fix(internal): Restructure auth and guard middlewares

Mostly naming tweaks for clarity

Author: ashquarky

apps/miiverse-api/src/services/internal/index.ts

@@ -4,4 +4,4 @@ import { postsRouter } from '@/services/internal/routes/posts';
 
 export const internalApiRouter = express.Router();
 internalApiRouter.use('/api/v1', testRouter);
-internalApiRouter.use('/api/v1/posts', postsRouter);
+internalApiRouter.use('/api/v1', postsRouter);

…nternal/middleware/check-user-account.ts …/internal/middleware/auth-accesscheck.tsapps/miiverse-api/src/services/internal/middleware/check-user-account.ts renamed to apps/miiverse-api/src/services/internal/middleware/auth-accesscheck.ts apps/miiverse-api/src/services/internal/middleware/check-user-account.ts renamed to apps/miiverse-api/src/services/internal/middleware/auth-accesscheck.ts

@@ -4,7 +4,7 @@ import type express from 'express';
 /**
  * Checks the user account is valid for this request (not banned, setup complete, etc.)
  */
-async function checkUserAccount(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
+export async function authAccessCheck(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
 	const account = response.locals.account;
 	if (account === null) {
 		// Guest access
@@ -19,5 +19,3 @@ async function checkUserAccount(request: express.Request, response: express.Resp
 
 	return next();
 }
-
-export default checkUserAccount;

…es/internal/middleware/authentication.ts …ces/internal/middleware/auth-populate.tsapps/miiverse-api/src/services/internal/middleware/authentication.ts renamed to apps/miiverse-api/src/services/internal/middleware/auth-populate.ts apps/miiverse-api/src/services/internal/middleware/authentication.ts renamed to apps/miiverse-api/src/services/internal/middleware/auth-populate.ts

@@ -8,7 +8,7 @@ import type { AccountData } from '@/types/common/account-data';
  * Handles authentication for service (NNAS/console) and OAuth (web) tokens. Sets locals.account to AccountData.
  * Will error if tokens bad or account nonexistent, but otherwise does not check bans or setup status.
  */
-async function auth(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
+export async function authPopulate(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
 	// Used by console applets
 	const serviceToken = getValueFromHeaders(request.headers, 'x-service-token');
 	// Used by web frontend
@@ -19,9 +19,9 @@ async function auth(request: express.Request, response: express.Response, next:
 	}
 
 	if (serviceToken) {
-		response.locals.account = await consoleAuth(serviceToken);
+		response.locals.account = await consoleAuth(request, serviceToken);
 	} else if (oAuthToken) {
-		response.locals.account = await webAuth(oAuthToken);
+		response.locals.account = await webAuth(request, oAuthToken);
 	} else {
 		// Guest access
 		response.locals.account = null;
@@ -30,34 +30,33 @@ async function auth(request: express.Request, response: express.Response, next:
 	return next();
 }
 
-async function consoleAuth(serviceToken: string): Promise<AccountData> {
+async function consoleAuth(_request: express.Request, serviceToken: string): Promise<AccountData> {
 	const pid = getPIDFromServiceToken(serviceToken);
 	if (pid === 0) {
 		throw new errors.unauthorized('Invalid service token');
 	}
 
-	const pnid = await getUserAccountData(pid);
 	// If the user has a valid token for an unknown PID, just let the exception bubble
+	const pnid = await getUserAccountData(pid);
 
-	const settings = await getUserSettings(pid) ?? undefined; // Null doesn't play nice with TS ?
-	// Undef here just means the initial setup isn't done
+	// Null here just means the initial setup isn't done
+	const settings = await getUserSettings(pid);
 
 	return { pnid, settings };
 }
 
-async function webAuth(oAuthToken: string): Promise<AccountData> {
+async function webAuth(request: express.Request, oAuthToken: string): Promise<AccountData> {
 	// The "normal" getUserData API (used here) is mutually incompatible with the "backdoor" one.
 	// Since we can only use the backdoor one for consoles right now...
-	const pid = (await getUserDataFromToken(oAuthToken).catch(() => {
+	const pid = (await getUserDataFromToken(oAuthToken).catch((e) => {
 		// TODO should probably check the error type here in case of e.g. connection refused
+		request.log.error(e, 'Failed to get user data from OAuth token');
 		throw new errors.unauthorized('Invalid OAuth token!');
 	})).pid;
 	// Ask the "backdoor" API, just use the above as a glorified token decryption.
 	const pnid = await getUserAccountData(pid);
 
-	const settings = await getUserSettings(pid) ?? undefined;
+	const settings = await getUserSettings(pid);
 
 	return { pnid, settings };
 }
-
-export default auth;

…al/middleware/authenticated-endpoints.ts …c/services/internal/middleware/guards.tsapps/miiverse-api/src/services/internal/middleware/authenticated-endpoints.ts renamed to apps/miiverse-api/src/services/internal/middleware/guards.ts apps/miiverse-api/src/services/internal/middleware/authenticated-endpoints.ts renamed to apps/miiverse-api/src/services/internal/middleware/guards.ts

@@ -4,14 +4,14 @@ import type express from 'express';
 /**
  * Guest access is fine
  */
-export async function authGuest(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
+export async function guest(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
 	return next();
 }
 
 /**
  * Fail on guest access
  */
-export async function authUsers(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
+export async function user(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
 	const account = response.locals.account;
 	if (account === null) {
 		// Guest access
@@ -24,7 +24,7 @@ export async function authUsers(request: express.Request, response: express.Resp
 /**
  * Moderators only
  */
-export async function authModerators(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
+export async function moderator(request: express.Request, response: express.Response, next: express.NextFunction): Promise<void> {
 	const account = response.locals.account;
 	if (account === null) {
 		// Guest access
@@ -37,3 +37,9 @@ export async function authModerators(request: express.Request, response: express
 
 	return next();
 }
+
+export const guards = {
+	guest,
+	user,
+	moderator
+};

apps/miiverse-api/src/services/internal/routes/posts.ts

@@ -2,12 +2,12 @@ import express from 'express';
 import { getPostByID } from '@/database';
 import { errors } from '@/services/internal/errors';
 import { handle } from '@/services/internal/utils';
-import { authGuest } from '@/services/internal/middleware/authenticated-endpoints';
+import { guards } from '@/services/internal/middleware/guards';
 import { mapPost } from '@/services/internal/contract/post';
 
 export const postsRouter = express.Router();
 
-postsRouter.get('/:post_id', authGuest, handle(async ({ req }) => {
+postsRouter.get('/posts/:post_id', guards.guest, handle(async ({ req }) => {
 	const post = await getPostByID(req.params.post_id);
 	if (!post || post.removed) {
 		throw new errors.notFound('Post not found');

apps/miiverse-api/src/services/internal/routes/test.ts

@@ -1,10 +1,10 @@
 import express from 'express';
 import { handle } from '@/services/internal/utils';
-import { authUsers } from '@/services/internal/middleware/authenticated-endpoints';
+import { guards } from '@/services/internal/middleware/guards';
 
 export const testRouter = express.Router();
 
-testRouter.get('/test', authUsers, handle(async () => {
+testRouter.get('/test', guards.user, handle(async () => {
 	return {
 		message: 'Hello from the test route!'
 	};

apps/miiverse-api/src/services/internal/server.ts

@@ -4,20 +4,20 @@ import express from 'express';
 import { MiiverseServiceDefinition } from '@repo/grpc-client/out/miiverse_service';
 import { config } from '@/config';
 import { internalApiRouter } from '@/services/internal';
-import authentication from '@/services/internal/middleware/authentication';
-import checkUserAccount from '@/services/internal/middleware/check-user-account';
 import { logger } from '@/logger';
 import { InternalAPIError } from '@/services/internal/errors';
 import { loggerHttp } from '@/loggerHttp';
+import { authPopulate } from '@/services/internal/middleware/auth-populate';
+import { authAccessCheck } from '@/services/internal/middleware/auth-accesscheck';
 import type { CallContext, ServerMiddlewareCall } from 'nice-grpc';
 
 // API server
 
 const app = express();
 app.use(express.json());
 app.use(loggerHttp);
-app.use(authentication);
-app.use(checkUserAccount);
+app.use(authPopulate);
+app.use(authAccessCheck);
 app.use(internalApiRouter);
 
 // API error handler

apps/miiverse-api/src/types/common/account-data.ts

@@ -3,5 +3,5 @@ import type { GetUserDataResponse } from '@pretendonetwork/grpc/account/get_user
 
 export interface AccountData {
 	pnid: GetUserDataResponse;
-	settings?: HydratedSettingsDocument;
+	settings: HydratedSettingsDocument | null;
 }