Multiple DAC - Update Auth Rules for Removed Roles #524

@joneubank

Description

Build will be broken by #523 and require these changes to build successfully.

The Auth Middleware restricts access to endpoints based on being authenticated, or belonging to a specific role.

After our change of roles this is no longer possible; the auth rules will require the user to be a DAC chair/member of the specific DAC for the given application.

This means the authMiddleware will only be useful for filtering out unauthenticated requests.

Details

  • Remove role dependency in authMiddleware
  • For routes that used to allow access to DAC Chair or DAC Member, these need to have the access rules moved into the route handler to check that the affected application belongs to a DAC that the user is a member of.

Notes

We could create a higher-order function that performs all the checks on the user having a session, the application existing, and the application either belonging to the user or the user being a DAC member for the application, and then adds the application object to the request context. It's worth checking if this can be done in a clear way so that less code is required inside all the route handlers that perform this check. Ask @joneubank for details on this idea.
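One way to implement the higher-order function described in the notes above, as an added example that is not part of this issue or of the project's code. The Express-like request/response shapes, the `dacIds` field on the user, the `applicationId` route parameter, the in-memory application lookup and the status codes are all assumptions made for the example:

```typescript
// Added example (not the project's code): a higher-order wrapper that performs the
// session, application-exists and owner-or-DAC-member checks once, then hands the
// loaded application to the wrapped route handler via the request context.
// Express-like types are stubbed inline so the example runs stand-alone.

interface User {
  id: string;
  dacIds: string[]; // assumed shape: DACs the user chairs or is a member of
}

interface Application {
  id: string;
  applicantId: string;
  dacId: string; // assumed shape: the DAC this application is assigned to
}

interface RouteRequest {
  params: Record<string, string>;
  session?: { user?: User };
  application?: Application; // populated by the wrapper after the checks pass
}

interface RouteResponse {
  statusCode: number;
  body: unknown;
  status(code: number): RouteResponse;
  json(body: unknown): RouteResponse;
}

type Handler = (req: RouteRequest, res: RouteResponse) => void;
type AppHandler = (req: RouteRequest & { application: Application }, res: RouteResponse) => void;

// Wraps a handler so it only runs for an authenticated user who either owns the
// application or belongs to the DAC the application is assigned to.
function withApplicationAccess(
  loadApplication: (id: string) => Application | undefined,
  handler: AppHandler,
): Handler {
  return (req, res) => {
    const user = req.session?.user;
    if (!user) {
      res.status(401).json({ error: 'authentication required' });
      return;
    }
    const application = loadApplication(req.params.applicationId);
    if (!application) {
      res.status(404).json({ error: 'application not found' });
      return;
    }
    const isOwner = application.applicantId === user.id;
    const isDacMember = user.dacIds.includes(application.dacId);
    if (!isOwner && !isDacMember) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    req.application = application;
    handler(req as RouteRequest & { application: Application }, res);
  };
}

// Constructed sample data (hypothetical applications and DACs).
const applications: Application[] = [
  { id: 'APP-1', applicantId: 'alice', dacId: 'DAC-A' },
  { id: 'APP-2', applicantId: 'bob', dacId: 'DAC-B' },
];
const findApplication = (id: string): Application | undefined =>
  applications.find((a) => a.id === id);

// Minimal response object standing in for the framework's.
function makeResponse(): RouteResponse {
  const res: RouteResponse = {
    statusCode: 200,
    body: undefined,
    status: (code) => { res.statusCode = code; return res; },
    json: (body) => { res.body = body; return res; },
  };
  return res;
}

// A route handler that never sees a request without a checked application.
const getApplication = withApplicationAccess(findApplication, (req, res) => {
  res.status(200).json({ id: req.application.id, dac: req.application.dacId });
});

// Drives one request through the wrapped handler and returns the status code.
function requestStatus(applicationId: string, user?: User): number {
  const req: RouteRequest = { params: { applicationId }, session: user ? { user } : undefined };
  const res = makeResponse();
  getApplication(req, res);
  return res.statusCode;
}

const alice: User = { id: 'alice', dacIds: [] };         // owns APP-1 only
const carol: User = { id: 'carol', dacIds: ['DAC-B'] };  // member of DAC-B, owns nothing

console.log(requestStatus('APP-1'));        // 401: no session
console.log(requestStatus('APP-1', alice)); // 200: owner
console.log(requestStatus('APP-2', alice)); // 403: not owner, not on DAC-B
console.log(requestStatus('APP-2', carol)); // 200: DAC-B member
console.log(requestStatus('APP-9', carol)); // 404: no such application
```

The wrapper keeps the existing `authMiddleware` responsibility (rejecting unauthenticated requests) and moves the role-specific decision next to the data it depends on, so a handler cannot forget the check. One choice worth making deliberately: answering 403 for an application that exists but is outside the caller's DACs tells the caller that the ID is valid; if that is a concern, return the same 404 for both the missing and the forbidden case.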
