import express from 'express';
import morgan from 'morgan';
import passport from 'passport';
import BearerStrategy from 'passport-http-bearer';
import AnonymousStrategy from 'passport-anonymous';
import cookieParser from 'cookie-parser';
import graphqlHTTP from 'express-graphql';
import schema from './schema';
import createLoaders from './createLoaders';
import getUserByToken from './queries/user/getUserByToken';
// Fallback strategy: lets a request with no credentials through as unauthenticated.
// NOTE(review): passport tries strategies in the order given, so with
// ['bearer', 'anonymous'] (see the authenticate() call below) a request carrying
// an *invalid* bearer token presumably falls through to anonymous instead of being
// rejected with 401 — confirm that is the intended behaviour.
const anonymousStrategy = new AnonymousStrategy();
passport.use(anonymousStrategy);
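// Bearer-token strategy: resolve the presented token to a user record.
// Verify-callback contract: cb(err) when the lookup itself fails,
// cb(undefined, user) otherwise; a falsy user is passed through and is
// presumably treated by passport as a failed credential rather than an error.
passport.use(new BearerStrategy(
  async (token, cb) => {
    let user;
    try {
      user = await getUserByToken(token);
    } catch (err) {
      // Lookup failure (store unreachable, etc.) is an error, not a bad token.
      return cb(err);
    }
    // cb is invoked outside the try: in the original form an exception thrown
    // downstream (by passport or the next middleware) was caught here and
    // reported through cb a second time as if the lookup had failed.
    // NOTE(review): what getUserByToken returns for an unknown, expired or
    // revoked token is not visible here — if it does not enforce expiry /
    // revocation, that check belongs in it or here. TODO confirm.
    return cb(undefined, user);
  }
));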
// Build the app: hide the X-Powered-By header so the framework is not advertised
// to clients, log every request (Apache-style 'combined' lines in production, the
// terse 'dev' format elsewhere) and parse the Cookie header into req.cookies.
const app = express()
  .disable('x-powered-by')
  .use(morgan(process.env.NODE_ENV === 'production' ? 'combined' : 'dev'))
  .use(cookieParser());
app.use(passport.authenticate(['bearer', 'anonymous'], {
session: false,
})
})
if (!validPassword) {
return callback(undefined, false)
}
callback(undefined, user)
} catch (error) {
callback(error)
}
})
)
passport.use(
// NOTE(review): the presented bearer token is matched as-is against the `hash`
// property of AccessToken. Either the stored value is the raw token (then the
// name is misleading and a database leak exposes live credentials) or the token
// should be hashed before this lookup — confirm how AccessToken.hash is written.
new BearerStrategy(async (token, callback) => {
try {
// Presumably OrientDB: select the AccessToken whose hash equals the token and
// expand the record reached over its incoming UserToken edge — i.e. the owner.
const user = await db
.select('EXPAND(IN("UserToken"))')
.from('AccessToken')
.where({hash: token})
.one()
// Nothing matched: report an authentication failure, not an error.
// NOTE(review): no expiry/revocation check is visible here — TODO confirm.
if (!user) {
return callback(undefined, false)
}
callback(undefined, user)
} catch (error) {
// Database failure: surface as an error so it is not mistaken for a bad token.
callback(error)
}
}
return next(null, client);
})
.catch((err) => {
if (err.status === 404) {
return next(null, false);
}
return next(err);
});
}));
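/**
 * Instructions for passport to use a bearer token authentication. Requires the
 * user/client to supply their token in a header for access.
 *
 * Verify-callback outcomes: next(err) for an internal failure, next(null, false)
 * when the token or its user is unknown (an authentication failure), and
 * next(null, user, info) on success.
 *
 * NOTE(review): BearerStrategy's constructor is (options, verify); the leading
 * 'bearer' string is presumably taken as the options object and has no effect.
 * It is kept so the registered strategy is unchanged — confirm against the
 * installed passport-http-bearer version.
 */
passport.use(new BearerStrategy('bearer', (accessToken, next) => {
  authService.findOneTokenByValue(accessToken)
    .then((foundToken) => {
      // An unknown token is an authentication failure, not a server error:
      // without this guard, reading foundToken.userId on a null/undefined
      // result threw a TypeError that the catch below reported as an error.
      if (!foundToken) {
        return null;
      }
      // Return the promise so the chain stays flat with one error handler,
      // instead of a nested chain whose rejections were handled separately.
      return userService.getUserByIdOrUsername(foundToken.userId);
    })
    .then((user) => {
      if (!user) {
        return next(null, false);
      }
      // NOTE(review): every valid token is granted the wildcard scope, and no
      // expiry or revocation is checked here — if tokens carry per-token scopes
      // or an expiry, confirm findOneTokenByValue enforces them. TODO
      return next(null, user, { scope: '*' });
    })
    .catch(err => next(err));
}));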
/**
* Registers the function to serialize the client for sessions on the auth server's side