rmm-psa-backend_2routes_2auth_8js_source.html

/**

 * @file routes/auth.js

 * @brief Authentication and tenant impersonation API endpoints

 * @description Provides authentication endpoints for tenant impersonation in multi-tenant

 * MSP environment. Allows root/MSP users to impersonate other tenants for support and

 * administration purposes, with full audit logging. Includes endpoints for starting and

 * stopping impersonation sessions.

 *

 * **Key Features:**

 * - Tenant impersonation (MSP → Customer tenant)

 * - Exit impersonation (return to root tenant)

 * - Full audit trail of impersonation sessions

 * - IP address and user agent tracking

 * - JWT token generation with impersonation context

 *

 * **Security:**

 * - Only root/MSP/admin roles can impersonate

 * - All impersonation events are logged

 * - JWT tokens contain impersonation flag

 * - 2-hour token expiration

 * @author Independent Business Group

 * @date 2026-03-11

 * @module routes/auth

 * @requires express

 * @requires jsonwebtoken

 * @requires ../services/db

 * @requires ../middleware/auth

 * @requires ../middleware/tenant

 */


const express = require('express');

const router = express.Router();

const jwt = require('jsonwebtoken');

const pool = require('../services/db');

const authenticateToken = require('../middleware/auth');

const { setTenantContext } = require('../middleware/tenant');


/**

 * @api {post} /auth/exit-impersonation Exit tenant impersonation

 * @apiName ExitImpersonation

 * @apiGroup Authentication

 * @apiDescription Exits current tenant impersonation session and returns user to

 * their root tenant context. Issues new JWT token without impersonation flag. Records

 * the impersonation stop event in audit log with IP address and user agent for

 * security tracking.

 *

 * **Use Case:** MSP admin who was impersonating a customer tenant needs to return

 * to their root tenant to manage other customers or access MSP-level features.

 * @apiHeader {string} Authorization Bearer JWT token with impersonation flag

 * @apiSuccess {string} token New JWT token for root tenant

 * @apiSuccess {string} message Success message

 * @apiSuccess {object} user User object with root tenant context

 * @apiError {string} error Error message

 * @apiError {number} 403 User is not MSP/root/admin role

 * @apiError {number} 500 Token generation or audit logging failed

 * @apiExample {curl} Example Request:

 *   curl -X POST \

 *        -H "Authorization: Bearer eyJhbGc..." \

 *        "https://api.everydaytech.au/auth/exit-impersonation"

 * @apiExample {json} Success Response:

 *   HTTP/1.1 200 OK

 *   {

 *     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",

 *     "message": "Exited impersonation mode",

 *     "user": {

 *       "user_id": "uuid-here",

 *       "tenant_id": "00000000-0000-0000-0000-000000000001",

 *       "role": "msp",

 *       "impersonated": false

 *     }

 *   }

 * @since 2.0.0

 * @see {@link module:routes/auth.impersonate} for starting impersonation

 */

router.post('/exit-impersonation', authenticateToken, setTenantContext, async (req, res) => {

  try {

    if (!req.user || !(req.user.role === 'msp' || req.user.role === 'root' || req.user.role === 'admin')) {

      return res.status(403).json({ error: 'Only MSP/root/admin can exit impersonation' });

    }

    // Issue new JWT for root context (no impersonation)

    const rootTenantId = '00000000-0000-0000-0000-000000000001';

    const payload = {

      user_id: req.user.impersonator_id || req.user.user_id,

      tenant_id: rootTenantId,

      tenantId: rootTenantId,

      role: req.user.role,

      name: req.user.impersonator_name || req.user.name,

      email: req.user.email,

      is_msp: req.user.role === 'msp' || req.user.role === 'root',

      impersonated: false

    };

    // Remove impersonation-specific fields

    delete payload.impersonator_id;

    delete payload.impersonator_name;

    const token = jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: '2h' });

    // Audit log

    try {

      const uuidRegex = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;

      let impersonatorId = req.user.user_id;

      if (!uuidRegex.test(String(impersonatorId))) {

        impersonatorId = req.user.tenantId && uuidRegex.test(String(req.user.tenantId))

          ? req.user.tenantId

          : '00000000-0000-0000-0000-000000000000';

      }

      await pool.query(

        `INSERT INTO impersonation_audit (

          impersonator_id, impersonator_name, impersonated_tenant_id, impersonated_tenant_name, action, ip_address, user_agent

        ) VALUES ($1, $2, $3, $4, $5, $6, $7)`,

        [

          impersonatorId,

          req.user.name,

          rootTenantId,

          'Root Tenant',

          'stop',

          req.ip,

          req.headers['user-agent'] || ''

        ]

      );

    } catch (auditErr) {

      console.error('[auth/exit-impersonation] Audit log insert error:', auditErr);

    }


    // Set token as HTTP-only cookie

    // Use SameSite=None for production cross-origin (App Platform separate domains)

    res.cookie('auth_token', token, {

      httpOnly: true,

      secure: true, // Always require HTTPS in production

      sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',

      maxAge: 2 * 60 * 60 * 1000, // 2 hours

      domain: process.env.NODE_ENV === 'production' ? '.ondigitalocean.app' : undefined

    });


    res.json({ token });

  } catch (err) {

    console.error('[auth/exit-impersonation] Error:', err);

    res.status(500).json({ error: 'Failed to exit impersonation', details: err.message });

  }

});


/**

 * @api {post} /auth/impersonate Start tenant impersonation

 * @apiName ImpersonateTenant

 * @apiGroup Authentication

 * @apiDescription Starts tenant impersonation session, allowing MSP/admin users to

 * access another tenant's context as if they were that tenant. Issues new JWT token

 * with impersonated tenant context. Records impersonation start event in audit log

 * with full details for compliance and security tracking.

 *

 * **Use Case:** MSP support staff needs to troubleshoot issues in a customer's

 * account by viewing their dashboard, tickets, and data as they would see it.

 *

 * **Security Considerations:**

 * - Only root, MSP, and admin roles can impersonate

 * - All impersonation sessions are audit logged

 * - Impersonated flag is set in JWT for transparency

 * - IP address and user agent tracked

 * - 2-hour session expiration

 * @apiHeader {string} Authorization Bearer JWT token (root/MSP/admin)

 * @apiHeader {string} Content-Type application/json

 * @apiParam {string} tenant_id UUID of tenant to impersonate

 * @apiSuccess {string} token New JWT token with impersonated tenant context

 * @apiSuccess {string} message Success message with tenant name

 * @apiSuccess {object} user User object with impersonated tenant context

 * @apiSuccess {string} user.tenant_id Impersonated tenant ID

 * @apiSuccess {boolean} user.impersonated Always true

 * @apiSuccess {string} user.role User's original role

 * @apiError {string} error Error message

 * @apiError {number} 400 tenant_id is required

 * @apiError {number} 403 User is not MSP/root/admin role

 * @apiError {number} 404 Tenant not found

 * @apiError {number} 500 Token generation or audit logging failed

 * @apiExample {curl} Example Request:

 *   curl -X POST \

 *        -H "Authorization: Bearer eyJhbGc..." \

 *        -H "Content-Type: application/json" \

 *        -d '{"tenant_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"}' \

 *        "https://api.everydaytech.au/auth/impersonate"

 * @apiExample {json} Success Response:

 *   HTTP/1.1 200 OK

 *   {

 *     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",

 *     "message": "Successfully impersonating Acme Corporation",

 *     "user": {

 *       "user_id": "original-user-id",

 *       "tenant_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",

 *       "role": "msp",

 *       "impersonated": true,

 *       "original_tenant_id": "00000000-0000-0000-0000-000000000001"

 *     }

 *   }

 *

 * @apiExample {json} Error Response (Not Authorized):

 *   HTTP/1.1 403 Forbidden

 *   {

 *     "error": "Only MSP/root/admin can impersonate tenants"

 *   }

 *

 * @since 2.0.0

 * @see {@link module:routes/auth.exitImpersonation} for stopping impersonation

 * @see {@link module:middleware/tenant.setTenantContext} for tenant filtering

 */

router.post('/impersonate', authenticateToken, setTenantContext, async (req, res) => {

  try {

    const { tenant_id } = req.body;

    if (!tenant_id) return res.status(400).json({ error: 'Missing tenant_id' });


    // Log for debugging

    console.log('[auth/impersonate] Request from user:', {

      user_id: req.user?.user_id,

      role: req.user?.role,

      name: req.user?.name,

      tenant_id: req.user?.tenant_id

    });


    if (!req.user || !(req.user.role === 'msp' || req.user.role === 'root' || req.user.role === 'admin')) {

      console.log('[auth/impersonate] 403 - User role not authorized:', req.user?.role);

      return res.status(403).json({ error: 'Only MSP, root, or admin can impersonate tenants', user_role: req.user?.role });

    }


    // Lookup impersonated tenant

    const tenantRes = await pool.query('SELECT name FROM tenants WHERE tenant_id = $1', [tenant_id]);

    if (tenantRes.rows.length === 0) {

      return res.status(404).json({ error: 'Tenant not found' });

    }

    const impersonatedTenantName = tenantRes.rows[0].name;


    // Issue new JWT for impersonated tenant

    // IMPORTANT: Only include specific fields to avoid carrying over is_msp=true

    const payload = {

      user_id: req.user.user_id,

      tenant_id,

      tenantId: tenant_id,

      role: req.user.role,

      name: req.user.name,

      email: req.user.email,

      is_msp: false, // Act as regular tenant user, not MSP

      impersonated: true,

      impersonator_id: req.user.user_id,

      impersonator_name: req.user.name,

      impersonated_tenant_name: impersonatedTenantName

    };

    let token;

    try {

      token = jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: '2h' });

    } catch (jwtErr) {

      console.error('[auth/impersonate] JWT sign error:', jwtErr, 'Payload:', payload);

      return res.status(500).json({ error: 'JWT sign error', details: jwtErr.message });

    }


    // Audit log

    try {

      // Use a valid UUID for impersonator_id

      const uuidRegex = /^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/;

      let impersonatorId = req.user.user_id;

      if (!uuidRegex.test(String(impersonatorId))) {

        impersonatorId = req.user.tenantId && uuidRegex.test(String(req.user.tenantId))

          ? req.user.tenantId

          : '00000000-0000-0000-0000-000000000000'; // fallback null UUID

      }

      await pool.query(

        `INSERT INTO impersonation_audit (

          impersonator_id, impersonator_name, impersonated_tenant_id, impersonated_tenant_name, action, ip_address, user_agent

        ) VALUES ($1, $2, $3, $4, $5, $6, $7)`,

        [

          impersonatorId,

          req.user.name,

          tenant_id,

          impersonatedTenantName,

          'start',

          req.ip,

          req.headers['user-agent'] || ''

        ]

      );

    } catch (auditErr) {

      console.error('[auth/impersonate] Audit log insert error:', auditErr, {

        impersonator_id: req.user.user_id,

        impersonator_name: req.user.name,

        impersonated_tenant_id: tenant_id,

        impersonated_tenant_name: impersonatedTenantName,

        ip_address: req.ip,

        user_agent: req.headers['user-agent'] || ''

      });

      return res.status(500).json({ error: 'Audit log insert error', details: auditErr.message });

    }


    // Set token as HTTP-only cookie

    // Use SameSite=None for production cross-origin (App Platform separate domains)

    res.cookie('auth_token', token, {

      httpOnly: true,

      secure: true, // Always require HTTPS in production

      sameSite: process.env.NODE_ENV === 'production' ? 'none' : 'lax',

      maxAge: 2 * 60 * 60 * 1000, // 2 hours

      domain: process.env.NODE_ENV === 'production' ? '.ondigitalocean.app' : undefined

    });


    res.json({ token });

  } catch (err) {

    console.error('[auth/impersonate] Error:', err, {

      user: req.user,

      body: req.body,

      ip: req.ip,

      headers: req.headers

    });

    res.status(500).json({ error: 'Failed to impersonate tenant', details: err.message });

  }

});


module.exports = router;