Khởi tạo dự án 3dtours

backend/middlewares/authMiddleware.js

@@ -0,0 +1,46 @@
+const jwt = require('jsonwebtoken');
+const User = require('../models/User');
+
+/**
+ * Strict authentication middleware. Rejects requests without a valid JWT.
+ */
+const protect = async (req, res, next) => {
+    let token;
+    if (req.headers.authorization && req.headers.authorization.startsWith('Bearer')) {
+        try {
+            token = req.headers.authorization.split(' ')[1];
+            const decoded = jwt.verify(token, process.env.JWT_SECRET);
+            req.user = await User.findById(decoded.id).select('-password');
+            if (!req.user) {
+                return res.status(401).json({ message: 'User not found' });
+            }
+            return next();
+        } catch (error) {
+            return res.status(401).json({ message: 'Not authorized, token failed' });
+        }
+    }
+    
+    return res.status(401).json({ message: 'Not authorized, no token provided' });
+};
+
+/**
+ * Optional authentication middleware. Populates req.user if a valid token is present,
+ * but allows the request to proceed as a guest if no token is found.
+ */
+const optionalAuth = async (req, res, next) => {
+    if (req.headers.authorization && req.headers.authorization.startsWith('Bearer')) {
+        try {
+            const token = req.headers.authorization.split(' ')[1];
+            const decoded = jwt.verify(token, process.env.JWT_SECRET);
+            req.user = await User.findById(decoded.id).select('-password');
+        } catch (error) {
+            // Ignore error and continue as guest
+        }
+    }
+    next();
+};
+
+module.exports = {
+    protect,
+    optionalAuth
+};

backend/middlewares/securityMiddleware.js

@@ -0,0 +1,55 @@
+const { URL } = require('url');
+
+/**
+ * Anti-hotlinking middleware. Ensures that requests for assets originate
+ * from the official app domain (SYSTEM_HOST). Blocks direct URL access.
+ */
+const verifyReferer = (req, res, next) => {
+    const referer = req.headers.referer;
+    const origin = req.headers.origin;
+    const systemHost = process.env.SYSTEM_HOST || 'http://localhost:5000';
+
+    let allowedOrigin;
+    try {
+        allowedOrigin = new URL(systemHost).origin;
+    } catch (e) {
+        allowedOrigin = systemHost;
+    }
+
+    const isMatch = (headerValue) => {
+        if (!headerValue) return false;
+        try {
+            return new URL(headerValue).origin === allowedOrigin;
+        } catch (e) {
+            return headerValue.startsWith(allowedOrigin);
+        }
+    };
+
+    const hasValidReferer = isMatch(referer);
+    const hasValidOrigin = isMatch(origin);
+
+    // Block request if both referer and origin are missing or do not match SYSTEM_HOST
+    if (!hasValidReferer && !hasValidOrigin) {
+        return res.status(403).json({ 
+            message: 'Access denied: Hotlinking detected or direct file access is prohibited.' 
+        });
+    }
+
+    next();
+};
+
+/**
+ * Cache prevention middleware. Ensures that sensitive image assets are never
+ * cached by client browsers or intermediate proxies.
+ */
+const setNoCacheHeaders = (req, res, next) => {
+    res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
+    res.setHeader('Pragma', 'no-cache');
+    res.setHeader('Expires', '0');
+    next();
+};
+
+module.exports = {
+    verifyReferer,
+    setNoCacheHeaders
+};