removed unused types and fixed authentication middleware jsdoc

Suvidh-kaushik · Suvidh-kaushik · commit bf4d3cdde776 · 2025-06-27T19:48:33.000+05:30
diff --git a/constants/requests.ts b/constants/requests.ts
@@ -71,9 +71,6 @@ export const UNAUTHORIZED_TO_UPDATE_REQUEST = "Unauthorized to update request";
 
 export const FEATURE_NOT_IMPLEMENTED = "Feature not implemented";
 
-export const IMPERSONATION_NOT_COMPLETED = "Please complete impersonation before creating a new request";
-export const IMPERSONATION_ALREADY_ATTEMPTED = "No active request is available for impersonation";
-export const IMPERSONATION_REQUEST_NOT_APPROVED = "Awaiting approval for impersonation request";
 export const INVALID_ACTION_PARAM = "Invalid 'action' parameter: must be either 'START' or 'STOP'";
 
 
diff --git a/middlewares/addAuthorizationForImpersonation.ts b/middlewares/addAuthorizationForImpersonation.ts
@@ -7,7 +7,7 @@ import { INVALID_ACTION_PARAM } from "../constants/requests";
 /**
  * Middleware to authorize impersonation based on the 'action' query param.
  * - START → Requires SUPERUSER role.
- * - END → Allows without additional checks.
+ * - STOP → Allows without additional checks.
  * - Invalid or missing action → Responds with 400 Bad Request.
  */
 export const addAuthorizationForImpersonation = async (
diff --git a/middlewares/authenticate.js b/middlewares/authenticate.js
@@ -1,18 +1,19 @@
 const authService = require("../services/authService");
 const dataAccess = require("../services/dataAccessLayer");
+const logger = require("../utils/logger");
 
 /**
- * Middleware to check if the authenticated user has restricted permissions.
+ * Middleware to check if the user is restricted or in an impersonation session.
  *
- * - If the user is impersonating, restrict to only `GET` and `PATCH` requests with `action=STOP`.
- * - If the user has a `restricted` role, disallow all non-GET requests.
+ * - If the user is impersonating, only GET requests and the STOP impersonation route are allowed.
+ * - If the user is restricted (based on roles), only GET requests are permitted.
  *
- * This middleware must be invoked after successful authentication.
- *
- * @param {Object} req - Express request object. Expects `userData` and `isImpersonating` to be set.
- * @param {Object} res - Express response object.
- * @param {Function} next - Express next middleware function.
- * @returns {Object|void} Responds with `403 Forbidden` if action is not permitted; otherwise calls `next()`.
+ * @async
+ * @function checkRestricted
+ * @param {import('express').Request} req - Express request object
+ * @param {import('express').Response} res - Express response object
+ * @param {Function} next - Express next middleware function
+ * @returns {void}
  */
 const checkRestricted = async (req, res, next) => {
   const { roles } = req.userData;
@@ -25,7 +26,7 @@ const checkRestricted = async (req, res, next) => {
       req.query.action === "STOP";
 
     if (req.method !== "GET" && !isStopImpersonationRoute) {
-      return res.boom.forbidden("You are not allowed for this operation at the moment");
+      return res.boom.forbidden("Only viewing is permitted during impersonation");
     }
   }
 
@@ -37,39 +38,38 @@ const checkRestricted = async (req, res, next) => {
 };
 
 /**
- * Authentication Middleware
- *
- * 1. Verifies the user's JWT (from cookie or Bearer header in non-production).
- * 2. If the token is valid, attaches user info to `req.userData`.
- * 3. If impersonation is active, uses the impersonated user for `req.userData`.
- * 4. If the JWT is expired but within `refreshTtl`, issues a new token and continues.
- * 5. Applies role-based restrictions via `checkRestricted()`.
- *
- * @todo Add test cases to validate JWT refresh logic by simulating token expiry and TTL.
+ * Authentication middleware that:
+ * 1. Verifies JWT token from cookies (or headers in non-production).
+ * 2. Handles impersonation if applicable.
+ * 3. Refreshes token if it's expired but still within the refresh TTL window.
+ * 4. Attaches user data to `req.userData` for downstream use.
  *
- * @param {Object} req - Express request object.
- * @param {Object} res - Express response object.
- * @param {Function} next - Express next middleware function.
- * @returns {Object|void} - Returns `401 Unauthorized` if the user is unauthenticated; otherwise continues to `checkRestricted`.
+ * @async
+ * @function
+ * @param {import('express').Request} req - Express request object
+ * @param {import('express').Response} res - Express response object
+ * @param {Function} next - Express next middleware function
+ * @returns {Promise<void>} - Calls `next()` on successful authentication or returns an error response.
  */
 module.exports = async (req, res, next) => {
   try {
     let token = req.cookies[config.get("userToken.cookieName")];
 
-    // Allow Bearer token in non-production (e.g., for Swagger UI)
+    /**
+     * Enable Bearer Token authentication for NON-PRODUCTION environments.
+     * Useful for Swagger or manual testing where cookies are not easily managed.
+     */
     if (process.env.NODE_ENV !== "production" && !token) {
       token = req.headers.authorization?.split(" ")[1];
     }
 
     const { userId, impersonatedUserId } = authService.verifyAuthToken(token);
+    // `req.isImpersonating` keeps track of the impersonation session
     req.isImpersonating = Boolean(impersonatedUserId);
 
-    let userData;
-    if (impersonatedUserId) {
-      userData = await dataAccess.retrieveUsers({ id: impersonatedUserId });
-    } else {
-      userData = await dataAccess.retrieveUsers({ id: userId });
-    }
+    const userData = impersonatedUserId
+      ? await dataAccess.retrieveUsers({ id: impersonatedUserId })
+      : await dataAccess.retrieveUsers({ id: userId });
 
     req.userData = userData.user;
     return checkRestricted(req, res, next);
@@ -83,7 +83,7 @@ module.exports = async (req, res, next) => {
       const newToken = authService.generateAuthToken({ userId });
       const rdsUiUrl = new URL(config.get("services.rdsUi.baseUrl"));
 
-      // Refresh token if within allowed refresh window
+      // add new JWT to the response if it satisfies the refreshTtl time
       if (Math.floor(Date.now() / 1000) - iat <= refreshTtl) {
         res.cookie(config.get("userToken.cookieName"), newToken, {
           domain: rdsUiUrl.hostname,
@@ -93,13 +93,13 @@ module.exports = async (req, res, next) => {
           sameSite: "lax",
         });
 
-        req.userData = await dataAccess.retrieveUsers({ id: userId });
+        const userData = await dataAccess.retrieveUsers({ id: userId });
+        req.userData = userData.user;
+
         return checkRestricted(req, res, next);
-      } else {
-        return res.boom.unauthorized("Unauthenticated User");
       }
-    } else {
       return res.boom.unauthorized("Unauthenticated User");
     }
+    return res.boom.unauthorized("Unauthenticated User");
   }
 };
diff --git a/types/impersonationRequest.d.ts b/types/impersonationRequest.d.ts
@@ -124,7 +124,7 @@ export type CreateImpersonationRequestServiceBody={
 }
 
 export type ImpersonationSessionQuery = RequestQuery & {
-  dev?:string;
+  dev:string;
   action:"START" | "STOP";
 }
 

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ export type CreateImpersonationRequestServiceBody={`
`124`	`124`	`}`
`125`	`125`
`126`	`126`	`export type ImpersonationSessionQuery = RequestQuery & {`
`127`		`- dev?:string;`
	`127`	`+ dev:string;`
`128`	`128`	`action:"START" \| "STOP";`
`129`	`129`	`}`
`130`	`130`