feat: add auth measure

tianheg · tianheg · commit 0e1c52e3cbf0 · 2024-06-28T23:42:53.000+08:00
diff --git a/bun.lockb b/bun.lockb
diff --git a/package.json b/package.json
@@ -17,6 +17,7 @@
     "@fastify/cors": "^9.0.1",
     "@fastify/formbody": "^7.4.0",
     "@fastify/helmet": "^11.1.1",
+    "@fastify/jwt": "^8.0.1",
     "@fastify/postgres": "^5.2.2",
     "@fastify/rate-limit": "^9.1.0",
     "@fastify/swagger": "^8.14.0",
diff --git a/routes.js b/routes.js
@@ -55,93 +55,105 @@ export default async function registerRoutes(app) {
     );
   }
 
-  app.post("/books", async (request, reply) => {
-    const { name, url } = request.body;
-    if (!name || !url) {
-      reply.status(400).send("Missing name or url");
-      return;
-    }
-    const client = await app.pg.connect();
-    try {
-      const response = await client.query(
-        "INSERT INTO books (name, url) VALUES ($1, $2) RETURNing *",
-        [name, url],
-      );
-      reply.send(response.rows[0]);
-    } catch (error) {
-      reply.status(500).send(error);
-    } finally {
-      client.release();
-    }
-  });
-
-  app.delete("/books/:id", async (request, reply) => {
-    const { id } = request.params; // Extract the ID from the request parameters.
-
-    // Assuming app.pg.connect() is your method to get a database client.
-    const client = await app.pg.connect();
-    try {
-      // Execute a SQL query to delete the book by its ID.
-      // Ensure your query is protected against SQL injection by using parameterized queries.
-      const result = await client.query(
-        "DELETE FROM books WHERE id = $1 RETURNING *", // Returns the deleted book details.
-        [id],
-      );
-
-      // If no rows are returned, the book with the given ID does not exist.
-      if (result.rows.length === 0) {
-        reply.status(404).send({ message: "Book not found" });
+  app.post(
+    "/books",
+    { preValidation: app.authenticate },
+    async (request, reply) => {
+      const { name, url } = request.body;
+      if (!name || !url) {
+        reply.status(400).send("Missing name or url");
         return;
       }
+      const client = await app.pg.connect();
+      try {
+        const response = await client.query(
+          "INSERT INTO books (name, url) VALUES ($1, $2) RETURNing *",
+          [name, url],
+        );
+        reply.send(response.rows[0]);
+      } catch (error) {
+        reply.status(500).send(error);
+      } finally {
+        client.release();
+      }
+    },
+  );
 
-      // Send back the details of the deleted book.
-      reply.send(result.rows[0]);
-    } catch (error) {
-      // Handle any errors that occur during the database operation.
-      reply.status(500).send(error);
-    } finally {
-      // Release the client back to the pool.
-      client.release();
-    }
-  });
+  app.delete(
+    "/books/:id",
+    { preValidation: app.authenticate },
+    async (request, reply) => {
+      const { id } = request.params; // Extract the ID from the request parameters.
+
+      // Assuming app.pg.connect() is your method to get a database client.
+      const client = await app.pg.connect();
+      try {
+        // Execute a SQL query to delete the book by its ID.
+        // Ensure your query is protected against SQL injection by using parameterized queries.
+        const result = await client.query(
+          "DELETE FROM books WHERE id = $1 RETURNING *", // Returns the deleted book details.
+          [id],
+        );
 
-  app.put("/books/:id", async (request, reply) => {
-    const { id } = request.params; // Extract the ID from the route parameters.
-    const { name, url } = request.body; // Extract the updated name and url from the request body.
+        // If no rows are returned, the book with the given ID does not exist.
+        if (result.rows.length === 0) {
+          reply.status(404).send({ message: "Book not found" });
+          return;
+        }
 
-    // Input validation (optional but recommended)
-    if (!name || !url) {
-      reply
-        .status(400)
-        .send({ message: "Missing name or url in request body." });
-      return;
-    }
+        // Send back the details of the deleted book.
+        reply.send(result.rows[0]);
+      } catch (error) {
+        // Handle any errors that occur during the database operation.
+        reply.status(500).send(error);
+      } finally {
+        // Release the client back to the pool.
+        client.release();
+      }
+    },
+  );
 
-    const client = await app.pg.connect(); // Assuming app.pg.connect() is your method to get a database client.
-    try {
-      // Execute a SQL query to update the book by its ID.
-      // Ensure your query is protected against SQL injection by using parameterized queries.
-      const result = await client.query(
-        "UPDATE books SET name = $1, url = $2 WHERE id = $3 RETURNING *", // Returns the updated book details.
-        [name, url, id],
-      );
+  app.put(
+    "/books/:id",
+    { preValidation: app.authenticate },
+    async (request, reply) => {
+      const { id } = request.params; // Extract the ID from the route parameters.
+      const { name, url } = request.body; // Extract the updated name and url from the request body.
 
-      // If no rows are returned, the book with the given ID does not exist.
-      if (result.rows.length === 0) {
-        reply.status(404).send({ message: "Book not found" });
+      // Input validation (optional but recommended)
+      if (!name || !url) {
+        reply
+          .status(400)
+          .send({ message: "Missing name or url in request body." });
         return;
       }
 
-      // Send back the details of the updated book.
-      reply.send(result.rows[0]);
-    } catch (error) {
-      // Handle any errors that occur during the database operation.
-      reply
-        .status(500)
-        .send({ error: "An error occurred while updating the book." });
-    } finally {
-      // Release the client back to the pool.
-      client.release();
-    }
-  });
+      const client = await app.pg.connect(); // Assuming app.pg.connect() is your method to get a database client.
+      try {
+        // Execute a SQL query to update the book by its ID.
+        // Ensure your query is protected against SQL injection by using parameterized queries.
+        const result = await client.query(
+          "UPDATE books SET name = $1, url = $2 WHERE id = $3 RETURNING *", // Returns the updated book details.
+          [name, url, id],
+        );
+
+        // If no rows are returned, the book with the given ID does not exist.
+        if (result.rows.length === 0) {
+          reply.status(404).send({ message: "Book not found" });
+          return;
+        }
+
+        // Send back the details of the updated book.
+        reply.send(result.rows[0]);
+      } catch (error) {
+        // Handle any errors that occur during the database operation.
+        reply
+          .status(500)
+          .send({ error: "An error occurred while updating the book." });
+      } finally {
+        // Release the client back to the pool.
+        client.release();
+      }
+    },
+  );
 }
diff --git a/server.js b/server.js
@@ -2,6 +2,7 @@ import compress from "@fastify/compress";
 import cors from "@fastify/cors";
 import formbody from "@fastify/formbody";
 import helmet from "@fastify/helmet";
+import jwt from "@fastify/jwt";
 import postgres from "@fastify/postgres";
 import rateLimit from "@fastify/rate-limit";
 import swagger from "@fastify/swagger";
@@ -38,6 +39,17 @@ await app.register(compress, { encodings: ["gzip"] });
 await app.register(cors);
 await app.register(formbody);
 await app.register(helmet);
+await app.register(jwt, {
+  secret: process.env.JWT_SECRET,
+})
+app.decorate("authenticate", async (request, reply) => {
+  try {
+    await request.jwtVerify();
+  } catch (err) {
+    reply.send(err);
+  }
+});
+
 await app.register(rateLimit, {
   max: 100,
   timeWindow: "1 minute",
