fix(visitor): Remove global auth from Kiosk routes

- Removed global onRequest jwtVerify hook
- Added explicit auth check to secure routes (revoke, report)
- Kiosk check-in/out and create visitor are now public
fullsizemalt 2025-12-11 13:59:43 -08:00
parent 15e1a8b199
commit 668e213cd8


@ -28,14 +28,8 @@ const checkInSchema = z.object({
}); });
export async function visitorRoutes(fastify: FastifyInstance) { export async function visitorRoutes(fastify: FastifyInstance) {
// Auth middleware // Note: Most visitor routes are public to support the Kiosk mode.
fastify.addHook('onRequest', async (request) => { // Specific admin routes (Revoke, Report) are protected inside their handlers.
try {
await request.jwtVerify();
} catch (err) {
throw err;
}
});
/** /**
* GET /visitors * GET /visitors
@ -320,6 +314,54 @@ export async function visitorRoutes(fastify: FastifyInstance) {
} }
}); });
/**
* POST /visitors/:id/revoke
* Revoke visitor access immediately
*/
fastify.post('/:id/revoke', {
handler: async (request, reply) => {
try {
await request.jwtVerify();
const { id } = request.params as any;
const { notes } = request.body as any;
const userId = (request.user as any)?.id;
const log = await prisma.visitorLog.findFirst({
where: {
visitorId: id,
status: 'CHECKED_IN',
exitTime: null
}
});
if (!log) {
return reply.status(400).send({ error: 'Visitor not currently checked in' });
}
const updatedLog = await prisma.visitorLog.update({
where: { id: log.id },
data: {
status: 'REVOKED',
exitTime: new Date(),
notes: `ACCESS REVOKED by User ${userId}. ${notes || ''}`.trim()
},
include: {
visitor: true
}
});
return {
success: true,
message: 'Access revoked successfully',
log: updatedLog
};
} catch (error) {
fastify.log.error(error);
return reply.status(500).send({ error: 'Failed to revoke access' });
}
}
});
/** /**
* GET /visitors/report * GET /visitors/report
* Generate visitor report for compliance * Generate visitor report for compliance
@ -327,6 +369,7 @@ export async function visitorRoutes(fastify: FastifyInstance) {
fastify.get('/report', { fastify.get('/report', {
handler: async (request, reply) => { handler: async (request, reply) => {
try { try {
await request.jwtVerify();
const { startDate, endDate, type } = request.query as any; const { startDate, endDate, type } = request.query as any;
const where: any = { const where: any = {
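Review bot: In the new `/:id/revoke` handler, `await request.jwtVerify()` sits inside the handler's `try`, so a missing or invalid token falls into the generic `catch` and is answered with 500 `Failed to revoke access` rather than an authentication error; the same placement is added to `/report`, whose `catch` lies outside the visible lines. Declaring the check as a route-level hook, `onRequest: async (request) => { await request.jwtVerify(); }`, next to `handler` keeps it out of the handler's error path, so the JWT plugin's own rejection (normally a 401) reaches the client and auth failures stay distinguishable from server faults in the logs. With the plugin-wide hook removed, every route in `visitorRoutes` that does not carry such a check is unauthenticated, which appears to include `GET /visitors` directly below the removed hook, while the description names only kiosk check-in/out and visitor creation as intended to be public; each remaining route should be confirmed against that list. The revoke route also accepts any valid token without a role check and reads `params` and `body` through `as any`, although the file already defines zod schemas such as `checkInSchema`.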