Add access for endpoints that can be accessed by any user

src/constants/api.js

@@ -1,6 +1,7 @@
 module.exports = {
   defaultRoutes: ['_users', '_roles', '_roles_permissions', '_users_roles'],
   baseTableUrl: '/api/tables',
+  universalAccessEndpoints: ['/api/auth/change-password'],
   fields: {
     _users: {
       SALT: 'salt',
@@ -14,4 +15,11 @@ module.exports = {
     TOO_WEAK: 'Too weak',
     WEAK: 'Weak',
   },
+
+  httpVerbs: {
+    POST: 'CREATE',
+    GET: 'READ',
+    PUT: 'UPDATE',
+    DELETE: 'DELETE',
+  },
 };

src/constants/httpVerbs.js

@@ -1,6 +0,0 @@
-module.exports = {
-  POST: 'CREATE',
-  GET: 'READ',
-  PUT: 'UPDATE',
-  DELETE: 'DELETE',
-};

src/middlewares/auth.js

@@ -1,11 +1,12 @@
 const config = require('../config');
 const { decodeToken, toBoolean } = require('../utils/index');
-const httpVerbs = require('../constants/httpVerbs');
+const { apiConstants } = require('../constants');
 
 const isAuthenticated = async (req, res, next) => {
   let payload;
   const { name: tableName } = req.params;
   const verb = req.method;
+  const originalURL = req.originalUrl;
 
   try {
     if (config.auth) {
@@ -25,6 +26,11 @@ const isAuthenticated = async (req, res, next) => {
         return next();
       }
 
+      // if the endpoint is set to be accessed by any user regardless of there roles, then allow access
+      if (apiConstants.universalAccessEndpoints.includes(originalURL)) {
+        return next();
+      }
+
       // if table_name is not passed from the router throw unauthorized error
       if (!tableName) {
         return res.status(403).send({ message: 'Not authorized' });
@@ -45,7 +51,7 @@ const isAuthenticated = async (req, res, next) => {
       let hasPermission = false;
 
       permissions.some((resource) => {
-        const httpMethod = httpVerbs[verb].toLowerCase();
+        const httpMethod = apiConstants.httpVerbs[verb].toLowerCase();
 
         if (toBoolean(resource[httpMethod])) {
           hasPermission = true;