updated blogpost controller, auth middleware

app.js

@@ -41,7 +41,7 @@ app.use(
   cors({
     origin: true,
     credentials: true,
-    methods: ["GET", "PUT", "POST"],
+    methods: ["GET", "PUT", "POST", "DELETE"],
     allowedHeaders: [
       "Access-Control-Allow-Headers",
       "Origin, X-Requested-With, Content-Type, Accept",

controllers/post.js

@@ -10,24 +10,26 @@ const sameAuthor = require("../middleware/sameAuthor.js");
 
 exports.index = asyncHandler(async (req, res, next) => {
   // get all posts
-  const dbPosts = await Post.find({ published: true }).lean().exec();
+  let dbPosts = await Post.find().lean().exec();
   // check for authorization
   const token = req.cookies.JWT_TOKEN;
-  blocc: if (token) {
-    try {
-      const username = jwt.verify(token, process.env.SECRET_KEY);
-    } catch {
-      break blocc;
-    }
-    // run through unpublished posts
-    const unpublished = await Post.find({ published: false }).lean().exec();
-    for (let z = 0; z < unpublished.length; z++) {
-      const post = unpublished[i];
-      // if any are by the current user, append to dbPosts
-      if (username == post.author) {
-        dbPosts.push(post);
+  if (token) {
+    const username = jwt.verify(token, process.env.SECRET_KEY).username;
+    // filter
+    dbPosts.forEach((post, index) => {
+      if (post.published == false) {
+        if (post.author != username) {
+          dbPosts.splice(index, 1);
+        }
       }
-    }
+    });
+  } else {
+    // filter
+    dbPosts.forEach((post, index) => {
+      if (post.published == false) {
+        dbPosts.splice(index, 1);
+      }
+    });
   }
   const posts = [];
   for (let i = 0; i < dbPosts.length; i++) {
@@ -37,6 +39,7 @@ exports.index = asyncHandler(async (req, res, next) => {
       date: dbPosts[i].date,
       text: dbPosts[i].text,
       author: dbPosts[i].author,
+      published: dbPosts[i].published,
       _id: dbPosts[i]._id,
       comments: comments,
     };
@@ -108,14 +111,25 @@ exports.get = asyncHandler(async (req, res, next) => {
     date: dbPost.date,
     text: dbPost.text,
     author: dbPost.author,
+    published: dbPost.published,
     _id: dbPost._id,
     comments: comments,
   };
   // if post is not published, not publicly visible
   if (!dbPost.published) {
-    hasToken();
-    sameAuthor();
-    return res.status(200).json({ post });
+    const token = req.cookies.JWT_TOKEN;
+    if (token) {
+      const username = jwt.verify(token, process.env.SECRET_KEY).username;
+      if (username == dbPost.author) {
+        return res.status(200).json({ post });
+      }
+      return res.status(403).json({
+        message: "Not authorized!",
+      });
+    }
+    return res.status(403).json({
+      message: "Token not found!",
+    });
   }
   // otherwise return post if published
   return res.status(200).json({ post });

middleware/sameAuthor.js

@@ -7,7 +7,7 @@ const sameAuthor = asyncHandler(async (req, res, next) => {
   // get token
   const token = req.cookies.JWT_TOKEN;
   // extract username from token
-  const username = jwt.verify(token, process.env.SECRET_KEY);
+  const username = jwt.verify(token, process.env.SECRET_KEY).username;
   // get post
   const post = await Post.findById(req.params.postID).lean().exec();
   // if different usernames

middleware/sameUser.js

@@ -4,7 +4,7 @@ const sameUser = (req, res, next) => {
   // get token
   const token = req.cookies.JWT_TOKEN;
   // extract username from token
-  const username = jwt.verify(token, process.env.SECRET_KEY);
+  const username = jwt.verify(token, process.env.SECRET_KEY).username;
   // if different usernames
   if (username != req.params.username) {
     return res.status(403).json({