feat: validate token locally using jwt secret

Author: JDIZM

.env.example

@@ -16,3 +16,4 @@ POSTGRES_DB=postgres
 ###
 SUPABASE_URL=https://example.supabase.co
 SUPABASE_PK=example-key
+SUPABASE_AUTH_JWT_SECRET=abcdefghijklmnopqrstuvwxzyz1234567890

package.json

@@ -28,6 +28,7 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.6",
     "@typescript-eslint/eslint-plugin": "^7.11.0",
     "@typescript-eslint/parser": "^7.11.0",
     "@vitest/coverage-v8": "^2.0.0",
@@ -68,6 +69,7 @@
     "drizzle-zod": "^0.5.1",
     "express": "^4.19.2",
     "helmet": "^7.1.0",
+    "jsonwebtoken": "^9.0.2",
     "pg": "^8.11.5",
     "pino": "^9.1.0",
     "pino-http": "^10.1.0"

src/config.ts

@@ -9,7 +9,6 @@ export const ENV = process.env.NODE_ENV ?? "development";
 
 export const getStage = (env: string): Stage => {
   if (!stages.includes(env as Stage)) {
-    logger.error(`Invalid environment: ${ENV}`);
     throw new Error(`Invalid environment: ${ENV}`);
   }
   return env as Stage;
@@ -32,5 +31,6 @@ export const config = {
   db_password: process.env.POSTGRES_PASSWORD || "postgres",
   db_name: process.env.POSTGRES_DB || "test",
   supabaseUrl: process.env.SUPABASE_URL || "https://example.supabase.co",
-  supabaseKey: process.env.SUPABASE_PK || "example-key"
+  supabaseKey: process.env.SUPABASE_PK || "example-key",
+  jwtSecret: process.env.SUPABASE_AUTH_JWT_SECRET || "super-secret-key-that-should-be-replaced"
 };

src/handlers/auth/auth.methods.ts

@@ -0,0 +1,12 @@
+import jwt from "jsonwebtoken";
+import { config } from "../../config.ts";
+import { logger } from "@/helpers/index.ts";
+
+export const verifyToken = async (token: string) => {
+  try {
+    return jwt.verify(token, config.jwtSecret) as { sub: string };
+  } catch (err) {
+    logger.error("Token validation failed:", err);
+    return null;
+  }
+};

src/handlers/profiles/profiles.handlers.ts

@@ -18,7 +18,7 @@ export async function getProfiles(req: Request, res: Response) {
 
     const result = await getProfilesByAccountId(id);
 
-    const response = gatewayResponse().success(200, result, "Fetched profiles for account");
+    const response = gatewayResponse().success(200, result, `Fetched profiles for account: ${id}`);
 
     return res.status(response.code).send(response);
   } catch (err) {

src/middleware/isAuthenticated.ts

@@ -1,8 +1,8 @@
 import { logger, gatewayResponse, permissions } from "@/helpers/index.ts";
-import { supabase } from "@/services/supabase.ts";
 import type { Route } from "@/helpers/index.ts";
 import type { NextFunction, Request, Response } from "express";
 import type { Method } from "@/helpers/permissions/permissions.ts";
+import { verifyToken } from "@/handlers/auth/auth.methods.ts";
 
 const getIpFromRequest = (req: Request): string | undefined => {
   const ips =
@@ -18,6 +18,7 @@ export const isAuthenticated = async (req: Request, res: Response, next: NextFun
   const token = authHeader && authHeader.split(" ")[1];
 
   const routeKey = (req.baseUrl + req.route.path) as Route;
+
   const routeMethod = req.method as Method;
 
   const resourcePermissions = permissions.permissions.get(routeKey);
@@ -33,34 +34,26 @@ export const isAuthenticated = async (req: Request, res: Response, next: NextFun
     return next();
   }
 
-  if (!token && requiresAuth) {
+  if (!token) {
     logger.error({ msg: "isAuthenticated: A token is required for authentication", routeKey, routeMethod });
 
     return res.status(403).send("A token is required for authentication");
   }
 
   try {
-    // Verify token using your auth service.
+    const verifiedToken = await verifyToken(token);
+    console.log("verifiedToken", verifiedToken);
 
-    // TODO use a local db user and bypass token verification.
-    const user = { id: "dd715937-ad7c-4a18-8214-0bd4d3c062a4" };
-    // <-- Comment out the following block to use a local db user and bypass supabase
-    // const {
-    //   data: { user },
-    //   error
-    // } = await supabase.auth.getUser(token);
+    if (!verifiedToken) {
+      throw new Error("Invalid token");
+    }
 
-    // if (error || !user) {
-    //   throw new Error(error?.message, {
-    //     cause: error
-    //   });
-    // }
-    // End comment -->
+    const { sub } = verifiedToken;
 
-    logger.debug({ msg: `Verified user token for id: ${user.id}` });
+    logger.debug({ msg: `Verified user token for id: ${sub}` });
 
     // Attach user to res.locals and verify permissions in isAuthorized middleware
-    res.locals = { id: user.id, sub: user.id };
+    res.locals = { id: sub, sub };
 
     return next();
   } catch (err) {