The API server now respects the Bearer token scheme

backend/apis/nodejs/src/routes/job_offer_routes.js

@@ -100,8 +100,8 @@ async function findByOrganizationId(req, res) {
 
 const routes = express.Router();
 routes.get('/:id/joboffers', findByOrganizationId);
-routes.post('/:id/joboffers', jwtUtils.verifyToken, insert);
+routes.post('/:id/joboffers', jwtUtils.extractToken, insert);
-routes.delete('/joboffers/:jobOfferId', jwtUtils.verifyToken, remove);
+routes.delete('/joboffers/:jobOfferId', jwtUtils.extractToken, remove);
 
 module.exports = {
     routes

backend/apis/nodejs/src/routes/organization_admin_routes.js

@@ -78,8 +78,8 @@ async function removeOrganizationAdmin(req, res) {
 }
 
 const routes = express.Router();
-routes.post('/:organizationId/admins', jwtUtils.verifyToken, organizationAdminValidator.addOrganizationAdminValidator, addOrganizationAdmin);
+routes.post('/:organizationId/admins', jwtUtils.extractToken, organizationAdminValidator.addOrganizationAdminValidator, addOrganizationAdmin);
-routes.delete('/:organizationId/admins/me', jwtUtils.verifyToken, organizationAdminValidator.removeOrganizationAdminValidator, removeOrganizationAdmin);
+routes.delete('/:organizationId/admins/me', jwtUtils.extractToken, organizationAdminValidator.removeOrganizationAdminValidator, removeOrganizationAdmin);
 
 module.exports = {
   routes

backend/apis/nodejs/src/routes/organization_post_routes.js

@@ -95,8 +95,8 @@ async function deleteOrganizationPost(req, res) {
 }
 
 const routes = express.Router();
-routes.post('/:idOrganization/posts', jwtUtils.verifyToken, createOrganizationPost);
+routes.post('/:idOrganization/posts', jwtUtils.extractToken, createOrganizationPost);
-routes.delete('/posts/:id', jwtUtils.verifyToken, deleteOrganizationPost);
+routes.delete('/posts/:id', jwtUtils.extractToken, deleteOrganizationPost);
 
 // Exporting a function
 // means making a JavaScript function defined in one

backend/apis/nodejs/src/routes/organization_routes.js

@@ -181,15 +181,15 @@ async function filter(req, res) {
   }
 }
 
-// Here we can not use the jwtUtils.verifyToken as the Router's middleware directly, as the latter
+// Here we can not use the jwtUtils.extractToken as the Router's middleware directly, as the latter
 // will be mounted under /organizations, but there are other resources under /organizations
 // that do not require the authorization, e.g. job offers
 const routes = express.Router();
 routes.get('/:id', organizationValidator.deleteOrGetOrganizationValidator, getOrganization);
 routes.post('/filter', organizationValidator.filterValidator, filter);
-routes.post('/', jwtUtils.verifyToken, organizationValidator.createOrganizationValidator, createOrganization);
+routes.post('/', jwtUtils.extractToken, organizationValidator.createOrganizationValidator, createOrganization);
-routes.patch('/:id', jwtUtils.verifyToken, organizationValidator.updateOrganizationValidator, updateOrganization);
+routes.patch('/:id', jwtUtils.extractToken, organizationValidator.updateOrganizationValidator, updateOrganization);
-routes.delete('/:id', jwtUtils.verifyToken, organizationValidator.deleteOrGetOrganizationValidator, deleteOrganization);
+routes.delete('/:id', jwtUtils.extractToken, organizationValidator.deleteOrGetOrganizationValidator, deleteOrganization);
 
 module.exports = {
   routes

backend/apis/nodejs/src/routes/person_routes.js

@@ -329,7 +329,7 @@ publicRoutes.get('/:id/details', getPerson);
 publicRoutes.post('/me/activation', personValidator.confirmActivationValidator, confirmActivation);
 
 const protectedRoutes = express.Router(); // Routes requiring token
-protectedRoutes.use(jwtUtils.verifyToken);
+protectedRoutes.use(jwtUtils.extractToken);
 protectedRoutes.get('/me', getMyself);
 protectedRoutes.patch('/me', personValidator.updatePersonValidator, updatePerson);
 protectedRoutes.delete('/me', deletePerson);

backend/apis/nodejs/src/utils/jwt_utils.js

@@ -25,31 +25,40 @@ function generateToken(person_id) {
   return token;
 }
 
-// Middlware
+/**
-function verifyToken(req, res, next) {
+ * Verifies the validity of the token. If it is valid,
-  const token = req.headers.authorization;
+ * sets the req.jwt property to the decoded object
+ * contained within the jwt
+ */
+function extractToken(req, res, next) {
 
-  if (!token) {
+  const authHeader = req.headers.authorization;
+
+  // Obtain the token using the Bearer scheme
+  // The Bearer token, contained in the header, has the following
+  // structure: "Bearer <jwt>"
+  if (authHeader && authHeader.startsWith('Bearer ')) {
+    const token = authHeader.substring(7);
+    try {
+      const decoded = jwt.verify(token, process.env.JWT_SECRET_KEY);
+      // If the token is valid, store the decoded data in the request object
+      // req.jwt will contain the payload created in generateToken
+      req.jwt = decoded;
+      next();
+    } catch (error) {
+      return res.status(401).send({
+        error: 'Failed to authenticate token'
+      });
+    }
+  } else {
     return res.status(401).send({
       error: 'No token provided'
     });
   }
 
-  jwt.verify(token, process.env.JWT_SECRET_KEY, (err, decoded) => {
-    if (err) {
-      return res.status(401).send({
-        error: 'Failed to authenticate token'
-      });
-    }
-
-    // If the token is valid, store the decoded data in the request object
-    // req.jwt will contain the payload created in generateToken
-    req.jwt = decoded;
-    next();
-  });
 }
 
 module.exports = {
   generateToken,
-  verifyToken
+  extractToken
 };