fosrl.pangolin/server/routers/auth/verifyRoleAccess.ts

import { Request, Response, NextFunction } from "express";
import { db } from "@server/db";
import { roles, userOrgs } from "@server/db/schema";
import { and, eq } from "drizzle-orm";
import createHttpError from "http-errors";
import HttpCode from "@server/types/HttpCode";
import logger from "@server/logger";

export async function verifyRoleAccess(
    req: Request,
    res: Response,
    next: NextFunction
) {
    const userId = req.user?.userId;
    const roleId = parseInt(
        req.params.roleId || req.body.roleId || req.query.roleId
    );

    if (!userId) {
        return next(
            createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")
        );
    }

    if (isNaN(roleId)) {
        return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID"));
    }

    try {
        const role = await db
            .select()
            .from(roles)
            .where(eq(roles.roleId, roleId))
            .limit(1);

        if (role.length === 0) {
            return next(
                createHttpError(
                    HttpCode.NOT_FOUND,
                    `Role with ID ${roleId} not found`
                )
            );
        }

        if (!req.userOrg) {
            const userOrgRole = await db
                .select()
                .from(userOrgs)
                .where(
                    and(
                        eq(userOrgs.userId, userId),
                        eq(userOrgs.orgId, role[0].orgId!)
                    )
                )
                .limit(1);
            req.userOrg = userOrgRole[0];
        }

        if (!req.userOrg) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "User does not have access to this organization"
                )
            );
        }

        if (req.userOrg.orgId !== role[0].orgId) {
            return next(
                createHttpError(
                    HttpCode.FORBIDDEN,
                    "Role does not belong to the organization"
                )
            );
        }

        req.userOrgRoleId = req.userOrg.roleId;
        req.userOrgId = req.userOrg.orgId;

        return next();
    } catch (error) {
        logger.error("Error verifying role access:", error);
        return next(
            createHttpError(
                HttpCode.INTERNAL_SERVER_ERROR,
                "Error verifying role access"
            )
        );
    }
}
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`import { Request, Response, NextFunction } from "express";`
			`import { db } from "@server/db";`
			`import { roles, userOrgs } from "@server/db/schema";`
			`import { and, eq } from "drizzle-orm";`
			`import createHttpError from "http-errors";`
			`import HttpCode from "@server/types/HttpCode";`
			`import logger from "@server/logger";`

			`export async function verifyRoleAccess(`
			`req: Request,`
			`res: Response,`
			`next: NextFunction`
			`) {`
			`const userId = req.user?.userId;`
			`const roleId = parseInt(`
			`req.params.roleId \|\| req.body.roleId \|\| req.query.roleId`
			`);`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00
			`if (!userId) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(`
			`createHttpError(HttpCode.UNAUTHORIZED, "User not authenticated")`
			`);`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`}`

			`if (isNaN(roleId)) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID"));`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`}`

			`try {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`const role = await db`
			`.select()`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`.from(roles)`
			`.where(eq(roles.roleId, roleId))`
			`.limit(1);`

			`if (role.length === 0) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(`
			`createHttpError(`
			`HttpCode.NOT_FOUND,`
			`Role with ID ${roleId} not found`
			`)`
			`);`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`}`

more user role stuff 2024-11-09 23:59:19 -05:00			`if (!req.userOrg) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`const userOrgRole = await db`
			`.select()`
			`.from(userOrgs)`
			`.where(`
			`and(`
			`eq(userOrgs.userId, userId),`
			`eq(userOrgs.orgId, role[0].orgId!)`
			`)`
			`)`
			`.limit(1);`
more user role stuff 2024-11-09 23:59:19 -05:00			`req.userOrg = userOrgRole[0];`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`}`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00
more user role stuff 2024-11-09 23:59:19 -05:00			`if (!req.userOrg) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`return next(`
			`createHttpError(`
			`HttpCode.FORBIDDEN,`
			`"User does not have access to this organization"`
			`)`
			`);`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`}`

more user role stuff 2024-11-09 23:59:19 -05:00			`if (req.userOrg.orgId !== role[0].orgId) {`
			`return next(`
			`createHttpError(`
			`HttpCode.FORBIDDEN,`
			`"Role does not belong to the organization"`
			`)`
			`);`
			`}`

			`req.userOrgRoleId = req.userOrg.roleId;`
			`req.userOrgId = req.userOrg.orgId;`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00
			`return next();`
			`} catch (error) {`
rename super user to admin and middleware refactoring 2024-11-05 22:38:57 -05:00			`logger.error("Error verifying role access:", error);`
			`return next(`
			`createHttpError(`
			`HttpCode.INTERNAL_SERVER_ERROR,`
			`"Error verifying role access"`
			`)`
			`);`
Add role aware updates & endpoints 2024-10-12 21:36:14 -04:00			`}`
remove lucia 2024-10-13 17:13:47 -04:00			`}`