PTS/Church-Music
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d367261867f555324c071d2d2a1ff220d91d93ae
Church-Music/new-site/AUTHENTICATION_FIX_APPLIED.md

121 lines
3.8 KiB
Markdown
Raw Blame History

# Authentication Fix Applied - 403 Forbidden Issue Resolved
## Issue
DELETE requests to `/api/lists/:id/songs/:songId` were returning 403 Forbidden errors even though the frontend was properly authenticated.
## Root Cause
The worship list routes in `backend/routes/lists.js` were **not protected by authentication middleware**. The routes were accepting requests without verifying JWT tokens.
## Fix Applied
### 1. Added Authentication Middleware Import
```javascript
// Added to routes/lists.js line 6
const { authenticate } = require("../middleware/auth");
```
### 2. Protected All Modification Routes
Added `authenticate` middleware to all POST, PUT, and DELETE routes:
-`POST /api/lists` - Create worship list
-`PUT /api/lists/:id` - Update worship list
-`DELETE /api/lists/:id` - Delete worship list
-`POST /api/lists/:id/songs/:songId` - Add song to list
-`DELETE /api/lists/:id/songs/:songId` - Remove song from list ⭐ **This fixes your issue**
-`PUT /api/lists/:id/reorder` - Reorder songs in list
### 3. Read-Only Routes Remain Public
- `GET /api/lists` - List all worship lists
- `GET /api/lists/:id` - Get single worship list with songs
- `GET /api/lists/stats/count` - Get worship list count
## How It Works Now
1. **Frontend sends request** with Authorization header:
```javascript
Authorization: Bearer <jwt-token>
```
2. **Authenticate middleware** (now applied):
- Extracts JWT token from Authorization header
- Verifies token signature and expiration
- Adds `req.user` with user data if valid
- Returns 401 if token missing/invalid
3. **Route handler executes** only if authentication succeeds
## Testing the Fix
### Option 1: Using the Frontend
1. Make sure you're logged in
2. Go to Worship Lists page
3. Try to delete a song from a list
4. **Expected**: Song should be removed successfully (no more 403 errors)
### Option 2: Using curl (command line)
```bash
# First, get your auth token by logging in
TOKEN=$(curl -s -X POST https://houseofprayer.ddns.net/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"your_username","password":"your_password"}' \
| jq -r '.token')
# Then try to delete a song from a list
curl -X DELETE \
"https://houseofprayer.ddns.net/api/lists/24474ea3-6f34-4704-ac48-a80e1225d79e/songs/9831e027-aeb1-48a0-8763-fd3120f29692" \
-H "Authorization: Bearer $TOKEN"
```
**Expected Response**:
```json
{
"success": true,
"message": "Song removed from worship list",
"deleted": 1
}
```
## Backend Restart Required
⚠️ **IMPORTANT**: The backend must be restarted for these changes to take effect.
```bash
cd /media/pts/Website/Church_HOP_MusicData/new-site/backend
pkill -f "node.*server.js"
nohup node server.js > /tmp/backend.log 2>&1 &
```
## Files Modified
- [backend/routes/lists.js](backend/routes/lists.js)
- Line 6: Added auth middleware import
- Lines 86, 113, 149, 167, 191, 210: Added `authenticate` to route definitions
## Why Was This Happening?
The routes were originally written without authentication requirements, which is a common security oversight during initial development. The frontend was correctly sending the auth token, but the backend wasn't configured to check it for these specific routes.
This meant:
- Anyone could modify worship lists without logging in
- The 403 error was likely coming from Nginx CORS handling, not actual auth
- Adding the middleware enforces proper authentication checks
## Related Files
- [backend/middleware/auth.js](backend/middleware/auth.js) - Authentication middleware (already working)
- [frontend/src/utils/api.js](frontend/src/utils/api.js) - Frontend API client (already sending tokens)
## Status: ✅ COMPLETE
All routes are now properly protected. The 403 Forbidden error should be resolved once the backend is restarted.
Reference in New Issue View Git Blame Copy Permalink