CentralBackend/middleware/guestRestriction.js
Seazn c2bbb1df15 feat: implement auto-renewal cron service for subscriptions
- Added RenewalCronService to handle automatic subscription renewals and reactivations.
- Introduced listPausedAutoRenew method in AbonemmentRepository to fetch paused subscriptions eligible for reactivation.
- Created test script for renewal cron job to simulate subscription renewal scenarios.
- Updated MailService to send renewal confirmation and payment reminder emails.
- Enhanced EmailVerificationService to auto-grant 'can_subscribe' permission upon email verification.
- Modified createAdminUser script to allow different admin email configurations.
- Added node-cron dependency for scheduling tasks.
2026-03-15 14:16:46 +01:00


const { logger } = require('./logger');
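/**
 * Route prefixes a guest account (role='guest') may reach. Everything not on
 * this list (or the guest's own permissions endpoint) is rejected with 403 by
 * guestRestriction() below.
 *
 * Routes are mounted at /api but the list is written WITHOUT that mount
 * prefix; guestRestriction() strips it before comparing. See that function
 * for the exact matching rule.
 *
 * Frozen so that a stray mutation at runtime fails loudly instead of silently
 * widening what guests are allowed to call.
 *
 * Place guestRestriction AFTER authMiddleware in the app-level middleware chain.
 */
const GUEST_ALLOWED_PREFIXES = Object.freeze([
  '/abonements',
  '/invoices/mine',
  '/me',
  '/user/settings',
  '/user/status',
  '/logout',
  '/refresh',
  '/coffee/active',
  '/tax/vat-rates',
  '/send-verification-email',
  '/verify-email-code',
]);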
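/**
 * True when `pathname` is exactly `prefix` or a sub-path under it.
 *
 * A bare startsWith() would also accept longer sibling segments — '/me'
 * would cover '/messages', '/abonements' would cover '/abonements-admin' —
 * which is precisely the gap an allow-list must not have. The character
 * after the prefix therefore has to be '/' or the end of the path.
 *
 * @param {string} pathname - request path, no query string
 * @param {string} prefix - allow-list entry (no trailing slash)
 * @returns {boolean}
 */
function matchesPrefix(pathname, prefix) {
  if (!pathname.startsWith(prefix)) {
    return false;
  }
  return pathname.length === prefix.length || pathname[prefix.length] === '/';
}

/**
 * Decide whether a guest may reach `pathname` (already stripped of `/api`).
 *
 * @param {string} pathname - request path without query string or `/api` mount prefix
 * @param {string|number|undefined} userId - id of the guest, if known
 * @param {readonly string[]} [prefixes=GUEST_ALLOWED_PREFIXES] - allow-list to check against
 * @returns {boolean}
 */
function isGuestPathAllowed(pathname, userId, prefixes = GUEST_ALLOWED_PREFIXES) {
  if (prefixes.some((prefix) => matchesPrefix(pathname, prefix))) {
    return true;
  }
  // A guest may read their own permissions and nobody else's; without a
  // known id there is nothing to compare against, so deny.
  if (!userId) {
    return false;
  }
  return pathname === `/users/${userId}/permissions`;
}

/**
 * Express middleware that confines guest accounts (req.user.role === 'guest')
 * to GUEST_ALLOWED_PREFIXES plus their own permissions endpoint. Requests
 * without a user, or with any other role, pass through untouched.
 *
 * Place this AFTER authMiddleware so req.user is populated.
 *
 * @param {import('express').Request} req
 * @param {import('express').Response} res
 * @param {import('express').NextFunction} next
 * @returns {void|import('express').Response}
 */
function guestRestriction(req, res, next) {
  const user = req.user;
  if (!user || user.role !== 'guest') {
    return next();
  }
  // The query string never takes part in the decision; compare the path only.
  const urlPath = req.originalUrl.split('?')[0];
  // Strip the /api mount prefix: routes live under /api but the allow-list is written without it.
  const normalizedPath = urlPath.startsWith('/api/') ? urlPath.slice(4) : urlPath;
  const userId = user.userId || user.id;
  if (isGuestPathAllowed(normalizedPath, userId)) {
    return next();
  }
  logger.warn('guestRestriction:blocked', {
    userId,
    route: urlPath,
    method: req.method,
  });
  return res.status(403).json({
    success: false,
    message: 'Guest accounts can only access subscription features. Please upgrade your account for full access.',
  });
}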
// Only the middleware is exported; the allow-list stays private to this module.
module.exports = guestRestriction;