archetecture security fix
This commit is contained in:
+47
@@ -0,0 +1,47 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.requireCompanyAuth = requireCompanyAuth;
|
||||
exports.requireCompanyDocumentAuth = requireCompanyDocumentAuth;
|
||||
const prisma_1 = require("../lib/prisma");
|
||||
const authHelpers_1 = require("./authHelpers");
|
||||
const tokens_1 = require("../security/tokens");
|
||||
const sessionCookies_1 = require("../security/sessionCookies");
|
||||
const rateLimiter_1 = require("./rateLimiter");
|
||||
/**
|
||||
* Validates a company-scoped Bearer token and loads the employee + company onto `req`.
|
||||
*
|
||||
* Guarantees on success:
|
||||
* req.employee — full employee record (with company relation)
|
||||
* req.company — the employee's company
|
||||
* req.companyId — string shorthand for req.company.id
|
||||
*/
|
||||
async function authenticateCompanyRequest(req, res, next) {
|
||||
const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('employee'));
|
||||
if (!token)
|
||||
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required');
|
||||
let payload;
|
||||
try {
|
||||
payload = (0, tokens_1.verifyActorToken)(token, 'employee');
|
||||
}
|
||||
catch {
|
||||
return (0, authHelpers_1.sendUnauthorized)(res, 'invalid_token', 'Invalid or expired session token');
|
||||
}
|
||||
const employee = await prisma_1.prisma.employee.findUnique({
|
||||
where: { id: payload.sub },
|
||||
include: { company: true },
|
||||
});
|
||||
if (!employee || !employee.isActive) {
|
||||
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Employee account not found or inactive');
|
||||
}
|
||||
req.employee = employee;
|
||||
req.company = employee.company;
|
||||
req.companyId = employee.companyId;
|
||||
return (0, rateLimiter_1.actorLimiter)(req, res, next);
|
||||
}
|
||||
async function requireCompanyAuth(req, res, next) {
|
||||
return authenticateCompanyRequest(req, res, next);
|
||||
}
|
||||
async function requireCompanyDocumentAuth(req, res, next) {
|
||||
return authenticateCompanyRequest(req, res, next);
|
||||
}
|
||||
//# sourceMappingURL=requireCompanyAuth.js.map
|
||||
Reference in New Issue
Block a user