feat: add redirectIfNotAuthenticatedMiddleware to enforce authentication before accessing app routes

We were previously relying on API calls to redirect the user on app load,
but if the user does not have a session then there is no reason to server the application

Author: paustint

apps/api/src/app/routes/route.middleware.ts

@@ -167,6 +167,17 @@ export async function redirectIfMfaEnrollmentRequiredMiddleware(req: express.Req
   next();
 }
 
+export async function redirectIfNotAuthenticatedMiddleware(req: express.Request, res: express.Response, next: express.NextFunction) {
+  const user = req.session.user;
+
+  if (!user || user.id === PLACEHOLDER_USER_ID) {
+    res.redirect(302, '/auth/login');
+    return;
+  }
+
+  next();
+}
+
 export async function checkAuth(req: express.Request, res: express.Response, next: express.NextFunction) {
   const userAgent = req.get('User-Agent');
 

apps/api/src/main.ts

@@ -39,6 +39,7 @@ import {
   destroySessionIfPendingVerificationIsExpired,
   notFoundMiddleware,
   redirectIfMfaEnrollmentRequiredMiddleware,
+  redirectIfNotAuthenticatedMiddleware,
   redirectIfPendingTosAcceptanceMiddleware,
   redirectIfPendingVerificationMiddleware,
   setApplicationCookieMiddleware,
@@ -427,6 +428,7 @@ if (ENV.NODE_ENV === 'production' && !ENV.CI && cluster.isPrimary) {
     app.use(
       '/app',
       spaRateLimit,
+      redirectIfNotAuthenticatedMiddleware,
       redirectIfPendingVerificationMiddleware,
       redirectIfPendingTosAcceptanceMiddleware,
       redirectIfMfaEnrollmentRequiredMiddleware,