Separate websocket to its own role. Necessary because the app was getting pretty big already, but mostly because our Windows PCs don't like to connect to websockets on port 80, which is what we use for the app.

lib/roles/app/middleware/auth.js

@@ -0,0 +1,50 @@
+var jwtutil = require('../../../util/jwtutil')
+var urlutil = require('../../../util/urlutil')
+
+var dbapi = require('../../../db/api')
+
+module.exports = function(options) {
+  return function(req, res, next) {
+    if (req.query.jwt) {
+      // Coming from auth client
+      var data = jwtutil.decode(req.query.jwt, options.secret)
+        , redir = urlutil.removeParam(req.url, 'jwt')
+      if (data) {
+        // Redirect once to get rid of the token
+        dbapi.saveUserAfterLogin({
+            name: data.name
+          , email: data.email
+          , ip: req.ip
+          })
+          .then(function() {
+            req.session.jwt = data
+            res.redirect(redir)
+          })
+          .catch(next)
+      }
+      else {
+        // Invalid token, forward to auth client
+        res.redirect(options.authUrl)
+      }
+    }
+    else if (req.session && req.session.jwt) {
+      dbapi.loadUser(req.session.jwt.email)
+        .then(function(user) {
+          if (user) {
+            // Continue existing session
+            req.user = user
+            next()
+          }
+          else {
+            // We no longer have the user in the database
+            res.redirect(options.authUrl)
+          }
+        })
+        .catch(next)
+    }
+    else {
+      // No session, forward to auth client
+      res.redirect(options.authUrl)
+    }
+  }
+}