Hacker-Software/opencrm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e209e9bbca9263dcb5d4ff4a82a3806b62a61385
opencrm/backend/src/middleware/auth.ts
T
Stefan Hacker e209e9bbca first commit
2026-01-29 01:16:54 +01:00

91 lines
2.2 KiB
TypeScript
Raw Blame History

import { Response, NextFunction } from 'express';
import jwt from 'jsonwebtoken';
import { AuthRequest, JwtPayload } from '../types/index.js';
export function authenticate(
req: AuthRequest,
res: Response,
next: NextFunction
): void {
const authHeader = req.headers.authorization;
if (!authHeader || !authHeader.startsWith('Bearer ')) {
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
return;
}
const token = authHeader.split(' ')[1];
try {
const decoded = jwt.verify(
token,
process.env.JWT_SECRET || 'fallback-secret'
) as JwtPayload;
req.user = decoded;
next();
} catch {
res.status(401).json({ success: false, error: 'Ungültiger Token' });
}
}
export function requirePermission(...requiredPermissions: string[]) {
return (req: AuthRequest, res: Response, next: NextFunction): void => {
if (!req.user) {
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
return;
}
const userPermissions = req.user.permissions || [];
// Check if user has any of the required permissions
const hasPermission = requiredPermissions.some((perm) =>
userPermissions.includes(perm)
);
if (!hasPermission) {
res.status(403).json({
success: false,
error: 'Keine Berechtigung für diese Aktion',
});
return;
}
next();
};
}
// Middleware to check if user can access specific customer data
export function requireCustomerAccess(
req: AuthRequest,
res: Response,
next: NextFunction
): void {
if (!req.user) {
res.status(401).json({ success: false, error: 'Nicht authentifiziert' });
return;
}
const userPermissions = req.user.permissions || [];
// Admins and employees can access all customers
if (
userPermissions.includes('customers:read') ||
userPermissions.includes('customers:update')
) {
next();
return;
}
// Customers can only access their own data
const customerId = parseInt(req.params.customerId || req.params.id);
if (req.user.customerId && req.user.customerId === customerId) {
next();
return;
}
res.status(403).json({
success: false,
error: 'Kein Zugriff auf diese Kundendaten',
});
}
Reference in New Issue View Git Blame Copy Permalink