CenterForDigitalHumanities / TPEN-services

Services required by TPEN interfaces in order to interact with data

Implement Auth in Routes #96

Closed thehabes closed 4 months ago

thehabes commented 4 months ago

Determine a way to use the auth middleware to validate the Bearer (User) tokens passed into the routes. If a route does CRUD, it will need to Authorize the token first before continuing into the route logic. If the route determines that the token is not Authorized, the route should return a 401.

cubap commented 4 months ago

Design Policy

The auth0Middleware() is intended to be used inside the router as close to the required action as possible. Discussing how auth and permissions are included in Interfaces is out of scope here.

Express Docs talk about middleware routers and you are already using them in all your router.get('/',arrowFunc) patterns. With the .use() patterns, you just have a series of arguments (or a single array) that is the order of middleware to use, so just put the auth0Middleware() at the beginning, or consider if it is faster to validate the basic request before bothering. Every function after the auth0Middleware() will have req.user available to them.

Testing should not test auth. Testing should not test auth. Just mock auth0Middleware() and include a req.user that is admin or public or whatever is needed to run your test. Do not rely on copied tokens that need to be validated remotely and updated when they expire.
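The pattern described in this thread, as an added example that is not code from TPEN-services or from either commenter: a Bearer-token middleware in the Express `(req, res, next)` shape that returns 401 and otherwise attaches `req.user`, a cheap body check placed ahead of it so malformed requests are rejected before any token validation, the route composed as an array of middleware, and a mocked auth middleware that injects `req.user` for tests. Express itself is not imported; `runChain` and `makeRes` are small stand-ins for its middleware chain and response object so the file runs offline. The internals of `auth0Middleware`, the injected `verifyToken`, `requireJsonBody`, `createProject`, `mockAuth`, and the token table are all assumptions for illustration, not the project's API.

```javascript
// Added example (not TPEN-services code). Express-style middleware, run by a
// minimal stand-in chain so it executes offline with no dependencies.

// Stand-in for Express's res: records status and JSON body.
function makeRes() {
  const res = { statusCode: 200, body: undefined, finished: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; res.finished = true; return res; };
  return res;
}

// Stand-in for Express's chain: each middleware gets (req, res, next); the chain
// stops as soon as one of them responds instead of calling next().
function runChain(middlewares, req) {
  const res = makeRes();
  let i = 0;
  const next = (err) => {
    if (err) { res.status(500).json({ error: String(err) }); return; }
    const fn = middlewares[i++];
    if (fn && !res.finished) fn(req, res, next);
  };
  next();
  return res;
}

// Assumed shape of auth0Middleware(): validate the Bearer token, 401 on failure,
// attach the decoded user on success. `verifyToken` is injected so the demo
// needs no network; the real middleware validates against Auth0 instead.
function authMiddleware(verifyToken) {
  return (req, res, next) => {
    const header = (req.headers && req.headers.authorization) || "";
    const [scheme, token] = header.split(" ");
    if (scheme !== "Bearer" || !token) {
      return res.status(401).json({ error: "Missing Bearer token" });
    }
    const user = verifyToken(token);
    if (!user) return res.status(401).json({ error: "Invalid or expired token" });
    req.user = user; // everything after this point can rely on req.user
    next();
  };
}

// Cheap request validation placed BEFORE auth: a malformed body is rejected
// with 400 without paying for (remote) token validation.
function requireJsonBody(fields) {
  return (req, res, next) => {
    const body = req.body || {};
    const missing = fields.filter((f) => !(f in body));
    if (missing.length) {
      return res.status(400).json({ error: `Missing fields: ${missing.join(", ")}` });
    }
    next();
  };
}

// The CRUD handler itself (hypothetical). It never inspects the token; it only
// reads req.user that the auth middleware populated.
function createProject(req, res) {
  res.status(201).json({ id: "proj-1", owner: req.user.sub, label: req.body.label });
}

// Equivalent of: router.post("/project", requireJsonBody(["label"]), auth, createProject)
function buildCreateProjectRoute(auth) {
  return [requireJsonBody(["label"]), auth, createProject];
}

// Production wiring: a constructed token table stands in for Auth0 verification.
const VALID_TOKENS = { "tok-alice": { sub: "auth0|alice" } }; // constructed sample data
const productionAuth = authMiddleware((t) => VALID_TOKENS[t] || null);

// Test wiring: mock the auth middleware and inject whatever req.user the test
// needs. No copied tokens, nothing validated remotely, nothing to expire.
function mockAuth(user) {
  return (req, _res, next) => { req.user = user; next(); };
}

// Convenience for exercising the route with a given Authorization header/body.
function callCreateProject(auth, authorization, body) {
  const req = { headers: authorization ? { authorization } : {}, body };
  return runChain(buildCreateProjectRoute(auth), req);
}
```

Ordering matters: with `requireJsonBody` first, a request that is both unauthenticated and malformed gets a 400 before any token is looked at; swap the two and the same request costs a token validation first. In a real test file the mock replaces `auth0Middleware` at the import boundary (e.g. via your test runner's module mocking) rather than being passed in as here, but the principle is the same: the route under test sees a `req.user` of your choosing.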