feat(auth): finally better auth working as i wanted it to

2025-09-22 22:40:44 -05:00
parent 4ab43d91b9
commit 8f1375ab7b
50 changed files with 7939 additions and 5909 deletions
--- a/app/src/pkg/middleware/authMiddleware.ts
+++ b/app/src/pkg/middleware/authMiddleware.ts
@@ -0,0 +1,90 @@
+import type { Request, Response, NextFunction } from "express";
+import { auth } from "../auth/auth.js";
+import { userRoles, type UserRole } from "../db/schema/user_roles.js";
+import { db } from "../db/db.js";
+import { eq } from "drizzle-orm";
+
+declare global {
+    namespace Express {
+        interface Request {
+            user?: {
+                id: string;
+                email?: string;
+                roles: Record<string, string[]>;
+            };
+        }
+    }
+}
+function toWebHeaders(nodeHeaders: Request["headers"]): Headers {
+    const h = new Headers();
+    for (const [key, value] of Object.entries(nodeHeaders)) {
+        if (Array.isArray(value)) {
+            value.forEach((v) => h.append(key, v));
+        } else if (value !== undefined) {
+            h.set(key, value);
+        }
+    }
+    return h;
+}
+
+export const requireAuth = (moduleName?: string, requiredRoles?: string[]) => {
+    return async (req: Request, res: Response, next: NextFunction) => {
+        try {
+            const headers = toWebHeaders(req.headers);
+
+            // Get session
+            const session = await auth.api.getSession({
+                headers,
+                query: { disableCookieCache: true },
+            });
+
+            if (!session) {
+                return res.status(401).json({ error: "No active session" });
+            }
+
+            const userId = session.user.id;
+
+            // Get roles
+            const roles = await db
+                .select()
+                .from(userRoles)
+                .where(eq(userRoles.userId, userId));
+
+            // Organize roles by module
+            const rolesByModule: Record<string, string[]> = {};
+            for (const r of roles) {
+                if (!rolesByModule[r.module]) rolesByModule[r.module] = [];
+                rolesByModule[r.module].push(r.role);
+            }
+
+            req.user = {
+                id: userId,
+                email: session.user.email,
+                roles: rolesByModule,
+            };
+
+            // SystemAdmin override
+            const hasSystemAdmin = Object.values(rolesByModule)
+                .flat()
+                .includes("systemAdmin");
+
+            // Role check (skip if systemAdmin)
+            if (requiredRoles?.length && !hasSystemAdmin) {
+                const moduleRoles = moduleName
+                    ? rolesByModule[moduleName] ?? []
+                    : Object.values(rolesByModule).flat();
+                const hasAccess = moduleRoles.some((role) =>
+                    requiredRoles.includes(role)
+                );
+                if (!hasAccess) {
+                    return res.status(403).json({ error: "Forbidden" });
+                }
+            }
+
+            next();
+        } catch (err) {
+            console.error("Auth middleware error:", err);
+            res.status(500).json({ error: "Auth check failed" });
+        }
+    };
+};