tag/v2.2.0/backend/middleware/auth.js

// Authentication Middleware
const pool = require('../db');

// Require authenticated user — no parameters needed, pool is imported directly
function requireAuth() {
    return async (req, res, next) => {
        const sessionId = req.cookies?.session_id;

        if (!sessionId) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        try {
            const { rows } = await pool.query(
                `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.bu_teams, u.is_active
                 FROM sessions s
                 JOIN users u ON s.user_id = u.id
                 WHERE s.session_id = $1 AND s.expires_at > NOW()`,
                [sessionId]
            );

            const session = rows[0];

            if (!session) {
                return res.status(401).json({ error: 'Session expired or invalid' });
            }

            if (!session.is_active) {
                return res.status(401).json({ error: 'Account is disabled' });
            }

            // Attach user to request
            req.user = {
                id: session.user_id,
                username: session.username,
                email: session.email,
                role: session.role,
                group: session.user_group,
                teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []
            };

            next();
        } catch (err) {
            console.error('Auth middleware error:', err);
            return res.status(500).json({ error: 'Authentication error' });
        }
    };
}

// Require specific group(s)
function requireGroup(...allowedGroups) {
    return (req, res, next) => {
        if (!req.user) {
            return res.status(401).json({ error: 'Authentication required' });
        }

        if (!allowedGroups.includes(req.user.group)) {
            return res.status(403).json({
                error: 'Insufficient permissions',
                required: allowedGroups,
                current: req.user.group
            });
        }

        next();
    };
}

module.exports = { requireAuth, requireGroup };
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`// Authentication Middleware`
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`const pool = require('../db');`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`// Require authenticated user — no parameters needed, pool is imported directly`
			`function requireAuth() {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return async (req, res, next) => {`
			`const sessionId = req.cookies?.session_id;`

			`if (!sessionId) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

			`try {`
feat(postgres): migrate all route files from SQLite to pg pool - All 16 route files now import pool from ../db directly - Removed db parameter from all factory functions - All callbacks replaced with async/await pool.query() - All ? placeholders converted to $1, $2... numbered params - datetime('now') → NOW(), INSERT OR IGNORE → ON CONFLICT DO NOTHING - LIKE → ILIKE for case-insensitive searches - Error detection: err.code === '23505' for unique violations - server.js no longer passes pool/db/requireAuth to route factories - Only ivantiFindings.js still receives pool (pending task 8 rewrite) 2026-05-06 11:44:17 -06:00			`const { rows } = await pool.query(`
			`SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.bu_teams, u.is_active
			`FROM sessions s`
			`JOIN users u ON s.user_id = u.id`
			WHERE s.session_id = $1 AND s.expires_at > NOW()`,
			`[sessionId]`
			`);`

			`const session = rows[0];`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00
			`if (!session) {`
			`return res.status(401).json({ error: 'Session expired or invalid' });`
			`}`

			`if (!session.is_active) {`
			`return res.status(401).json({ error: 'Account is disabled' });`
			`}`

			`// Attach user to request`
			`req.user = {`
			`id: session.user_id,`
			`username: session.username,`
			`email: session.email,`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`role: session.role,`
feat: add multi-BU tenancy with per-user team scoping (Option B) - Add bu_teams column to users table (migration + fresh schema) - Create shared KNOWN_TEAMS constant and validateTeams helper - Expose user teams in auth middleware, login, and /me responses - Add bu_teams CRUD to user management routes with audit logging - Make Ivanti FINDINGS_FILTERS configurable via IVANTI_BU_FILTER env var - Add query-time team filtering to GET /findings and /findings/counts - Update AuthContext with teams helpers and admin scope toggle - Create AdminScopeToggle component (My Teams / All BUs) - Scope ReportingPage findings fetch by user teams - Scope CompliancePage team selector by user teams - Scope ExportsPage findings exports by user teams - Add BU teams multi-select to UserManagement create/edit forms - Display team badges in user list table 2026-05-05 11:04:53 -06:00			`group: session.user_group,`
			`teams: session.bu_teams ? session.bu_teams.split(',').filter(Boolean) : []`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`};`

			`next();`
			`} catch (err) {`
			`console.error('Auth middleware error:', err);`
			`return res.status(500).json({ error: 'Authentication error' });`
			`}`
			`};`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`// Require specific group(s)`
			`function requireGroup(...allowedGroups) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return (req, res, next) => {`
			`if (!req.user) {`
			`return res.status(401).json({ error: 'Authentication required' });`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`if (!allowedGroups.includes(req.user.group)) {`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`return res.status(403).json({`
			`error: 'Insufficient permissions',`
feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`required: allowedGroups,`
			`current: req.user.group`
added required code changes, components, and packages for login feature 2026-01-28 14:36:33 -07:00			`});`
			`}`

			`next();`
			`};`
			`}`

feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only) - Add user_group migration and created_by column migration - Replace requireRole middleware with requireGroup - Update all backend routes to use group-based authorization - Add Standard_User conditional delete with ownership, state, and compliance checks - Add cascade impact check for CVE deletes - Update AuthContext with group-based permission helpers - Update all frontend components for group-based rendering - Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention 2026-04-06 16:18:07 -06:00			`module.exports = { requireAuth, requireGroup };`