From d48d7f6e197128cb701f91ac5300757891f9689d Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Tue, 15 Mar 2022 19:24:34 +0000
Subject: [PATCH 1/3] Quick fix for #4914 - adding some checks in API middleware to confirm headers have been set correctly.
---
 .../server/src/api/routes/public/index.ts | 20 +++++++++++++-----
 packages/server/src/middleware/publicApi.js | 21 +++++++++++++++++++
 2 files changed, 36 insertions(+), 5 deletions(-)
 create mode 100644 packages/server/src/middleware/publicApi.js
diff --git a/packages/server/src/api/routes/public/index.ts b/packages/server/src/api/routes/public/index.ts
index 04446d543f..41a05d3bc7 100644
--- a/packages/server/src/api/routes/public/index.ts
+++ b/packages/server/src/api/routes/public/index.ts
@@ -5,6 +5,7 @@ import rowEndpoints from "./rows"
 import userEndpoints from "./users"
 import usage from "../../../middleware/usageQuota"
 import authorized from "../../../middleware/authorized"
+import publicApiMiddleware from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
@@ -101,17 +102,26 @@ function applyRoutes(
 const paramMiddleware = subResource
 ? paramSubResource(resource, subResource)
 : paramResource(resource)
+ function both(middleware: any, opts?: any) {
+ addMiddleware(endpoints.read, middleware, opts)
+ addMiddleware(endpoints.write, paramMiddleware, opts)
+ }
+ // add the public API headers check
+ both(
+ publicApiMiddleware({
+ requiresAppId:
+ permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
+ })
+ )
+ // add the output mapper middleware
+ both(mapperMiddleware, { output: true })
 // add the parameter capture middleware
- addMiddleware(endpoints.read, paramMiddleware)
- addMiddleware(endpoints.write, paramMiddleware)
+ both(paramMiddleware)
 // add the authorization middleware, using the correct perm type
 addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ))
 addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE))
 // add the usage quota middleware
 addMiddleware(endpoints.write, usage)
- // add the output mapper middleware
- addMiddleware(endpoints.read, mapperMiddleware, { output: true })
- addMiddleware(endpoints.write, mapperMiddleware, { output: true })
 addToRouter(endpoints.read)
 addToRouter(endpoints.write)
 }
diff --git a/packages/server/src/middleware/publicApi.js b/packages/server/src/middleware/publicApi.js
new file mode 100644
index 0000000000..4638363602
--- /dev/null
+++ b/packages/server/src/middleware/publicApi.js
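Review bot: In the `both` helper at the top of the `applyRoutes` hunk in patch 1/3, the write branch registers `paramMiddleware` instead of the `middleware` argument, so at this commit `endpoints.write` never receives the public API header check or the output mapper. The second call should read `addMiddleware(endpoints.write, middleware, opts)`. Patch 3/3 of the series drops the helper, but 1/3 taken on its own (a cherry-pick or a bisect step) leaves the write routes without the new check. `applyRoutes` begins outside the hunk.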
@@ -0,0 +1,21 @@
+const { Headers } = require("../../../backend-core/src/constants")
+const { getAppId } = require("@budibase/backend-core/utils")
+
+module.exports = function ({ requiresAppId } = {}) {
+ return async (ctx, next) => {
+ const appId = getAppId(ctx)
+ if (requiresAppId && !appId) {
+ ctx.throw(
+ 400,
+ `Invalid app ID provided, please check the ${Headers.APP_ID} header.`
+ )
+ }
+ if (!ctx.headers[Headers.API_KEY]) {
+ ctx.throw(
+ 400,
+ `Invalid API key provided, please check the ${Headers.API_KEY} header.`
+ )
+ }
+ return next()
+ }
+}
From ba9d6cf8f74e56299a7a2ef5b0552965d53733f8 Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Tue, 15 Mar 2022 19:53:05 +0000
Subject: [PATCH 2/3] Fixing an issue that was breaking build.
---
 packages/server/src/middleware/publicApi.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/middleware/publicApi.js b/packages/server/src/middleware/publicApi.js
index 4638363602..563612c1ea 100644
--- a/packages/server/src/middleware/publicApi.js
+++ b/packages/server/src/middleware/publicApi.js
@@ -1,4 +1,4 @@
-const { Headers } = require("../../../backend-core/src/constants")
+const { Headers } = require("@budibase/backend-core/constants")
 const { getAppId } = require("@budibase/backend-core/utils")
 
 module.exports = function ({ requiresAppId } = {}) {
From 75375be9f7e51ce7cf0f287bea57ea088c2d07bb Mon Sep 17 00:00:00 2001
From: mike12345567
Date: Tue, 15 Mar 2022 20:17:41 +0000
Subject: [PATCH 3/3] Fixing issue found by test case.
---
 .../server/src/api/routes/public/index.ts | 27 +++++++++----------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/packages/server/src/api/routes/public/index.ts b/packages/server/src/api/routes/public/index.ts
index 41a05d3bc7..57436def1d 100644
--- a/packages/server/src/api/routes/public/index.ts
+++ b/packages/server/src/api/routes/public/index.ts
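Review bot: The API-key test in the new `publicApi.js` (patch 1/3) only establishes that the header is present, yet an absent key is answered with 400 and the wording `Invalid API key provided`. A missing credential is normally reported as 401, so I would pass 401 as the first argument of that second `ctx.throw` call. The function also deserves a header comment such as `// Checks that the public API headers are present; the key itself is not validated here.` so nobody treats this middleware as authentication; validation presumably happens in the later `authorized` middleware, which this hunk does not show. Indexing `ctx.headers` directly depends on `Headers.API_KEY` being defined in lower case, whereas `ctx.get(Headers.API_KEY)` looks the header up case-insensitively.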
@@ -5,7 +5,7 @@ import rowEndpoints from "./rows"
 import userEndpoints from "./users"
 import usage from "../../../middleware/usageQuota"
 import authorized from "../../../middleware/authorized"
-import publicApiMiddleware from "../../../middleware/publicApi"
+import publicApi from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
@@ -102,26 +102,23 @@ function applyRoutes(
 const paramMiddleware = subResource
 ? paramSubResource(resource, subResource)
 : paramResource(resource)
- function both(middleware: any, opts?: any) {
- addMiddleware(endpoints.read, middleware, opts)
- addMiddleware(endpoints.write, paramMiddleware, opts)
- }
- // add the public API headers check
- both(
- publicApiMiddleware({
- requiresAppId:
- permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
- })
- )
- // add the output mapper middleware
- both(mapperMiddleware, { output: true })
+ const publicApiMiddleware = publicApi({
+ requiresAppId:
+ permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
+ })
+ addMiddleware(endpoints.read, publicApiMiddleware)
+ addMiddleware(endpoints.write, publicApiMiddleware)
 // add the parameter capture middleware
- both(paramMiddleware)
+ addMiddleware(endpoints.read, paramMiddleware)
+ addMiddleware(endpoints.write, paramMiddleware)
 // add the authorization middleware, using the correct perm type
 addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ))
 addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE))
 // add the usage quota middleware
 addMiddleware(endpoints.write, usage)
+ // add the output mapper middleware
+ addMiddleware(endpoints.read, mapperMiddleware, { output: true })
+ addMiddleware(endpoints.write, mapperMiddleware, { output: true })
 addToRouter(endpoints.read)
 addToRouter(endpoints.write)
 }
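Review bot: The rewritten block that builds `publicApiMiddleware` in the second hunk of patch 3/3 lost the `// add the public API headers check` comment, while every other registration in `applyRoutes` still carries one, and nothing explains why `PermissionTypes.APP` and `PermissionTypes.USER` routes are exempt from the app ID requirement. I would restore the comment and extend it, e.g. `// add the public API headers check (API key always, app ID unless the resource is an app or a user)`, with the reason for the two exemptions spelled out. Because the condition excludes two named types, any permission type added later will require an app ID by default; that is the stricter direction, but it is worth stating so it is not loosened by accident. `applyRoutes` begins outside the hunk.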