feat: Update authentication middleware (#6447)

* authentication middleware update

* disable customer authentication

* call correct feature flag method

* fix authentication middleware for store/customers

* fix integration tests and add middleware for admin customers

* update seeders

* customer groups fix

* add authentication middleware for all admin endpoints

* Feat(medusa, user): require authentication for invite accept (#6448)

* initial invite token validation for authentication invocation

* remove invite auth

* remove unused import

* cleanup tests

* refactor to auth instead of auth_user

* pr feedback

* update authenticatedRequest type

* update store authenticated endpoints

* update routes with type

* fix build

* fix build

* fix build

* use auth middleware for api-keys

packages/medusa/src/api-v2/admin/users/[id]/route.ts

@@ -1,15 +1,18 @@
 import {
-  ContainerRegistrationKeys,
-  remoteQueryObjectFromString,
-} from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../../types/routing"
-import { deleteUsersWorkflow, updateUsersWorkflow } from "@medusajs/core-flows"
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../../types/routing"
 import { IUserModuleService, UpdateUserDTO } from "@medusajs/types"
-import { ModuleRegistrationName } from "../../../../../../modules-sdk/dist"
+import { deleteUsersWorkflow, updateUsersWorkflow } from "@medusajs/core-flows"
+
 import { AdminUpdateUserRequest } from "../validators"
+import { ModuleRegistrationName } from "../../../../../../modules-sdk/dist"
 
 // Get user
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
 
   const moduleService: IUserModuleService = req.scope.resolve(
@@ -21,14 +24,17 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // update user
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<AdminUpdateUserRequest>,
+  res: MedusaResponse
+) => {
   const workflow = updateUsersWorkflow(req.scope)
 
   const input = {
     updates: [
       {
         id: req.params.id,
-        ...(req.validatedBody as AdminUpdateUserRequest),
+        ...req.validatedBody,
       } as UpdateUserDTO,
     ],
   }
@@ -41,7 +47,10 @@ export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
 }
 
 // delete user
-export const DELETE = async (req: MedusaRequest, res: MedusaResponse) => {
+export const DELETE = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const { id } = req.params
   const workflow = deleteUsersWorkflow(req.scope)
 

packages/medusa/src/api-v2/admin/users/middlewares.ts

@@ -1,14 +1,22 @@
-import { transformBody, transformQuery } from "../../../api/middlewares"
+import * as QueryConfig from "./query-config"
+
 import {
   AdminCreateUserRequest,
   AdminGetUsersParams,
   AdminGetUsersUserParams,
   AdminUpdateUserRequest,
 } from "./validators"
-import * as QueryConfig from "./query-config"
+import { transformBody, transformQuery } from "../../../api/middlewares"
+
 import { MiddlewareRoute } from "../../../types/middlewares"
+import { authenticate } from "../../../utils/authenticate-middleware"
 
 export const adminUserRoutesMiddlewares: MiddlewareRoute[] = [
+  {
+    method: ["ALL"],
+    matcher: "/admin/users*",
+    middlewares: [authenticate("admin", ["bearer", "session"])],
+  },
   {
     method: ["GET"],
     matcher: "/admin/users",

packages/medusa/src/api-v2/admin/users/route.ts

@@ -1,12 +1,19 @@
+import {
+  AuthenticatedMedusaRequest,
+  MedusaResponse,
+} from "../../../types/routing"
 import {
   ContainerRegistrationKeys,
   remoteQueryObjectFromString,
 } from "@medusajs/utils"
-import { MedusaRequest, MedusaResponse } from "../../../types/routing"
-import { createUsersWorkflow } from "@medusajs/core-flows"
-import { CreateUserDTO } from "@medusajs/types"
 
-export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
+import { CreateUserDTO } from "@medusajs/types"
+import { createUsersWorkflow } from "@medusajs/core-flows"
+
+export const GET = async (
+  req: AuthenticatedMedusaRequest,
+  res: MedusaResponse
+) => {
   const remoteQuery = req.scope.resolve(ContainerRegistrationKeys.REMOTE_QUERY)
 
   const query = remoteQueryObjectFromString({
@@ -32,12 +39,15 @@ export const GET = async (req: MedusaRequest, res: MedusaResponse) => {
   })
 }
 
-export const POST = async (req: MedusaRequest, res: MedusaResponse) => {
+export const POST = async (
+  req: AuthenticatedMedusaRequest<CreateUserDTO>,
+  res: MedusaResponse
+) => {
   const workflow = createUsersWorkflow(req.scope)
 
   const input = {
     input: {
-      users: [req.validatedBody as CreateUserDTO],
+      users: [req.validatedBody],
     },
   }