initial commit
This commit is contained in:
MayaTheShy
64
server/auth.js
Normal file
64
server/auth.js
Normal file
@@ -0,0 +1,64 @@
|
||||
/**
|
||||
* @cc-platform/server/auth — API key authentication middleware
|
||||
*
|
||||
* Extracted from the structurally identical auth code in both
|
||||
* remoteturtle/server/server.js and Inventory-Manager-CC/web/server/server.js.
|
||||
*
|
||||
* Usage:
|
||||
* const { createAuthMiddleware } = require('@cc-platform/server/auth');
|
||||
* const auth = createAuthMiddleware(process.env.API_KEY);
|
||||
* app.use(auth.protectMutations);
|
||||
*
|
||||
* // Or protect specific routes:
|
||||
* app.post('/api/admin', auth.requireAuth, handler);
|
||||
*/
|
||||
|
||||
'use strict';
|
||||
|
||||
/**
|
||||
* Create an auth middleware suite for the given API key.
|
||||
*
|
||||
* If apiKey is falsy or empty, all requests are allowed through
|
||||
* (auth is effectively disabled).
|
||||
*
|
||||
* @param {string} apiKey - The expected API key (from env or config)
|
||||
* @returns {{ extractApiKey, requireAuth, protectMutations }}
|
||||
*/
|
||||
function createAuthMiddleware(apiKey) {
|
||||
/**
|
||||
* Extract an API key from a request.
|
||||
* Checks, in order: Authorization Bearer header, X-API-Key header, query param.
|
||||
*/
|
||||
function extractApiKey(req) {
|
||||
const auth = req.headers.authorization || '';
|
||||
if (auth.startsWith('Bearer ')) return auth.slice(7);
|
||||
return req.headers['x-api-key'] || req.query.key || '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Express middleware: require valid API key.
|
||||
* Passes through if auth is disabled (no API key configured).
|
||||
*/
|
||||
function requireAuth(req, res, next) {
|
||||
if (!apiKey) return next();
|
||||
const token = extractApiKey(req);
|
||||
if (token === apiKey) return next();
|
||||
return res.status(401).json({
|
||||
error: 'Unauthorized — invalid or missing API key',
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Express middleware: protect non-GET methods.
|
||||
* GET, HEAD, and OPTIONS requests pass through without auth.
|
||||
* All other methods require a valid API key.
|
||||
*/
|
||||
function protectMutations(req, res, next) {
|
||||
if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return next();
|
||||
return requireAuth(req, res, next);
|
||||
}
|
||||
|
||||
return { extractApiKey, requireAuth, protectMutations };
|
||||
}
|
||||
|
||||
module.exports = { createAuthMiddleware };
|
||||
Reference in New Issue
Block a user