WorkshopTasker/server/middleware/auth.ts

import { defineEventHandler, getCookie } from "h3";
import SessionToken from "../utils/SessionToken";

import { database } from "~/server/utils/database";
import getRequestingUser from "~/server/utils/getRequestingUser";

import { createError } from "#imports";

const endpointsWithoutAuth: string[] = [
  "/dbtest",
  "/echo",
  "/hi",
  "/login",
  "/logout",
  "/firstRun",
];

export default defineEventHandler(async (e) => {
  const endpoint = e.path?.match(/^\/api(\/.*)/)?.[1];

  // if client does not access api
  if (!endpoint) return;

  for (const i of endpointsWithoutAuth)
    // if accessed endpoint doesn't require auth
    if (endpoint.startsWith(i)) return;

  const token = getCookie(e, "token");
  if (!await isAuthorised(token))
    throw createError({ statusCode: 401, message: "Unauthorized" });
});

/**
 * Checks if the token is authorised
 * @param token the token to ckeck
 */
export async function isAuthorised(token: string | undefined): Promise<boolean> {
  if (!token) return false;
  try {
    await database.session.findUniqueOrThrow({
      where: {
        ...SessionToken.fromString(token).toPrisma(),
        expiry_date: {
          gte: new Date(),
        },
      },
    });

    return true;
  } catch (e) {
    return false;
  }
}
Update dependencies, fix (auto)import problems 2023-11-06 02:57:00 +01:00			`import { defineEventHandler, getCookie } from "h3";`
[BREAKING] Auth: replace current auth tokens with more secure ones previously tokens were only like IDs, time based and incrementing counter. An attacker could easily bruteforce them. This patch changes tokens to be completely random. fixes #2 2023-11-09 18:28:09 +01:00			`import SessionToken from "../utils/SessionToken";`
Initial commit 2023-05-11 06:03:22 +02:00
Replace mysql2 with prisma also I updated packages, and properly typed api input a lot of time was spent, I don't remeber what really I did x3 but everything was related to replacing mysql2 with prisma 2023-11-08 05:35:48 +01:00			`import { database } from "~/server/utils/database";`
			`import getRequestingUser from "~/server/utils/getRequestingUser";`
Initial commit 2023-05-11 06:03:22 +02:00
[BREAKING] Auth: replace current auth tokens with more secure ones previously tokens were only like IDs, time based and incrementing counter. An attacker could easily bruteforce them. This patch changes tokens to be completely random. fixes #2 2023-11-09 18:28:09 +01:00			`import { createError } from "#imports";`

Initial commit 2023-05-11 06:03:22 +02:00			`const endpointsWithoutAuth: string[] = [`
			`"/dbtest",`
			`"/echo",`
			`"/hi",`
			`"/login",`
			`"/logout",`
fix auth check if database is uninitialised 2023-06-14 12:37:57 +02:00			`"/firstRun",`
Initial commit 2023-05-11 06:03:22 +02:00			`];`

			`export default defineEventHandler(async (e) => {`
			`const endpoint = e.path?.match(/^\/api(\/.*)/)?.[1];`

			`// if client does not access api`
			`if (!endpoint) return;`

			`for (const i of endpointsWithoutAuth)`
			`// if accessed endpoint doesn't require auth`
			`if (endpoint.startsWith(i)) return;`

			`const token = getCookie(e, "token");`
			`if (!await isAuthorised(token))`
			`throw createError({ statusCode: 401, message: "Unauthorized" });`
			`});`

			`/**`
			`* Checks if the token is authorised`
			`* @param token the token to ckeck`
			`*/`
			`export async function isAuthorised(token: string \| undefined): Promise<boolean> {`
			`if (!token) return false;`
fix auth check if database is uninitialised 2023-06-14 12:37:57 +02:00			`try {`
Replace mysql2 with prisma also I updated packages, and properly typed api input a lot of time was spent, I don't remeber what really I did x3 but everything was related to replacing mysql2 with prisma 2023-11-08 05:35:48 +01:00			`await database.session.findUniqueOrThrow({`
			`where: {`
[BREAKING] Auth: replace current auth tokens with more secure ones previously tokens were only like IDs, time based and incrementing counter. An attacker could easily bruteforce them. This patch changes tokens to be completely random. fixes #2 2023-11-09 18:28:09 +01:00			`...SessionToken.fromString(token).toPrisma(),`
			`expiry_date: {`
			`gte: new Date(),`
			`},`
Replace mysql2 with prisma also I updated packages, and properly typed api input a lot of time was spent, I don't remeber what really I did x3 but everything was related to replacing mysql2 with prisma 2023-11-08 05:35:48 +01:00			`},`
			`});`

			`return true;`
			`} catch (e) {`
fix auth check if database is uninitialised 2023-06-14 12:37:57 +02:00			`return false;`
			`}`
Initial commit 2023-05-11 06:03:22 +02:00			`}`