events/ PUT requires `user` details for authentication

[daisycrego]

Within the api-event.js (frontend wrappers around fetch calls to the express server endpoints), we have an update function which we will use to update the event status:

const update = async (params, credentials, event) => {
  console.log(`api-event: update()`);
  console.log(`params:`);
  console.log(params);
  console.log(`credentials:`);
  console.log(credentials);
  console.log(`event:`);
  console.log(event);
  try {
    // add userId as a parameter or somehow access userId from the route!
    let response = await fetch(`/api/events/${params.eventId}`, {
      method: "PUT",
      headers: {
        Accept: "application/json",
        "Content-Type": "application/json",
        Authorization: "Bearer " + credentials.t,
      },
      body: JSON.stringify(event),
    });
    return await response.json();
  } catch (err) {
    console.log(err);
  }
};

• Currently, this PUT operation is failing with the error that the user is not authorized to perform this action. The reason why we aren't identifying the user as logged in is because what's happening in the background:
• We define the event routes in event.routes.js:

  
  router
  .route("/api/events/:eventId/:userId")
  .get(authCtrl.requireSignin, eventCtrl.read)
  .put(authCtrl.requireSignin, authCtrl.hasAuthorization, eventCtrl.update)
  .delete(authCtrl.requireSignin, authCtrl.hasAuthorization, eventCtrl.remove);

router.param("eventId", eventCtrl.eventById);

- Every route should have `req.event` set because we actually set `req.event` in the call to `eventCtrl.eventById` that happens when the route is run:
```js
/**
 * Load event and append to req.
 */
const eventById = async (req, res, next, id) => {
  try {
    let event = await Event.findById(id);
    if (!event)
      return res.status("400").json({
        error: "event not found",
      });
    req.event = event;
    next();
  } catch (err) {
    return res.status("400").json({
      error: "Could not retrieve event",
    });
  }
};

• When we define the auth routes, including the PUT route, we protect the routes by running the authCtrl.hasAuthorization middleware when we are loading the routes. The middleware will prevent the update and remove routes from ever being reached unless the middleware passes.
• Here is the authCtrl.hasAuthorization middleware:

  const hasAuthorization = (req, res, next) => {
  const authorized = req.profile && req.auth && req.profile._id == req.auth._id;
  if (!authorized) {
  return res.status("403").json({
    error: "User is not authorized",
  });
  }
  next();
  };

• Looking at some console logs, we find that when hasAuthorization is called, req.auth is defined, but req.profile is not defined. When is req.profile supposed to be set in the first place?
• req.profile is set in the userById middleware:

  /**
  * Load user and append to req.
  */
  const userByID = async (req, res, next, id) => {
  console.log(`userByID is attach user to req.profile`);
  try {
  let user = await User.findById(id);
  if (!user)
    return res.status("400").json({
      error: "User not found",
    });
  req.profile = user;
  console.log(req.profile);
  next();
  } catch (err) {
  return res.status("400").json({
    error: "Could not retrieve user",
  });
  }
  };

• Notably, the userById middleware is currently only being used to protect/wrap/prepare the user routes, not the event routes. None of the event routes take a userId param.

  Solutions

• Add a userId parameter to the /events route so that the incoming requests will have req.profile set correctly.
• Set req.profile somewhere else based on the bearer token (e.g. the user shouldn't have to pass their ID in the route, we should be able to infer the ID from the cookies/token if present).

[daisycrego]

Solution

• This works for now, although it doesn't really achieve separation of concerns:

  /**
  * Load event and append to req.
  */
  const eventById = async (req, res, next, id) => {
  try {
  const userId = jwt.verify(
    req.headers.authorization.split(" ")[1],
    config.jwtSecret
  );
  let user = await User.findById(userId);
  req.profile = user;
  } catch (err) {
  console.log(err);
  return res.status("400").json({
    error: "Could not retrieve user",
  });
  }
  try {
  let event = await Event.findById(id);
  if (!event)
    return res.status("400").json({
      error: "event not found",
    });
  req.event = event;
  next();
  } catch (err) {
  return res.status("400").json({
    error: "Could not retrieve event",
  });
  }
  };

[daisycrego]

req.profile was previously only being set if a route has userId as a parameter. Now, we're also defining req.profile for event routes as well, specifically the update route so far. This code isn't exactly in the right place right now... but it will work for all the events routes, so let's keep moving forward.