refactor: share oauth jwt middleware verification flow

Author: BillChirico

src/api/middleware/auth.js

@@ -4,8 +4,8 @@
  */
 
 import crypto from 'node:crypto';
-import { error, warn } from '../../logger.js';
-import { verifyJwtToken } from './verifyJwt.js';
+import { warn } from '../../logger.js';
+import { handleOAuthJwt } from './oauthJwt.js';
 
 /**
  * Performs a constant-time comparison of the given secret against BOT_API_SECRET.
@@ -59,22 +59,8 @@ export function requireAuth() {
     }
 
     // Try OAuth2 JWT
-    const authHeader = req.headers.authorization;
-    if (authHeader?.startsWith('Bearer ')) {
-      const token = authHeader.slice(7);
-      const result = verifyJwtToken(token);
-      if (result.error) {
-        if (result.status === 500) {
-          error('SESSION_SECRET not configured — cannot verify OAuth token', {
-            ip: req.ip,
-            path: req.path,
-          });
-        }
-        return res.status(result.status).json({ error: result.error });
-      }
-      req.authMethod = 'oauth';
-      req.user = result.user;
-      return next();
+    if (handleOAuthJwt(req, res, next)) {
+      return;
     }
 
     // Neither auth method provided or valid

src/api/middleware/oauth.js

@@ -3,8 +3,7 @@
  * Verifies JWT tokens from Discord OAuth2 sessions
  */
 
-import { error } from '../../logger.js';
-import { verifyJwtToken } from './verifyJwt.js';
+import { handleOAuthJwt } from './oauthJwt.js';
 
 /**
  * Creates middleware that verifies a JWT Bearer token from the Authorization header.
@@ -14,25 +13,6 @@ import { verifyJwtToken } from './verifyJwt.js';
  */
 export function requireOAuth() {
   return (req, res, next) => {
-    const authHeader = req.headers.authorization;
-
-    if (!authHeader?.startsWith('Bearer ')) {
-      return res.status(401).json({ error: 'No token provided' });
-    }
-
-    const token = authHeader.slice(7);
-    const result = verifyJwtToken(token);
-    if (result.error) {
-      if (result.status === 500) {
-        error('SESSION_SECRET not configured — cannot verify OAuth token', {
-          ip: req.ip,
-          path: req.path,
-        });
-      }
-      return res.status(result.status).json({ error: result.error });
-    }
-    req.authMethod = 'oauth';
-    req.user = result.user;
-    return next();
+    return handleOAuthJwt(req, res, next, { missingTokenError: 'No token provided' });
   };
 }

src/api/middleware/oauthJwt.js

@@ -0,0 +1,56 @@
+/**
+ * Shared OAuth JWT middleware helpers
+ */
+
+import { error } from '../../logger.js';
+import { verifyJwtToken } from './verifyJwt.js';
+
+/**
+ * Extract Bearer token from Authorization header.
+ *
+ * @param {string|undefined} authHeader - Raw Authorization header value
+ * @returns {string|null} JWT token if present, otherwise null
+ */
+export function getBearerToken(authHeader) {
+  if (!authHeader?.startsWith('Bearer ')) {
+    return null;
+  }
+  return authHeader.slice(7);
+}
+
+/**
+ * Authenticate request using OAuth JWT Bearer token.
+ *
+ * @param {import('express').Request} req - Express request
+ * @param {import('express').Response} res - Express response
+ * @param {import('express').NextFunction} next - Express next callback
+ * @param {{ missingTokenError?: string }} [options] - Behavior options
+ * @returns {boolean} True if middleware chain has been handled, false if no Bearer token was provided and no missing-token error was requested
+ */
+export function handleOAuthJwt(req, res, next, options = {}) {
+  const token = getBearerToken(req.headers.authorization);
+  if (!token) {
+    if (options.missingTokenError) {
+      res.status(401).json({ error: options.missingTokenError });
+      return true;
+    }
+    return false;
+  }
+
+  const result = verifyJwtToken(token);
+  if (result.error) {
+    if (result.status === 500) {
+      error('SESSION_SECRET not configured — cannot verify OAuth token', {
+        ip: req.ip,
+        path: req.path,
+      });
+    }
+    res.status(result.status).json({ error: result.error });
+    return true;
+  }
+
+  req.authMethod = 'oauth';
+  req.user = result.user;
+  next();
+  return true;
+}

tests/api/middleware/auth.test.js

@@ -100,6 +100,18 @@ describe('auth middleware', () => {
     expect(next).not.toHaveBeenCalled();
   });
 
+  it('should return Unauthorized when Authorization header is not Bearer and no API secret succeeds', () => {
+    vi.stubEnv('BOT_API_SECRET', '');
+    req.headers.authorization = 'Basic abc123';
+    const middleware = requireAuth();
+
+    middleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Unauthorized' });
+    expect(next).not.toHaveBeenCalled();
+  });
+
   it('should return 401 with specific error when x-api-secret does not match', () => {
     vi.stubEnv('BOT_API_SECRET', 'test-secret');
     req.headers['x-api-secret'] = 'wrong-secret';

tests/api/middleware/oauth.test.js

@@ -52,6 +52,17 @@ describe('requireOAuth middleware', () => {
     expect(res.json).toHaveBeenCalledWith({ error: 'No token provided' });
   });
 
+  it('should still return No token provided even if x-api-secret header is present', () => {
+    req.headers['x-api-secret'] = 'test-secret';
+    const middleware = requireOAuth();
+
+    middleware(req, res, next);
+
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: 'No token provided' });
+    expect(next).not.toHaveBeenCalled();
+  });
+
   it('should return 500 when SESSION_SECRET is not set', () => {
     vi.stubEnv('SESSION_SECRET', '');
     req.headers.authorization = 'Bearer some-token';