Hey guys, I have two middleware functions that are exactly the same right now (they work to protect routes if the req.headers have a token). So I can add the middleware function to protect routes for users, however I want to have one admin user that has protected routes. The route that I want protected for the admin is a list of the users, their ID’s, and ability to delete them. Just currently, all users can delete any other user, but here is the code. What is the best practice to check if it has a token header and check if the user is the admin?
// Middle ware for user protected routes
export const isAuth: MiddlewareFn<MyContext> = ({ context }, next) => {
const authorization = context.req.headers['authorization'];
if (!authorization) {
throw new Error('not authenticated');
}
try {
const token = authorization.split(' ')[1];
const payload = verify(token, process.env.ACCESS_TOKEN_SECRET!);
context.payload = payload as any;
} catch (err) {
console.log(err);
throw new Error('not authenticated');
}
return next();
};
// Middle ware for admin protected routes
export const isAdmin: MiddlewareFn<MyContext> = ({ context }, next) => {
const authorization = context.req.headers['authorization'];
console.log('isAdmin', context);
if (!authorization) {
throw new Error('not authenticated');
}
try {
const token = authorization.split(' ')[1];
const payload = verify(token, process.env.ACCESS_TOKEN_SECRET!);
context.payload = payload as any;
} catch (err) {
console.log(err);
throw new Error('not authenticated');
}
return next();
};
EDIT: I thought about checking the ID & the token, but not sure if that is the most foolproof way?