customerAuth_8js_source.html

const jwt = require('jsonwebtoken');

const pool = require('../services/db');


/**

 * Authenticate customer user via JWT token

 * Sets req.customerUserId, req.customerId, req.tenantId

 * Customer tokens are separate from admin tokens

 */

async function authenticateCustomer(req, res, next) {

    try {

        const authHeader = req.headers['authorization'];

        const token = authHeader && authHeader.split(' ')[1]; // Bearer TOKEN


        if (!token) {

            return res.status(401).json({ error: 'Access denied. No token provided.' });

        }


        // Verify token

        const decoded = jwt.verify(token, process.env.JWT_SECRET);


        // Validate token type

        if (decoded.type !== 'customer') {

            return res.status(403).json({ error: 'Invalid token type. Customer token required.' });

        }


        // Check if session exists and is valid

        const sessionResult = await pool.query(

            `SELECT cs.*, cu.customer_id, cu.tenant_id, cu.is_active

             FROM customer_sessions cs

             JOIN customer_users cu ON cs.customer_user_id = cu.customer_user_id

             WHERE cs.customer_user_id = $1

             AND cs.expires_at > NOW()`,

            [decoded.customerUserId]

        );


        if (sessionResult.rows.length === 0) {

            return res.status(401).json({ error: 'Session expired or invalid.' });

        }


        const session = sessionResult.rows[0];


        // Check if user is active

        if (!session.is_active) {

            return res.status(403).json({ error: 'Account is deactivated.' });

        }


        // Set request properties

        req.customerUserId = decoded.customerUserId;

        req.customerId = session.customer_id;

        req.tenantId = session.tenant_id;


        next();

    } catch (error) {

        console.error('Customer authentication error:', error);


        if (error.name === 'JsonWebTokenError') {

            return res.status(401).json({ error: 'Invalid token.' });

        }

        if (error.name === 'TokenExpiredError') {

            return res.status(401).json({ error: 'Token expired.' });

        }


        return res.status(500).json({ error: 'Authentication failed.', details: error.message });

    }

}


/**

 * Set customer context middleware

 * Ensures customer can only access their own data

 * Validates that customerId in request matches authenticated customer

 */

function setCustomerContext(req, res, next) {

    // Customer context is already set by authenticateCustomer

    // This middleware validates that customer is accessing their own data


    // If a customer_id is in the URL params or body, validate it matches

    const requestedCustomerId = parseInt(req.params.customer_id || req.body.customer_id);


    if (requestedCustomerId && requestedCustomerId !== req.customerId) {

        return res.status(403).json({

            error: 'Access denied. You can only access your own data.'

        });

    }


    next();

}


/**

 * Log customer audit event

 * Call this after successful actions to track customer activity

 */

async function logCustomerAudit(customerUserId, tenantId, action, entityType, entityId, details, ipAddress) {

    try {

        await pool.query(

            `INSERT INTO customer_audit_log

             (tenant_id, customer_user_id, action, entity_type, entity_id, details, ip_address)

             VALUES ($1, $2, $3, $4, $5, $6, $7)`,

            [tenantId, customerUserId, action, entityType, entityId, details, ipAddress]

        );

    } catch (error) {

        console.error('Error logging customer audit:', error);

        // Don't throw - audit log failures shouldn't break requests

    }

}


module.exports = {

    authenticateCustomer,

    setCustomerContext,

    logCustomerAudit

};