in fallback mode, use default api key if api key token doesnt exist

2018-02-16 11:20:04 +01:00 · 2018-02-16 11:20:04 +01:00 · 4ac224688c
commit 4ac224688c
parent 890f0d1ef6
3 changed files with 37 additions and 6 deletions
--- a/lib/cartodb/api/auth_api.js
+++ b/lib/cartodb/api/auth_api.js
@ -88,6 +88,8 @@ AuthApi.prototype.authorizedByAPIKey = function(user, req, callback) {
        }

        if ( !isValidApiKey(apikey)) {
+            return callback(null, true); // AUTH_FALLBACK :S If api key not found, use default_public
+
            const error = new Error('Unauthorized');
            error.type = 'auth';
            error.subtype = 'api-key-not-found';
--- a/lib/cartodb/backends/pg_connection.js
+++ b/lib/cartodb/backends/pg_connection.js
@ -36,7 +36,7 @@ PgConnection.prototype.setDBAuth = function(username, params, apikeyType, callba

            return callback();
        });
-    } else if (apikeyType === 'regular') {
+    } else if (apikeyType === 'regular') { //Actually it can be any type of api key
        this.metadataBackend.getApikey(username, params.api_key || params.map_key, (err, apikey) => {
            if (err) {
                return callback(err);
@ -57,6 +57,13 @@ PgConnection.prototype.setDBAuth = function(username, params, apikeyType, callba
                params.dbpassword = global.environment.postgres.password;
            }

+            //Remove this block when Auth fallback is not used anymore
+            // AUTH_FALLBACK
+            // If api key not found use default
+            if (!params.dbuser && !params.dbpassword) {
+                return this.setDBAuth(username, params, 'default', callback);
+            }
+
            return callback();           
        });
    } else if (apikeyType === 'default') {
--- a/test/acceptance/auth/authorization-fallback.js
+++ b/test/acceptance/auth/authorization-fallback.js
@ -101,7 +101,6 @@ describe('authorization fallback', function () {
        );
    });

-
    it("succeed with default - sending no api key token", function (done) {
        var layergroup = singleLayergroupConfig(pointSqlPublic, '#layer { marker-fill:red; }');

@ -125,17 +124,24 @@ describe('authorization fallback', function () {
        );
    });

-    it("fail with non-existent api key", function (done) {
-        var layergroup = singleLayergroupConfig(pointSqlMaster, '#layer { marker-fill:red; }');
+    it("succeed with non-existent api key - defaults to default", function (done) {
+        var layergroup = singleLayergroupConfig(pointSqlPublic, '#layer { marker-fill:red; }');

        assert.response(server,
            createRequest(layergroup, 'user_previous_to_project_auth', 'THIS-API-KEY-DOESNT-EXIST'),
            {
-                status: 401
+                status: 200
            },
            function (res, err) {
                assert.ifError(err);

+                var parsed = JSON.parse(res.body);
+                assert.ok(parsed.layergroupid);
+                assert.equal(res.headers['x-layergroup-id'], parsed.layergroupid);
+
+                keysToDelete['map_cfg|' + LayergroupToken.parse(parsed.layergroupid).token] = 0;
+                keysToDelete['user:user_previous_to_project_auth:mapviews:global'] = 5;
+
                done();
            }
        );
@ -156,4 +162,20 @@ describe('authorization fallback', function () {
            }
        );
    });
-});
+
+    it("fail with non-existent api key - defaults to default", function (done) {
+        var layergroup = singleLayergroupConfig(pointSqlMaster, '#layer { marker-fill:red; }');
+
+        assert.response(server,
+            createRequest(layergroup, 'user_previous_to_project_auth', 'THIS-API-KEY-DOESNT-EXIST'),
+            {
+                status: 403
+            },
+            function (res, err) {
+                assert.ifError(err);
+
+                done();
+            }
+        );
+    });
+});