diff --git a/backend/config/secret.js b/backend/config/secret.js
new file mode 100644
index 00000000..031c6a28
--- /dev/null
+++ b/backend/config/secret.js
@@ -0,0 +1,11 @@
+const JWT_SECRET = process.env.JWT_SECRET;
+const MONGO_URI = process.env.MONGO_URI;
+const PORT = process.env.PORT;
+const CORS_ORIGIN = process.env.CORS_ORIGIN;
+
+module.exports = {
+ JWT_SECRET,
+ MONGO_URI,
+ PORT,
+ CORS_ORIGIN,
+};
diff --git a/backend/controller/admin.controller.js b/backend/controller/admin.controller.js
index 259fa374..aa8f3440 100644
--- a/backend/controller/admin.controller.js
+++ b/backend/controller/admin.controller.js
@@ -35,7 +35,6 @@ async function createAdmin(req, res) {
 } catch (error) {
 logger.error("Error creating admin:", {
 message: error.message,
- stack: error.stack,
 });
 res.status(500).json({ error: "Internal server error" });
 }
@@ -64,9 +63,13 @@ async function loginAdmin(req, res) {
 if (!validPassword) {
 return res.status(401).json({ error: "Invalid email or password" });
 }
- const token = jwt.sign({ email: admin.email }, process.env.JWT_SECRET, {
- expiresIn: "1h",
- });
+ const token = jwt.sign(
+ { id: admin._id, role: "admin" },
+ process.env.JWT_SECRET,
+ {
+ expiresIn: "1h",
+ }
+ );
 res.json({
 message: "Login successful",
 token,
diff --git a/backend/controller/customer.controller.js b/backend/controller/customer.controller.js
index 8e5a8eae..96a7713c 100644
--- a/backend/controller/customer.controller.js
+++ b/backend/controller/customer.controller.js
@@ -61,7 +61,7 @@ async function loginCustomer(req, res) {
 return res.status(401).json({ error: "Invalid email or password" });
 }
 const token = jwt.sign(
- { id: customer._id, username: customer.name },
+ { id: customer._id },
 process.env.JWT_SECRET,
 { expiresIn: "1h" } // Expires in 1 hour
 );
diff --git a/backend/middlewares/authAdmin.js b/backend/middlewares/authAdmin.js
index 661be80f..3f084138 100644
--- a/backend/middlewares/authAdmin.js
+++ b/backend/middlewares/authAdmin.js
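Review bot: `JWT_SECRET` is read from `process.env` and exported without any presence check, so a deployment that forgets the variable only fails when the first `jwt.sign`/`jwt.verify` call runs rather than at startup. A fail-fast guard after the reads, `if (!JWT_SECRET) { throw new Error("JWT_SECRET must be set"); }`, makes a misconfigured environment visible immediately, and `MONGO_URI` deserves the same treatment. Note also that in this commit only authCustomer.js imports the new module; admin.controller.js, customer.controller.js and authAdmin.js still read `process.env.JWT_SECRET` directly, so the two paths can diverge if the module ever gains validation or defaults.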
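Review bot: Dropping `stack: error.stack` from the `logger.error` call in createAdmin's catch block removes the only information that locates an unexpected failure, while the response on the following line already hides details from the client behind a generic 500. Unless the logger's output is itself exposed to end users (not visible here), the stack trace belongs in the server-side log, so I would keep the `stack: error.stack,` field. createAdmin's body starts and ends outside the hunk.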
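Review bot: The new admin payload `{ id: admin._id, role: "admin" }` no longer carries `email`, but the authAdmin.js hunk in this same commit still logs `JSON.stringify(decoded.email)`, which will now print `undefined` on every authenticated admin request. Either keep an `email` claim here or change that middleware line to log `decoded.id` instead of `decoded.email`. loginAdmin's body starts and ends outside the hunk.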
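Review bot: Removing `username` from the customer token has the same effect on authCustomer.js, whose unchanged log line `JSON.stringify(user.username)` now prints `undefined` for every request; log `user.id` there instead, or keep the claim. Separately, the customer token carries no `role` claim while the admin token now does and both are signed with the same `JWT_SECRET`; issuing `{ id: customer._id, role: "customer" }` here gives authCustomer something to check so the two middlewares enforce symmetric boundaries. loginCustomer's body starts and ends outside the hunk.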
@@ -4,16 +4,17 @@ const logger = require("../config/logger");
 const authenticateAdmin = (req, res, next) => {
 const token = req.header("Authorization")?.split(" ")[1]; // Expecting "Bearer "
- if (!req.body.admin) {
- return res.sendStatus(403); // Forbidden
- }
 if (token) {
- jwt.verify(token, process.env.JWT_SECRET, (err, admin) => {
+ jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
 if (err) {
 return res.sendStatus(403); // Forbidden
 }
- req.user = admin;
- logger.info(`Admin authenticated: ${JSON.stringify(admin.email)}`);
+ if (decoded.role !== "admin") {
+ return res.sendStatus(403); // Forbidden
+ }
+
+ req.user = decoded;
+ logger.info(`Admin authenticated: ${JSON.stringify(decoded.email)}`);
 next();
 });
 } else {
diff --git a/backend/middlewares/authCustomer.js b/backend/middlewares/authCustomer.js
index d066b5b7..eb175092 100644
--- a/backend/middlewares/authCustomer.js
+++ b/backend/middlewares/authCustomer.js
@@ -1,13 +1,17 @@
 const jwt = require("jsonwebtoken");
 const logger = require("../config/logger");
+const config = require("../config/secret");
 const authenticateCustomer = (req, res, next) => {
 const token = req.header("Authorization")?.split(" ")[1]; // Expecting "Bearer "
 if (token) {
- jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
+ jwt.verify(token, config.JWT_SECRET, (err, user) => {
 if (err) {
- return res.sendStatus(403); // Forbidden
+ if (err.name === "TokenExpiredError") {
+ return res.status(401).json({ message: "Token expired" });
+ }
+ return res.status(403).json({ message: "Invalid token" });
 }
 req.user = user;
 logger.info(`Customer authenticated: ${JSON.stringify(user.username)}`);
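Review bot: The new `jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {` line passes no `algorithms` option, so the accepted algorithm set is jsonwebtoken's default rather than the single algorithm the login endpoint actually signs with; pinning it, `jwt.verify(token, process.env.JWT_SECRET, { algorithms: ["HS256"] }, (err, decoded) => {`, is the usual hardening for a shared-secret setup and applies equally to the authCustomer.js hunk. The `decoded.role !== "admin"` check is the right replacement for the removed `req.body.admin` gate, which trusted a client-supplied body field. `authenticateAdmin` continues past the hunk, so the `else` branch is not reviewed here.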
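Review bot: Unlike the authAdmin.js change in this commit, authenticateCustomer still accepts any token that verifies under the shared `config.JWT_SECRET` without inspecting its claims, so an admin token (now carrying `role: "admin"`) passes this middleware and `req.user.id` becomes an admin `_id` for whatever customer lookup follows outside the hunk. A check mirroring the admin side, `if (user.role !== "customer") { return res.status(403).json({ message: "Invalid token" }); }`, together with a `role: "customer"` claim issued at customer login, keeps the two realms separate. The 401-for-expired versus 403-for-invalid split is reasonable, though the JSON body on the 403 now presumably differs in shape from whatever the unchanged no-token branch below returns. `authenticateCustomer` continues past the hunk.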