Merge pull request #63 from bluewave-labs/feat/edit-auth

Added document ownership middleware, resovles #59

Server/controllers/monitorController.js

@@ -5,6 +5,7 @@ const {
 } = require("../validation/joi");
 
 const logger = require("../utils/logger");
+const SERVICE_NAME = "monitorController";
 
 /**
  * Returns all monitors
@@ -19,7 +20,7 @@ const getAllMonitors = async (req, res) => {
     const monitors = await req.db.getAllMonitors();
     return res.json({ success: true, msg: "Monitors found", data: monitors });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };
@@ -42,9 +43,14 @@ const getMonitorById = async (req, res) => {
 
   try {
     const monitor = await req.db.getMonitorById(req, res);
+    if (!monitor) {
+      logger.error("Monitor not found", { service: SERVICE_NAME });
+      return res.status(404).json({ success: false, msg: "Monitor not found" });
+    }
+
     return res.json({ success: true, msg: "Monitor found", data: monitor });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };
@@ -68,17 +74,20 @@ const getMonitorsByUserId = async (req, res) => {
   try {
     const userId = req.params.userId;
     const monitors = await req.db.getMonitorsByUserId(req, res);
-    logger.info(`Monitors for user ${userId} found`, {
-      service: "monitor",
-      userId: userId,
-    });
+
+    if (monitors && monitors.length === 0) {
+      return res
+        .status(404)
+        .json({ success: false, msg: "No monitors not found" });
+    }
+
     return res.json({
       success: true,
       msg: `Monitors for user ${userId} found`,
       data: monitors,
     });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };
@@ -106,7 +115,7 @@ const createMonitor = async (req, res) => {
       .status(201)
       .json({ success: true, msg: "Monitor created", data: monitor });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };
@@ -137,7 +146,7 @@ const deleteMonitor = async (req, res) => {
      */
     return res.status(200).json({ success: true, msg: "Monitor deleted" });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };
@@ -150,9 +159,9 @@ const deleteMonitor = async (req, res) => {
  * @returns {Promise<Express.Response>}
  * @throws {Error}
  */
-const editMonitor = async (req, res) => {
-  let paramError = getMonitorByIdValidation.validate(req.params);
-  if (paramError.error) {
+const editMonitor = async (req, res, next) => {
+  let { paramError } = getMonitorByIdValidation.validate(req.params);
+  if (paramError) {
     return res
       .status(422)
       .json({ success: false, msg: paramError.error.details[0].message });
@@ -171,7 +180,7 @@ const editMonitor = async (req, res) => {
       .status(200)
       .json({ success: true, msg: "Monitor edited", data: editedMonitor });
   } catch (error) {
-    logger.error(error.message, { service: "monitor" });
+    logger.error(error.message, { service: SERVICE_NAME });
     return res.status(500).json({ success: false, msg: error.message });
   }
 };

Server/db/MongoDB.js

@@ -2,6 +2,10 @@ const Monitor = require("../models/Monitor");
 const mongoose = require("mongoose");
 const UserModel = require("../models/user");
 
+const verifyId = (userId, monitorId) => {
+  return userId.toString() === monitorId.toString();
+};
+
 const connect = async () => {
   try {
     await mongoose.connect(process.env.DB_CONNECTION_STRING);
@@ -113,6 +117,7 @@ const getMonitorsByUserId = async (req, res) => {
 const createMonitor = async (req, res) => {
   try {
     const monitor = new Monitor({ ...req.body });
+    monitor.userId = req.user._id;
     await monitor.save();
     return monitor;
   } catch (error) {

Server/index.js

@@ -6,7 +6,7 @@ const monitorRouter = require("./routes/monitorRoute");
 const { connectDbAndRunServer } = require("./configs/db");
 require("dotenv").config();
 const logger = require("./utils/logger");
-var { verifyJWT } = require("./middleware/verifyJWT");
+const { verifyJWT } = require("./middleware/verifyJWT");
 
 // const { sendEmail } = require('./utils/sendEmail')
 

Server/middleware/verifyOwnership.js

@@ -0,0 +1,41 @@
+const logger = require("../utils/logger");
+const SERVICE_NAME = "verifyOwnership";
+
+const verifyOwnership = (Model, paramName) => {
+  return async (req, res, next) => {
+    const userId = req.user._id;
+    const documentId = req.params[paramName];
+    try {
+      const doc = await Model.findById(documentId);
+      //If the document is not found, return a 404 error
+      if (!doc) {
+        logger.error("Document not found", {
+          service: SERVICE_NAME,
+        });
+        return res
+          .status(404)
+          .json({ success: false, msg: "Document not found" });
+      }
+
+      // If the userID does not match the document's userID, return a 403 error
+      if (userId.toString() !== doc.userId.toString()) {
+        logger.error("Unauthorized access", {
+          service: SERVICE_NAME,
+        });
+
+        return res.status(403).json({
+          success: false,
+          msg: "You are not authorized to perform this action",
+        });
+      }
+      next();
+    } catch (error) {
+      logger.error(error.message, {
+        service: SERVICE_NAME,
+      });
+      return res.status(500).json({ success: false, msg: error.message });
+    }
+  };
+};
+
+module.exports = { verifyOwnership };

Server/models/user.js

@@ -50,7 +50,6 @@ UserSchema.pre("save", async function (next) {
 });
 
 UserSchema.methods.comparePassword = function (submittedPassword) {
-  console.log(submittedPassword, this.password);
   return bcrypt.compare(submittedPassword, this.password);
 };
 

Server/routes/monitorRoute.js

@@ -1,11 +1,21 @@
 const router = require("express").Router();
 const monitorController = require("../controllers/monitorController");
+const { verifyOwnership } = require("../middleware/verifyOwnership");
+const Monitor = require("../models/Monitor");
 
 router.get("/", monitorController.getAllMonitors);
 router.get("/:monitorId", monitorController.getMonitorById);
 router.get("/user/:userId", monitorController.getMonitorsByUserId);
 
 router.post("/", monitorController.createMonitor);
-router.post("/delete/:monitorId", monitorController.deleteMonitor);
-router.post("/edit/:monitorId", monitorController.editMonitor);
+router.post(
+  "/delete/:monitorId",
+  verifyOwnership(Monitor, "monitorId"),
+  monitorController.deleteMonitor
+);
+router.post(
+  "/edit/:monitorId",
+  verifyOwnership(Monitor, "monitorId"),
+  monitorController.editMonitor
+);
 module.exports = router;

package-lock.json

@@ -1,6 +0,0 @@
-{
-  "name": "bluewave-uptime",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {}
-}