weseek__growi/apps/app/src/server/middlewares/access-token-parser/api-token.ts

import type { IUser, IUserHasId } from '@growi/core/dist/interfaces';
import type { AccessTokenParserReq } from '@growi/core/dist/interfaces/server';
import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
import type { Response } from 'express';
import type { HydratedDocument } from 'mongoose';
import mongoose from 'mongoose';

import loggerFactory from '~/utils/logger';

import { extractBearerToken } from './extract-bearer-token';

const logger = loggerFactory('growi:middleware:access-token-parser:api-token');

export const parserForApiToken = async (
  req: AccessTokenParserReq,
  res: Response,
): Promise<void> => {
  // Extract token from Authorization header first
  // It is more efficient to call it only once in "AccessTokenParser," which is the caller of the method
  const bearerToken = extractBearerToken(req.headers.authorization);

  // Try all possible token sources in order of priority
  const accessToken =
    bearerToken ?? req.query.access_token ?? req.body.access_token;

  if (accessToken == null || typeof accessToken !== 'string') {
    return;
  }

  logger.debug(
    { accessToken: `${accessToken.slice(0, 4)}...${accessToken.slice(-4)}` },
    'accessToken is',
  );

  const User = mongoose.model<HydratedDocument<IUser>, { findUserByApiToken }>(
    'User',
  );
  const userByApiToken: IUserHasId = await User.findUserByApiToken(accessToken);

  if (userByApiToken == null) {
    return;
  }

  req.user = serializeUserSecurely(userByApiToken);
  if (req.user == null) {
    return;
  }

  logger.debug('Access token parsed.');
  return;
};