Update:Express middleware sets req.user to new data model, openid per…

…missions functions moved to new data model
advplyr · Aug 11, 2024 · 2472b86 · 2472b86
1 parent 29a1585
commit 2472b86
Show file tree

Hide file tree

Showing 29 changed files with 474 additions and 430 deletions.
diff --git a/server/Auth.js b/server/Auth.js
@@ -152,6 +152,8 @@ class Auth {
   /**
    * Finds an existing user by OpenID subject identifier, or by email/username based on server settings,
    * or creates a new user if configured to do so.
+   *
+   * @returns {import('./models/User')|null}
    */
   async findOrCreateUser(userinfo) {
     let user = await Database.userModel.getUserByOpenIDSub(userinfo.sub)
@@ -307,9 +309,8 @@ class Auth {
     const absPermissions = userinfo[absPermissionsClaim]
     if (!absPermissions) throw new Error(`Advanced permissions claim ${absPermissionsClaim} not found in userinfo`)
 
-    if (user.updatePermissionsFromExternalJSON(absPermissions)) {
+    if (await user.updatePermissionsFromExternalJSON(absPermissions)) {
       Logger.info(`[Auth] openid callback: Updating advanced perms for user "${user.username}" using "${JSON.stringify(absPermissions)}"`)
-      await Database.userModel.updateFromOld(user)
     }
   }
 
@@ -921,7 +922,7 @@ class Auth {
   async userChangePassword(req, res) {
     let { password, newPassword } = req.body
     newPassword = newPassword || ''
-    const matchingUser = req.userNew
+    const matchingUser = req.user
 
     // Only root can have an empty password
     if (matchingUser.type !== 'root' && !newPassword) {

diff --git a/server/Server.js b/server/Server.js
@@ -91,23 +91,14 @@ class Server {
 
   /**
    * Middleware to check if the current request is authenticated
-   * req.user is set if authenticated to the OLD user object
-   * req.userNew is set if authenticated to the NEW user object
    *
    * @param {import('express').Request} req
    * @param {import('express').Response} res
    * @param {import('express').NextFunction} next
    */
   authMiddleware(req, res, next) {
     // ask passportjs if the current request is authenticated
-    this.auth.isAuthenticated(req, res, () => {
-      if (req.user) {
-        // TODO: req.userNew to become req.user
-        req.userNew = req.user
-        req.user = Database.userModel.getOldUser(req.user)
-      }
-      next()
-    })
+    this.auth.isAuthenticated(req, res, next)
   }
 
   cancelLibraryScan(libraryId) {

diff --git a/server/controllers/AuthorController.js b/server/controllers/AuthorController.js
@@ -24,7 +24,7 @@ class AuthorController {
 
     // Used on author landing page to include library items and items grouped in series
     if (include.includes('items')) {
-      authorJson.libraryItems = await Database.libraryItemModel.getForAuthor(req.author, req.userNew)
+      authorJson.libraryItems = await Database.libraryItemModel.getForAuthor(req.author, req.user)
 
       if (include.includes('series')) {
         const seriesMap = {}
@@ -222,8 +222,8 @@ class AuthorController {
    * @param {import('express').Response} res
    */
   async uploadImage(req, res) {
-    if (!req.userNew.canUpload) {
-      Logger.warn(`User "${req.userNew.username}" attempted to upload an image without permission`)
+    if (!req.user.canUpload) {
+      Logger.warn(`User "${req.user.username}" attempted to upload an image without permission`)
       return res.sendStatus(403)
     }
     if (!req.body.url) {
@@ -362,11 +362,11 @@ class AuthorController {
     const author = await Database.authorModel.getOldById(req.params.id)
     if (!author) return res.sendStatus(404)
 
-    if (req.method == 'DELETE' && !req.userNew.canDelete) {
-      Logger.warn(`[AuthorController] User "${req.userNew.username}" attempted to delete without permission`)
+    if (req.method == 'DELETE' && !req.user.canDelete) {
+      Logger.warn(`[AuthorController] User "${req.user.username}" attempted to delete without permission`)
       return res.sendStatus(403)
-    } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.userNew.canUpdate) {
-      Logger.warn(`[AuthorController] User "${req.userNew.username}" attempted to update without permission`)
+    } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) {
+      Logger.warn(`[AuthorController] User "${req.user.username}" attempted to update without permission`)
       return res.sendStatus(403)
     }
 

diff --git a/server/controllers/BackupController.js b/server/controllers/BackupController.js
@@ -113,8 +113,8 @@ class BackupController {
   }
 
   middleware(req, res, next) {
-    if (!req.userNew.isAdminOrUp) {
-      Logger.error(`[BackupController] Non-admin user "${req.userNew.username}" attempting to access backups`)
+    if (!req.user.isAdminOrUp) {
+      Logger.error(`[BackupController] Non-admin user "${req.user.username}" attempting to access backups`)
       return res.sendStatus(403)
     }
 

diff --git a/server/controllers/CacheController.js b/server/controllers/CacheController.js
@@ -5,7 +5,7 @@ class CacheController {
 
   // POST: api/cache/purge
   async purgeCache(req, res) {
-    if (!req.userNew.isAdminOrUp) {
+    if (!req.user.isAdminOrUp) {
       return res.sendStatus(403)
     }
     await CacheManager.purgeAll()
@@ -14,7 +14,7 @@ class CacheController {
 
   // POST: api/cache/items/purge
   async purgeItemsCache(req, res) {
-    if (!req.userNew.isAdminOrUp) {
+    if (!req.user.isAdminOrUp) {
       return res.sendStatus(403)
     }
     await CacheManager.purgeItems()

diff --git a/server/controllers/CollectionController.js b/server/controllers/CollectionController.js
@@ -16,7 +16,7 @@ class CollectionController {
    */
   async create(req, res) {
     const newCollection = new Collection()
-    req.body.userId = req.userNew.id
+    req.body.userId = req.user.id
     if (!newCollection.setData(req.body)) {
       return res.status(400).send('Invalid collection data')
     }
@@ -50,7 +50,7 @@ class CollectionController {
   }
 
   async findAll(req, res) {
-    const collectionsExpanded = await Database.collectionModel.getOldCollectionsJsonExpanded(req.userNew)
+    const collectionsExpanded = await Database.collectionModel.getOldCollectionsJsonExpanded(req.user)
     res.json({
       collections: collectionsExpanded
     })
@@ -59,7 +59,7 @@ class CollectionController {
   async findOne(req, res) {
     const includeEntities = (req.query.include || '').split(',')
 
-    const collectionExpanded = await req.collection.getOldJsonExpanded(req.userNew, includeEntities)
+    const collectionExpanded = await req.collection.getOldJsonExpanded(req.user, includeEntities)
     if (!collectionExpanded) {
       // This may happen if the user is restricted from all books
       return res.sendStatus(404)
@@ -334,11 +334,11 @@ class CollectionController {
       req.collection = collection
     }
 
-    if (req.method == 'DELETE' && !req.userNew.canDelete) {
-      Logger.warn(`[CollectionController] User "${req.userNew.username}" attempted to delete without permission`)
+    if (req.method == 'DELETE' && !req.user.canDelete) {
+      Logger.warn(`[CollectionController] User "${req.user.username}" attempted to delete without permission`)
       return res.sendStatus(403)
-    } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.userNew.canUpdate) {
-      Logger.warn(`[CollectionController] User "${req.userNew.username}" attempted to update without permission`)
+    } else if ((req.method == 'PATCH' || req.method == 'POST') && !req.user.canUpdate) {
+      Logger.warn(`[CollectionController] User "${req.user.username}" attempted to update without permission`)
       return res.sendStatus(403)
     }
 

diff --git a/server/controllers/CustomMetadataProviderController.js b/server/controllers/CustomMetadataProviderController.js
@@ -101,8 +101,8 @@ class CustomMetadataProviderController {
    * @param {import('express').NextFunction} next
    */
   async middleware(req, res, next) {
-    if (!req.userNew.isAdminOrUp) {
-      Logger.warn(`[CustomMetadataProviderController] Non-admin user "${req.userNew.username}" attempted access route "${req.path}"`)
+    if (!req.user.isAdminOrUp) {
+      Logger.warn(`[CustomMetadataProviderController] Non-admin user "${req.user.username}" attempted access route "${req.path}"`)
       return res.sendStatus(403)
     }
 

diff --git a/server/controllers/EmailController.js b/server/controllers/EmailController.js
@@ -59,15 +59,15 @@ class EmailController {
    * @param {import('express').Response} res
    */
   async sendEBookToDevice(req, res) {
-    Logger.debug(`[EmailController] Send ebook to device requested by user "${req.userNew.username}" for libraryItemId=${req.body.libraryItemId}, deviceName=${req.body.deviceName}`)
+    Logger.debug(`[EmailController] Send ebook to device requested by user "${req.user.username}" for libraryItemId=${req.body.libraryItemId}, deviceName=${req.body.deviceName}`)
 
     const device = Database.emailSettings.getEReaderDevice(req.body.deviceName)
     if (!device) {
       return res.status(404).send('Ereader device not found')
     }
 
     // Check user has access to device
-    if (!Database.emailSettings.checkUserCanAccessDevice(device, req.userNew)) {
+    if (!Database.emailSettings.checkUserCanAccessDevice(device, req.user)) {
       return res.sendStatus(403)
     }
 
@@ -77,7 +77,7 @@ class EmailController {
     }
 
     // Check user has access to library item
-    if (!req.userNew.checkCanAccessLibraryItem(libraryItem)) {
+    if (!req.user.checkCanAccessLibraryItem(libraryItem)) {
       return res.sendStatus(403)
     }
 
@@ -90,7 +90,7 @@ class EmailController {
   }
 
   adminMiddleware(req, res, next) {
-    if (!req.userNew.isAdminOrUp) {
+    if (!req.user.isAdminOrUp) {
       return res.sendStatus(404)
     }
 

diff --git a/server/controllers/FileSystemController.js b/server/controllers/FileSystemController.js
@@ -13,8 +13,8 @@ class FileSystemController {
    * @param {import('express').Response} res
    */
   async getPaths(req, res) {
-    if (!req.userNew.isAdminOrUp) {
-      Logger.error(`[FileSystemController] Non-admin user "${req.userNew.username}" attempting to get filesystem paths`)
+    if (!req.user.isAdminOrUp) {
+      Logger.error(`[FileSystemController] Non-admin user "${req.user.username}" attempting to get filesystem paths`)
       return res.sendStatus(403)
     }
 
@@ -69,8 +69,8 @@ class FileSystemController {
 
   // POST: api/filesystem/pathexists
   async checkPathExists(req, res) {
-    if (!req.userNew.canUpload) {
-      Logger.error(`[FileSystemController] Non-admin user "${req.userNew.username}" attempting to check path exists`)
+    if (!req.user.canUpload) {
+      Logger.error(`[FileSystemController] Non-admin user "${req.user.username}" attempting to check path exists`)
       return res.sendStatus(403)
     }