feat: add user authentication middleware to notification API routes

2026-04-06 00:32:12 +02:00 · 2026-03-30 09:50:40 +01:00
parent 6ef8cc6db6
commit 9adbd04538
7 changed files with 52 additions and 1 deletions
--- a/App/FeatureSet/Notification/API/Call.ts
+++ b/App/FeatureSet/Notification/API/Call.ts
@@ -16,6 +16,7 @@ import Express, {
 } from "Common/Server/Utils/Express";
 import logger from "Common/Server/Utils/Logger";
 import Response from "Common/Server/Utils/Response";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import ProjectCallSMSConfig from "Common/Models/DatabaseModels/ProjectCallSMSConfig";

 const router: ExpressRouter = Express.getRouter();
@@ -60,6 +61,8 @@ router.post(

 router.post(
  "/test",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body;
--- a/App/FeatureSet/Notification/API/PhoneNumber.ts
+++ b/App/FeatureSet/Notification/API/PhoneNumber.ts
@@ -13,6 +13,7 @@ import { JSONObject } from "Common/Types/JSON";
 import ObjectID from "Common/Types/ObjectID";
 import IncomingCallPolicyService from "Common/Server/Services/IncomingCallPolicyService";
 import ProjectService from "Common/Server/Services/ProjectService";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import Express, {
  ExpressRequest,
  ExpressResponse,
@@ -30,6 +31,8 @@ const router: ExpressRouter = Express.getRouter();
 // Search available phone numbers
 router.post(
  "/search",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body as JSONObject;
@@ -154,6 +157,8 @@ router.post(
 // List owned phone numbers (already purchased in Twilio account)
 router.post(
  "/list-owned",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body as JSONObject;
@@ -237,6 +242,8 @@ router.post(
 // Assign an existing phone number to a policy
 router.post(
  "/assign-existing",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body as JSONObject;
@@ -385,6 +392,8 @@ router.post(
 // Purchase a phone number
 router.post(
  "/purchase",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body as JSONObject;
@@ -528,6 +537,8 @@ router.post(
 // Release a phone number
 router.delete(
  "/release/:incomingCallPolicyId",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const incomingCallPolicyId: ObjectID | undefined = req.params[
--- a/App/FeatureSet/Notification/API/SMS.ts
+++ b/App/FeatureSet/Notification/API/SMS.ts
@@ -15,6 +15,7 @@ import Express, {
 } from "Common/Server/Utils/Express";
 import logger from "Common/Server/Utils/Logger";
 import Response from "Common/Server/Utils/Response";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import ProjectCallSMSConfig from "Common/Models/DatabaseModels/ProjectCallSMSConfig";

 const router: ExpressRouter = Express.getRouter();
@@ -59,6 +60,8 @@ router.post(

 router.post(
  "/test",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body;
--- a/App/FeatureSet/Notification/API/SMTPConfig.ts
+++ b/App/FeatureSet/Notification/API/SMTPConfig.ts
@@ -18,12 +18,15 @@ import Express, {
 } from "Common/Server/Utils/Express";
 import logger from "Common/Server/Utils/Logger";
 import Response from "Common/Server/Utils/Response";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import ProjectSmtpConfig from "Common/Models/DatabaseModels/ProjectSmtpConfig";

 const router: ExpressRouter = Express.getRouter();

 router.post(
  "/test",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body;
--- a/App/FeatureSet/Notification/API/WhatsApp.ts
+++ b/App/FeatureSet/Notification/API/WhatsApp.ts
@@ -12,6 +12,7 @@ import {
 } from "Common/Types/WhatsApp/WhatsAppTemplates";
 import WhatsAppStatus from "Common/Types/WhatsAppStatus";
 import ClusterKeyAuthorization from "Common/Server/Middleware/ClusterKeyAuthorization";
+import UserMiddleware from "Common/Server/Middleware/UserAuthorization";
 import WhatsAppAuthorization from "Common/Server/Middleware/WhatsAppAuthorization";
 import WhatsAppLogService from "Common/Server/Services/WhatsAppLogService";
 import GlobalConfigService from "Common/Server/Services/GlobalConfigService";
@@ -443,6 +444,8 @@ router.post(

 router.post(
  "/test",
+  UserMiddleware.getUserMiddleware,
+  UserMiddleware.requireUserAuthentication,
  async (req: ExpressRequest, res: ExpressResponse, next: NextFunction) => {
    try {
      const body: JSONObject = req.body as JSONObject;
--- a/Common/Server/API/StatusPageAPI.ts
+++ b/Common/Server/API/StatusPageAPI.ts
@@ -2234,7 +2234,11 @@ export default class StatusPageAPI extends BaseAPI<
              incidentStateTimelines,
              IncidentStateTimeline,
            ),
-            statusPage: BaseModel.toJSONObject(statusPage, StatusPage),
+            statusPage: (() => {
+              const statusPageJson: JSONObject = BaseModel.toJSONObject(statusPage, StatusPage);
+              delete statusPageJson["projectId"];
+              return statusPageJson;
+            })(),
            scheduledMaintenanceStateTimelines: BaseModel.toJSONArray(
              scheduledMaintenanceStateTimelines,
              ScheduledMaintenanceStateTimeline,
--- a/Common/Server/Middleware/UserAuthorization.ts
+++ b/Common/Server/Middleware/UserAuthorization.ts
@@ -336,6 +336,30 @@ export default class UserMiddleware {
    return next();
  }

+  @CaptureSpan()
+  public static async requireUserAuthentication(
+    req: ExpressRequest,
+    res: ExpressResponse,
+    next: NextFunction,
+  ): Promise<void> {
+    const oneuptimeRequest: OneUptimeRequest = req as OneUptimeRequest;
+
+    if (
+      !oneuptimeRequest.userType ||
+      oneuptimeRequest.userType === UserType.Public
+    ) {
+      return Response.sendErrorResponse(
+        req,
+        res,
+        new NotAuthenticatedException(
+          "Authentication required. Please log in to access this resource.",
+        ),
+      );
+    }
+
+    return next();
+  }
+
  @CaptureSpan()
  public static async getUserTenantAccessPermissionWithTenantId(data: {
    req: ExpressRequest;