diff --git a/Server/controllers/monitorController.js b/Server/controllers/monitorController.js
index f004f98f3..b8e2e1ec7 100644
--- a/Server/controllers/monitorController.js
+++ b/Server/controllers/monitorController.js
@@ -5,6 +5,7 @@ const {
 } = require("../validation/joi");
 const logger = require("../utils/logger");
 
+const SERVICE_NAME = "monitorController";
 
 /**
  * Returns all monitors
@@ -19,7 +20,7 @@ const getAllMonitors = async (req, res) => {
 const monitors = await req.db.getAllMonitors();
 return res.json({ success: true, msg: "Monitors found", data: monitors });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
@@ -42,9 +43,14 @@ const getMonitorById = async (req, res) => {
 try {
 const monitor = await req.db.getMonitorById(req, res);
 
+ if (!monitor) {
+ logger.error("Monitor not found", { service: SERVICE_NAME });
+ return res.status(404).json({ success: false, msg: "Monitor not found" });
+ }
+
 return res.json({ success: true, msg: "Monitor found", data: monitor });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
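Review bot: The new not-found branch in getMonitorById logs at error level although a missing monitor is an ordinary client outcome, and the log entry carries nothing that ties it to the request. If the project logger exposes a lower level, prefer `logger.warn("Monitor not found", { service: SERVICE_NAME, monitorId: req.params.monitorId });` so the error log stays meaningful and the event can be correlated. The 404 response itself is the right status.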
@@ -68,17 +74,20 @@ const getMonitorsByUserId = async (req, res) => {
 try {
 const userId = req.params.userId;
 const monitors = await req.db.getMonitorsByUserId(req, res);
- logger.info(`Monitors for user ${userId} found`, {
- service: "monitor",
- userId: userId,
- });
+
+ if (monitors && monitors.length === 0) {
+ return res
+ .status(404)
+ .json({ success: false, msg: "No monitors not found" });
+ }
+
 return res.json({
 success: true,
 msg: `Monitors for user ${userId} found`,
 data: monitors,
 });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
@@ -106,7 +115,7 @@ const createMonitor = async (req, res) => {
 .status(201)
 .json({ success: true, msg: "Monitor created", data: monitor });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
@@ -137,7 +146,7 @@ const deleteMonitor = async (req, res) => {
 */
 return res.status(200).json({ success: true, msg: "Monitor deleted" });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
@@ -150,9 +159,9 @@ const deleteMonitor = async (req, res) => {
 * @returns {Promise}
 * @throws {Error}
 */
-const editMonitor = async (req, res) => {
- let paramError = getMonitorByIdValidation.validate(req.params);
- if (paramError.error) {
+const editMonitor = async (req, res, next) => {
+ let { paramError } = getMonitorByIdValidation.validate(req.params);
+ if (paramError) {
 return res
 .status(422)
 .json({ success: false, msg: paramError.error.details[0].message });
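Review bot: The empty-result guard added to getMonitorsByUserId only fires when `monitors` is a non-null array, so a `null`/`undefined` result from `req.db.getMonitorsByUserId` still produces a 200 with `data: null`, and the user-facing text `"No monitors not found"` is a double negative. Either widen the check to `if (!monitors || monitors.length === 0) {` and change the message to `msg: "No monitors found"`, or treat an empty list as a normal 200 with `data: []`, since an empty collection is not usually an error condition. The removed `logger.info` call was the only place the looked-up `userId` was logged; if that was intentional, fine, but it is worth saying so in the commit message.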
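Review bot: `let { paramError } = getMonitorByIdValidation.validate(req.params);` destructures a property that Joi's `validate()` does not return (it returns `{ value, error }`), so `paramError` is always undefined, `if (paramError)` never fires and the 422 path is dead — an invalid `monitorId` now reaches the database call unvalidated. Even if the branch did fire, `paramError.error.details[0].message` dereferences a non-existent `.error`. Use `const { error: paramError } = getMonitorByIdValidation.validate(req.params);`, keep `if (paramError) {`, and read `msg: paramError.details[0].message`. The added `next` parameter is not used anywhere in this hunk; editMonitor's body continues beyond it.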
@@ -171,7 +180,7 @@ const editMonitor = async (req, res) => {
 .status(200)
 .json({ success: true, msg: "Monitor edited", data: editedMonitor });
 } catch (error) {
- logger.error(error.message, { service: "monitor" });
+ logger.error(error.message, { service: SERVICE_NAME });
 return res.status(500).json({ success: false, msg: error.message });
 }
 };
diff --git a/Server/db/MongoDB.js b/Server/db/MongoDB.js
index 8fcc1dced..44b734954 100644
--- a/Server/db/MongoDB.js
+++ b/Server/db/MongoDB.js
@@ -2,6 +2,10 @@ const Monitor = require("../models/Monitor");
 const mongoose = require("mongoose");
 const UserModel = require("../models/user");
 
+const verifyId = (userId, monitorId) => {
+ return userId.toString() === monitorId.toString();
+};
+
 const connect = async () => {
 try {
 await mongoose.connect(process.env.DB_CONNECTION_STRING);
@@ -113,6 +117,7 @@ const getMonitorsByUserId = async (req, res) => {
 const createMonitor = async (req, res) => {
 try {
 const monitor = new Monitor({ ...req.body });
+ monitor.userId = req.user._id;
 await monitor.save();
 return monitor;
 } catch (error) {
diff --git a/Server/index.js b/Server/index.js
index 5068c98d8..11e2b5b5b 100644
--- a/Server/index.js
+++ b/Server/index.js
@@ -6,7 +6,7 @@ const monitorRouter = require("./routes/monitorRoute");
 const { connectDbAndRunServer } = require("./configs/db");
 require("dotenv").config();
 const logger = require("./utils/logger");
-var { verifyJWT } = require("./middleware/verifyJWT");
+const { verifyJWT } = require("./middleware/verifyJWT");
 
 // const { sendEmail } = require('./utils/sendEmail')
 
diff --git a/Server/middleware/verifyOwnership.js b/Server/middleware/verifyOwnership.js
new file mode 100644
index 000000000..1b496fbce
--- /dev/null
+++ b/Server/middleware/verifyOwnership.js
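Review bot: The `verifyId` helper added at the top of MongoDB.js is not referenced by any hunk in this diff, and the comparison it encapsulates is re-implemented inline in the new verifyOwnership middleware; if nothing else in MongoDB.js calls it, it is dead code and should either be dropped or become the single shared comparison. As written it also throws rather than returning false when either argument is missing, because `userId.toString()` is called unguarded. If it stays, a one-line comment such as `// true when both ids serialise to the same ObjectId string` would say what the argument names do not.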
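Review bot: `monitor.userId = req.user._id;` is assigned after the document is built from `{ ...req.body }`, which correctly overrides any client-supplied `userId`, but the spread still mass-assigns every other body field into the model. Setting ownership in the constructor, `const monitor = new Monitor({ ...req.body, userId: req.user._id });`, keeps the override in one place; an explicit allow-list of accepted body fields would be safer still. If `req.user` is not populated on this path (whether verifyJWT is mounted in front of the monitor router is outside this diff, which only shows the `const` change in index.js), the property access throws a TypeError that the existing catch turns into a 500 echoing the raw message.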
@@ -0,0 +1,41 @@
+const logger = require("../utils/logger");
+const SERVICE_NAME = "verifyOwnership";
+
+const verifyOwnership = (Model, paramName) => {
+ return async (req, res, next) => {
+ const userId = req.user._id;
+ const documentId = req.params[paramName];
+ try {
+ const doc = await Model.findById(documentId);
+ //If the document is not found, return a 404 error
+ if (!doc) {
+ logger.error("Document not found", {
+ service: SERVICE_NAME,
+ });
+ return res
+ .status(404)
+ .json({ success: false, msg: "Document not found" });
+ }
+
+ // If the userID does not match the document's userID, return a 403 error
+ if (userId.toString() !== doc.userId.toString()) {
+ logger.error("Unauthorized access", {
+ service: SERVICE_NAME,
+ });
+
+ return res.status(403).json({
+ success: false,
+ msg: "You are not authorized to perform this action",
+ });
+ }
+ next();
+ } catch (error) {
+ logger.error(error.message, {
+ service: SERVICE_NAME,
+ });
+ return res.status(500).json({ success: false, msg: error.message });
+ }
+ };
+};
+
+module.exports = { verifyOwnership };
diff --git a/Server/models/user.js b/Server/models/user.js
index 02d0d53b3..d90b484bb 100644
--- a/Server/models/user.js
+++ b/Server/models/user.js
@@ -50,7 +50,6 @@ UserSchema.pre("save", async function (next) {
 });
 
 UserSchema.methods.comparePassword = function (submittedPassword) {
- console.log(submittedPassword, this.password);
 return bcrypt.compare(submittedPassword, this.password);
 };
 
diff --git a/Server/routes/monitorRoute.js b/Server/routes/monitorRoute.js
index 5f2ce4bb5..ffdce1d4d 100644
--- a/Server/routes/monitorRoute.js
+++ b/Server/routes/monitorRoute.js
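Review bot: `const userId = req.user._id;` sits outside the `try`, so if `req.user` is absent (middleware order, or this guard reused on a path without verifyJWT) the async handler rejects without ever sending a response and the request hangs instead of failing closed; `doc.userId.toString()` likewise throws for documents that predate `userId` being set, turning what should be a 403 into a 500. That catch also returns `error.message` to the client, which exposes driver and validation internals on every failure. Move the user lookup inside the `try`, treat a missing owner field as not-owned, and send a fixed 500 message; the fetched document could additionally be attached to `req` so the controller does not re-query it. The `//If the document` comment would also read better as `// Unknown id: 404 rather than 403, so the response does not depend on ownership`.
```javascript
  return async (req, res, next) => {
    try {
      const userId = req.user?._id;
      if (!userId) {
        return res.status(401).json({ success: false, msg: "Unauthorized" });
      }
      const doc = await Model.findById(req.params[paramName]);
      // … unchanged: 404 branch …

      // A document with no owner field is treated as not owned by the caller
      if (!doc.userId || userId.toString() !== doc.userId.toString()) {
        // … unchanged: log + 403 response …
      }
      next();
    } catch (error) {
      logger.error(error.message, { service: SERVICE_NAME });
      // Keep internal error text out of the response body
      return res.status(500).json({ success: false, msg: "Internal server error" });
    }
  };
```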
@@ -1,11 +1,21 @@
 const router = require("express").Router();
 const monitorController = require("../controllers/monitorController");
+const { verifyOwnership } = require("../middleware/verifyOwnership");
+const Monitor = require("../models/Monitor");
 
 router.get("/", monitorController.getAllMonitors);
 router.get("/:monitorId", monitorController.getMonitorById);
 router.get("/user/:userId", monitorController.getMonitorsByUserId);
 router.post("/", monitorController.createMonitor);
-router.post("/delete/:monitorId", monitorController.deleteMonitor);
-router.post("/edit/:monitorId", monitorController.editMonitor);
+router.post(
+ "/delete/:monitorId",
+ verifyOwnership(Monitor, "monitorId"),
+ monitorController.deleteMonitor
+);
+router.post(
+ "/edit/:monitorId",
+ verifyOwnership(Monitor, "monitorId"),
+ monitorController.editMonitor
+);
 
 module.exports = router;
diff --git a/package-lock.json b/package-lock.json
deleted file mode 100644
index f71a78c1f..000000000
--- a/package-lock.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "name": "bluewave-uptime",
- "lockfileVersion": 3,
- "requires": true,
- "packages": {}
-}
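Review bot: Only the delete and edit routes gain `verifyOwnership`; `router.get("/:monitorId", …)` and `router.get("/user/:userId", …)` still serve whichever id appears in the URL, and the controller behind the latter reads `req.params.userId` without comparing it to the authenticated user (see the monitorController hunk), so any caller who passes this router's authentication can read another user's monitor list and monitor details. Whether verifyJWT is mounted in front of this router is not visible in the diff (index.js only shows the `var`→`const` change), so that should be confirmed as well. For the by-id read, reuse `verifyOwnership(Monitor, "monitorId")`; for the per-user listing, either derive the user from `req.user._id` and drop the URL parameter, or add a guard such as `if (req.params.userId !== req.user._id.toString()) return res.status(403).json({ success: false, msg: "Forbidden" });` before the query. A short comment on the two guarded routes, `// ownership check runs before the controller; unauthenticated requests never reach it`, would document the intended ordering for the next reader.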