Quick fix for #4914 - adding some checks in API middleware to confirm headers have been set correctly.

This commit is contained in:
mike12345567 2022-03-15 19:24:34 +00:00
parent 18d85fd4ac
commit 1dd2cf99d0
2 changed files with 36 additions and 5 deletions

View File

@ -5,6 +5,7 @@ import rowEndpoints from "./rows"
import userEndpoints from "./users"
import usage from "../../../middleware/usageQuota"
import authorized from "../../../middleware/authorized"
import publicApiMiddleware from "../../../middleware/publicApi"
import { paramResource, paramSubResource } from "../../../middleware/resourceId"
import { CtxFn } from "./utils/Endpoint"
import mapperMiddleware from "./middleware/mapper"
@ -101,17 +102,26 @@ function applyRoutes(
const paramMiddleware = subResource
? paramSubResource(resource, subResource)
: paramResource(resource)
function both(middleware: any, opts?: any) {
addMiddleware(endpoints.read, middleware, opts)
addMiddleware(endpoints.write, paramMiddleware, opts)
}
// add the public API headers check
both(
publicApiMiddleware({
requiresAppId:
permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
})
)
// add the output mapper middleware
both(mapperMiddleware, { output: true })
// add the parameter capture middleware
addMiddleware(endpoints.read, paramMiddleware)
addMiddleware(endpoints.write, paramMiddleware)
both(paramMiddleware)
// add the authorization middleware, using the correct perm type
addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ))
addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE))
// add the usage quota middleware
addMiddleware(endpoints.write, usage)
// add the output mapper middleware
addMiddleware(endpoints.read, mapperMiddleware, { output: true })
addMiddleware(endpoints.write, mapperMiddleware, { output: true })
addToRouter(endpoints.read)
addToRouter(endpoints.write)
}

View File

@ -0,0 +1,21 @@
const { Headers } = require("../../../backend-core/src/constants")
const { getAppId } = require("@budibase/backend-core/utils")
module.exports = function ({ requiresAppId } = {}) {
return async (ctx, next) => {
const appId = getAppId(ctx)
if (requiresAppId && !appId) {
ctx.throw(
400,
`Invalid app ID provided, please check the ${Headers.APP_ID} header.`
)
}
if (!ctx.headers[Headers.API_KEY]) {
ctx.throw(
400,
`Invalid API key provided, please check the ${Headers.API_KEY} header.`
)
}
return next()
}
}