first commit
This commit is contained in:
Stefan Hacker
Vendored
+69
@@ -0,0 +1,69 @@
|
||||
"use strict";
|
||||
var __importDefault = (this && this.__importDefault) || function (mod) {
|
||||
return (mod && mod.__esModule) ? mod : { "default": mod };
|
||||
};
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.authenticate = authenticate;
|
||||
exports.requirePermission = requirePermission;
|
||||
exports.requireCustomerAccess = requireCustomerAccess;
|
||||
const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
|
||||
function authenticate(req, res, next) {
|
||||
const authHeader = req.headers.authorization;
|
||||
if (!authHeader || !authHeader.startsWith('Bearer ')) {
|
||||
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
||||
return;
|
||||
}
|
||||
const token = authHeader.split(' ')[1];
|
||||
try {
|
||||
const decoded = jsonwebtoken_1.default.verify(token, process.env.JWT_SECRET || 'fallback-secret');
|
||||
req.user = decoded;
|
||||
next();
|
||||
}
|
||||
catch {
|
||||
res.status(401).json({ success: false, error: 'Ungültiger Token' });
|
||||
}
|
||||
}
|
||||
function requirePermission(...requiredPermissions) {
|
||||
return (req, res, next) => {
|
||||
if (!req.user) {
|
||||
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
||||
return;
|
||||
}
|
||||
const userPermissions = req.user.permissions || [];
|
||||
// Check if user has any of the required permissions
|
||||
const hasPermission = requiredPermissions.some((perm) => userPermissions.includes(perm));
|
||||
if (!hasPermission) {
|
||||
res.status(403).json({
|
||||
success: false,
|
||||
error: 'Keine Berechtigung für diese Aktion',
|
||||
});
|
||||
return;
|
||||
}
|
||||
next();
|
||||
};
|
||||
}
|
||||
// Middleware to check if user can access specific customer data
|
||||
function requireCustomerAccess(req, res, next) {
|
||||
if (!req.user) {
|
||||
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
|
||||
return;
|
||||
}
|
||||
const userPermissions = req.user.permissions || [];
|
||||
// Admins and employees can access all customers
|
||||
if (userPermissions.includes('customers:read') ||
|
||||
userPermissions.includes('customers:update')) {
|
||||
next();
|
||||
return;
|
||||
}
|
||||
// Customers can only access their own data
|
||||
const customerId = parseInt(req.params.customerId || req.params.id);
|
||||
if (req.user.customerId && req.user.customerId === customerId) {
|
||||
next();
|
||||
return;
|
||||
}
|
||||
res.status(403).json({
|
||||
success: false,
|
||||
error: 'Kein Zugriff auf diese Kundendaten',
|
||||
});
|
||||
}
|
||||
//# sourceMappingURL=auth.js.map
|
||||
Reference in New Issue
Block a user