From 480655a0eea2c29da486d1e1f6fe648014005b8a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Mon, 9 Dec 2024 15:34:30 -0500
Subject: [PATCH] refactor(server/middleware): update current user middleware

- check for titlecased version of auth header
- check for token's `sub` field as well as `id`
- ensure we don't select sensitive info when querying the user
- don't throw if there's no user logged in for that request
---
 server/middleware/05.currentUser.ts | 36 ++++++++++++++--------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/server/middleware/05.currentUser.ts b/server/middleware/05.currentUser.ts
index 0e2e220..88d81ff 100644
--- a/server/middleware/05.currentUser.ts
+++ b/server/middleware/05.currentUser.ts
@@ -1,26 +1,26 @@
 import jwt from "jsonwebtoken";
-import { log } from "@server/logger";
-import { messages } from "@server/constants";
-import { User } from "@models/user";
-import { AccessToken } from "@models/oauth";
-import { IJwt } from "@server/types/authstuff";
+import { IUser, User } from "@models/user";
 
 export default defineEventHandler(async (event) => {
- let ahead = (getHeaders(event).authorization || "")?.replace("Bearer ", "");
+ let ahead = (getHeaders(event).authorization || getHeaders(event).Authorization || getCookie(event, "rockfic_cookie"))?.replace("Bearer ", "");
 if (ahead) {
- let toktok: jwt.JwtPayload;
+ let toktok: any;
+ let user: IUser | null = null;
 try {
- toktok = jwt.verify(ahead, useRuntimeConfig().jwt) as IJwt;
- let user = await User.findById(toktok.id as number).exec();
- if (user && toktok) event.context.currentUser = user;
- } catch (e) {
- const t = await AccessToken.findOne({ token: ahead });
- if (!t)
- throw createError({
- statusCode: 401,
- message: messages[401],
- });
- let user = await User.findById(t.userID);
+ toktok = jwt.verify(ahead, useRuntimeConfig().jwt);
+ console.log(toktok);
+ if (toktok?.sub) {
+ user = await User.findById(toktok.sub as number)
+ .select("-password -auth -ipLog")
+ .exec();
+ } else if (toktok.id) {
+ user = await User.findById(toktok.id as number)
+ .select("-password -auth -ipLog")
+ .exec();
+ }
+ } catch (E) {
+ console.error(E);
+ } finally {
 if (user) event.context.currentUser = user;
 }
 }
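Review bot: The new `console.log(toktok);` line writes every decoded JWT payload (subject id and whatever other claims the token carries) to stdout on every authenticated request, so it ends up in shared logs; drop it, or route it at debug level through the `log` import from "@server/logger" that this commit removes. The `getHeaders(event).Authorization` fallback appears to be dead code: Node lowercases incoming header names, so h3's getHeaders never exposes a title-cased key and the existing `authorization` lookup already covers it. `let toktok: any` discards the `string | jwt.JwtPayload` type that jwt.verify returns and makes the `toktok?.sub` / `toktok.id` pair inconsistent (verify never returns null); `let toktok: string | jwt.JwtPayload;` with `if (typeof toktok === "object" && toktok.sub)` keeps the checker on and narrows the `.id` branch the same way. Reading the token from `rockfic_cookie` makes authentication ambient on every request, so state-changing handlers downstream need a CSRF defence (SameSite on that cookie or a per-request token) that this hunk cannot show. Removing the `AccessToken` fallback also means non-JWT opaque tokens now fall through as anonymous instead of 401, which the commit message does not mention and is worth confirming for those clients; the handler's closing `});` lies outside the hunk.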