23 lines
781 B
JavaScript
23 lines
781 B
JavaScript
// Copyright (c) 2026 Gordon Bolton. MIT License.
|
|
function requireAuth(req, res, next) {
|
|
const signed = !!process.env.COOKIE_SECRET;
|
|
const raw = signed ? req.signedCookies.emby_user : req.cookies.emby_user;
|
|
if (!raw || raw === false) {
|
|
return res.status(401).json({ error: 'Not authenticated' });
|
|
}
|
|
let u;
|
|
try {
|
|
u = JSON.parse(raw);
|
|
} catch {
|
|
return res.status(401).json({ error: 'Invalid session' });
|
|
}
|
|
// Schema validation
|
|
if (typeof u.id !== 'string' || !u.id) return res.status(401).json({ error: 'Invalid session' });
|
|
if (typeof u.name !== 'string' || !u.name) return res.status(401).json({ error: 'Invalid session' });
|
|
if (typeof u.isAdmin !== 'boolean') u.isAdmin = !!u.isAdmin;
|
|
req.user = u;
|
|
next();
|
|
}
|
|
|
|
module.exports = requireAuth;
|