| 2a9592c | | | 1 | const jwt = require("jsonwebtoken"); |
| 2a9592c | | | 2 | const cookie = require("cookie"); |
| 2a9592c | | | 3 | |
| 2a9592c | | | 4 | const JWT_SECRET = process.env.JWT_SECRET || "grove-dev-secret"; |
| 2a9592c | | | 5 | |
| 2a9592c | | | 6 | function verifyToken(token) { |
| 2a9592c | | | 7 | return jwt.verify(token, JWT_SECRET); |
| 2a9592c | | | 8 | } |
| 2a9592c | | | 9 | |
| 2a9592c | | | 10 | function extractToken(req) { |
| 2a9592c | | | 11 | // 1. Authorization header |
| 2a9592c | | | 12 | const authHeader = req.headers?.authorization; |
| 2a9592c | | | 13 | if (authHeader && authHeader.startsWith("Bearer ")) { |
| 2a9592c | | | 14 | return authHeader.slice(7); |
| 2a9592c | | | 15 | } |
| 2a9592c | | | 16 | // 2. Cookie |
| 2a9592c | | | 17 | const cookieHeader = req.headers?.cookie; |
| 2a9592c | | | 18 | if (cookieHeader) { |
| 2a9592c | | | 19 | const cookies = cookie.parse(cookieHeader); |
| 2a9592c | | | 20 | if (cookies.grove_hub_token) return cookies.grove_hub_token; |
| 2a9592c | | | 21 | } |
| 2a9592c | | | 22 | return null; |
| 2a9592c | | | 23 | } |
| 2a9592c | | | 24 | |
| 2a9592c | | | 25 | // Express middleware |
| 2a9592c | | | 26 | function requireAuth(req, res, next) { |
| 2a9592c | | | 27 | const token = extractToken(req); |
| 2a9592c | | | 28 | if (!token) return res.status(401).json({ error: "Unauthorized" }); |
| 2a9592c | | | 29 | try { |
| 2a9592c | | | 30 | req.user = verifyToken(token); |
| 2a9592c | | | 31 | req.token = token; |
| 2a9592c | | | 32 | next(); |
| 2a9592c | | | 33 | } catch { |
| 2a9592c | | | 34 | return res.status(401).json({ error: "Unauthorized" }); |
| 2a9592c | | | 35 | } |
| 2a9592c | | | 36 | } |
| 2a9592c | | | 37 | |
| 2a9592c | | | 38 | // Socket.IO middleware for /collab namespace |
| 2a9592c | | | 39 | function socketAuth(socket, next) { |
| 2a9592c | | | 40 | // 1. Handshake auth (client passes { auth: { token } }) |
| 2a9592c | | | 41 | let token = socket.handshake.auth?.token; |
| 2a9592c | | | 42 | // 2. Fallback to cookie |
| 2a9592c | | | 43 | if (!token) { |
| 2a9592c | | | 44 | const cookieHeader = socket.handshake.headers?.cookie; |
| 2a9592c | | | 45 | if (cookieHeader) { |
| 2a9592c | | | 46 | const cookies = cookie.parse(cookieHeader); |
| 2a9592c | | | 47 | token = cookies.grove_hub_token; |
| 2a9592c | | | 48 | } |
| 2a9592c | | | 49 | } |
| 2a9592c | | | 50 | if (!token) return next(new Error("unauthorized")); |
| 2a9592c | | | 51 | try { |
| 2a9592c | | | 52 | socket.user = verifyToken(token); |
| 2a9592c | | | 53 | socket.token = token; |
| 2a9592c | | | 54 | next(); |
| 2a9592c | | | 55 | } catch { |
| 2a9592c | | | 56 | return next(new Error("unauthorized")); |
| 2a9592c | | | 57 | } |
| 2a9592c | | | 58 | } |
| 2a9592c | | | 59 | |
| 515cc68 | | | 60 | // Like requireAuth but does not reject — just attaches user/token if present. |
| 515cc68 | | | 61 | function optionalAuth(req, res, next) { |
| 515cc68 | | | 62 | const token = extractToken(req); |
| 515cc68 | | | 63 | if (token) { |
| 515cc68 | | | 64 | try { |
| 515cc68 | | | 65 | req.user = verifyToken(token); |
| 515cc68 | | | 66 | req.token = token; |
| 515cc68 | | | 67 | } catch { |
| 515cc68 | | | 68 | // invalid token — treat as unauthenticated |
| 515cc68 | | | 69 | } |
| 515cc68 | | | 70 | } |
| 515cc68 | | | 71 | next(); |
| 515cc68 | | | 72 | } |
| 515cc68 | | | 73 | |
| 515cc68 | | | 74 | module.exports = { verifyToken, extractToken, requireAuth, optionalAuth, socketAuth }; |