Files
alrahma_sunday_school_api/apps/api/dist/middleware/requireCompanyAuth.js
T
2026-06-11 03:22:12 -04:00

47 lines
2.0 KiB
JavaScript

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.requireCompanyAuth = requireCompanyAuth;
exports.requireCompanyDocumentAuth = requireCompanyDocumentAuth;
const prisma_1 = require("../lib/prisma");
const authHelpers_1 = require("./authHelpers");
const tokens_1 = require("../security/tokens");
const sessionCookies_1 = require("../security/sessionCookies");
const rateLimiter_1 = require("./rateLimiter");
/**
* Validates a company-scoped Bearer token and loads the employee + company onto `req`.
*
* Guarantees on success:
* req.employee — full employee record (with company relation)
* req.company — the employee's company
* req.companyId — string shorthand for req.company.id
*/
async function authenticateCompanyRequest(req, res, next) {
const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('employee'));
if (!token)
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required');
let payload;
try {
payload = (0, tokens_1.verifyActorToken)(token, 'employee');
}
catch {
return (0, authHelpers_1.sendUnauthorized)(res, 'invalid_token', 'Invalid or expired session token');
}
const employee = await prisma_1.prisma.employee.findUnique({
where: { id: payload.sub },
include: { company: true },
});
if (!employee || !employee.isActive) {
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Employee account not found or inactive');
}
req.employee = employee;
req.company = employee.company;
req.companyId = employee.companyId;
return (0, rateLimiter_1.actorLimiter)(req, res, next);
}
async function requireCompanyAuth(req, res, next) {
return authenticateCompanyRequest(req, res, next);
}
async function requireCompanyDocumentAuth(req, res, next) {
return authenticateCompanyRequest(req, res, next);
}
//# sourceMappingURL=requireCompanyAuth.js.map