Improve authorizedByAPIKey

This commit is contained in:
Raul Ochoa 2015-07-06 03:19:56 +02:00
parent ccd3d0a3bf
commit aa266f9b61
2 changed files with 17 additions and 28 deletions


@ -171,7 +171,7 @@ NamedMapsController.prototype.create = function(req, res) {
step(
function checkPerms(){
self.app.authorizedByAPIKey(req, this);
self.app.authorizedByAPIKey(cdbuser, req, this);
},
function addTemplate(err, authenticated) {
assert.ifError(err);
@ -199,7 +199,7 @@ NamedMapsController.prototype.update = function(req, res) {
var tpl_id;
step(
function checkPerms(){
self.app.authorizedByAPIKey(req, this);
self.app.authorizedByAPIKey(cdbuser, req, this);
},
function updateTemplate(err, authenticated) {
assert.ifError(err);
@ -233,7 +233,7 @@ NamedMapsController.prototype.retrieve = function(req, res) {
var tpl_id;
step(
function checkPerms(){
self.app.authorizedByAPIKey(req, this);
self.app.authorizedByAPIKey(cdbuser, req, this);
},
function getTemplate(err, authenticated) {
assert.ifError(err);
@ -271,7 +271,7 @@ NamedMapsController.prototype.destroy = function(req, res) {
var tpl_id;
step(
function checkPerms(){
self.app.authorizedByAPIKey(req, this);
self.app.authorizedByAPIKey(cdbuser, req, this);
},
function deleteTemplate(err, authenticated) {
assert.ifError(err);
@ -300,7 +300,7 @@ NamedMapsController.prototype.list = function(req, res) {
step(
function checkPerms(){
self.app.authorizedByAPIKey(req, this);
self.app.authorizedByAPIKey(cdbuser, req, this);
},
function listTemplates(err, authenticated) {
assert.ifError(err);
@ -490,7 +490,7 @@ function finishFn(app, res, description, okResponse) {
}
function ifUnauthenticated(authenticated, description) {
if (authenticated !== 1) {
if (!authenticated) {
var err = new Error(description);
err.http_status = 403;
throw err;
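Review bot: `ifUnauthenticated` now treats any falsy value as a denial, but neither this function nor the five `checkPerms` call sites say what `authenticated` may be; the same commit changes `authorizedByAPIKey` to return `val && givenKey == val`, so the value can be `undefined`, `''`, `false` or a boolean rather than the 0/1 integer the old `!== 1` check assumed. I would state that contract above the check: `// authenticated is the raw result of authorizedByAPIKey: any falsy value (0, false, undefined, '') denies; never compare it to a number.` A missing key and a wrong key both end in the same 403 here, so if a caller ever needs to tell "no credentials" (401) from "bad credentials" apart, that information is already lost before this function. The five identical `checkPerms` steps could call one shared helper so the `cdbuser` argument cannot drift between handlers; `cdbuser` itself is defined outside these hunks, presumably from the request, so it is worth confirming each handler uses the same value as the template owner. The closing brace of `ifUnauthenticated` and the start of `finishFn` lie outside the hunk.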


@ -805,11 +805,6 @@ module.exports = function(serverOptions) {
var layergroup_id = req.params.token;
var auth_token = req.params.auth_token;
var mapStore = req.app.mapStore;
if (!mapStore) {
throw new Error('Unable to retrieve map configuration token');
}
mapStore.load(layergroup_id, function(err, mapConfig) {
if (err) {
return callback(err);
@ -823,29 +818,27 @@ module.exports = function(serverOptions) {
// Check if a request is authorized by api_key
//
// @param user
// @param req express request object
// @param callback function(err, authorized)
// NOTE: authorized is expected to be 0 or 1 (integer)
//
app.authorizedByAPIKey = function(req, callback) {
app.authorizedByAPIKey = function(user, req, callback) {
var givenKey = req.query.api_key || req.query.map_key;
if ( ! givenKey && req.body ) {
// check also in request body
givenKey = req.body.api_key || req.body.map_key;
}
if ( ! givenKey ) {
callback(null, 0); // no api key, no authorization...
return;
return callback(null, 0); // no api key, no authorization...
}
//console.log("given ApiKey: " + givenKey);
var user = cdbRequest.userByReq(req);
step(
function (){
function () {
metadataBackend.getUserMapKey(user, this);
},
function checkApiKey(err, val){
assert.ifError(err);
return ( val && givenKey == val ) ? 1 : 0;
return val && givenKey == val;
},
function finish(err, authorized) {
callback(err, authorized);
@ -865,7 +858,7 @@ module.exports = function(serverOptions) {
step(
function () {
self.authorizedByAPIKey(req, this);
self.authorizedByAPIKey(user, req, this);
},
function checkApiKey(err, authorized){
if (req.profiler) {
@ -874,11 +867,9 @@ module.exports = function(serverOptions) {
assert.ifError(err);
// if not authorized by api_key, continue
if (authorized !== 1) {
// not authorized by api_key,
// check if authorized by signer
self.authorizedBySigner(req, this);
return;
if (!authorized) {
// not authorized by api_key, check if authorized by signer
return self.authorizedBySigner(req, this);
}
// authorized by api key, login as the given username and stop
@ -898,13 +889,11 @@ module.exports = function(serverOptions) {
// PostgreSQL do the rest.
//
if ( ! req.params.signer ) {
callback(null, true); // authorized so far
return;
return callback(null, true); // authorized so far
}
// if signer name was given, return no authorization
callback(null, false);
return;
return callback(null, false);
}
pgConnection.setDBAuth(signed_by, req.params, function(err) {