From 8360bbbe554c6051c19721f13bac877df8125487 Mon Sep 17 00:00:00 2001
From: pedroyen21
Date: Sun, 2 Jul 2023 23:19:57 -0300
Subject: [PATCH] #149 feat: validacao de usuario de consulta

---
 src/middlewares/admin-auth-middleware.ts | 41 ++++++++++---------
 .../is-not-query-user-middleware.ts | 26 ++++++++++++
 src/routes.ts | 37 ++++++++++++++---
 3 files changed, 78 insertions(+), 26 deletions(-)
 create mode 100644 src/middlewares/is-not-query-user-middleware.ts

diff --git a/src/middlewares/admin-auth-middleware.ts b/src/middlewares/admin-auth-middleware.ts
index a77efdb..9454957 100644
--- a/src/middlewares/admin-auth-middleware.ts
+++ b/src/middlewares/admin-auth-middleware.ts
@@ -2,24 +2,25 @@ import { Request, Response } from 'express'
 import { decode } from 'jsonwebtoken'
 
 export const checkAdminAccessToken = (
- req: Request,
- resp: Response,
- next: () => void
- ): void => {
- const token = req.headers.authorization?.split(' ')[1]
- if (!token) {
- resp.status(401).json({ error: 'Token não informado' })
- return
- }
-
- const { userId, role } = decode(token) as { userId: string, role: string }
-
- if (role != 'administrador') {
- resp.status(403).json({ error: 'Acesso negado. Você não é um administrador.' })
- return
- }
-
- req.userId = userId
- next()
+ req: Request,
+ resp: Response,
+ next: () => void
+): void => {
+ const token = req.headers.authorization?.split(' ')[1]
+ if (!token) {
+ resp.status(401).json({ error: 'Token não informado' })
+ return
 }
- 
\ No newline at end of file
+
+ const { userId, role } = decode(token) as { userId: string; role: string }
+
+ if (role !== 'administrador') {
+ resp
+ .status(403)
+ .json({ error: 'Acesso negado. Você não é um administrador.' })
+ return
+ }
+
+ req.userId = userId
+ next()
+}
diff --git a/src/middlewares/is-not-query-user-middleware.ts b/src/middlewares/is-not-query-user-middleware.ts
new file mode 100644
index 0000000..fa9cf67
--- /dev/null
+++ b/src/middlewares/is-not-query-user-middleware.ts
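Review bot: The reformatted body still takes `role` from `decode(token)`, and jsonwebtoken's `decode` only base64-decodes the payload without checking the signature or expiry, so any client can hand-craft a token carrying `role: 'administrador'` and pass this admin gate; `decode` also returns `null` for a malformed token, so the destructuring on that line throws and the request dies with an unhandled error instead of a 401. Use `verify` instead, which throws on a bad signature or expired token, and map that failure to a 401; the import on the first hunk line would become `import { verify } from 'jsonwebtoken'`. In the sketch below `jwtSecret` stands for whatever key the login endpoint signs with — that key is not visible in this diff, so wire it to the real source. The role comparison, `req.userId` assignment and `next()` call stay as they are.
```typescript
  // … unchanged: Bearer token extraction and 401 on missing token …
  let payload: { userId: string; role: string }
  try {
    // verify() checks the signature and exp claim; decode() checks neither
    payload = verify(token, jwtSecret) as { userId: string; role: string }
  } catch {
    resp.status(401).json({ error: 'Token inválido ou expirado' })
    return
  }
  const { userId, role } = payload
  // … unchanged: role !== 'administrador' check, req.userId = userId, next() …
```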
@@ -0,0 +1,26 @@
+import { Request, Response } from 'express'
+import { decode } from 'jsonwebtoken'
+
+export const checkIfIsQueryUser = (
+ req: Request,
+ resp: Response,
+ next: () => void
+): void => {
+ const token = req.headers.authorization?.split(' ')[1]
+ if (!token) {
+ resp.status(401).json({ error: 'Token não informado' })
+ return
+ }
+
+ const { userId, role } = decode(token) as { userId: string; role: string }
+
+ if (role === 'consulta') {
+ resp.status(403).json({
+ error: 'Usuários de consulta não têm acesso a essa funcionalidade'
+ })
+ return
+ }
+
+ req.userId = userId
+ next()
+}
diff --git a/src/routes.ts b/src/routes.ts
index 9ba3fc8..86d3e6d 100644
--- a/src/routes.ts
+++ b/src/routes.ts
@@ -1,4 +1,5 @@
 import { checkAdminAccessToken } from './middlewares/admin-auth-middleware'
+import { checkIfIsQueryUser } from './middlewares/is-not-query-user-middleware'
 import { Router } from 'express'
 import { adaptExpressRoute as adapt } from './adapters/express-router'
 import { makeCreateOrderController } from './factories/controllers/create-order-service'
@@ -18,9 +19,17 @@ import { makeUpdateEquipmentController } from './factories/controllers/update-eq
 
 const routes = Router()
 
-routes.post('/create-order-service', adapt(makeCreateOrderController()))
+routes.post(
+ '/create-order-service',
+ checkIfIsQueryUser,
+ adapt(makeCreateOrderController())
+)
 routes.get('/find', adapt(makeGetEquipmentController()))
-routes.post('/createEquipment', adapt(makeCreateEquipmentController()))
+routes.post(
+ '/createEquipment',
+ checkIfIsQueryUser,
+ adapt(makeCreateEquipmentController())
+)
 routes.delete(
 '/deleteEquipment',
 checkAdminAccessToken,
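Review bot: `checkIfIsQueryUser` is a deny-list — only a payload whose `role` is exactly `'consulta'` is rejected at the `if (role === 'consulta')` line, so a token with no `role` claim at all, a misspelt value, or any unknown string falls straight through to `next()`. On top of that the claim is read with `decode`, which never verifies the signature, so a query user can clear the check by editing their own token; the same weakness sits in the admin middleware, and both would be fixed once by extracting the token parsing into a shared helper (say `readVerifiedClaims(req)`) that calls `verify` and returns the claims or `null`. Only `administrador` and `consulta` appear anywhere in this diff; if those really are the only roles, an allow-list such as `if (role !== 'administrador') {` (or an explicit array of permitted roles) fails closed instead of open. The file name `is-not-query-user-middleware.ts` and the export `checkIfIsQueryUser` read as opposites of each other; a name like `denyQueryUser` says what the middleware actually enforces.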
@@ -31,10 +40,26 @@ routes.get('/getAllBrands', adapt(makeFindAllBrandsController()))
 routes.get('/getAllAcquisitions', adapt(makeFindAllAcquisitionsController()))
 routes.get('/listOrderService', adapt(makeFindOrderServiceController()))
 routes.get('/listOne', adapt(makeFindOneEquipmentController()))
-routes.put('/updateOrderService', adapt(makeUpdateOrderController()))
-routes.post('/createMovement', adapt(makeCreateMovementController()))
+routes.put(
+ '/updateOrderService',
+ checkIfIsQueryUser,
+ adapt(makeUpdateOrderController())
+)
+routes.post(
+ '/createMovement',
+ checkIfIsQueryUser,
+ adapt(makeCreateMovementController())
+)
 routes.get('/findMovements', adapt(makeFindMovementsController()))
-routes.delete('/deleteMovement', adapt(makeDeleteMovementController()))
-routes.put('/updateEquipment', adapt(makeUpdateEquipmentController()))
+routes.delete(
+ '/deleteMovement',
+ checkIfIsQueryUser,
+ adapt(makeDeleteMovementController())
+)
+routes.put(
+ '/updateEquipment',
+ checkIfIsQueryUser,
+ adapt(makeUpdateEquipmentController())
+)
 
 export default routes
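Review bot: The new `routes.delete('/deleteMovement', …)` is guarded only by `checkIfIsQueryUser`, whereas `/deleteEquipment` in the previous hunk of this file requires `checkAdminAccessToken`; if deleting a movement is meant to be as restricted as deleting equipment, the guard here should be `checkAdminAccessToken` instead. If the asymmetry is intentional, a one-line comment above the route such as `// any authenticated non-query user may delete movements` would keep the next reader from "correcting" it. Note also that the read routes in the context lines (`/listOrderService`, `/listOne`, `/findMovements`) carry no middleware at all and are reachable without any token; that predates this change, but since the commit is about restricting query users it is worth confirming that anonymous reads are intended.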