1 files changed, 118 insertions, 0 deletions

diff --git a/app/Middleware/Auth.ts b/app/Middleware/Auth.ts
new file mode 100644
index 0000000..d0b212c
--- /dev/null
+++ b/app/Middleware/Auth.ts
@@ -0,0 +1,118 @@
+import { GuardsList } from '@ioc:Adonis/Addons/Auth';
+import { HttpContextContract } from '@ioc:Adonis/Core/HttpContext';
+import { AuthenticationException } from '@adonisjs/auth/build/standalone';
+import * as jose from 'jose';
+import { appKey } from 'Config/app';
+import User from 'App/Models/User';
+
+/**
+ * Auth middleware is meant to restrict un-authenticated access to a given route
+ * or a group of routes.
+ *
+ * You must register this middleware inside `start/kernel.ts` file under the list
+ * of named middleware.
+ */
+export default class AuthMiddleware {
+  /**
+   * The URL to redirect to when request is Unauthorized
+   */
+  protected redirectTo = '/user/login';
+
+  /**
+   * Authenticates the current HTTP request against a custom set of defined
+   * guards.
+   *
+   * The authentication loop stops as soon as the user is authenticated using any
+   * of the mentioned guards and that guard will be used by the rest of the code
+   * during the current request.
+   */
+  protected async authenticate(
+    auth: HttpContextContract['auth'],
+    guards: (keyof GuardsList)[],
+    request: HttpContextContract['request'],
+  ) {
+    /**
+     * Hold reference to the guard last attempted within the for loop. We pass
+     * the reference of the guard to the "AuthenticationException", so that
+     * it can decide the correct response behavior based upon the guard
+     * driver
+     */
+    let guardLastAttempted: string | undefined;
+
+    for (const guard of guards) {
+      guardLastAttempted = guard;
+
+      let isLoggedIn = false;
+      try {
+        // eslint-disable-next-line no-await-in-loop
+        isLoggedIn = await auth.use(guard).check();
+      } catch {
+        // Silent fail to allow the rest of the code to handle the error
+      }
+
+      if (isLoggedIn) {
+        /**
+         * Instruct auth to use the given guard as the default guard for
+         * the rest of the request, since the user authenticated
+         * succeeded here
+         */
+        auth.defaultGuard = guard;
+        return;
+      }
+    }
+
+    // Manually try authenticating using the JWT (verfiy signature required)
+    // Legacy support for JWTs so that the client still works (older than 2.0.0)
+    const authToken = request.headers().authorization?.split(' ')[1];
+    if (authToken) {
+      try {
+        const jwt = await jose.jwtVerify(
+          authToken,
+          new TextEncoder().encode(appKey),
+        );
+        const { uid } = jwt.payload;
+
+        // @ts-expect-error
+        request.user = await User.findOrFail(uid);
+        return;
+      } catch {
+        // Silent fail to allow the rest of the code to handle the error
+      }
+    }
+
+    /**
+     * Unable to authenticate using any guard
+     */
+    throw new AuthenticationException(
+      'Unauthorized access',
+      'E_UNAUTHORIZED_ACCESS',
+      guardLastAttempted,
+      this.redirectTo,
+    );
+  }
+
+  /**
+   * Handle request
+   */
+  public async handle(
+    { request, auth, response }: HttpContextContract,
+    next: () => Promise<void>,
+    customGuards: (keyof GuardsList)[],
+  ) {
+    /**
+     * Uses the user defined guards or the default guard mentioned in
+     * the config file
+     */
+    const guards = customGuards.length > 0 ? customGuards : [auth.name];
+    try {
+      await this.authenticate(auth, guards, request);
+    } catch (error) {
+      // If the user is not authenticated and it is a web endpoint, redirect to the login page
+      if (guards.includes('web')) {
+        return response.redirect(error.redirectTo);
+      }
+      throw error;
+    }
+    await next();
+  }
+}