Merge pull request #2111 from rteas/refactor-permission-management

fix: rename TOKEN_SECRET to JWT_SECRET across backend, small fixes

Author: rteas

backend/config/auth.config.js

@@ -1,5 +1,5 @@
 module.exports = {
-  TOKEN_SECRET: process.env.TOKEN_SECRET || 'placeholder_secret_key_for_development_only',
+  JWT_SECRET: process.env.JWT_SECRET || 'placeholder_secret_key_for_development_only',
   CUSTOM_REQUEST_HEADER: process.env.CUSTOM_REQUEST_HEADER,
   // 15 minutes as a string for JWT expiration
   ACCESS_TOKEN_EXPIRATION: '15m',

backend/controllers/user.controller.js

@@ -17,7 +17,7 @@ const expectedHeader = process.env.CUSTOM_REQUEST_HEADER;
 const UserController = {};
 
 // Get list of Users with GET
-UserController.user_list = async function (req, res) {
+UserController.user_list = async (req, res) => {
   const { headers } = req;
   const { query } = req;
 
@@ -34,7 +34,7 @@ UserController.user_list = async function (req, res) {
   }
 };
 
-UserController.user_by_email = async function (req, res) {
+UserController.user_by_email = async (req, res) => {
   const { headers } = req;
   const { email } = req.params;
 
@@ -54,23 +54,25 @@ UserController.user_by_email = async function (req, res) {
 };
 
 // Get list of Users with accessLevel 'admin' or 'superadmin' with GET
-UserController.admin_list = async function (req, res) {
+UserController.admin_list = async (req, res) => {
   const { headers } = req;
 
   if (headers['x-customrequired-header'] !== expectedHeader) {
     return res.sendStatus(403);
   }
 
   try {
-    const admins = await User.find({ accessLevel: { $in: ['admin', 'superadmin'] } });
+    const admins = await User.find({
+      accessLevel: { $in: ['admin', 'superadmin'] },
+    });
     return res.status(200).send(admins);
   } catch (err) {
     console.error(err);
     return res.sendStatus(400);
   }
 };
 
-UserController.projectManager_list = async function (req, res) {
+UserController.projectManager_list = async (req, res) => {
   const { headers } = req;
 
   if (headers['x-customrequired-header'] !== expectedHeader) {
@@ -120,7 +122,7 @@ UserController.projectManager_list = async function (req, res) {
 };
 
 // Get User by id with GET
-UserController.user_by_id = async function (req, res) {
+UserController.user_by_id = async (req, res) => {
   const { headers } = req;
   const { UserId } = req.params;
 
@@ -138,7 +140,7 @@ UserController.user_by_id = async function (req, res) {
 };
 
 // Add User with POST
-UserController.create = async function (req, res) {
+UserController.create = async (req, res) => {
   const { headers } = req;
 
   if (headers['x-customrequired-header'] !== expectedHeader) {
@@ -164,7 +166,7 @@ UserController.create = async function (req, res) {
 };
 
 // Update User with PATCH
-UserController.update = async function (req, res) {
+UserController.update = async (req, res) => {
   const { headers } = req;
   const { UserId } = req.params;
 
@@ -173,7 +175,9 @@ UserController.update = async function (req, res) {
   }
 
   try {
-    const user = await User.findOneAndUpdate({ _id: UserId }, req.body, { new: true });
+    const user = await User.findOneAndUpdate({ _id: UserId }, req.body, {
+      new: true,
+    });
     return res.status(200).send(user);
   } catch (err) {
     console.error(err);
@@ -182,7 +186,7 @@ UserController.update = async function (req, res) {
 };
 
 // Add User with POST
-UserController.delete = async function (req, res) {
+UserController.delete = async (req, res) => {
   const { headers } = req;
   const { UserId } = req.params;
 
@@ -199,7 +203,7 @@ UserController.delete = async function (req, res) {
   }
 };
 
-UserController.createUser = function (req, res) {
+UserController.createUser = async (req, res) => {
   const { firstName, lastName, email } = req.body;
   const { origin } = req.headers;
 
@@ -224,7 +228,7 @@ UserController.createUser = function (req, res) {
   EmailController.sendLoginLink(req.body.email, user.name.firstName, jsonToken, req.cookie, origin);
 };
 
-UserController.signin = function (req, res) {
+UserController.signin = (req, res) => {
   const { email, auth_origin } = req.body;
   const { origin } = req.headers;
 
@@ -251,15 +255,15 @@ UserController.signin = function (req, res) {
     });
 };
 
-UserController.verifySignIn = async function (req, res) {
+UserController.verifySignIn = async (req, res) => {
   let token = req.headers['x-access-token'] || req.headers['authorization'];
   if (token.startsWith('Bearer ')) {
     // Remove Bearer from string
     token = token.slice(7, token.length);
   }
 
   try {
-    const payload = jwt.verify(token, CONFIG_AUTH.SECRET);
+    const payload = jwt.verify(token, CONFIG_AUTH.JWT_SECRET);
     const user = await User.findById(payload.id);
     const refreshToken = generateRefreshToken();
     const accessToken = generateAccessToken(user, payload.auth_origin);
@@ -287,11 +291,9 @@ UserController.verifySignIn = async function (req, res) {
   }
 };
 
-UserController.verifyMe = async function (req, res) {
-  return res.status(200).send(req.user);
-};
+UserController.verifyMe = async (req, res) => res.status(200).send(req.user);
 
-UserController.logout = async function (req, res) {
+UserController.logout = async (req, res) => {
   try {
     await RefreshToken.deleteOne({ _id: req.refreshToken._id });
     return res.clearCookie('token').status(200).send('Successfully logged out.');
@@ -301,7 +303,7 @@ UserController.logout = async function (req, res) {
   }
 };
 
-UserController.refreshAccessToken = async function (req, res) {
+UserController.refreshAccessToken = async (req, res) => {
   const accessToken = generateAccessToken(req.user, req.auth_origin);
   const decoded = jwt.decode(accessToken);
 
@@ -315,7 +317,7 @@ UserController.refreshAccessToken = async function (req, res) {
 };
 
 // Update user's managedProjects
-UserController.updateManagedProjects = async function (req, res) {
+UserController.updateManagedProjects = async (req, res) => {
   const { headers } = req;
   const { UserId } = req.params;
   const { action, projectId } = req.body; // action - 'add' or 'remove'
@@ -357,7 +359,7 @@ UserController.updateManagedProjects = async function (req, res) {
   }
 };
 
-UserController.bulkUpdateManagedProjects = async function (req, res) {
+UserController.bulkUpdateManagedProjects = async (req, res) => {
   const { bulkOps } = req.body;
 
   // Convert string IDs to ObjectId in bulkOps

backend/middleware/auth.middleware.js

@@ -5,7 +5,7 @@ const { RefreshToken, User } = require('../models');
 const crypto = require('crypto');
 const AuthUtils = require('../../shared/authorizationUtils');
 
-const SECRET = CONFIG_AUTH.TOKEN_SECRET;
+const SECRET = CONFIG_AUTH.JWT_SECRET;
 
 // Utility functions
 

backend/routers/projects.router.js

@@ -8,6 +8,9 @@ const { ProjectController } = require('../controllers');
 // Require user to be project manager or higher (commented out for now for current app to work succesfully without auth, will re-enable when auth is ready)
 // router.use(Auth.authUser, Auth.requireMinimumRole(ROLES.PROJECT_MANAGER));
 // The base is /api/projects
+
+const { AuthUtil } = require('../middleware/auth.middleware');
+
 router.get('/', ProjectController.project_list);
 
 // Its a put because we have to send the PM projects to be filtered here
@@ -26,6 +29,10 @@ router.patch('/:ProjectId', ProjectController.updateManagedByUsers);
 router.post('/bulk-updates', ProjectController.bulkUpdateManagedByUsers);
 
 // Update onboard/offboard visibility for a project
-router.patch('/:ProjectId/visibility', AuthUtil.verifyCookie, ProjectController.updateOnboardOffboardVisibility);
+router.patch(
+  '/:ProjectId/visibility',
+  AuthUtil.verifyCookie,
+  ProjectController.updateOnboardOffboardVisibility,
+);
 
 module.exports = router;

backend/test/old-tests/projects.router.test.js

@@ -28,13 +28,9 @@ describe('CREATE', () => {
     };
     const user = await User.create(submittedData);
     const auth_origin = 'TEST';
-    token = jwt.sign(
-      { id: user.id, role: user.accessLevel, auth_origin },
-      CONFIG_AUTH.TOKEN_SECRET,
-      {
-        expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
-      },
-    );
+    token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.JWT_SECRET, {
+      expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
+    });
   });
   test('Create a Project with POST to /api/projects/ without token', async (done) => {
     // Test Data
@@ -101,13 +97,9 @@ describe('UPDATE', () => {
     };
     const user = await User.create(submittedData);
     const auth_origin = 'TEST';
-    token = jwt.sign(
-      { id: user.id, role: user.accessLevel, auth_origin },
-      CONFIG_AUTH.TOKEN_SECRET,
-      {
-        expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
-      },
-    );
+    token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.JWT_SECRET, {
+      expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
+    });
   });
   test('Update a project with PATCH to /api/projects/:id without a token', async (done) => {
     // Test Data
@@ -189,13 +181,9 @@ describe('DELETE', () => {
     };
     const user = await User.create(submittedData);
     const auth_origin = 'TEST';
-    token = jwt.sign(
-      { id: user.id, role: user.accessLevel, auth_origin },
-      CONFIG_AUTH.TOKEN_SECRET,
-      {
-        expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
-      },
-    );
+    token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.JWT_SECRET, {
+      expiresIn: `${CONFIG_AUTH.ACCESS_TOKEN_EXPIRATION_SEC}s`,
+    });
   });
   test('Delete a project with POST to /api/projects/:id without a token', async (done) => {
     // Test Data