archetecture security fix

This commit is contained in:
root
2026-06-11 03:22:12 -04:00
parent 6def9993da
commit 9483750161
3126 changed files with 177194 additions and 37211 deletions
+54
View File
@@ -0,0 +1,54 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.requireRenterAuth = requireRenterAuth;
exports.optionalRenterAuth = optionalRenterAuth;
const prisma_1 = require("../lib/prisma");
const authHelpers_1 = require("./authHelpers");
const tokens_1 = require("../security/tokens");
const sessionCookies_1 = require("../security/sessionCookies");
const rateLimiter_1 = require("./rateLimiter");
/**
* Requires a valid renter Bearer token.
*
* Guarantees on success:
* req.renterId — the authenticated renter's id
*/
async function requireRenterAuth(req, res, next) {
const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('renter'));
if (!token)
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Renter authentication required');
let payload;
try {
payload = (0, tokens_1.verifyActorToken)(token, 'renter');
}
catch {
return (0, authHelpers_1.sendUnauthorized)(res, 'invalid_token', 'Invalid or expired token');
}
const renter = await prisma_1.prisma.renter.findUnique({ where: { id: payload.sub } });
if (!renter || !renter.isActive) {
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Renter account not found or inactive');
}
req.renterId = renter.id;
return (0, rateLimiter_1.actorLimiter)(req, res, next);
}
/**
* Optionally extracts renter identity from a Bearer token.
* Never blocks the request — invalid or absent tokens are silently ignored.
*
* Sets on success:
* req.renterId — the authenticated renter's id (if token is valid)
*/
async function optionalRenterAuth(req, _res, next) {
const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('renter'));
if (!token)
return next();
try {
const payload = (0, tokens_1.verifyActorToken)(token, 'renter');
req.renterId = payload.sub;
}
catch {
// Optional — silently ignore invalid tokens
}
next();
}
//# sourceMappingURL=requireRenterAuth.js.map