CartoDB-SQL-API/app/models/apikey_auth.js


/**
* This module authenticates a user with a pregenerated API key.
*/
var _ = require('underscore')
, Step = require('step');
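/**
 * Authenticator that validates requests against a pregenerated API key.
 *
 * @param cartodb_redis - store client; getUserMapKey and getUserId are called on it
 * @param cartodb_request - request helper; userByReq is called on it
 * @throws Error when either dependency is missing
 */
function ApikeyAuth(cartodb_redis, cartodb_request) {
  // Each message names the dependency that is actually missing
  // (the two messages used to be swapped).
  if ( ! cartodb_redis ) throw new Error("Cannot initialize ApikeyAuth with no cartodb-redis");
  if ( ! cartodb_request ) throw new Error("Cannot initialize ApikeyAuth with no cartodb_request");
  this.cdbRedis = cartodb_redis;
  this.cdbRequest = cartodb_request;
}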
// The module exports the ApikeyAuth constructor itself.
module.exports = ApikeyAuth;
// Short alias for the prototype; the methods below are attached through it.
var o = ApikeyAuth.prototype;
/**
 * Resolve the user a request belongs to.
 * Delegates to the request helper supplied to the constructor.
 *
 * @param req express request object
 * @returns whatever cdbRequest.userByReq yields for the request
 */
o.userByReq = function(req) {
  var requestHelper = this.cdbRequest;
  return requestHelper.userByReq(req);
};
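/**
 * Check whether a request is authorized by API key.
 *
 * The key stored for the request's user (read through
 * cdbRedis.getUserMapKey) is compared with the `map_key` and `api_key`
 * parameters of the query string and of the request body; one match is
 * enough.
 *
 * @param req express request object
 * @param callback function(err, authorized) - authorized is 1 on a match, 0 otherwise
 */
o.authorizedByAPIKey = function(req, callback)
{
  var user = this.userByReq(req);
  var that = this;

  Step(
    function fetchStoredKey() {
      that.cdbRedis.getUserMapKey(user, this);
    },
    function checkApiKey(err, val) {
      if (err) throw err;
      // No stored key means nothing can match: fail closed.
      if ( ! val ) return 0;

      var expected = String(val);
      // A truthy value that stringifies to "" must never match an empty parameter.
      if ( expected === '' ) return 0;

      var query = req.query || {};
      var body = req.body || {};
      var candidates = [ query.map_key, query.api_key, body.map_key, body.api_key ];

      // Only a string that is exactly the stored key is accepted. Loose
      // equality (==) would also accept values that merely coerce to it,
      // such as an array-valued parameter holding the key.
      // NOTE(review): === is not a constant-time comparison; if the
      // supported Node.js versions provide crypto.timingSafeEqual, prefer
      // comparing fixed-length digests of both values with it.
      // NOTE(review): keys sent in the query string tend to end up in
      // access logs and proxy logs; body or header transport exposes them less.
      for (var i = 0; i < candidates.length; i++) {
        if ( typeof candidates[i] === 'string' && candidates[i] === expected ) return 1;
      }
      // Return 0 rather than undefined so a defined value reaches the next step.
      return 0;
    },
    function finish(err, authorized) {
      callback(err, authorized);
    }
  );
};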
/**
 * Resolve the id of the user a request is authorized for.
 *
 * The API key is validated first; the user id is looked up through
 * cdbRedis.getUserId only when that check succeeds.
 *
 * @param req - standard req object; the user is derived from it via userByReq
 * @param callback - function(err, user_id); user_id is null when the request is not authorized
 */
o.verifyRequest = function(req, callback) {
  var self = this;
  var username = self.userByReq(req);

  Step(
    function validateApiKey() {
      self.authorizedByAPIKey(req, this);
    },
    function lookupUserId(err, apikey_valid) {
      if ( err ) throw err;
      if ( ! apikey_valid ) {
        // not authorized: answer right away, no id lookup is started
        callback(null, null);
        return;
      }
      self.cdbRedis.getUserId(username, this);
    },
    function deliver(err, user_id) {
      callback(err, user_id);
    }
  );
};