From fe628e0f7fe39f6a5515d79ae654ae93aa825e38 Mon Sep 17 00:00:00 2001
From: Alexey
Date: Wed, 6 Aug 2025 14:01:27 +0300
Subject: [PATCH] develop jwt auth for methods
---
 com/Auth/DeleteUnit.lua | 33 +++++++++++++++++++++++++++------
 com/Auth/GetAccess.lua | 22 ++++++++++------------
 com/Auth/PutNewUnit.lua | 33 +++++++++++++++++++++++++++------
 3 files changed, 64 insertions(+), 24 deletions(-)
diff --git a/com/Auth/DeleteUnit.lua b/com/Auth/DeleteUnit.lua
index 35b83d7..2d33839 100644
--- a/com/Auth/DeleteUnit.lua
+++ b/com/Auth/DeleteUnit.lua
@@ -1,13 +1,14 @@
 -- com/DeleteUnit.lua
 ---@diagnostic disable: redefined-local
-local db = require("internal.database-sqlite").connect("db/user-database.db", {log = true})
+local db = require("internal.database.sqlite").connect("db/user-database.db", {log = true})
 local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
+local jwt = require("internal.crypt.jwt")
 local params = session.request.params.get()
-local token = session.request.headers.get("x-session-token")
+local token = session.request.headers.get("authorization")
 local function close_db()
 if db then
@@ -25,12 +26,32 @@ local function error_response(message, code, data)
 close_db()
 end
-if not params then
- return error_response("no params provided")
+if not token or type(token) ~= "string" then
+ return error_response("Access denied")
 end
-if not (token and token == require("_config").token()) then
- return error_response("access denied")
+local prefix = "Bearer "
+if token:sub(1, #prefix) ~= prefix then
+ return error_response("Invalid Authorization scheme")
+end
+
+local access_token = token:sub(#prefix + 1)
+
+local err, data = jwt.decode(access_token, { secret = require("_config").token() })
+
+if err or not data then
+ session.response.error = {
+ message = err
+ }
+ return
+end
+
+if data.session_uuid ~= session.id then
+ return error_response("Access denied")
+end
+
+if not params then
+ return error_response("no params provided")
 end
 if not (params.username and params.email and params.password) then
diff --git a/com/Auth/GetAccess.lua b/com/Auth/GetAccess.lua
index 25e48d2..2b8bb30 100644
--- a/com/Auth/GetAccess.lua
+++ b/com/Auth/GetAccess.lua
@@ -1,13 +1,14 @@
 -- com/GetAccess
 ---@diagnostic disable: redefined-local
-local db = require("internal.database-sqlite").connect("db/user-database.db", {log = true})
+local db = require("internal.database.sqlite").connect("db/user-database.db", {log = true})
 local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
+local jwt = require("internal.crypt.jwt")
 local params = session.request.params.get()
-local token = session.request.headers.get("x-session-token")
+local secret = require("_config").token()
 local function close_db()
 if db then
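Review bot: The `if err or not data then` branch sets `session.response.error` and returns without calling `close_db()`, so the connection opened at the top of the file stays open on every failed decode, and it echoes the decoder's raw `err` (or `nil` when only `data` is missing) to the caller, unlike every other rejection in this file. Replace the block with `if err or not data then return error_response("Access denied") end` and keep the decode detail server-side through the already-required `log` module. The `Bearer ` prefix check is also case-sensitive although the HTTP auth-scheme token is case-insensitive, so `if token:sub(1, #prefix):lower() ~= prefix:lower() then` would be more tolerant of well-formed clients. The identical block added to com/Auth/PutNewUnit.lua has the same problems. Whether `session.id` is stable across requests is not visible here; if it is per-request, `data.session_uuid ~= session.id` would reject every issued token, so that contract deserves a comment at the comparison.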
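Review bot: `local secret = require("_config").token()` turns the value that the removed check compared against the client-supplied `x-session-token` header into the JWT signing secret, so any client that still holds that old shared token can mint tokens that the `jwt.decode` calls in DeleteUnit.lua and PutNewUnit.lua will accept. The signing key should be a separate, server-only config value, and the previously shared token should be rotated when this lands. A one-line comment such as `-- HMAC secret for issued access tokens; must never be sent to clients` would make the new role of the value explicit.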
@@ -29,10 +30,6 @@ if not params then
 return error_response("No params provided")
 end
-if not (token and token == require("_config").token()) then
- return error_response("access denied")
-end
-
 if not (params.username and params.email and params.password) then
 return error_response("Missing username, email or password")
 end
@@ -62,13 +59,14 @@ if not ok then
 return error_response("Invalid password")
 end
+local token = jwt.encode({
+ secret = secret,
+ payload = { session_uuid = session.id, admin_user = params.username },
+ expires_in = 3600
+})
+
 session.response.result = {
- user = {
- id = unit.id,
- username = unit.username,
- email = unit.email,
- created_at = unit.created_at
- }
+ access_token = token
 }
 close_db()
diff --git a/com/Auth/PutNewUnit.lua b/com/Auth/PutNewUnit.lua
index 25a2510..9aa8bfa 100644
--- a/com/Auth/PutNewUnit.lua
+++ b/com/Auth/PutNewUnit.lua
@@ -1,13 +1,14 @@
 -- com/PutNewUnit.lua
 ---@diagnostic disable: redefined-local
-local db = require("internal.database-sqlite").connect("db/user-database.db", {log = true})
+local db = require("internal.database.sqlite").connect("db/user-database.db", {log = true})
 local log = require("internal.log")
 local session = require("internal.session")
 local crypt = require("internal.crypt.bcrypt")
+local jwt = require("internal.crypt.jwt")
 local params = session.request.params.get()
-local token = session.request.headers.get("x-session-token")
+local token = session.request.headers.get("authorization")
 local function close_db()
 if db then
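Review bot: `expires_in = 3600` in the `jwt.encode` call is an unexplained literal, and the `admin_user` claim placed in the payload is not consulted by the token consumers in this patch, which compare only `session_uuid`. Hoist the lifetime into a named local, `local ACCESS_TOKEN_TTL = 3600 -- seconds`, and add a comment above `jwt.encode` stating which claims downstream handlers rely on, e.g. `-- session_uuid is verified by DeleteUnit/PutNewUnit; admin_user is informational only`. Whether `jwt.decode` enforces `expires_in` is not visible here and is worth confirming, since an ignored expiry would make the lifetime meaningless.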
@@ -25,12 +26,32 @@ local function error_response(message, code, data)
 close_db()
 end
-if not params then
- return error_response("no params provided")
+if not token or type(token) ~= "string" then
+ return error_response("Access denied")
 end
-if not (token and token == require("_config").token()) then
- return error_response("access denied")
+local prefix = "Bearer "
+if token:sub(1, #prefix) ~= prefix then
+ return error_response("Invalid Authorization scheme")
+end
+
+local access_token = token:sub(#prefix + 1)
+
+local err, data = jwt.decode(access_token, { secret = require("_config").token() })
+
+if err or not data then
+ session.response.error = {
+ message = err
+ }
+ return
+end
+
+if data.session_uuid ~= session.id then
+ return error_response("Access denied")
+end
+
+if not params then
+ return error_response("no params provided")
 end
 if not (params.username and params.email and params.password) then
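Review bot: The bearer-prefix parsing, the `jwt.decode` call and the `session_uuid` comparison added here are a verbatim copy of the block added to com/Auth/DeleteUnit.lua, so the two will drift as soon as one of them is fixed. Extract them into one shared helper under `internal` that returns the decoded claims or `nil, err`, and have both handlers call it before touching `params`. The helper would also give a single place to document the accepted `Authorization` header format.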