Skip to content

update: admin decode token flow #847

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nevil-mathew merged 1 commit into from
Oct 16, 2025
Merged

update: admin decode token flow #847

nevil-mathew merged 1 commit into from
Oct 16, 2025

Conversation

@nevil-mathew
Copy link
Collaborator

@nevil-mathew nevil-mathew commented Oct 16, 2025
edited by coderabbitai bot
Loading

Summary by CodeRabbit

  • Bug Fixes
    • Improved authentication middleware logic for admin authorization flow and token handling to ensure consistent credential assignment and proper middleware chain execution.

@coderabbitai
Copy link

coderabbitai bot commented Oct 16, 2025
edited
Loading

Walkthrough

The authenticator middleware was modified to add an explicit early return in the admin path and introduce a redundant assignment of req.decodedToken, with the variable assignment moved outside an else block while duplicated inside.

Changes

Cohort / File(s) Summary
Authenticator middleware modifications
src/middlewares/authenticator.js		 Added explicit return next() in admin branch for early middleware continuation; moved req.decodedToken assignment outside else block with duplicate assignment remaining inside

Sequence Diagram

sequenceDiagram
    participant Request
    participant Authenticator
    participant NextMiddleware

    Note over Authenticator: Old Flow
    Request->>Authenticator: incoming request
    Authenticator->>Authenticator: decode token
    alt isAdmin
        Authenticator->>Authenticator: apply header overrides
        Authenticator->>Authenticator: check permissions
        Authenticator->>NextMiddleware: next()
    else not admin
        Authenticator->>Authenticator: set req.decodedToken
        Authenticator->>NextMiddleware: next()
    end

    Note over Authenticator: New Flow
    Request->>Authenticator: incoming request
    Authenticator->>Authenticator: decode token
    Authenticator->>Authenticator: set req.decodedToken (moved)
    alt isAdmin
        Authenticator->>Authenticator: apply header overrides
        Authenticator->>NextMiddleware: return next() (early exit)
    else not admin
        Authenticator->>Authenticator: set req.decodedToken (duplicate)
        Authenticator->>NextMiddleware: next()
    end
Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

The change is contained to a single file with straightforward logic modifications, but requires attention to verify the early return doesn't unintentionally skip necessary permission checks and to assess whether the redundant assignment is intentional or an oversight.

Poem

🐰 Hops through the middleware with glee,
Early returns set admins free,
Though tokens assigned twice—quite the quirk,
The flow's now faster, if it still works!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title succinctly describes the main change to the admin token decode flow within the authentication middleware and directly reflects the modifications in the pull request. It is concise, clear, and specific enough for a reviewer to understand the primary update at a glance.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch auth-fix
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c424b1d and e27a9de.

📒 Files selected for processing (1)
  • src/middlewares/authenticator.js (1 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
src/middlewares/**

⚙️ CodeRabbit configuration file

This is security-sensitive middleware. Scrutinize for potential vulnerabilities.

Files:

  • src/middlewares/authenticator.js
🧬 Code graph analysis (1)
src/middlewares/authenticator.js (2)
src/services/account.js (1)
  • decodedToken (888-888)
src/services/user-sessions.js (1)
  • decodedToken (264-264)
🔇 Additional comments (1)
src/middlewares/authenticator.js (1)

260-260: Assignment required for admin early return.

This assignment is necessary because admin users now return early at line 266 and would never reach the assignment at line 300. The placement ensures req.decodedToken is properly set before continuing to the next middleware.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@nevil-mathew nevil-mathew merged commit 9f3ff43 into develop Oct 16, 2025
1 of 2 checks passed
This was referenced Oct 22, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nevil-mathew