backend/middleware/auth.js

// Authentication Middleware
const pool = require('../db');
const { teamToIvanti } = require('../helpers/teams');

// Require authenticated user — no parameters needed, pool is imported directly
function requireAuth() {
    return async (req, res, next) => {
        const sessionId = req.cookies?.session_id;

        if (!sessionId) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        try {
            const { rows } = await pool.query(
                `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.bu_teams, u.is_active
                 FROM sessions s
                 JOIN users u ON s.user_id = u.id
                 WHERE s.session_id = $1 AND s.expires_at > NOW()`,
                [sessionId]
            );

            const session = rows[0];

            if (!session) {
                return res.status(401).json({ error: 'Session expired or invalid' });
            }

            if (!session.is_active) {
                return res.status(401).json({ error: 'Account is disabled' });
            }

            // Attach user to request
            req.user = {
                id: session.user_id,
                username: session.username,
                email: session.email,
                role: session.role,
                group: session.user_group,
                teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []
            };

            next();
        } catch (err) {
            console.error('Auth middleware error:', err);
            return res.status(500).json({ error: 'Authentication error' });
        }
    };
}

// Require specific group(s)
function requireGroup(...allowedGroups) {
    return (req, res, next) => {
        if (!req.user) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        if (!allowedGroups.includes(req.user.group)) {
            return res.status(403).json({
                error: 'Insufficient permissions',
                required: allowedGroups,
                current: req.user.group
            });
        }

        next();
    };
}

// Require team assignment — enforces team-scoped data access.
// Admin group bypasses (req.teamScope = null means "no filter").
// Non-admin users without teams get 403.
// Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }.
function requireTeam() {
    return (req, res, next) => {
        if (!req.user) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        // Admin bypass — full access to all teams
        if (req.user.group === 'Admin') {
            req.teamScope = null;
            return next();
        }

        // No teams assigned — block access
        if (!req.user.teams || req.user.teams.length === 0) {
            return res.status(403).json({
                error: 'No team assignment. Contact an administrator to assign BU teams to your account.',
                code: 'NO_TEAM_ASSIGNMENT'
            });
        }

        // Build scope with both naming conventions
        req.teamScope = {
            short: req.user.teams,
            ivanti: req.user.teams.map(t => teamToIvanti(t))
        };

        next();
    };
}

module.exports = { requireAuth, requireGroup, requireTeam };
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`// Authentication Middleware`
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`const pool = require('../db');`
Add backend team enforcement via requireTeam() middleware Introduce server-side team-scoped data access enforcement: - Add TEAM_TO_IVANTI/IVANTI_TO_TEAM mapping to helpers/teams.js - Add requireTeam() middleware to middleware/auth.js - Admin bypass (req.teamScope = null) - 403 for users with no team assignment - Populates req.teamScope with short and ivanti name arrays - Ivanti findings: replace client ?teams= param with req.teamScope filtering on GET /, /counts, /counts/history, /fp-workflow-counts, POST /sync - Override and note endpoints verify finding is in team scope - Compliance: add requireTeam() router-level, validate ?team= param against scope on GET /items and GET /summary - CARD: validate teamName param on GET /teams/:teamName/assets - Todo queue: verify findings belong to user's teams on POST /batch - Clarify IVANTI_BU_FILTER comment (sync-level vs query-time filtering) - Update 14 test files to include requireTeam in auth middleware mocks 2026-06-24 11:36:25 -06:00			`const { teamToIvanti } = require('../helpers/teams');`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`// Require authenticated user — no parameters needed, pool is imported directly`
			`function requireAuth() {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return async (req, res, next) => {`
			`const sessionId = req.cookies?.session_id;`

			`if (!sessionId) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

			`try {`
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`const { rows } = await pool.query(`
			`SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.bu_teams, u.is_active
			`FROM sessions s`
			`JOIN users u ON s.user_id = u.id`
			WHERE s.session_id = $1 AND s.expires_at > NOW()`,
			`[sessionId]`
			`);`

			`const session = rows[0];`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00
			`if (!session) {`
			`return res.status(401).json({ error: 'Session expired or invalid' });`
			`}`

			`if (!session.is_active) {`
			`return res.status(401).json({ error: 'Account is disabled' });`
			`}`

			`// Attach user to request`
			`req.user = {`
			`id: session.user_id,`
			`username: session.username,`
			`email: session.email,`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`role: session.role,`
feat: add multi-BU tenancy with per-user team scoping (Option B) - Add bu_teams column to users table (migration + fresh schema) - Create shared KNOWN_TEAMS constant and validateTeams helper - Expose user teams in auth middleware, login, and /me responses - Add bu_teams CRUD to user management routes with audit logging - Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var - Add query-time team filtering to GET /findings and /findings/counts - Update AuthContext with teams helpers and admin scope toggle - Create AdminScopeToggle component (My Teams / All BUs) - Scope ReportingPage findings fetch by user teams - Scope CompliancePage team selector by user teams - Scope ExportsPage findings exports by user teams - Add BU teams multi-select to UserManagement create/edit forms - Display team badges in user list table 2026-05-05 11:04:53 -06:00			`group: session.user_group,`
			`teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`};`

			`next();`
			`} catch (err) {`
			`console.error('Auth middleware error:', err);`
			`return res.status(500).json({ error: 'Authentication error' });`
			`}`
			`};`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`// Require specific group(s)`
			`function requireGroup(...allowedGroups) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return (req, res, next) => {`
			`if (!req.user) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`if (!allowedGroups.includes(req.user.group)) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return res.status(403).json({`
			`error: 'Insufficient permissions',`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`required: allowedGroups,`
			`current: req.user.group`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`});`
			`}`

			`next();`
			`};`
			`}`

Add backend team enforcement via requireTeam() middleware Introduce server-side team-scoped data access enforcement: - Add TEAM_TO_IVANTI/IVANTI_TO_TEAM mapping to helpers/teams.js - Add requireTeam() middleware to middleware/auth.js - Admin bypass (req.teamScope = null) - 403 for users with no team assignment - Populates req.teamScope with short and ivanti name arrays - Ivanti findings: replace client ?teams= param with req.teamScope filtering on GET /, /counts, /counts/history, /fp-workflow-counts, POST /sync - Override and note endpoints verify finding is in team scope - Compliance: add requireTeam() router-level, validate ?team= param against scope on GET /items and GET /summary - CARD: validate teamName param on GET /teams/:teamName/assets - Todo queue: verify findings belong to user's teams on POST /batch - Clarify IVANTI_BU_FILTER comment (sync-level vs query-time filtering) - Update 14 test files to include requireTeam in auth middleware mocks 2026-06-24 11:36:25 -06:00			`// Require team assignment — enforces team-scoped data access.`
			`// Admin group bypasses (req.teamScope = null means "no filter").`
			`// Non-admin users without teams get 403.`
			`// Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }.`
			`function requireTeam() {`
			`return (req, res, next) => {`
			`if (!req.user) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

			`// Admin bypass — full access to all teams`
			`if (req.user.group === 'Admin') {`
			`req.teamScope = null;`
			`return next();`
			`}`

			`// No teams assigned — block access`
			`if (!req.user.teams \|\| req.user.teams.length === 0) {`
			`return res.status(403).json({`
			`error: 'No team assignment. Contact an administrator to assign BU teams to your account.',`
			`code: 'NO_TEAM_ASSIGNMENT'`
			`});`
			`}`

			`// Build scope with both naming conventions`
			`req.teamScope = {`
			`short: req.user.teams,`
			`ivanti: req.user.teams.map(t => teamToIvanti(t))`
			`};`

			`next();`
			`};`
			`}`

			`module.exports = { requireAuth, requireGroup, requireTeam };`