

fix(#91): API endpoints exposed even w/ invalid oauth2 token
CRITICAL
barthofu committed Mar 7, 2023
1 parent 66c6a2e commit 315c360
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions src/api/middlewares/authenticated.ts
Expand Up @@ -22,7 +22,7 @@ export class Authenticated {
})
}

use(@Context() { request }: PlatformContext) {
async use(@Context() { request }: PlatformContext) {

// if we are in development mode, we don't need to check the token
// if (process.env['NODE_ENV'] === 'development') return next()
Expand All @@ -47,8 +47,9 @@ export class Authenticated {
if (authorizedAPITokens.includes(token)) return

// we get the user's profile from the token using the `discord-oauth2` package
discordOauth2.getUser(token)
.then(async (user) => {
try {

const user = await discordOauth2.getUser(token)

// check if logged user is a dev (= admin) of the bot
if (isDev(user.id)) {
Expand All @@ -62,9 +63,9 @@ export class Authenticated {
} else {
throw new Unauthorized('Unauthorized')
}
})
.catch(async (err) => {
throw new BadRequest('Invalid token')
})

} catch (err) {
throw new BadRequest('Invalid discord token')
}
}
}
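Review bot: The `throw new Unauthorized('Unauthorized')` on the else branch in the third hunk now sits inside the `try` opened in the second hunk, so the new `catch` at the end of `use` rewrites it into `BadRequest('Invalid discord token')` — a valid token that belongs to a non-authorized user is reported as a malformed-token 400 rather than a 401, and any failure inside the `isDev` branch (elided between the hunks) is masked the same way. Only the `discordOauth2.getUser(token)` call should be covered by that catch; the smallest change is to let known HTTP errors through first: `} catch (err) { if (err instanceof Unauthorized) throw err; throw new BadRequest('Invalid discord token') }`. Alternatively wrap just the `await` in a `let user; try { … } catch { … }` and keep the authorization checks after it, outside the try. Since `err` is otherwise unused, `catch {` is enough in either form. The part of `use` between the second and third hunks is outside this view.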

