251004 frontend backend

backend/src/middleware/auth.js

@@ -1,9 +1,4 @@
-// FILE: src/middleware/auth.js
-// Authentication & Authorization middleware
-// - JWT-based authentication
-// - Role & Permission enrichment
-// - RBAC (Role-Based Access Control) helpers
-// - Requires User, Role, Permission, UserRole, RolePermission models
+// FILE: backend/src/middleware/auth.js
 
 import jwt from "jsonwebtoken";
 import { config } from "../config.js";
@@ -20,10 +15,17 @@ export function signRefreshToken(payload) {
   });
 }
 
+export function extractToken(req) {
+  // ให้คุกกี้มาก่อน แล้วค่อย Bearer (รองรับทั้งสองทาง)
+  const cookieTok = req.cookies?.access_token || null;
+  if (cookieTok) return cookieTok;
+  const hdr = req.headers.authorization || "";
+  return hdr.startsWith("Bearer ") ? hdr.slice(7) : null;
+}
+
 export function requireAuth(req, res, next) {
   if (req.path === "/health") return next(); // อนุญาต health เสมอ
-  const hdr = req.headers.authorization || "";
-  const token = hdr.startsWith("Bearer ") ? hdr.slice(7) : null;
+  const token = extractToken(req);
   if (!token) return res.status(401).json({ error: "Missing token" });
 
   try {
@@ -33,6 +35,15 @@ export function requireAuth(req, res, next) {
     return res.status(401).json({ error: "Invalid/Expired token" });
   }
 }
+// ใช้กับเส้นทางที่ login แล้วจะ enrich ต่อได้ แต่ไม่บังคับ
+export function optionalAuth(req, _res, next) {
+  const token = extractToken(req);
+  if (!token) return next();
+  try {
+    req.user = jwt.verify(token, config.JWT.SECRET);
+  } catch {}
+  next();
+}
 
 export async function enrichRoles(req, _res, next) {
   if (!req.user?.user_id) return next();