UNPKG

qgenutils

Version:

A security-first Node.js utility library providing authentication, HTTP operations, URL processing, validation, datetime formatting, and template rendering. Designed as a lightweight alternative to heavy npm packages with comprehensive error handling and

60 lines (54 loc) 2.38 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
/** * Check Passport Authentication Status * * RATIONALE: Routes often gate protected resources behind authentication. Passport * adds an isAuthenticated() method, but requests may omit the middleware or use * alternate authentication flows. We defensively check and default to "deny" for * security. * * IMPLEMENTATION DECISIONS: * - Use double negation (!!) to convert truthy/falsy to strict boolean * - Check for existence of isAuthenticated method before calling it * - Default to false (unauthenticated) for security when in doubt * - Log authentication attempts with user context for security auditing * * SECURITY CONSIDERATIONS: * - Fail closed: When uncertain, assume user is NOT authenticated * - Avoid throwing exceptions that could reveal authentication internals * - Log all authentication checks for security monitoring * - Handle edge cases where Passport middleware is missing * * TYPICAL USE CASES: * - Gate route handlers to prevent anonymous access * - Determine login state in view helpers for UI decisions * * WHY DOUBLE NEGATION (!!): * req.isAuthenticated() might return truthy values that aren't strictly boolean. * !! converts any truthy value to true and any falsy value to false. * This ensures we always return a proper boolean type. * * EDGE CASES HANDLED: * - req.isAuthenticated doesn't exist (Passport not configured) * - req.isAuthenticated throws an exception * - req object is malformed or null * - User object exists but authentication state is unclear * * @param {object} req - Express request object (should have Passport methods attached) * @returns {boolean} True if user is authenticated, false otherwise (fail-closed security) * @throws Never throws - returns false on any error for security */ const { qerrors } = require('qerrors'); const logger = require('../../logger'); // Import centralized authentication logging utility const logAuthOperation = require('./logAuthOperation'); function checkPassportAuth(req) { try { const isAuthenticated = !!(req.isAuthenticated && req.isAuthenticated()); logAuthOperation(`checkPassportAuth`, req?.user?.username || `guest`, isAuthenticated); return isAuthenticated; } catch (error) { qerrors(error, `checkPassportAuth`, req); return false; // fail closed on errors } } module.exports = checkPassportAuth;