refactor: update access token parsing logic to accept accessToken as a parameter

apps/app/src/server/middlewares/access-token-parser/access-token.ts

@@ -5,20 +5,12 @@ import type { Response } from 'express';
 import { AccessToken } from '~/server/models/access-token';
 import loggerFactory from '~/utils/logger';
 
-import { extractBearerToken } from './extract-bearer-token';
 import type { AccessTokenParserReq } from './interfaces';
 
 const logger = loggerFactory('growi:middleware:access-token-parser:access-token');
 
-export const parserForAccessToken = (scopes: Scope[]) => {
+export const parserForAccessToken = (accessToken: string, scopes: Scope[]) => {
   return async(req: AccessTokenParserReq, res: Response): Promise<void> => {
-    // Extract token from Authorization header first
-    const bearerToken = extractBearerToken(req.headers.authorization);
-
-    const accessToken = bearerToken ?? req.query.access_token ?? req.body.access_token;
-    if (accessToken == null || typeof accessToken !== 'string') {
-      return;
-    }
     if (scopes == null || scopes.length === 0) {
       logger.debug('scopes is empty');
       return;

apps/app/src/server/middlewares/access-token-parser/api-token.ts

@@ -6,37 +6,26 @@ import mongoose from 'mongoose';
 
 import loggerFactory from '~/utils/logger';
 
-import { extractBearerToken } from './extract-bearer-token';
 import type { AccessTokenParserReq } from './interfaces';
 
 const logger = loggerFactory('growi:middleware:access-token-parser:api-token');
 
 
-export const parserForApiToken = async(req: AccessTokenParserReq, res: Response): Promise<void> => {
-  // Extract token from Authorization header first
-  const bearerToken = extractBearerToken(req.headers.authorization);
+export const parserForApiToken = (accessToken: string) => {
+  return async(req: AccessTokenParserReq, res: Response): Promise<void> => {
+    const User = mongoose.model<HydratedDocument<IUser>, { findUserByApiToken }>('User');
+    const userByApiToken: IUserHasId = await User.findUserByApiToken(accessToken);
 
-  // Try all possible token sources in order of priority
-  const accessToken = bearerToken ?? req.query.access_token ?? req.body.access_token;
+    if (userByApiToken == null) {
+      return;
+    }
 
-  if (accessToken == null || typeof accessToken !== 'string') {
-    return;
-  }
-
-  logger.debug('accessToken is', accessToken);
-
-  const User = mongoose.model<HydratedDocument<IUser>, { findUserByApiToken }>('User');
-  const userByApiToken: IUserHasId = await User.findUserByApiToken(accessToken);
+    req.user = serializeUserSecurely(userByApiToken);
+    if (req.user == null) {
+      return;
+    }
 
-  if (userByApiToken == null) {
+    logger.debug('Access token parsed.');
     return;
-  }
-
-  req.user = serializeUserSecurely(userByApiToken);
-  if (req.user == null) {
-    return;
-  }
-
-  logger.debug('Access token parsed.');
-  return;
+  };
 };

apps/app/src/server/middlewares/access-token-parser/extract-bearer-token.ts

@@ -1,11 +0,0 @@
-export const extractBearerToken = (authHeader: string | undefined): string | null => {
-  if (authHeader == null) {
-    return null;
-  }
-
-  if (!authHeader.startsWith('Bearer ')) {
-    return null;
-  }
-
-  return authHeader.substring(7); // Remove 'Bearer ' prefix
-};

apps/app/src/server/middlewares/access-token-parser/index.ts

@@ -9,21 +9,44 @@ import type { AccessTokenParserReq } from './interfaces';
 
 const logger = loggerFactory('growi:middleware:access-token-parser');
 
+export const extractBearerToken = (authHeader: string | undefined): string | null => {
+  if (authHeader == null) {
+    return null;
+  }
+
+  if (!authHeader.startsWith('Bearer ')) {
+    return null;
+  }
+
+  return authHeader.substring(7); // Remove 'Bearer ' prefix
+};
+
+
 export type AccessTokenParser = (scopes?: Scope[], opts?: {acceptLegacy: boolean})
   => (req: AccessTokenParserReq, res: Response, next: NextFunction) => Promise<void>
 
 export const accessTokenParser: AccessTokenParser = (scopes, opts) => {
   return async(req, res, next): Promise<void> => {
-    // TODO: comply HTTP header of RFC6750 / Authorization: Bearer
+    // Extract token from Authorization header first
+    const bearerToken = extractBearerToken(req.headers.authorization);
+
+    // Try all possible token sources in order of priority
+    const accessToken = bearerToken ?? req.query.access_token ?? req.body.access_token;
+    if (accessToken == null || typeof accessToken !== 'string') {
+      return;
+    }
+
+    logger.debug('accessToken is', accessToken);
+
     if (scopes == null || scopes.length === 0) {
       logger.warn('scopes is empty');
       return next();
     }
 
-    await parserForAccessToken(scopes)(req, res);
+    await parserForAccessToken(accessToken, scopes)(req, res);
 
     if (opts?.acceptLegacy) {
-      await parserForApiToken(req, res);
+      await parserForApiToken(accessToken)(req, res);
     }
 
     return next();