQUEST_STATE,
-  ERROR_WHILE_FETCHING_REQUEST
+  ERROR_WHILE_FETCHING_REQUEST,
+  ERROR_WHILE_UPDATING_REQUEST
 } from "../constants/requests";
 import { Timestamp } from "firebase-admin/firestore";
 import { Query, CollectionReference } from '@google-cloud/firestore';
-import { CreateImpersonationRequestModelDto, ImpersonationRequest, PaginatedImpersonationRequests,ImpersonationRequestQuery} from "../types/impersonationRequest";
+import { CreateImpersonationRequestModelDto, ImpersonationRequest, PaginatedImpersonationRequests,ImpersonationRequestQuery, UpdateImpersonationRequestModelDto} from "../types/impersonationRequest";
 import { Forbidden } from "http-errors";
 const logger = require("../utils/logger");
 const impersonationRequestModel = firestore.collection("impersonationRequests");

routes/impersonation.ts

@@ -5,6 +5,7 @@ const authorizeRoles = require("../middlewares/authorizeRoles");
 const { SUPERUSER } = require("../constants/roles");
 import authenticate from "../middlewares/authenticate";
 import { createImpersonationRequestController, getImpersonationRequestByIdController, getImpersonationRequestsController, impersonationController } from "../controllers/impersonationRequests";
+import { addAuthorizationForImpersonation } from "../middlewares/addAuthorizationForImpersonation";
 
 router.post(
   "/requests",
@@ -28,7 +29,12 @@ router.get(
    getImpersonationRequestByIdController
 );
 
-
-router.patch("/:id",authenticate,impersonationSessionValidator,impersonationController)
+router.patch(
+    "/:id",
+    authenticate,
+    impersonationSessionValidator,
+    addAuthorizationForImpersonation,
+    impersonationController
+);
 
 module.exports = router;

services/authService.js

@@ -15,7 +15,7 @@ const generateAuthToken = (payload) => {
 const generateImpersonationAuthToken = (payload) => {
   return jwt.sign(payload, config.get("userToken.privateKey"), {
     algorithm: "RS256",
-    expiresIn: config.get("impersonationTtl"),
+    expiresIn: config.get("userToken.impersonationTtl"),
   });
 };
 

services/impersonationRequests.ts

@@ -1,6 +1,7 @@
 import {
   ERROR_WHILE_CREATING_REQUEST,
   IMPERSONATION_LOG_TYPE,
+  INVALID_ACTION_PARAM,
   LOG_ACTION,
   REQUEST_DOES_NOT_EXIST,
   REQUEST_LOG_TYPE,
@@ -11,7 +12,7 @@ import { createImpersonationRequest, getImpersonationRequestById, updateImperson
 import { fetchUser } from "../models/users";
 import { addLog } from "./logService";
 import { User } from "../typeDefinitions/users";
-import { NotFound, Forbidden } from "http-errors";
+import { NotFound, Forbidden, BadRequest } from "http-errors";
 import { CreateImpersonationRequestServiceBody, ImpersonationRequest, ImpersonationSessionServiceBody, UpdateImpersonationRequestDataResponse } from "../types/impersonationRequest";
 import { Timestamp } from "firebase-admin/firestore";
 import config from "config";
@@ -158,7 +159,7 @@ export const stopImpersonationService = async (
       throw new NotFound(REQUEST_DOES_NOT_EXIST);
     }
     if (impersonationRequest.impersonatedUserId !== body.userId) {
-      throw new Forbidden("You are not authorized for this action");
+      throw new Forbidden("You are not allowed for this operation at the moment");
     }
 
     const newBody = { endedAt: Timestamp.now() };
@@ -207,37 +208,48 @@ export const generateImpersonationTokenService = async (
   requestId: string,
   action: string
 ): Promise<{ name: string, value: string, options: object }> => {
-  try {
+    try {
     const request = await getImpersonationRequestById(requestId);
     if (!request) {
       throw new NotFound(REQUEST_DOES_NOT_EXIST);
     }
-    const impersonatedUserId = request.impersonatedUserId;
-    const userId = request.userId;
-    const cookieName = config.get("userToken.cookieName") as string;
-    const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
+
+    const { userId, impersonatedUserId } = request;
+    const cookieName = config.get<string>("userToken.cookieName");
+    const rdsUiUrl = new URL(config.get<string>("services.rdsUi.baseUrl"));
+    const ttlInSeconds = Number(config.get("userToken.ttl"));
+
     let token: string;
-    if (action === "START") {
-      token = await authService.generateImpersonationAuthToken({ userId, impersonatedUserId });
-    } else if (action === "STOP") {
-      token = await authService.generateAuthToken({ userId });
-    } else {
-      throw new Forbidden("Action can be only START/STOP");
+
+    switch (action) {
+      case "START":
+        token = await authService.generateImpersonationAuthToken({ userId, impersonatedUserId });
+        break;
+
+      case "STOP":
+        token = await authService.generateAuthToken({ userId });
+        break;
+
+      default:
+        throw new BadRequest(INVALID_ACTION_PARAM);
     }
 
     return {
       name: cookieName,
       value: token,
       options: {
         domain: rdsUiUrl.hostname,
-        expires: new Date(Date.now() + Number(config.get("userToken.ttl")) * 1000),
+        expires: new Date(Date.now() + ttlInSeconds * 1000),
         httpOnly: true,
         secure: true,
         sameSite: "lax",
-      }
+      },
     };
   } catch (error) {
-    logger.error("Error while generating impersonation token", error);
+    logger.error(
+      `Error generating impersonation token for requestId=${requestId}, action=${action}`,
+      error
+    );
     throw error;
   }
 };