From d0b26a70212909708da1f849e85d2db2010f40f7 Mon Sep 17 00:00:00 2001
From: Jack Foltz <jack@foltz.io>
Date: Thu, 26 Jul 2018 13:15:54 -0400
Subject: [PATCH] Make requireAuth() add request variables

---
 app/routes/auth.js      | 18 ++++++++----------
 app/util/requireAuth.js | 34 ++++++++++++++++++++++++++++------
 2 files changed, 36 insertions(+), 16 deletions(-)

diff --git a/app/routes/auth.js b/app/routes/auth.js
index 042365b..8269b24 100644
--- a/app/routes/auth.js
+++ b/app/routes/auth.js
@@ -97,26 +97,24 @@ router.post('/login', canonicalizeRequest, wrap(async (req, res, next) => {
     // Create session
     await login(user, req);
 
-    // Set scope
+    // Set session vars
+    req.session.passport.display = user.username;
     req.session.passport.scope = user.scope;
 
     res.status(200).json({'message': 'Logged in.'});
 }));
 
-router.get('/logout', function (req, res) {
+router.post('/logout', function (req, res) {
     req.logout();
     res.status(200).json({'message': 'Logged out.'});
 });
 
-router.get('/ping', requireAuth(), (req, res, next) => {
-    res.status(200).json({'message': 'pong'});
-});
-
-router.get('/session', requireAuth(), (req, res, next) => {
+router.get('/whoami', requireAuth(), (req, res) => {
     res.status(200).json({
-        username: req.session.passport.username,
-        canonicalname: req.session.passport.canonicalname,
-        scope: req.session.passport.scope
+        user: req.authUser,
+        display: req.authDisplay,
+        scope: req.authScope,
+        key: req.authKey
     });
 });
 
diff --git a/app/util/requireAuth.js b/app/util/requireAuth.js
index 38dc150..a21ca8d 100644
--- a/app/util/requireAuth.js
+++ b/app/util/requireAuth.js
@@ -2,14 +2,36 @@ const Key = require('../models/Key.js');
 const wrap = require('./wrap.js').wrap;
 
 const verifyScope = (scope, requiredScope) => scope.indexOf(requiredScope) !== -1;
-const getKeyScope = async apikey => (await Key.findOne({key: apikey})).scope;
 
+// Checks for authentication by either API Key or Session
+// Sets body.authUser and body.authKey if check passed
+// If the request is authenticated and has the desired scope, continue.
+// If the request is authenticated, but lacks the required scope, return 403 Forbidden.
+// If the request is unauthenticated, return 401 Unauthorized.
 exports.requireAuth = scope =>
     wrap(async (req, res, next) => {
-        if (req.isAuthenticated() && (scope ? verifyScope(req.session.passport.scope, scope) : true))
-            next();
-        else if (req.body.apikey && (scope ? verifyScope(getKeyScope(req.body.apikey), scope) : true))
-            next();
-        else
+        if (req.isAuthenticated()) {
+            if (scope ? verifyScope(req.session.passport.scope, scope) : true) {
+                req.authUser = req.session.passport.user;
+                req.authDisplay = req.session.passport.display;
+                req.authScope = req.session.passport.scope;
+                req.authKey = null;
+                next();
+            } else {
+                res.status(403).json({message: 'Forbidden.'});
+            }
+        } else if (req.body.apikey) {
+            const key = await Key.findOne({key: apikey});
+            if (scope ? verifyScope(key.scope, scope) : true) {
+                req.authUser = key.username;
+                req.authDisplay = key.username;
+                req.authScope = key.scope;
+                req.authKey = key.key;
+                next();
+            } else {
+                res.status(403).json({message: 'Forbidden.'});
+            }
+        } else {
             res.status(401).json({'message': 'Unauthorized.'});
+        }
     });
\ No newline at end of file