
mozilla / blurts-server / #12332

pending completion
#12332

push

circleci

web-flow
Merge pull request #2839 from mozilla/fix-require-admin-json-parse

MNTOR-1198: admin middleware json parse fix

282 of 1371 branches covered (20.57%)

Branch coverage included in aggregate %.

6 of 6 new or added lines in 1 file covered. (100.0%)

959 of 3720 relevant lines covered (25.78%)

2.09 hits per line

Source File

/src/middleware/auth.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import AppConstants from '../app-constants.js'
import { getSubscriberById, updateFxAProfileData } from '../db/tables/subscribers.js'
import * as FXA from '../utils/fxa.js'
import { UnauthorizedError } from '../utils/error.js'

/**
 * Resolve the subscriber record behind the current session, if any.
 *
 * Only the id stored in `req.session.user` is used; the full subscriber row
 * is re-read from the database on every call instead of trusting whatever
 * the session payload happens to contain.
 *
 * @param {object} req - Express request; only `req.session.user` is read.
 * @param {object} [res] - unused, kept for the middleware-style signature.
 * @param {Function} [next] - unused, kept for the middleware-style signature.
 * @returns {Promise<object|null>} the subscriber row, or null when no session
 *   user is present.
 */
async function getRequestSessionUser (req, res, next) {
  const sessionUser = req.session?.user
  if (!sessionUser) {
    return null
  }
  // Refresh from the database so callers see the full subscriber record
  // (subscribers / email_addresses properties), not the cached session copy.
  return getSubscriberById(sessionUser.id)
}

/**
 * Express middleware: require a logged-in Firefox Account user.
 *
 * Flow:
 *  - no session user        -> redirect to /oauth/init, query string preserved
 *  - profile fetch failed   -> drop the session user and redirect to /
 *  - otherwise              -> persist the fresh profile data, expose the
 *                              subscriber as req.user / req.session.user, next()
 *
 * NOTE(review): a rejection from FXA.getProfileData or updateFxAProfileData
 * propagates out of this async function rather than reaching next(err);
 * confirm the router wraps async middleware.
 *
 * @param {object} req - Express request; reads req.session and req.query.
 * @param {object} res - Express response; used for the redirects.
 * @param {Function} next - Express continuation.
 */
async function requireSessionUser (req, res, next) {
  const user = await getRequestSessionUser(req)
  if (!user) {
    // Not logged in: send the visitor through OAuth, carrying the query along.
    const search = new URLSearchParams(req.query).toString()
    return res.redirect(`/oauth/init?${search}`)
  }

  const fxaProfileData = await FXA.getProfileData(user.fxa_access_token)
  // A failed lookup is signalled by an error-like object whose name is
  // 'HTTPError' rather than by a thrown exception.
  const lookupFailed = Object.prototype.hasOwnProperty.call(fxaProfileData, 'name') &&
    fxaProfileData.name === 'HTTPError'
  if (lookupFailed) {
    // The session can no longer be backed by a working FxA token: forget it.
    delete req.session.user
    return res.redirect('/')
  }

  await updateFxAProfileData(user, fxaProfileData)
  req.session.user = user
  req.user = user
  next()
}

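/**
 * Express middleware: require a logged-in Firefox Account user whose profile
 * email appears in the comma-separated AppConstants.ADMINS list.
 *
 * Flow:
 *  - no session user        -> redirect to /oauth/init, query string preserved
 *  - profile fetch failed   -> drop the session user and redirect to /
 *  - email not in ADMINS    -> next(UnauthorizedError) and stop
 *  - admin                  -> persist the fresh profile data, expose the
 *                              subscriber as req.user / req.session.user, next()
 *
 * On the success path fxaProfileData is a JSON string (it is JSON.parse'd
 * below); JSON.parse throws on a malformed payload, and that rejection is not
 * routed to next(err) here.
 *
 * @param {object} req - Express request; reads req.session and req.query.
 * @param {object} res - Express response; used for the redirects.
 * @param {Function} next - Express continuation.
 */
async function requireAdminUser (req, res, next) {
  const user = await getRequestSessionUser(req)
  if (!user) {
    // Not logged in: send the visitor through OAuth, carrying the query along.
    const queryParams = new URLSearchParams(req.query).toString()
    return res.redirect(`/oauth/init?${queryParams}`)
  }

  const fxaProfileData = await FXA.getProfileData(user.fxa_access_token)
  // A failed lookup is signalled by an error-like object whose name is
  // 'HTTPError' rather than by a thrown exception.
  if (Object.prototype.hasOwnProperty.call(fxaProfileData, 'name') && fxaProfileData.name === 'HTTPError') {
    delete req.session.user
    return res.redirect('/')
  }

  const admins = AppConstants.ADMINS?.split(',') || []
  const isAdmin = admins.includes(JSON.parse(fxaProfileData).email)
  if (!isAdmin) {
    // Return here: without it the non-admin user would still get
    // req.session.user / req.user populated below and next() would be
    // invoked a second time after next(err).
    return next(new UnauthorizedError('User is not an admin'))
  }

  await updateFxAProfileData(user, fxaProfileData)
  req.session.user = user
  req.user = user
  next()
}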
57

58
// Only the two middleware functions are public; getRequestSessionUser stays
// module-private.
export { requireSessionUser, requireAdminUser }