From fd67355b033e9344c3dc74024ac04e62117ddd53 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 1 Oct 2020 13:30:00 -0400
Subject: [PATCH] fix(writeapi): authenticate middleware logic to work better with await

---
 src/middleware/user.js | 58 +++++++++++++++++++++++++------------------
 1 file changed, 34 insertions(+), 24 deletions(-)

diff --git a/src/middleware/user.js b/src/middleware/user.js
index de7ae916af80..bba1db79042c 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -16,17 +16,41 @@ const controllers = {
 authentication: require('../controllers/authentication'),
 };
 
+const passportAuthenticateAsync = function (req, res) {
+ return new Promise((resolve, reject) => {
+ passport.authenticate('bearer', { session: false }, (err, user) => {
+ if (err) {
+ reject(err);
+ } else {
+ resolve(user);
+ }
+ })(req, res);
+ });
+};
+
 module.exports = function (middleware) {
 async function authenticate(req, res) {
 if (req.loggedIn) {
 return true;
 } else if (req.headers.hasOwnProperty('authorization')) {
- passport.authenticate('bearer', { session: false }, function (err, user) {
- if (err) { throw new Error(err); }
- if (!user) { return false; }
+ const user = await passportAuthenticateAsync(req, res);
+ if (!user) { return true; }
+
+ // If the token received was a master token, a _uid must also be present for all calls
+ if (user.hasOwnProperty('uid')) {
+ req.login(user, async function (err) {
+ if (err) { throw new Error(err); }
+
+ await controllers.authentication.onSuccessfulLogin(req, user.uid);
+ req.uid = user.uid;
+ req.loggedIn = req.uid > 0;
+ return true;
+ });
+ } else if (user.hasOwnProperty('master') && user.master === true) {
+ if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
+ user.uid = req.body._uid || req.query._uid;
+ delete user.master;
 
- // If the token received was a master token, a _uid must also be present for all calls
- if (user.hasOwnProperty('uid')) {
 req.login(user, async function (err) {
 if (err) { throw new Error(err); }
 
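Review bot: `req.login(user, async function (err) { ... })` is still callback-based in both the `uid` branch and the master-token branch, so `authenticate()` does not wait for it. The `return true` inside the callback only leaves the callback, execution can reach the code after the `if` chain before `req.uid` and `req.loggedIn` are set, and a `throw` in that async callback becomes an unhandled rejection instead of reaching the caller. Wrapping the login in a promise and awaiting it, the way `passportAuthenticateAsync` already does for passport, closes that gap; the second `req.login` block is completed by the context lines of the next hunk. Separately, `user.uid = req.body._uid || req.query._uid` copies the impersonated uid from the request unchecked, so parsing it with `parseInt(..., 10)` and rejecting anything that is not a positive integer before logging in would keep arrays and arbitrary strings out of `req.uid`.

```javascript
// … unchanged: passportAuthenticateAsync …
const loginAsync = function (req, user) {
	return new Promise((resolve, reject) => {
		req.login(user, err => (err ? reject(err) : resolve()));
	});
};

// inside module.exports, shared by the uid and master-token branches
async function finishLogin(req, user) {
	await loginAsync(req, user);
	await controllers.authentication.onSuccessfulLogin(req, user.uid);
	req.uid = user.uid;
	req.loggedIn = req.uid > 0;
	return true;
}
// … in authenticate(): each req.login(...) block becomes `return await finishLogin(req, user);` …
```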
@@ -35,27 +59,13 @@ module.exports = function (middleware) {
 req.loggedIn = req.uid > 0;
 return true;
 });
- } else if (user.hasOwnProperty('master') && user.master === true) {
- if (req.body.hasOwnProperty('_uid') || req.query.hasOwnProperty('_uid')) {
- user.uid = req.body._uid || req.query._uid;
- delete user.master;
-
- req.login(user, async function (err) {
- if (err) { throw new Error(err); }
-
- await controllers.authentication.onSuccessfulLogin(req, user.uid);
- req.uid = user.uid;
- req.loggedIn = req.uid > 0;
- return true;
- });
- } else {
- throw new Error('A master token was received without a corresponding `_uid` in the request body');
- }
 } else {
- winston.warn('[api/authenticate] Unable to find user after verifying token');
- return false;
+ throw new Error('A master token was received without a corresponding `_uid` in the request body');
 }
- })(req, res);
+ } else {
+ winston.warn('[api/authenticate] Unable to find user after verifying token');
+ return true;
+ }
 }
 
 await plugins.fireHook('response:middleware.authenticate', {
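Review bot: The unknown-user branch now ends in `return true` where the old code returned `false` (as does `if (!user) { return true; }` in the first hunk), and nothing in the function says what the boolean means. If `true` stands for "no response sent yet, keep going" rather than "authenticated", a comment above `authenticate()` such as `// Resolves true when the request may continue; callers must still check req.loggedIn` would stop a later caller from treating it as an auth result; the callers are outside this hunk, so confirm the meaning before adopting that wording. These early returns also skip the `response:middleware.authenticate` hook that follows the `if` chain, which the old callback-based code always reached, so the same comment should say whether that is intended. The `throw` message mentions only the request body although `_uid` is also accepted from the query string.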