Merge pull request #402 from tcet-opensource/feat-200-Added-middleware-for-authentication-and-authorization

200-Added-authorization.js-and-authentication.js-for-access-management

Author: TejasNair9977

.github/workflows/test.yml

@@ -10,6 +10,7 @@ on:
 env: 
   TOKEN_SECRET: ${{ secrets.TOKEN_SECRET }}
   DB_URL: ${{ secrets.DB_URL }}
+  ENVIRONMENT: ${{ secrets.ENVIRONMENT }}
 
 permissions:
     contents: read

_apidoc.js

@@ -1749,4 +1749,4 @@
  * @apiSuccess {String[]} faculty.designation Faculty member's designation.
  * @apiSuccess {String} faculty.natureOfAssociation Nature of association with the institution.
  * @apiSuccess {String} faculty.additionalResponsibilities Additional responsibilities of the faculty.
- **/
+ */

middleware/auth.js

@@ -2,25 +2,36 @@ import jwt from "jsonwebtoken";
 import util from "#util";
 
 async function authenticateToken(req, res, next) {
-  const authHeader = req.headers.authorization;
-  const token = authHeader && authHeader.split(" ")[1];
-  if (token == null) return res.sendStatus(401);
-  try {
-    const payload = jwt.verify(token, process.env.TOKEN_SECRET);
-    const decryptedIP = util.decrypt(payload.ip);
-    if (decryptedIP !== req.ip) {
+  if (process.env.ENVIRONMENT === "local") {
+    return next();
+  }
+  const authHeader = req.headers.authorization || req.headers.Authorization;
+  // Inside header when we are going to provide the value for key authentication we have
+  // to start it with 'Bearer acesstoken'
+  if (authHeader && authHeader.startsWith("Bearer")) {
+    const token = authHeader.split(" ")[1];
+    if (token == null) return res.sendStatus(401);
+    try {
+      const payload = jwt.verify(token, process.env.TOKEN_SECRET);
+      const decryptedIP = util.decrypt(payload.ip);
+      if (decryptedIP !== req.ip) {
+        res.status(403);
+        res.send({ err: "Unauthorized" });
+      }
+
+      req.user = payload.data;
+      next();
+      return true;
+    } catch (error) {
       res.status(403);
       res.send({ err: "Unauthorized" });
+      return false;
     }
-
-    req.user = payload.data;
-    next();
-    return true;
-  } catch (error) {
-    res.status(403);
-    res.send({ err: "Unauthorized" });
-    return false;
+  } else {
+    res.json({
+      msg: "Kindly login",
+    });
   }
+  return null;
 }
-
-export default { authenticateToken };
+export default authenticateToken;

middleware/authorization.js

@@ -0,0 +1,14 @@
+function authorization(access = []) {
+  return (req, res, next) => {
+    // remove this in production
+    if (process.env.ENVIRONMENT === "local") {
+      return next();
+    }
+    if (!req.user) return res.json({ msg: "kindly login first" });
+    if (!access.includes(req.user.type))
+      return res.json({ msg: "Unauthorized request" });
+    return next();
+  };
+}
+
+export default authorization;

models/user.js

@@ -7,7 +7,13 @@ const userSchema = {
   emailId: { type: String, unique: true, required: true },
   password: { type: String, required: true },
   uid: { type: String, unique: true, required: true },
-  userType: { type: String, required: true },
+  userType: {
+    type: String,
+    required: true,
+    enum: ["ADMIN", "FACULTY", "EMPLOYEE", "STUDENT"],
+    default: "ADMIN",
+    // for now we are keeping the default usertype as ADMIN
+  },
 };
 
 const User = connector.model("User", userSchema);
@@ -18,9 +24,7 @@ async function remove(filter) {
 }
 
 async function create(userData) {
-  const {
-    name, password, emailId, uid, userType,
-  } = userData;
+  const { name, password, emailId, uid, userType } = userData;
   const hashedPassword = await hashPassword(password);
   const user = new User({
     name,
@@ -39,10 +43,17 @@ async function read(filter, limit = 1) {
 }
 
 async function update(filter, updateObject, options = { multi: true }) {
-  const updateResult = await User.updateMany(filter, { $set: updateObject }, options);
+  const updateResult = await User.updateMany(
+    filter,
+    { $set: updateObject },
+    options,
+  );
   return updateResult.acknowledged;
 }
 
 export default {
-  create, read, update, remove,
+  create,
+  read,
+  update,
+  remove,
 };

routes/accreditation.js

@@ -1,9 +1,21 @@
 import express from "express";
+import authenticateToken from "#middleware/auth";
+import authorization from "#middleware/authorization";
 import accreditationController from "#controller/accreditation";
 
 const router = express.Router();
-router.get("/list", accreditationController.showAccreditation);
-router.post("/add", accreditationController.addAccreditation);
+router.get(
+  "/list",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  accreditationController.showAccreditation,
+);
+router.post(
+  "/add",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  accreditationController.addAccreditation,
+);
 router.delete("/delete/:id", accreditationController.deleteAccreditation);
 router.post("/update/:id", accreditationController.updateAccreditation);
 

routes/activity.js

@@ -1,10 +1,32 @@
 import express from "express";
+import authenticateToken from "#middleware/auth";
+import authorization from "#middleware/authorization";
 import activityController from "#controller/activity";
 
-const router=express.Router();
-router.post("/add",activityController.addActivity);
-router.get("/list",activityController.getActivity);
-router.post("/update/:id",activityController.updateActivity);
-router.delete("/delete/:id",activityController.deleteActivity);
+const router = express.Router();
+router.post(
+  "/add",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  activityController.addActivity,
+);
+router.get(
+  "/list",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  activityController.getActivity,
+);
+router.post(
+  "/update/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  activityController.updateActivity,
+);
+router.delete(
+  "/delete/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  activityController.deleteActivity,
+);
 
-export default router;
+export default router;

routes/assignment.js

@@ -1,10 +1,32 @@
 import express from "express";
 import assingmentController from "#controller/assignment";
+import authenticateToken from "#middleware/auth";
+import authorization from "#middleware/authorization";
 
 const router = express.Router();
-router.post("/add", assingmentController.addAssignment);
-router.get("/list", assingmentController.getAssignment);
-router.post("/update/:id", assingmentController.updateAssignment);
-router.delete("/delete/:id", assingmentController.deleteAssignment);
+router.post(
+  "/add",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  assingmentController.addAssignment,
+);
+router.get(
+  "/list",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  assingmentController.getAssignment,
+);
+router.post(
+  "/update/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  assingmentController.updateAssignment,
+);
+router.delete(
+  "/delete/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  assingmentController.deleteAssignment,
+);
 
 export default router;

routes/coursework.js

@@ -1,10 +1,32 @@
 import express from "express";
+import authenticateToken from "#middleware/auth";
+import authorization from "#middleware/authorization";
 import courseworkController from "#controller/coursework";
 
 const router = express.Router();
-router.post("/add", courseworkController.addCoursework);
-router.get("/list", courseworkController.getCoursework);
-router.post("/update/:id", courseworkController.updateCoursework);
-router.delete("/delete/:id", courseworkController.deleteCoursework);
+router.post(
+  "/add",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  courseworkController.addCoursework,
+);
+router.get(
+  "/list",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  courseworkController.getCoursework,
+);
+router.post(
+  "/update/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  courseworkController.updateCoursework,
+);
+router.delete(
+  "/delete/:id",
+  authenticateToken,
+  authorization(["ADMIN", "FACULTY"]),
+  courseworkController.deleteCoursework,
+);
 
 export default router;

routes/department.js

@@ -1,11 +1,33 @@
 import express from "express";
+import authenticateToken from "#middleware/auth";
+import authorization from "#middleware/authorization";
 import departmentContoller from "#controller/department";
 
 const router = express.Router();
 
-router.get("/list", departmentContoller.showdepartments);
-router.post("/create", departmentContoller.addDepartment);
-router.delete("/delete/:id", departmentContoller.removedepartmentbyid);
-router.post("/update/:id", departmentContoller.updatedDepartment);
+router.get(
+  "/list",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  departmentContoller.showdepartments,
+);
+router.post(
+  "/create",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  departmentContoller.addDepartment,
+);
+router.delete(
+  "/delete/:id",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  departmentContoller.removedepartmentbyid,
+);
+router.post(
+  "/update/:id",
+  authenticateToken,
+  authorization(["ADMIN"]),
+  departmentContoller.updatedDepartment,
+);
 
 export default router;