fix(visitor): Remove global auth from Kiosk routes

- Removed global onRequest jwtVerify hook - Added explicit auth check to secure routes (revoke, report) - Kiosk check-in/out and create visitor are now public
2025-12-11 13:59:43 -08:00 · 2025-12-11 13:59:43 -08:00 · 668e213cd8
commit 668e213cd8
parent 15e1a8b199
1 changed files with 51 additions and 8 deletions
--- a/backend/src/routes/visitors.routes.ts
+++ b/backend/src/routes/visitors.routes.ts
@ -28,14 +28,8 @@ const checkInSchema = z.object({
 });

 export async function visitorRoutes(fastify: FastifyInstance) {
-    // Auth middleware
-    fastify.addHook('onRequest', async (request) => {
-        try {
-            await request.jwtVerify();
-        } catch (err) {
-            throw err;
-        }
-    });
+    // Note: Most visitor routes are public to support the Kiosk mode.
+    // Specific admin routes (Revoke, Report) are protected inside their handlers.

    /**
     * GET /visitors
@ -320,6 +314,54 @@ export async function visitorRoutes(fastify: FastifyInstance) {
        }
    });

+    /**
+     * POST /visitors/:id/revoke
+     * Revoke visitor access immediately
+     */
+    fastify.post('/:id/revoke', {
+        handler: async (request, reply) => {
+            try {
+                await request.jwtVerify();
+                const { id } = request.params as any;
+                const { notes } = request.body as any;
+                const userId = (request.user as any)?.id;
+
+                const log = await prisma.visitorLog.findFirst({
+                    where: {
+                        visitorId: id,
+                        status: 'CHECKED_IN',
+                        exitTime: null
+                    }
+                });
+
+                if (!log) {
+                    return reply.status(400).send({ error: 'Visitor not currently checked in' });
+                }
+
+                const updatedLog = await prisma.visitorLog.update({
+                    where: { id: log.id },
+                    data: {
+                        status: 'REVOKED',
+                        exitTime: new Date(),
+                        notes: `ACCESS REVOKED by User ${userId}. ${notes || ''}`.trim()
+                    },
+                    include: {
+                        visitor: true
+                    }
+                });
+
+                return {
+                    success: true,
+                    message: 'Access revoked successfully',
+                    log: updatedLog
+                };
+            } catch (error) {
+                fastify.log.error(error);
+                return reply.status(500).send({ error: 'Failed to revoke access' });
+            }
+        }
+    });
+
    /**
     * GET /visitors/report
     * Generate visitor report for compliance
@ -327,6 +369,7 @@ export async function visitorRoutes(fastify: FastifyInstance) {
    fastify.get('/report', {
        handler: async (request, reply) => {
            try {
+                await request.jwtVerify();
                const { startDate, endDate, type } = request.query as any;

                const where: any = {