weseek__growi/apps/app/src/server/middlewares/access-token-parser/api-token.ts

import type { IUser, IUserHasId } from '@growi/core/dist/interfaces';
import { serializeUserSecurely } from '@growi/core/dist/models/serializers';
import type { NextFunction, Response } from 'express';
import type { HydratedDocument } from 'mongoose';
import mongoose from 'mongoose';

import loggerFactory from '~/utils/logger';

import type { AccessTokenParserReq } from './interfaces';

const logger = loggerFactory('growi:middleware:access-token-parser:api-token');

const extractBearerToken = (authHeader: string | undefined): string | null => {
  if (authHeader == null) {
    return null;
  }

  if (!authHeader.startsWith('Bearer ')) {
    return null;
  }

  return authHeader.substring(7); // Remove 'Bearer ' prefix
};


export const parserForApiToken = async(req: AccessTokenParserReq, res: Response): Promise<void> => {
  // Extract token from Authorization header first
  const bearerToken = extractBearerToken(req.headers.authorization);

  // Try all possible token sources in order of priority
  const accessToken = bearerToken ?? req.query.access_token ?? req.body.access_token;

  if (accessToken == null || typeof accessToken !== 'string') {
    return;
  }

  logger.debug('accessToken is', accessToken);

  const User = mongoose.model<HydratedDocument<IUser>, { findUserByApiToken }>('User');
  const userByApiToken: IUserHasId = await User.findUserByApiToken(accessToken);

  if (userByApiToken == null) {
    return;
  }

  req.user = serializeUserSecurely(userByApiToken);
  if (req.user == null) {
    return;
  }

  logger.debug('Access token parsed.');
  return;
};