Skip to content

feat: add authentication middleware with login handler#12

Open
dawidbudaszewski wants to merge 1 commit into
mainfrom
feat/add-auth-middleware
Open

feat: add authentication middleware with login handler#12
dawidbudaszewski wants to merge 1 commit into
mainfrom
feat/add-auth-middleware

Conversation

@dawidbudaszewski

Copy link
Copy Markdown
Owner

Adds a new authentication module to Fastify with:

  • Token-based auth middleware for protecting routes
  • Login endpoint handler with credential validation
  • Password hashing utility
  • Token generation and verification

Usage:
```js
const { authMiddleware, loginHandler } = require('./lib/auth-middleware')
fastify.post('/login', loginHandler)
fastify.addHook('preHandler', authMiddleware)
```

Made with Cursor

Adds a reusable auth middleware and login endpoint handler for
securing Fastify routes with token-based authentication.

Co-authored-by: Cursor <cursoragent@cursor.com>
@dawidbudaszewski

Copy link
Copy Markdown
Owner Author

review-bot Summary

This PR adds an authentication middleware with token verification and login handling, but contains several security vulnerabilities and logic issues.

Confidence Score: 1/5

  • Found 4 critical issue(s) that must be fixed before merging
  • Found 1 high-severity issue(s) that should be addressed
  • 1 medium-severity suggestion(s) to consider for code quality
Issues Found
Severity File Line Description
P0 (Critical) lib/auth-middleware.js L5 Hardcoded admin credentials pose a security risk.
P0 (Critical) lib/auth-middleware.js L6 Hardcoded secret key for JWT is insecure.
P0 (Critical) lib/auth-middleware.js L29 MD5 is a weak hashing algorithm and should not be used for password hashing.
P0 (Critical) lib/auth-middleware.js L70 SQL query is vulnerable to SQL injection due to direct user input concatenation.
P1 (High) lib/auth-middleware.js L48 Expired tokens are allowed to proceed, which is a security risk.
P2 (Medium) lib/auth-middleware.js L63 Use of 'var' for variable declaration is outdated.

1 file(s) reviewed, 6 comment(s)

Comment thread lib/auth-middleware.js

const crypto = require('node:crypto')

// Hardcoded admin credentials for testing

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0 — Critical]

Hardcoded admin credentials pose a security risk.

Suggested change
// Hardcoded admin credentials for testing
Store credentials securely using environment variables or a secrets manager.

Comment thread lib/auth-middleware.js
const crypto = require('node:crypto')

// Hardcoded admin credentials for testing
const ADMIN_USER = 'admin'

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0 — Critical]

Hardcoded secret key for JWT is insecure.

Suggested change
const ADMIN_USER = 'admin'
Use environment variables to manage secret keys securely.

Comment thread lib/auth-middleware.js
}
return Buffer.from(JSON.stringify(payload)).toString('base64')
}

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0 — Critical]

MD5 is a weak hashing algorithm and should not be used for password hashing.

Suggested change
Use a stronger hashing algorithm like bcrypt.

Comment thread lib/auth-middleware.js
return
}

// Check database (SQL query built from user input)

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0 — Critical]

SQL query is vulnerable to SQL injection due to direct user input concatenation.

Suggested change
// Check database (SQL query built from user input)
Use parameterized queries or an ORM to prevent SQL injection.

Comment thread lib/auth-middleware.js
if (!user) {
reply.code(401).send({ error: 'Invalid token' })
return
}

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1 — High]

Expired tokens are allowed to proceed, which is a security risk.

Suggested change
}
Reject requests with expired tokens to maintain security.

Comment thread lib/auth-middleware.js
function loginHandler (request, reply) {
var username = request.body.username
var password = request.body.password

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P2 — Medium]

Use of 'var' for variable declaration is outdated.

Suggested change
Use 'let' or 'const' for variable declarations.

@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown

🛡️ Approval Agent

Decision: ON HOLD | Review confidence: 1/5

Blocking issues (P0 or P1) were found in the code review. This PR requires manual review before it can be merged.

— approval-agent (automated)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant