refactoring: TypeScript migration, security fixes,

2026-06-20 22:01:45 +00:00 · 2026-03-27 18:40:18 +01:00
parent 510475a46f
commit 8396a75223
150 changed files with 8116 additions and 8467 deletions
@@ -1,63 +0,0 @@
-const jwt = require('jsonwebtoken');
-const { db } = require('../db/database');
-const { JWT_SECRET } = require('../config');
-
-const authenticate = (req, res, next) => {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    return res.status(401).json({ error: 'Access token required' });
-  }
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    const user = db.prepare(
-      'SELECT id, username, email, role, maps_api_key, unsplash_api_key, openweather_api_key FROM users WHERE id = ?'
-    ).get(decoded.id);
-    if (!user) {
-      return res.status(401).json({ error: 'User not found' });
-    }
-    req.user = user;
-    next();
-  } catch (err) {
-    return res.status(401).json({ error: 'Invalid or expired token' });
-  }
-};
-
-const optionalAuth = (req, res, next) => {
-  const authHeader = req.headers['authorization'];
-  const token = authHeader && authHeader.split(' ')[1];
-
-  if (!token) {
-    req.user = null;
-    return next();
-  }
-
-  try {
-    const decoded = jwt.verify(token, JWT_SECRET);
-    const user = db.prepare(
-      'SELECT id, username, email, role, maps_api_key, unsplash_api_key, openweather_api_key FROM users WHERE id = ?'
-    ).get(decoded.id);
-    req.user = user || null;
-  } catch (err) {
-    req.user = null;
-  }
-  next();
-};
-
-const adminOnly = (req, res, next) => {
-  if (!req.user || req.user.role !== 'admin') {
-    return res.status(403).json({ error: 'Admin access required' });
-  }
-  next();
-};
-
-const demoUploadBlock = (req, res, next) => {
-  if (process.env.DEMO_MODE === 'true' && req.user?.email === 'demo@nomad.app') {
-    return res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host NOMAD for full functionality.' });
-  }
-  next();
-};
-
-module.exports = { authenticate, optionalAuth, adminOnly, demoUploadBlock };
@@ -0,0 +1,71 @@
+import { Request, Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+import { db } from '../db/database';
+import { JWT_SECRET } from '../config';
+import { AuthRequest, OptionalAuthRequest, User } from '../types';
+
+const authenticate = (req: Request, res: Response, next: NextFunction): void => {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    res.status(401).json({ error: 'Access token required' });
+    return;
+  }
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const user = db.prepare(
+      'SELECT id, username, email, role FROM users WHERE id = ?'
+    ).get(decoded.id) as User | undefined;
+    if (!user) {
+      res.status(401).json({ error: 'User not found' });
+      return;
+    }
+    (req as AuthRequest).user = user;
+    next();
+  } catch (err: unknown) {
+    res.status(401).json({ error: 'Invalid or expired token' });
+  }
+};
+
+const optionalAuth = (req: Request, res: Response, next: NextFunction): void => {
+  const authHeader = req.headers['authorization'];
+  const token = authHeader && authHeader.split(' ')[1];
+
+  if (!token) {
+    (req as OptionalAuthRequest).user = null;
+    return next();
+  }
+
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const user = db.prepare(
+      'SELECT id, username, email, role FROM users WHERE id = ?'
+    ).get(decoded.id) as User | undefined;
+    (req as OptionalAuthRequest).user = user || null;
+  } catch (err: unknown) {
+    (req as OptionalAuthRequest).user = null;
+  }
+  next();
+};
+
+const adminOnly = (req: Request, res: Response, next: NextFunction): void => {
+  const authReq = req as AuthRequest;
+  if (!authReq.user || authReq.user.role !== 'admin') {
+    res.status(403).json({ error: 'Admin access required' });
+    return;
+  }
+  next();
+};
+
+const demoUploadBlock = (req: Request, res: Response, next: NextFunction): void => {
+  const authReq = req as AuthRequest;
+  if (process.env.DEMO_MODE === 'true' && authReq.user?.email === 'demo@nomad.app') {
+    res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host NOMAD for full functionality.' });
+    return;
+  }
+  next();
+};
+
+export { authenticate, optionalAuth, adminOnly, demoUploadBlock };
@@ -0,0 +1,37 @@
+import { Request, Response, NextFunction } from 'express';
+import { canAccessTrip, isOwner } from '../db/database';
+import { AuthRequest } from '../types';
+
+/** Middleware: verifies the authenticated user is an owner or member of the trip, then attaches trip to req. */
+function requireTripAccess(req: Request, res: Response, next: NextFunction): void {
+  const authReq = req as AuthRequest;
+  const tripId = req.params.tripId || req.params.id;
+  if (!tripId) {
+    res.status(400).json({ error: 'Trip ID required' });
+    return;
+  }
+  const trip = canAccessTrip(Number(tripId), authReq.user.id);
+  if (!trip) {
+    res.status(404).json({ error: 'Trip not found' });
+    return;
+  }
+  authReq.trip = trip;
+  next();
+}
+
+/** Middleware: verifies the authenticated user is the trip owner (not just a member). */
+function requireTripOwner(req: Request, res: Response, next: NextFunction): void {
+  const authReq = req as AuthRequest;
+  const tripId = req.params.tripId || req.params.id;
+  if (!tripId) {
+    res.status(400).json({ error: 'Trip ID required' });
+    return;
+  }
+  if (!isOwner(Number(tripId), authReq.user.id)) {
+    res.status(403).json({ error: 'Only the trip owner can do this' });
+    return;
+  }
+  next();
+}
+
+export { requireTripAccess, requireTripOwner };
@@ -0,0 +1,26 @@
+import { Request, Response, NextFunction } from 'express';
+
+function maxLength(field: string, max: number) {
+  return (req: Request, res: Response, next: NextFunction): void => {
+    if (req.body[field] && typeof req.body[field] === 'string' && req.body[field].length > max) {
+      res.status(400).json({ error: `${field} must be ${max} characters or less` });
+      return;
+    }
+    next();
+  };
+}
+
+function validateStringLengths(maxLengths: Record<string, number>) {
+  return (req: Request, res: Response, next: NextFunction): void => {
+    for (const [field, max] of Object.entries(maxLengths)) {
+      const value = req.body[field];
+      if (value && typeof value === 'string' && value.length > max) {
+        res.status(400).json({ error: `${field} must be ${max} characters or less` });
+        return;
+      }
+    }
+    next();
+  };
+}
+
+export { maxLength, validateStringLengths };