47 lines
2.0 KiB
JavaScript
47 lines
2.0 KiB
JavaScript
"use strict";
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.requireCompanyAuth = requireCompanyAuth;
|
|
exports.requireCompanyDocumentAuth = requireCompanyDocumentAuth;
|
|
const prisma_1 = require("../lib/prisma");
|
|
const authHelpers_1 = require("./authHelpers");
|
|
const tokens_1 = require("../security/tokens");
|
|
const sessionCookies_1 = require("../security/sessionCookies");
|
|
const rateLimiter_1 = require("./rateLimiter");
|
|
/**
|
|
* Validates a company-scoped Bearer token and loads the employee + company onto `req`.
|
|
*
|
|
* Guarantees on success:
|
|
* req.employee — full employee record (with company relation)
|
|
* req.company — the employee's company
|
|
* req.companyId — string shorthand for req.company.id
|
|
*/
|
|
async function authenticateCompanyRequest(req, res, next) {
|
|
const token = (0, authHelpers_1.getAuthToken)(req, (0, sessionCookies_1.getSessionCookieName)('employee'));
|
|
if (!token)
|
|
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Authentication required');
|
|
let payload;
|
|
try {
|
|
payload = (0, tokens_1.verifyActorToken)(token, 'employee');
|
|
}
|
|
catch {
|
|
return (0, authHelpers_1.sendUnauthorized)(res, 'invalid_token', 'Invalid or expired session token');
|
|
}
|
|
const employee = await prisma_1.prisma.employee.findUnique({
|
|
where: { id: payload.sub },
|
|
include: { company: true },
|
|
});
|
|
if (!employee || !employee.isActive) {
|
|
return (0, authHelpers_1.sendUnauthorized)(res, 'unauthenticated', 'Employee account not found or inactive');
|
|
}
|
|
req.employee = employee;
|
|
req.company = employee.company;
|
|
req.companyId = employee.companyId;
|
|
return (0, rateLimiter_1.actorLimiter)(req, res, next);
|
|
}
|
|
async function requireCompanyAuth(req, res, next) {
|
|
return authenticateCompanyRequest(req, res, next);
|
|
}
|
|
async function requireCompanyDocumentAuth(req, res, next) {
|
|
return authenticateCompanyRequest(req, res, next);
|
|
}
|
|
//# sourceMappingURL=requireCompanyAuth.js.map
|