Skip to content

Commit eb3c628

Browse files
authored
Merge pull request #1674 from jetstreamapp/fix/protected-assets-session-check
feat: add redirectIfNotAuthenticatedMiddleware to enforce authentication before accessing app routes
2 parents 7a7bd61 + e6db530 commit eb3c628

2 files changed

Lines changed: 18 additions & 0 deletions

File tree

apps/api/src/app/routes/route.middleware.ts

Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -167,6 +167,22 @@ export async function redirectIfMfaEnrollmentRequiredMiddleware(req: express.Req
167167
next();
168168
}
169169

170+
/**
171+
* Must run AFTER the pending-* gates (pendingVerification, pendingTosAcceptance, pendingMfaEnrollment)
172+
* so that sessions still in a mid-auth state (including temporary/placeholder sessions with pendingVerification)
173+
* are routed to their appropriate flow before falling through to /auth/login.
174+
*/
175+
export async function redirectIfNotAuthenticatedMiddleware(req: express.Request, res: express.Response, next: express.NextFunction) {
176+
const user = req.session.user;
177+
178+
if (!user || user.id === PLACEHOLDER_USER_ID) {
179+
res.redirect(302, '/auth/login');
180+
return;
181+
}
182+
183+
next();
184+
}
185+
170186
export async function checkAuth(req: express.Request, res: express.Response, next: express.NextFunction) {
171187
const userAgent = req.get('User-Agent');
172188

apps/api/src/main.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@ import {
3939
destroySessionIfPendingVerificationIsExpired,
4040
notFoundMiddleware,
4141
redirectIfMfaEnrollmentRequiredMiddleware,
42+
redirectIfNotAuthenticatedMiddleware,
4243
redirectIfPendingTosAcceptanceMiddleware,
4344
redirectIfPendingVerificationMiddleware,
4445
setApplicationCookieMiddleware,
@@ -430,6 +431,7 @@ if (ENV.NODE_ENV === 'production' && !ENV.CI && cluster.isPrimary) {
430431
redirectIfPendingVerificationMiddleware,
431432
redirectIfPendingTosAcceptanceMiddleware,
432433
redirectIfMfaEnrollmentRequiredMiddleware,
434+
redirectIfNotAuthenticatedMiddleware,
433435
helmet.contentSecurityPolicy({
434436
directives: buildCspDirectives(['*.google.com', '*.googleusercontent.com', 'accounts.google.com']),
435437
}),

0 commit comments

Comments
 (0)