fix: authenticateRequest
Betree committed Feb 19, 2024
1 parent 187eb87 commit 32827ed
Showing 4 changed files with 21 additions and 11 deletions.
20 changes: 9 additions & 11 deletions lib/req-utils.js
Expand Up @@ -4,17 +4,15 @@ import { get, isEmpty } from 'lodash';
* To forward API Key or Authorization headers from the request to the API calls.
* Returns `null` if no headers are found.
*/
export const getAuthorizationHeadersFromReq = (req) => {
const getAuthorizationHeadersFromReq = (req) => {
const { headers, query } = req;
const result = {};
const apiKey = get(headers, 'api-key') || get(query, 'apiKey');
const personalToken = get(headers, 'personal-token') || get(query, 'personalToken') || get(query, 'app_key');
const authorization = get(headers, 'authorization') || req.cookies?.authorization;
const authorization = get(headers, 'authorization');
if (authorization) {
const parts = authorization.split(' ');
const scheme = parts[0];
const accessToken = parts[1];
if (!/^Bearer$/i.test(scheme) || !accessToken) {
const [scheme, accessToken] = authorization.split(' ');
if (scheme !== 'Bearer' || !accessToken) {
throw new Error('Invalid authorization header. Format should be: Authorization: Bearer [token]');
}

Expand All @@ -29,19 +27,19 @@ export const getAuthorizationHeadersFromReq = (req) => {
result['Personal-Token'] = personalToken;
}

return isEmpty(headers) ? null : headers;
return isEmpty(headers) ? null : result;
};

/**
* Some syntax sugar around the `getAuthorizationHeadersFromReq` function, that throws for non-authenticated requests
* but allows `OPTIONS` requests to pass through
*/
export const authenticateRequest = (ctx) => {
const authorizationHeaders = getAuthorizationHeadersFromReq(ctx);
export const authenticateRequest = (req) => {
const authorizationHeaders = getAuthorizationHeadersFromReq(req);
if (!authorizationHeaders) {
// Frontend sends an OPTIONS request to check CORS, we should just return OK when that happens
if (ctx.req.method === 'OPTIONS') {
return {};
if (req.method === 'OPTIONS') {
return null;
} else {
throw new Error('Please provide an access token or an APP key');
}
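Review bot: The emptiness check on the return line `return isEmpty(headers) ? null : result;` (taking `result` as the new side) still tests the incoming request `headers` rather than the `result` object the function builds, so a request that carries any header at all but none of the auth ones returns `{}` instead of the documented `null`. `authenticateRequest` then sees a truthy value, neither throws 'Please provide an access token or an APP key' nor takes the OPTIONS branch, and the page callers go on to fetch with an empty header set. It should read `return isEmpty(result) ? null : result;`. Separately, `if (scheme !== 'Bearer' || !accessToken)` replaces the case-insensitive `/^Bearer$/i` test, so a client sending `bearer <token>` is now rejected; if that tightening is intended a one-line comment saying so would help, otherwise `if (scheme.toLowerCase() !== 'bearer' || !accessToken)` keeps the previous behaviour. getAuthorizationHeadersFromReq spans both hunks of this section and authenticateRequest's body continues past the second hunk.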
4 changes: 4 additions & 0 deletions pages/expense/[id]/[filename].js
Expand Up @@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
if (isServer) {
const { id } = ctx.query;
const authorizationHeaders = authenticateRequest(ctx.req);
if (!authorizationHeaders) {
return {};
}

const expense = await fetchExpenseInvoiceData(id, authorizationHeaders);
return { expense, pageFormat: ctx.query.pageFormat };
}
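Review bot: The added guard `if (!authorizationHeaders) { return {}; }` is repeated verbatim here, in pages/receipts/transactions/[id]/[filename].js and in the section whose file header is not shown on this page, and none of the three says why an empty props object is the right outcome; a comment such as `// OPTIONS preflight: authenticateRequest() returned null, skip data fetching` above each would make the intent clear. Because the fetch that follows is skipped, `expense` is undefined for that render, which the component's render path outside the hunk must tolerate. The enclosing method starts and ends outside the hunk.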
Expand Up @@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
if (isServer) {
const { fromCollectiveSlug, toCollectiveSlug: hostSlug, isoStartDate: dateFrom, isoEndDate: dateTo } = ctx.query;
const authorizationHeaders = authenticateRequest(ctx.req);
if (!authorizationHeaders) {
return {};
}

const queryParams = { fromCollectiveSlug, hostSlug, dateFrom, dateTo };
const response = await fetchInvoiceByDateRange(queryParams, authorizationHeaders);

4 changes: 4 additions & 0 deletions pages/receipts/transactions/[id]/[filename].js
Expand Up @@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
if (isServer) {
const { id, pageFormat } = ctx.query;
const authorizationHeaders = authenticateRequest(ctx.req);
if (!authorizationHeaders) {
return {};
}

const transaction = await fetchTransactionInvoice(id, authorizationHeaders);
return {
pageFormat: pageFormat,
