(function() {
// Module-level collaborators: the exported middleware namespace, the
// FeedHenry mBaaS API (used here for `$fh.session`), the Q promise
// library and the project logger.
var Auth = {};
var $fh = require('fh-mbaas-api');
var Q = require('q');
// NOTE(review): this is an absolute path, resolved from the filesystem
// root rather than relative to this file — confirm it is intended.
var Logger = require('/util/logger').getLogger();
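/**
 * Express middleware: requires a valid `X-FH-Session-Token` header.
 *
 * The token is looked up via `_getUserDetails`; on success the session
 * object is attached as `res.user` and the chain continues. A missing
 * header answers 403. A failed lookup answers 500 when the rejection
 * carries `code: 500` (Redis failure) and 403 otherwise, echoing the
 * rejection object as the body so the app can inspect its `code`.
 *
 * @param {object} req - Express request (reads `header()`).
 * @param {object} res - Express response (writes `user`, calls `send()`).
 * @param {function} next - Continuation for the next handler.
 */
Auth.authenticated = function(req, res, next) {
  Logger.log("debug", "Authenticating Request");
  // Check for the `X-FH-Session-Token` -if it's not there, it's an unauthorised attempt
  var sessionToken = req.header('X-FH-Session-Token');
  if (!sessionToken) {
    Logger.log("debug", "No Session Token Present");
    return res.send(403, {
      body: "Error Getting Correct Headers"
    });
  }

  var onSession = function(userObj) {
    // NOTE(review): this logs the whole session object at debug level;
    // if sessions carry user data, consider logging an identifier only.
    Logger.log("debug", "Session Verified", userObj);
    res.user = userObj;
    next();
  };

  var onLookupError = function(err) {
    Logger.log("debug", "Error finding session", err);
    var errCode = err.code === 500 ? 500 : 403;
    return res.send(errCode, {
      body: err
    });
  };

  // We have an `X-FH-Session-Token` header, so see if it's in `$fh.session`.
  // The rejection handler is passed as the second argument so that it only
  // covers the lookup itself: with `.then(...).fail(...)` an exception thrown
  // from the success handler (including anything `next()` lets escape) also
  // landed in `.fail`, was reported to the client as a 403 with the raw error
  // as the body, and attempted a second response on a request that may
  // already have been answered. `.done()` terminates the chain so such an
  // exception is surfaced instead of being swallowed by Q.
  _getUserDetails(sessionToken).then(onSession, onLookupError).done();
};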
/**
 * 'Belt and braces' middleware: when an `X-FH-Session-Token` header is
 * present it must contain a run of 32 hex characters, otherwise the
 * request is rejected with 403. A request without the header passes
 * straight through — this does not authenticate anything on its own.
 *
 * NOTE(review): the pattern is unanchored, so any token *containing*
 * 32 hex characters passes; if tokens are exactly 32 hex digits an
 * anchored pattern would be stricter — confirm the token format first.
 * `encodeURI` is kept as in the original; note it throws `URIError`
 * on malformed UTF-16 input.
 */
Auth.verifyHash = function(req, res, next) {
  Logger.log("debug", "Verify Hash");
  var sessionToken = req.header('X-FH-Session-Token');
  // No header at all: nothing to verify, let the request through.
  if (!sessionToken) {
    return next();
  }
  var looksLikeHash = /[a-fA-F0-9]{32}/.test(encodeURI(sessionToken));
  if (!looksLikeHash) {
    return res.send(403, {
      body: "Session token invalid format."
    });
  }
  return next();
};
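/**
 * Look up a session token in `$fh.session` and resolve with the parsed
 * session object, with `objectId` set to the token.
 *
 * Rejections carry `{ code, error }`:
 *   - `code: 500` when `$fh.session.get` reports an error (Redis), or the
 *     stored session is not a valid JSON object;
 *   - `code: 102` when no session exists (expired or unknown token) — a
 *     value the app can use to tell this case apart.
 *
 * @param {string} sessionToken - Value of the `X-FH-Session-Token` header.
 * @returns {Q.Promise<object>} The session object for the next handler.
 */
var _getUserDetails = function(sessionToken) {
  var deferred = Q.defer();
  // NOTE(review): this writes the bearer token itself to the debug log,
  // i.e. a live credential ends up wherever debug output is stored.
  Logger.log("debug", "Session Token is", sessionToken);
  $fh.session.get(sessionToken, function(err, session) {
    // if `err` isn't undefined there's a *major* issue with redis
    if (err) {
      // Return here: previously execution fell through to the `!session`
      // branch and attempted a second rejection.
      return deferred.reject({
        code: 500,
        error: "Redis Error"
      });
    }
    // if no `session` either session has timed out or `sessionToken` is invalid
    // `code: 102` can be used for debugging in the app, as it will be specific to
    // this error
    if (!session) {
      return deferred.reject({
        code: 102,
        error: "Error Retriving User Details"
      });
    }
    // we have session data, so lets return that for the next route parser.
    // `JSON.parse` throws on a corrupt payload; inside this callback that
    // was an uncaught exception rather than a rejection, so catch it and
    // report it as a server-side problem. A parsed primitive or `null`
    // cannot carry `objectId`, so it is treated the same way.
    var userObj;
    try {
      userObj = JSON.parse(session);
    } catch (parseErr) {
      userObj = null;
    }
    if (userObj === null || typeof userObj !== 'object') {
      return deferred.reject({
        code: 500,
        error: "Invalid Session Data"
      });
    }
    userObj.objectId = sessionToken;
    deferred.resolve(userObj);
  });
  return deferred.promise;
};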
// Expose the middleware namespace (`authenticated`, `verifyHash`).
module.exports = Auth;
})();