Merge pull request #238 from UofA-Blueprint/fix/overide-user-role

fix: override user role in middleware
UofA-Blueprint · Aug 22, 2023 · fd19002 · fd19002
2 parents bb81c71 + 450a212
commit fd19002
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 5 deletions.
diff --git a/backend/src/controllers/users.ts b/backend/src/controllers/users.ts
@@ -81,7 +81,7 @@ export const verifyUserSession = async (req: Request, res: Response) => {
         user: user,
         userData: userData,
     })
-    return res.status(200).json({ user : { ...user, ...userData}})
+    return res.status(200).json({ user: { ...user, ...userData } })
 }
 
 export const updateUser = async (req: Request, res: Response) => {

diff --git a/backend/src/middlewares/auth.ts b/backend/src/middlewares/auth.ts
@@ -4,6 +4,7 @@ import jwt, { JwtPayload, Secret } from 'jsonwebtoken'
 import { auth } from '../services/firebase'
 import { DecodedIdToken } from 'firebase-admin/lib/auth/token-verifier'
 import Logger from '../utils/logger'
+import { getUserById } from '../services/users'
 dotenv.config()
 
 const API_KEY = process.env.API_KEY || 'test'
@@ -122,6 +123,19 @@ export const verifyFirebaseToken = (req: Request, res: Response, next: NextFunct
     auth.verifySessionCookie(sessionCookies, true /** check revoked */)
         .then((decodedClaims) => {
             ;(req as CustomRequest).firebase = decodedClaims
+        })
+        .then(async () => {
+            // fetch the user from firebase and update the role in the request object
+            // This logic will overide the role in the firebase session token with the role in the database
+            let user = await getUserById((req as CustomRequest).firebase.uid)
+            if (!user) {
+                Logger.error({
+                    message: 'User not found',
+                    statusCode: 404,
+                })
+                return res.status(400).json({ error: 'user_not_found' })
+            }
+            ;(req as CustomRequest).firebase.role = user.role
             next()
         })
         .catch((error) => {

diff --git a/backend/src/services/dish.ts b/backend/src/services/dish.ts
@@ -222,25 +222,34 @@ export const validateDishRequestBody = (dish: Dish) => {
 
 export const validateReturnDishRequestBody = (dish: Dish) => {
     const schema = Joi.object({
-        condition: Joi.string().valid(Condition.smallChip, Condition.largeCrack, Condition.shattered, Condition.alright).required(),
+        condition: Joi.string()
+            .valid(Condition.smallChip, Condition.largeCrack, Condition.shattered, Condition.alright)
+            .required(),
     }).required()
 
     return schema.validate(dish)
 }
 
 export const validateUpdateConditonRequestBody = (body: Object) => {
     const schema = Joi.object({
-        condition: Joi.string().valid(Condition.smallChip, Condition.largeCrack, Condition.shattered, Condition.alright).required(),
+        condition: Joi.string()
+            .valid(Condition.smallChip, Condition.largeCrack, Condition.shattered, Condition.alright)
+            .required(),
     }).required()
 
     return schema.validate(body)
 }
 
-export const updateBorrowedStatus = async (dish: Dish, userClaims: DecodedIdToken, borrowed: boolean, condition?: string) => {
+export const updateBorrowedStatus = async (
+    dish: Dish,
+    userClaims: DecodedIdToken,
+    borrowed: boolean,
+    condition?: string
+) => {
     // when borrowing, set userId and increase timesBorrowed
     let timesBorrowed = borrowed ? dish.timesBorrowed + 1 : dish.timesBorrowed
     let userId = borrowed ? userClaims.uid : null
-    let dishCondition;
+    let dishCondition
     if (condition) {
         dishCondition = condition
     } else {