import { NextFunction, Request, Response } from "express";
import jwt from "jsonwebtoken";
import config from "config";
import logger from "../utils/logger";
import crypto from "crypto";
import { deriveKeysFromUserId } from "./keygen";
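/**
 * Express middleware that requires a valid JWT on the request.
 *
 * The token is looked up, in order, in `req.body.token`, `req.query.token`
 * and the `x-access-token` header. On success the decoded payload is stored
 * on `req.user` and the chain continues. Errors are reported through
 * `res.sendErrorCode(message, code)` / `res.sendError(err)`, which are
 * presumably attached to the response by another middleware in this project.
 *
 * @param req  Express request; `any` because the project attaches `user`.
 * @param res  Express response extended with `sendErrorCode` / `sendError`.
 * @param next Express continuation, called only after successful verification.
 */
export async function authRequest(req: any, res: any, next: NextFunction) {
  console.log("Authenticating");
  try {
    // Optional chaining so a request without a parsed body/query falls through
    // to the "token required" response instead of throwing into sendError.
    // NOTE(review): accepting the token from the query string is kept for
    // compatibility; query strings tend to end up in access logs and Referer
    // headers, so the header form is the one clients should prefer.
    const token =
      req.body?.token || req.query?.token || req.headers["x-access-token"];
    if (!token) {
      return res.sendErrorCode("A token is required for authentication", 1001);
    }

    const secretKey = process.env.JWT_SECRET;
    if (!secretKey) {
      // A missing secret is a server misconfiguration, not a client error.
      // Previously jwt.verify(token, undefined) threw and was reported to the
      // client as "Invalid Token"; surface it through sendError instead.
      throw new Error("JWT_SECRET is not configured");
    }

    try {
      req.user = jwt.verify(token, secretKey);
    } catch {
      // Expired, malformed or wrongly signed token.
      return res.sendErrorCode("Invalid Token", 1001);
    }
    return next();
  } catch (ex) {
    return res.sendError(ex);
  }
}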
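/**
 * Express middleware that authenticates a request with a per-user API key and
 * an HMAC-SHA256 request signature.
 *
 * Required headers: `x-api-timestamp` (unix seconds), `x-user-id`,
 * `x-api-key`, `x-api-signature`. The expected `api_key`/`salt_key` pair is
 * derived from the user id by `deriveKeysFromUserId`; the signature is
 * `hex(HMAC_SHA256(api_key, endpoint + canonicalBody + timestamp + salt_key))`
 * where `endpoint` is `req.originalUrl` without its query string and
 * `canonicalBody` is produced by `canonicalizeSignedBody`.
 *
 * NOTE(review): `api_key` is also sent in clear in the `x-api-key` header, so
 * the secret material the signature actually rests on is `salt_key` (part of
 * the signed string), not the HMAC key — confirm that is the intended design.
 *
 * Response codes are kept as existing clients expect them:
 * 422 missing header, 423 bad/expired timestamp (more than 300 s of skew),
 * 401 wrong API key or signature, 500 unexpected failure.
 * On success `req.user` is set to `{ user_id }` and the chain continues.
 */
export async function authVerification(req: any, res: any, next: NextFunction) {
  try {
    const timestamp = req.headers["x-api-timestamp"];
    const userId = req.headers["x-user-id"];
    const receivedApiKey = req.headers["x-api-key"];
    const receivedSignature = req.headers["x-api-signature"];
    if (!timestamp || !userId || !receivedApiKey || !receivedSignature) {
      return res.status(422).json({ message: "Missing auth headers" });
    }

    // Replay window: digits only and within 300 s of server time. A duplicated
    // header arrives as an array, which fails the regex and is rejected.
    const now = Math.floor(Date.now() / 1000);
    if (!/^\d+$/.test(timestamp) || Math.abs(now - parseInt(timestamp, 10)) > 300) {
      return res.status(423).json({ message: "Invalid or expired timestamp" });
    }

    const { api_key, salt_key } = deriveKeysFromUserId(userId);
    if (!constantTimeEqual(receivedApiKey, api_key)) {
      return res.status(401).json({ message: "Invalid API Key" });
    }

    const endpoint = req.originalUrl.split("?")[0];
    const plainContent = `${endpoint}${canonicalizeSignedBody(req.body)}${timestamp}${salt_key}`;
    const expectedSignature = crypto.createHmac("sha256", api_key).update(plainContent).digest("hex");

    // Previously crypto.timingSafeEqual was called directly and threw on a
    // length mismatch (wrong-length or non-string header), which surfaced as a
    // 500 carrying the internal error text. Any such input is just a mismatch.
    if (!constantTimeEqual(receivedSignature, expectedSignature)) {
      return res.status(401).json({ message: "Signature mismatch" });
    }

    req.user = { user_id: userId };
    return next();
  } catch (error: unknown) {
    // Keep internal error details server-side; clients get a generic message.
    console.error("authVerification failed", error);
    return res.status(500).json({ message: "Auth error" });
  }
}

/** Body fields that are excluded from the signed content (presumably file uploads). */
const UNSIGNED_BODY_FIELDS = [
  "picture", "file", "files", "payment_picture", "import_excel_file", "cover", "payment_file", "document",
] as const;

/**
 * Serialises the request body the way signing clients are expected to:
 * unsigned fields dropped, JSON-escaped CRLF (`\r\n`) collapsed to `\n`, and
 * `null` values rewritten as empty strings. Both rewrites operate on the
 * serialised text, so they also touch string values containing those
 * sequences; this must stay byte-for-byte identical to the client logic.
 *
 * @param rawBody parsed request body, or undefined when there is none.
 */
function canonicalizeSignedBody(rawBody: Record<string, unknown> | undefined): string {
  const body: Record<string, unknown> = { ...rawBody };
  for (const field of UNSIGNED_BODY_FIELDS) {
    delete body[field];
  }
  return JSON.stringify(body)
    .replace(/\\r\\n/g, "\\n")
    .replace(/:null(?=[,}])/g, ':""');
}

/**
 * Constant-time comparison of a client-supplied header value against an
 * expected string. Non-string input (e.g. a duplicated header, which express
 * delivers as an array) and length mismatches return false instead of throwing.
 * The length check itself is not constant-time, but the expected length is
 * not secret (fixed-size hex digest / derived key).
 */
function constantTimeEqual(received: unknown, expected: string): boolean {
  if (typeof received !== "string") {
    return false;
  }
  const receivedBytes = Buffer.from(received, "utf8");
  const expectedBytes = Buffer.from(expected, "utf8");
  if (receivedBytes.length !== expectedBytes.length) {
    return false;
  }
  return crypto.timingSafeEqual(receivedBytes, expectedBytes);
}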