bugfix rbac

2026-04-27 15:49:56 +02:00
parent 2ab69bda98
commit 5f494bb837
6 changed files with 93 additions and 90 deletions
--- a/src/routes/loginRoutes.js
+++ b/src/routes/loginRoutes.js
@@ -40,7 +40,7 @@ module.exports = {

        
        // Geschützte Route
-        app.get('/me', service.get('authenticationManager').authenticate(), (req, res) => {
+        app.get('/me', service.get('rbacManager').authenticate(), (req, res) => {
            res.json(JSON.stringify({
                user: {
                name: req.user
@@ -63,7 +63,7 @@ module.exports = {
        });

        // Logout
-        app.post('/logout', service.get('authenticationManager').authenticate(), async (req, res) => {
+        app.post('/logout', service.get('rbacManager').authenticate(), async (req, res) => {
            const logout = await service.get('authenticationManager').logout(req.user.sAMAccountName);

            // socketManager.sendTo('/', req.user.objectGuid, 'login_status', { levelId: logout.levelId, message: logout.message } )
--- a/src/services/authenticationManager.js
+++ b/src/services/authenticationManager.js
@@ -2,6 +2,7 @@ const jwt = require('jsonwebtoken');
 const bcrypt = require('bcryptjs');

 class AuthenticationManager {
+
  constructor(model, secretKey) {
    this.Authentication = model;
    this.SECRET_KEY = secretKey;
@@ -113,81 +114,6 @@ class AuthenticationManager {
      return { valid: false, levelId: 4 };
    }
  }
-
-  // =========================================================
-  // 🔥 MIDDLEWARE BLEIBT HIER
-  // =========================================================
-  authenticate() {
-    return async (req, res, next) => {
-
-      try {
-
-        // =====================================================
-        // 🔥 GLOBAL PUBLIC ROUTE BYPASS (ROBUST)
-        // =====================================================
-
-        const url = req.originalUrl.split('?')[0];
-
-        const publicRoutes = [
-          '/login',
-          '/public'
-        ];
-
-        const isPublicRoute = publicRoutes.some(route =>
-          url === route || url.startsWith(route + '/')
-        );
-
-        if (isPublicRoute) {
-          return next();
-        }
-
-        // =====================================================
-        // 🔐 AUTH FLOW
-        // =====================================================
-
-        const sAMAccountName = req.cookies?.sAMAccountName;
-
-        if (!sAMAccountName) {
-          return res.redirect('/login');
-        }
-
-        const user = await this.findUser(sAMAccountName);
-
-        if (!user || !user.active) {
-          return res.redirect('/login');
-        }
-
-        let payload;
-
-        try {
-          payload = jwt.verify(user.refreshtoken, this.SECRET_KEY);
-        } catch {
-          return res.redirect('/login');
-        }
-
-        const rbac = await this.rbac.resolvePermissions(user.ObjectGUID);
-
-        const normalized = this.rbac.normalize(rbac.permissions);
-        const isSuperAdmin = this.rbac.isSuperAdmin(normalized);
-
-        req.user = {
-          ...user.toJSON(),
-          jwt: payload,
-          groups: rbac.groups,
-          roles: rbac.roles,
-          permissions: normalized,
-          isSuperAdmin
-        };
-
-        next();
-
-      } catch (err) {
-        console.error(err);
-        return res.redirect('/login');
-      }
-    };
-  }
-  
 }

 module.exports = AuthenticationManager;
--- a/src/services/rbacManager.js
+++ b/src/services/rbacManager.js
@@ -151,6 +151,82 @@ class RBACManager {
    };
  }

+  
+  // =========================================================
+  // 🔥 MIDDLEWARE BLEIBT HIER
+  // =========================================================
+  authenticate() {
+    return async (req, res, next) => {
+
+      try {
+
+        // =====================================================
+        // 🔥 GLOBAL PUBLIC ROUTE BYPASS (ROBUST)
+        // =====================================================
+
+        const url = req.originalUrl.split('?')[0];
+
+        const publicRoutes = [
+          '/login',
+          '/public'
+        ];
+
+        const isPublicRoute = publicRoutes.some(route =>
+          url === route || url.startsWith(route + '/')
+        );
+
+        if (isPublicRoute) {
+          return next();
+        }
+
+        // =====================================================
+        // 🔐 AUTH FLOW
+        // =====================================================
+
+        const sAMAccountName = req.cookies?.sAMAccountName;
+
+        if (!sAMAccountName) {
+          return res.redirect('/login');
+        }
+
+        const user = await this.db.get('authentication').findOne( { where: { sAMAccountName } } );
+
+        if (!user || !user.active) {
+          return res.redirect('/login');
+        }
+
+        let payload;
+
+        try {
+          payload = jwt.verify(user.refreshtoken, this.SECRET_KEY);
+        } catch {
+          return res.redirect('/login');
+        }
+
+        const rbac = await this.resolvePermissions(user.ObjectGUID);
+
+        const normalized = this.normalize(rbac.permissions);
+        const isSuperAdmin = this.isSuperAdmin(normalized);
+
+        req.user = {
+          ...user.toJSON(),
+          jwt: payload,
+          groups: rbac.groups,
+          roles: rbac.roles,
+          permissions: normalized,
+          isSuperAdmin
+        };
+
+        next();
+
+      } catch (err) {
+        console.error(err);
+        return res.redirect('/login');
+      }
+    };
+  }
+  
+
  normalize(permissions) {
    return permissions.map(p => ({
      scope: p.scope,