rate/api/src/framework/express/middleware.ts

import { ErrorRequestHandler, Request, RequestHandler } from 'express';
import { randomUUID } from 'crypto';
import { validationResult } from 'express-validator';
import { UserInfo, UserRoles } from '@core';

declare module 'express-session' {
  interface SessionData {
    user: UserInfo | null;
  }
}

export function getId(req: Request): string {
  return req.header('request-id') || 'unknown';
}

export function RequestId(): RequestHandler {
  return (req, res, next) => {
    req.headers['request-id'] = randomUUID();
    next();
  };
}

export function CheckPermissions(): RequestHandler {
  function getResourceId(req: Request): string | null {
    if (req.params.uuid) return req.params.uuid;
    if (req.body.uuid) return req.body.uuid;
    return null;
  }

  function canAccessRessource(user: UserInfo, uuid: string): boolean {
    if (user.uuid === uuid) return true;
    return false;
  }

  return (req, res, next) => {
    if (!req.session.user) {
      next({ status: 401, messsage: 'Unauthorized' });
      return;
    }

    if (req.session.user.role === UserRoles.ADMIN) {
      next();
      return;
    }

    const ressourceId = getResourceId(req);
    if (!ressourceId) {
      next({ status: 403, messsage: 'Forbidden' });
      return;
    }
    if (canAccessRessource(req.session.user, ressourceId)) {
      next();
      return;
    } else {
      next({ status: 403, messsage: 'Forbidden' });
      return;
    }

    next({ status: 401, messsage: 'Unauthorized' });
  };
}

export function SchemaValidator(): RequestHandler {
  return (req, res, next) => {
    const error = validationResult(req);
    error.isEmpty()
      ? next()
      : next({
          status: 400,
          ...error,
        });
  };
}

export function ErrorHandler(): ErrorRequestHandler {
  return (error, req, res, next) => {
    error.status
      ? res.status(error.status).send(error)
      : res.status(500).send(error);
  };
}