diff --git a/packages/server/src/api/routes/public/index.ts b/packages/server/src/api/routes/public/index.ts
index 04446d543f..57436def1d 100644
--- a/packages/server/src/api/routes/public/index.ts
+++ b/packages/server/src/api/routes/public/index.ts
@@ -5,6 +5,7 @@ import rowEndpoints from "./rows"
 import userEndpoints from "./users"
 import usage from "../../../middleware/usageQuota"
 import authorized from "../../../middleware/authorized"
+import publicApi from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
@@ -101,6 +102,12 @@ function applyRoutes(
 const paramMiddleware = subResource
 ? paramSubResource(resource, subResource)
 : paramResource(resource)
+ const publicApiMiddleware = publicApi({
+ requiresAppId:
+ permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
+ })
+ addMiddleware(endpoints.read, publicApiMiddleware)
+ addMiddleware(endpoints.write, publicApiMiddleware)
 // add the parameter capture middleware
 addMiddleware(endpoints.read, paramMiddleware)
 addMiddleware(endpoints.write, paramMiddleware)
diff --git a/packages/server/src/middleware/publicApi.js b/packages/server/src/middleware/publicApi.js
new file mode 100644
index 0000000000..563612c1ea
--- /dev/null
+++ b/packages/server/src/middleware/publicApi.js
@@ -0,0 +1,21 @@
+const { Headers } = require("@budibase/backend-core/constants")
+const { getAppId } = require("@budibase/backend-core/utils")
+
+module.exports = function ({ requiresAppId } = {}) {
+ return async (ctx, next) => {
+ const appId = getAppId(ctx)
+ if (requiresAppId && !appId) {
+ ctx.throw(
+ 400,
+ `Invalid app ID provided, please check the ${Headers.APP_ID} header.`
+ )
+ }
+ if (!ctx.headers[Headers.API_KEY]) {
+ ctx.throw(
+ 400,
+ `Invalid API key provided, please check the ${Headers.API_KEY} header.`
+ )
+ }
+ return next()
+ }
+}
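Review bot: The `requiresAppId` expression in `applyRoutes` exempts `PermissionTypes.APP` and `PermissionTypes.USER` without saying why; a short comment above it, such as `// application and user endpoints are not scoped to a single app, so no app ID is required`, would make the exemption reviewable (wording to be confirmed against what those endpoints actually touch). The new middleware is registered ahead of the parameter-capture middleware, but how `addMiddleware` orders entries relative to the authorization middleware is not visible in this hunk, so it is worth confirming that the header pre-check runs before any handler work. `applyRoutes` starts and ends outside the hunk.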
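Review bot: The `if (!ctx.headers[Headers.API_KEY])` check in publicApi.js only tests that the header is present, yet it reports "Invalid API key provided" with status 400. Nothing in this file verifies the key, so the real check presumably lives in a later middleware; a header comment such as `// presence check only; the key itself is verified by the authorization middleware` would stop readers treating this as authentication. A missing credential is more conventionally a 401, with a message along the lines of "No API key provided". Running the API-key check before the `requiresAppId && !appId` check would give callers without any credential the same response whatever app ID they send. `getAppId(ctx)` is not shown here and may read the app ID from places other than the header, so the "please check the header" hint should be confirmed against it.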