From 070520f6f9047fceec26ef218ef07496a7a868e6 Mon Sep 17 00:00:00 2001
From: Andrew Smith
Date: Thu, 29 Aug 2019 11:29:17 +0100
Subject: [PATCH] feature #12: API protected with Bearer token auth

---
 src/tools/apiServer.js | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/tools/apiServer.js b/src/tools/apiServer.js
index e93bcad..b0dd7c6 100755
--- a/src/tools/apiServer.js
+++ b/src/tools/apiServer.js
@@ -37,7 +37,7 @@ server.post("/users/", function(req, res, next) {
 }
 });
-server.post("/users/authenticate", function(req, res, next) {
+server.post("/auth/login", function(req, res, next) {
 const { userName, password } = req.body;
 if (isAuthenticated(userName, password) === false) {
 const status = 401;
@@ -51,6 +51,26 @@ server.post("/users/authenticate", function(req, res, next) {
 router.db._.id = "_id";
+server.use(/^(?!\/auth).*$/, (req, res, next) => {
+ if (
+ req.headers.authorization === undefined ||
+ req.headers.authorization.split(" ")[0] !== "Bearer"
+ ) {
+ const status = 401;
+ const message = "Bad authorization header";
+ res.status(status).json({ status, message });
+ return;
+ }
+ try {
+ verifyToken(req.headers.authorization.split(" ")[1]);
+ next();
+ } catch (err) {
+ const status = 401;
+ const message = "Error: access_token is not valid";
+ res.status(status).json({ status, message });
+ }
+});
+
 server.use("/api", router);
 const port = 3001;
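Review bot: The exemption in the new `server.use` regex is a prefix match, so any path that begins with `/auth` (`/authors`, `/auth-reset`, …) skips the Bearer check, not just `/auth/login`; within this hunk the only handler registered after the middleware is the `/api` router, so nothing appears exposed yet, but `/^(?!\/auth(?:\/|$)).*$/` (or an explicit allow-list of public paths) would stop the exemption from silently covering future routes. The value returned by `verifyToken` is discarded, so handlers behind the `/api` router cannot tell which principal made the request — if `verifyToken` returns the decoded claims, `req.user = verifyToken(...)` would make per-user authorization possible downstream. The scheme comparison is case-sensitive (`bearer <token>` is rejected although RFC 7235 treats auth-schemes case-insensitively), and a bare `Bearer` header passes `undefined` to `verifyToken`, relying on it to throw; `const [scheme, token] = req.headers.authorization.split(" ");` followed by an explicit reject when `token` is missing would make both cases deliberate. `verifyToken` is defined outside this diff, so its behaviour on a missing or malformed token is assumed here, not verified.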