Quick fix for #4914 - adding some checks in API middleware to confirm headers have been set correctly.

packages/server/src/api/routes/public/index.ts

@@ -5,6 +5,7 @@ import rowEndpoints from "./rows"
 import userEndpoints from "./users"
 import usage from "../../../middleware/usageQuota"
 import authorized from "../../../middleware/authorized"
+import publicApiMiddleware from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
@@ -101,17 +102,26 @@ function applyRoutes(
   const paramMiddleware = subResource
     ? paramSubResource(resource, subResource)
     : paramResource(resource)
+  function both(middleware: any, opts?: any) {
+    addMiddleware(endpoints.read, middleware, opts)
+    addMiddleware(endpoints.write, paramMiddleware, opts)
+  }
+  // add the public API headers check
+  both(
+    publicApiMiddleware({
+      requiresAppId:
+        permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
+    })
+  )
+  // add the output mapper middleware
+  both(mapperMiddleware, { output: true })
   // add the parameter capture middleware
-  addMiddleware(endpoints.read, paramMiddleware)
+  both(paramMiddleware)
-  addMiddleware(endpoints.write, paramMiddleware)
   // add the authorization middleware, using the correct perm type
   addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ))
   addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE))
   // add the usage quota middleware
   addMiddleware(endpoints.write, usage)
-  // add the output mapper middleware
-  addMiddleware(endpoints.read, mapperMiddleware, { output: true })
-  addMiddleware(endpoints.write, mapperMiddleware, { output: true })
   addToRouter(endpoints.read)
   addToRouter(endpoints.write)
 }

packages/server/src/middleware/publicApi.js

@@ -0,0 +1,21 @@
+const { Headers } = require("../../../backend-core/src/constants")
+const { getAppId } = require("@budibase/backend-core/utils")
+
+module.exports = function ({ requiresAppId } = {}) {
+  return async (ctx, next) => {
+    const appId = getAppId(ctx)
+    if (requiresAppId && !appId) {
+      ctx.throw(
+        400,
+        `Invalid app ID provided, please check the ${Headers.APP_ID} header.`
+      )
+    }
+    if (!ctx.headers[Headers.API_KEY]) {
+      ctx.throw(
+        400,
+        `Invalid API key provided, please check the ${Headers.API_KEY} header.`
+      )
+    }
+    return next()
+  }
+}