feat(auth): add membership and role checks to server mutation routes#88
Closed
varun29sharma wants to merge 1 commit into
Closed
feat(auth): add membership and role checks to server mutation routes#88varun29sharma wants to merge 1 commit into
varun29sharma wants to merge 1 commit into
Conversation
- Add server/middleware/verifyServerRole.js with 3-layer guard: 401 for missing/invalid JWT 403 for non-members of the target server 403 for members without owner/admin role - Apply verifyServerRole to /add_new_channel, /add_new_category, /delete_server - Reuses existing checkServerInUser() from serverService.js - validate() from Issue 18 runs first, verifyServerRole second - Socket.IO server_updated events completely unchanged Closes 0rigin-c0de#19
👷 Deploy request for piperchat01 pending review.Visit the deploys page to approve it
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #19
Adds authentication, server membership verification, and role-based access
control to the three unprotected mutation routes in
server/routes/servers.js.Previously any anonymous HTTP request could create channels, categories, or
delete a server entirely.
Changes
New file:
server/middleware/verifyServerRole.jsA three-layer guard middleware that runs in sequence:
x-auth-tokenheader →401if missing or invalidcheckServerInUser()to confirm user belongs to the server →403if not a memberserver_roleon the User document isowneroradmin→403if regular memberAttaches
req.userandreq.serverMembershipfor downstream use.Modified:
server/routes/servers.jsPOST /add_new_channelvalidate()→verifyServerRole()→ handlerPOST /add_new_categoryvalidate()→verifyServerRole()→ handlerPOST /delete_servervalidate()→verifyServerRole()→ handlerReuses the existing
checkServerInUser()fromserverService.js— the samepattern already used correctly in
/server_info.Socket.IO
server_updatedevents are completely unchanged.Test evidence
All tests run with
curlagainst local instance (port 2000):POST /add_new_channelwith no token →401✅POST /add_new_channelwith fake token →401✅POST /add_new_channelwith valid token but wrong server →403✅POST /add_new_categorywith owner token + real server →200✅Compatibility
All existing happy-path response shapes unchanged. No frontend code modified.
validate()middleware from PR #82 runs first,verifyServerRole()second —the two middlewares compose cleanly.Yeah So everything's fine now