flfeders/FEDEO
2
1
Fork 0
Code Issues 62 Pull Requests Actions Packages Projects 21 Releases Wiki Activity

Redone Auth

Browse Source
This commit is contained in:
florianfederspiel
2025-11-08 19:02:08 +01:00
parent 8b34609e53
commit 75e2f84726
1 changed files with 66 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
src/plugins/auth.ts
View File

@@ -1,55 +1,91 @@
import { FastifyInstance } from "fastify"; import { FastifyInstance } from "fastify";
import fp from "fastify-plugin"; import fp from "fastify-plugin";
import jwt from "jsonwebtoken"; import jwt from "jsonwebtoken";
import {secrets} from "../utils/secrets"; import { secrets } from "../utils/secrets.js";
export default fp(async (server: FastifyInstance) => { export default fp(async (server: FastifyInstance) => {
server.addHook("preHandler", async (req, reply) => { server.addHook("preHandler", async (req, reply) => {
// 1⃣ Token holen (Header oder Cookie)
try { const cookieToken = req.cookies?.token;
// 1) Token aus Cookie lesen const authHeader = req.headers.authorization;
const cookieToken = req.cookies?.token
// 2) Token aus Header lesen (falls Cookie nicht da ist)
const authHeader = req.headers.authorization
const headerToken = authHeader?.startsWith("Bearer ") const headerToken = authHeader?.startsWith("Bearer ")
? authHeader.slice(7) ? authHeader.slice(7)
: null : null;
let token = null const token =
headerToken && headerToken.length > 10 ? headerToken : cookieToken || null;
if(headerToken !== null && headerToken.length > 10){
token = headerToken
} else if(cookieToken ){
token = cookieToken
}
if (!token) { if (!token) {
return // keine Exception → Route darf z. B. public sein return reply.code(401).send({ error: "Authentication required" });
} }
try {
// 2⃣ JWT verifizieren
const payload = jwt.verify(token, secrets.JWT_SECRET!) as { const payload = jwt.verify(token, secrets.JWT_SECRET!) as {
user_id: string; user_id: string;
email: string; email: string;
tenant_id?: string; tenant_id: number;
role?: string;
}; };
(req as any).user = payload; if (!payload?.user_id || !payload.tenant_id) {
return reply.code(401).send({ error: "Invalid token" });
}
req.user = payload;
// 3⃣ Rolle des Nutzers im Tenant laden
const { data: roleData, error: roleError } = await server.supabase
.from("auth_user_roles")
.select("role_id")
.eq("user_id", payload.user_id)
.eq("tenant_id", payload.tenant_id)
.maybeSingle();
if (roleError) {
server.log.error("Error fetching user role", roleError);
return reply.code(500).send({ error: "Failed to load user role" });
}
if (!roleData) {
return reply.code(403).send({ error: "No role assigned for this tenant" });
}
const roleId = roleData.role_id;
// 4⃣ Berechtigungen der Rolle laden
const { data: permissions, error: permsError } = await server.supabase
.from("auth_role_permissions")
.select("permission")
.eq("role_id", roleId);
if (permsError) {
server.log.error("Failed to load permissions", permsError);
return reply.code(500).send({ error: "Permission lookup failed" });
}
const perms = permissions?.map((p) => p.permission) ?? [];
// 5⃣ An Request hängen
req.role = roleId;
req.permissions = perms;
req.hasPermission = (perm: string) => perms.includes(perm);
} catch (err) { } catch (err) {
return reply.code(401).send({ error: "Invalid or expired token" }); return reply.code(401).send({ error: "Invalid or expired token" });
} }
}); });
}); });
// 🧩 Fastify Type Declarations
declare module "fastify" { declare module "fastify" {
interface FastifyRequest { interface FastifyRequest {
user?: { user: {
user_id: string; user_id: string;
email: string; email: string;
tenant_id?: number; tenant_id: number;
role?: string;
}; };
role: string;
permissions: string[];
hasPermission: (permission: string) => boolean;
} }
} }