
How to use auth() method? #66

Closed
kvlknctk opened this issue Jan 14, 2021 · 6 comments

Comments

@kvlknctk

Hi,
I need to use auth() to activate users who log in with tokens.
In this case, we can take the user as req.user in the controller and perform the operation.

But in any case, I have to check the req.user information.

My scenario is as follows:

Without auth(), a route is broadcast publicly.
The user can view this route without logging in.
I want to send an additional field if the user is logged in and has a relationship with the content they are looking at (/ep/54e...).
I want to do something like "You have purchased this product before, you don't need to buy it again" (/ep/54e.../buy).
I have to define auth() under any condition to get the req.user information. But I also want my route to be public.

How can I verify if the request is from a verified user?
How should I use the auth() alternative methods?

Thank you.

@mddarmawan
Contributor

Hi @kvlknctk.

You can use something like this in middlewares/auth.js:

const verifyCallback = (req, resolve, reject, requiredRights) => async (err, user, info) => {
...
    const userIsVerified = user.verifiedAt;
    if (userIsVerified === null) {
      return reject(new ApiError(httpStatus.UNAUTHORIZED, 'Please verify'));
    }
...
}

And don't forget to use it at your router:

  .get(auth('REQUIRED_RIGHT'), ...)

@kvlknctk
Author

When I use auth(), I know that we cannot pass guests in any way. Even if we do this somehow, I guess there must be a method where I can get the credentials of the user inside the controller.

@hagopj13
Owner

@kvlknctk you can also make this endpoint public (avoid using the auth middleware in this case), and optionally pass the access token in the request body. If the token is not there, then the user is not logged in. If the token is there, then the user is logged in, so you can verify the token and get the user information from it.

@kvlknctk
Author

const passport = require('passport');
const httpStatus = require('http-status');
const ApiError = require('../utils/ApiError');
const { roleRights } = require('../config/roles');

// passport-jwt invokes this with user === false when no valid token was sent;
// unlike the original verifyCallback, this version does not reject in that case.
const verifyCallback = (req, resolve, reject, requiredRights) => async (err, user, info) => {
  req.user = user;

  if (requiredRights.length) {
    const userRights = roleRights.get(user.role);
    const hasRequiredRights = requiredRights.every((requiredRight) => userRights.includes(requiredRight));
    if (!hasRequiredRights && req.params.userId !== user.id) {
      return reject(new ApiError(httpStatus.FORBIDDEN, 'Forbidden'));
    }
  }

  resolve();
};

// Same shape as the boilerplate's auth(), but it lets the request continue as a guest.
const authSoft = (...requiredRights) => async (req, res, next) => {
  return new Promise((resolve, reject) => {
    passport.authenticate('jwt', { session: false }, verifyCallback(req, resolve, reject, requiredRights))(req, res, next);
  })
    .then(() => next())
    .catch((err) => next(err));
};

module.exports = authSoft;

This way I created an intermediate layer for myself; I hope I did it right.

@hagopj13
Owner

@kvlknctk doesn't this fail when requiredRights is actually not empty?

It also doesn't make sense to use it here, so you can remove that part. The rest looks fine and intuitive.

@kvlknctk
Author

Yes, you're right.
Thank you.
