implemented role and state based authorization

2025-12-13 17:01:50 -05:00
parent 7c4e8d7db8
commit b91ecacb60
8 changed files with 101 additions and 60 deletions


@@ -5,7 +5,7 @@ import { Request, Response } from 'express';
import pool from '../db';
import { closeLOA, createNewLOA, getAllLOA, getLOAbyID, getLoaTypes, getUserLOA, setLOAExtension } from '../services/loaService';
import { LOARequest } from '@app/shared/types/loa';
import { requireLogin } from '../middleware/auth';
import { requireLogin, requireRole } from '../middleware/auth';
router.use(requireLogin);
@@ -26,7 +26,7 @@ router.post("/", async (req: Request, res: Response) => {
});
//admin posts LOA
router.post("/admin", async (req: Request, res: Response) => {
router.post("/admin", [requireRole("17th Administrator")], async (req: Request, res: Response) => {
let LOARequest = req.body as LOARequest;
LOARequest.created_by = req.user.id;
LOARequest.filed_date = new Date();
@@ -66,7 +66,7 @@ router.get("/history", async (req: Request, res: Response) => {
}
})
router.get('/all', async (req, res) => {
router.get('/all', [requireRole("17th Administrator")], async (req, res) => {
try {
const result = await getAllLOA();
res.status(200).json(result)
@@ -104,7 +104,7 @@ router.post('/cancel/:id', async (req: Request, res: Response) => {
})
//TODO: enforce admin only
router.post('/adminCancel/:id', async (req: Request, res: Response) => {
router.post('/adminCancel/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
let closer = req.user.id;
try {
await closeLOA(Number(req.params.id), closer);
@@ -116,7 +116,7 @@ router.post('/adminCancel/:id', async (req: Request, res: Response) => {
})
// TODO: Enforce admin only
router.post('/extend/:id', async (req: Request, res: Response) => {
router.post('/extend/:id', [requireRole("17th Administrator")], async (req: Request, res: Response) => {
const to: Date = req.body.to;
if (!to) {