From 5db0e9c8d8aba2c50882a92c4da38f9f96651058 Mon Sep 17 00:00:00 2001
From: Eneko Lakasta
Date: Thu, 15 Feb 2018 12:50:42 +0100
Subject: [PATCH] add middleware for apikeyToken
---
 lib/cartodb/api/auth_api.js | 17 +++++-------
 lib/cartodb/backends/pg_connection.js | 2 +-
 lib/cartodb/controllers/named_maps_admin.js | 2 +-
 .../middleware/context/apikey-token.js | 9 +++++++
 lib/cartodb/middleware/context/index.js | 2 ++
 .../lib}/get_api_key_token_from_request.js | 2 +-
 package.json | 1 +
 test/unit/cartodb/prepare-context.test.js | 26 +++++++++++++++++++
 yarn.lock | 6 +++++
 9 files changed, 54 insertions(+), 13 deletions(-)
 create mode 100644 lib/cartodb/middleware/context/apikey-token.js
 rename lib/cartodb/{api => middleware/lib}/get_api_key_token_from_request.js (97%)
diff --git a/lib/cartodb/api/auth_api.js b/lib/cartodb/api/auth_api.js
index ca4c2724..22aca1ca 100644
--- a/lib/cartodb/api/auth_api.js
+++ b/lib/cartodb/api/auth_api.js
@@ -54,21 +54,18 @@ function isValidApiKey(apikey) {
 // Check if a request is authorized by api_key
 //
 // @param user
-// @param req express request object
+// @param res express response object
 // @param callback function(err, authorized)
 // NOTE: authorized is expected to be 0 or 1 (integer)
 //
-AuthApi.prototype.authorizedByAPIKey = function(user, req, callback) {
- var givenKey = req.query.api_key || req.query.map_key;
- if ( ! givenKey && req.body ) {
- // check also in request body
- givenKey = req.body.api_key || req.body.map_key;
- }
- if ( ! givenKey ) {
+AuthApi.prototype.authorizedByAPIKey = function(user, res, callback) {
+ const apikeyToken = res.locals.apikeyToken;
+
+ if ( ! apikeyToken ) {
 return callback(null, false); // no api key, no authorization...
 }
- this.metadataBackend.getApikey(user, givenKey, (err, apikey) => {
+ this.metadataBackend.getApikey(user, apikeyToken, (err, apikey) => {
 if (err) {
 return callback(err);
 }
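Review bot: `authorizedByAPIKey` now reads `res.locals.apikeyToken` and answers "not authorized" when it is absent, so any caller that reaches it on a response the apikey-token middleware has not processed is silently denied instead of failing loudly; the comment block above the signature should state that contract, e.g. `// NOTE: expects res.locals.apikeyToken to have been populated by middleware/context/apikey-token.js`. The same dependency now applies to the updated call sites in the `authorize` hunk below and in named_maps_admin.js. Dropping the `req.body` lookup is also a behaviour change for clients that send the key in the request body; whether the request-level getter still covers that source is not visible in this patch and is worth confirming. The callback body of `authorizedByAPIKey` continues outside the hunk.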
@@ -104,7 +101,7 @@ AuthApi.prototype.authorizedByAPIKey = function(user, req, callback) {
 AuthApi.prototype.authorize = function(req, res, callback) {
 var user = res.locals.user;
- this.authorizedByAPIKey(user, req, (err, isAuthorizedByApikey) => {
+ this.authorizedByAPIKey(user, res, (err, isAuthorizedByApikey) => {
 if (err) {
 return callback(err);
 }
diff --git a/lib/cartodb/backends/pg_connection.js b/lib/cartodb/backends/pg_connection.js
index a145d0d2..37023c90 100644
--- a/lib/cartodb/backends/pg_connection.js
+++ b/lib/cartodb/backends/pg_connection.js
@@ -31,7 +31,7 @@ PgConnection.prototype.setDBAuth = function(username, params, apikeyType, callba
 return callback();
 });
 } else if (apikeyType === 'regular') {
- this.metadataBackend.getApikey(username, params.api_key || params.map_key, (err, apikey) => {
+ this.metadataBackend.getApikey(username, params.apikeyToken, (err, apikey) => {
 if (err) {
 return callback(err);
 }
diff --git a/lib/cartodb/controllers/named_maps_admin.js b/lib/cartodb/controllers/named_maps_admin.js
index a4d05467..5839e147 100644
--- a/lib/cartodb/controllers/named_maps_admin.js
+++ b/lib/cartodb/controllers/named_maps_admin.js
@@ -70,7 +70,7 @@ NamedMapsAdminController.prototype.authorizedByAPIKey = function (action, label)
 return function authorizedByAPIKeyMiddleware (req, res, next) {
 const { user } = res.locals;
- this.authApi.authorizedByAPIKey(user, req, (err, authenticated) => {
+ this.authApi.authorizedByAPIKey(user, res, (err, authenticated) => {
 if (err) {
 return next(err);
 }
diff --git a/lib/cartodb/middleware/context/apikey-token.js b/lib/cartodb/middleware/context/apikey-token.js
new file mode 100644
index 00000000..f18cf60a
--- /dev/null
+++ b/lib/cartodb/middleware/context/apikey-token.js
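Review bot: `setDBAuth` now reads `params.apikeyToken` in place of `params.api_key || params.map_key`, but no caller of `setDBAuth` is touched by this patch (the diffstat lists neither db-conn-setup nor any other caller), so unless `params` already is `res.locals` the lookup yields `undefined` and `getApikey` is queried with an undefined token. Confirm what the callers pass, and consider failing closed before the metadata lookup, since the `'regular'` branch only makes sense when a token was supplied: `if (!params.apikeyToken) { return callback(new Error('missing API key token')); }`. The branch's callback body continues outside the hunk.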
@@ -0,0 +1,9 @@
+'use strict';
+
+const getApikeyTokenFromRequest = require('../lib/get_api_key_token_from_request');
+
+module.exports = () => function apikeyTokenMiddleware(req, res, next) {
+ res.locals.apikeyToken = getApikeyTokenFromRequest(req);
+
+ return next();
+};
diff --git a/lib/cartodb/middleware/context/index.js b/lib/cartodb/middleware/context/index.js
index 640aafd6..96b261a4 100644
--- a/lib/cartodb/middleware/context/index.js
+++ b/lib/cartodb/middleware/context/index.js
@@ -1,6 +1,7 @@
 const locals = require('./locals');
 const cleanUpQueryParams = require('./clean-up-query-params');
 const layergroupToken = require('./layergroup-token');
+const apikeyToken = require('./apikey-token');
 const authorize = require('./authorize');
 const dbConnSetup = require('./db-conn-setup');
@@ -9,6 +10,7 @@ module.exports = function prepareContextMiddleware(authApi, pgConnection) {
 locals,
 cleanUpQueryParams(),
 layergroupToken,
+ apikeyToken(),
 authorize(authApi),
 dbConnSetup(pgConnection)
 ];
diff --git a/lib/cartodb/api/get_api_key_token_from_request.js b/lib/cartodb/middleware/lib/get_api_key_token_from_request.js
similarity index 97%
rename from lib/cartodb/api/get_api_key_token_from_request.js
rename to lib/cartodb/middleware/lib/get_api_key_token_from_request.js
index 6173b7c6..5fbc74c2 100644
--- a/lib/cartodb/api/get_api_key_token_from_request.js
+++ b/lib/cartodb/middleware/lib/get_api_key_token_from_request.js
@@ -6,7 +6,7 @@ module.exports = function getApiKeyTokenFromRequest(req) {
 let apiKeyToken = null;
 for (var getter of apiKeyGetters) {
- (apiKeyToken = getter(req));
+ apiKeyToken = getter(req);
 if (apiKeyTokenFound(apiKeyToken)) {
 break;
 }
diff --git a/package.json b/package.json
index 563aca4c..b2dc6652 100644
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
 "Simon Martin "
 ],
 "dependencies": {
+ "basic-auth": "^2.0.0",
 "body-parser": "^1.18.2",
 "camshaft": "0.61.2",
 "cartodb-psql": "0.10.2",
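Review bot: The new middleware has no comment describing its contract or why the token is placed on `res.locals`, even though `authorizedByAPIKey` and `setDBAuth` in this same patch stop reading the request and depend on it; a header such as `// Resolves the API key token once per request and exposes it as res.locals.apikeyToken for the authorize and db-conn-setup middlewares` would make that ordering dependency explicit. It also assumes `res.locals` already exists, which holds because `locals` runs first in the context chain; stating that assumption in the comment keeps future reorderings safe.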
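Review bot: `apikeyToken()` is inserted after `cleanUpQueryParams()`, so the token getter only sees the query after that middleware has run; if clean-up removes `api_key`/`map_key` (its name suggests it strips parameters, but its body is not in this patch), the query-param source would never be found and every request would be denied. Confirm which parameters it keeps, or move `apikeyToken()` ahead of `cleanUpQueryParams()` if the key parameters are among those removed. The unit test added in this patch drives the middleware in isolation, so it would not catch an ordering problem in this chain.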
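Review bot: `basic-auth` is added as a runtime dependency but nothing visible in this patch requires it; the renamed getter module is 97% similar and its only shown change drops a pair of parentheses. If that module already imported `basic-auth`, this fixes a previously undeclared dependency and the commit message should say so; if not, the dependency is unused and should be dropped. Either way, a one-line mention in the description would save the next reader the same check.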
diff --git a/test/unit/cartodb/prepare-context.test.js b/test/unit/cartodb/prepare-context.test.js
index 61ba0c55..acb7707e 100644
--- a/test/unit/cartodb/prepare-context.test.js
+++ b/test/unit/cartodb/prepare-context.test.js
@@ -10,6 +10,7 @@ var TemplateMaps = require('../../../lib/cartodb/backends/template_maps');
 const cleanUpQueryParamsMiddleware = require('../../../lib/cartodb/middleware/context/clean-up-query-params');
 const authorizeMiddleware = require('../../../lib/cartodb/middleware/context/authorize');
 const dbConnSetupMiddleware = require('../../../lib/cartodb/middleware/context/db-conn-setup');
+const apikeyTokenMiddleware = require('../../../lib/cartodb/middleware/context/apikey-token');
 const localsMiddleware = require('../../../lib/cartodb/middleware/context/locals');
 var windshaft = require('windshaft');
@@ -23,6 +24,7 @@ describe('prepare-context', function() {
 let cleanUpQueryParams;
 let dbConnSetup;
 let authorize;
+ let setApikeyToken;
 before(function() {
 var redisPool = new RedisPool(global.environment.redis);
@@ -35,6 +37,7 @@ describe('prepare-context', function() {
 cleanUpQueryParams = cleanUpQueryParamsMiddleware();
 authorize = authorizeMiddleware(authApi);
 dbConnSetup = dbConnSetupMiddleware(pgConnection);
+ setApikeyToken = apikeyTokenMiddleware();
 });
@@ -180,4 +183,27 @@ describe('prepare-context', function() {
 });
 });
+ describe.only('Set apikey token', function(){
+ it('from query param', function (done) {
+ var req = {
+ headers: {
+ host: 'localhost'
+ },
+ query: {
+ api_quey: '1234',
+ }
+ };
+ var res = {};
+ setApikeyToken(prepareRequest(req), prepareResponse(res), function (err) {
+ if (err) {
+ return done(err);
+ }
+ var query = res.locals;
+ console.log(query);
+
+ assert.equal('1234', query.apikeyToken);
+ done();
+ });
+ });
+ });
 });
diff --git a/yarn.lock b/yarn.lock
index d8a290a4..c556c94e 100644
--- a/yarn.lock
+++ b/yarn.lock
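Review bot: `describe.only(...)` restricts the whole suite to this one block and `console.log(query)` is a debugging leftover; both need to go before merge. The fixture key is spelled `api_quey`, so the request carries no `api_key` parameter and `assert.equal('1234', query.apikeyToken)` can only pass if `prepareRequest` supplies the token some other way; the intended line is most likely `api_key: '1234',`. The test also covers only the query-param source; one case per source the getter consults, plus one asserting `apikeyToken` is `null` when no key is present, would pin the contract that the authorize and db-conn-setup middlewares now rely on.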
@@ -143,6 +143,12 @@ balanced-match@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/balanced-match/-/balanced-match-1.0.0.tgz#89b4d199ab2bee49de164ea02b89ce462d71b767" +basic-auth@^2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/basic-auth/-/basic-auth-2.0.0.tgz#015db3f353e02e56377755f962742e8981e7bbba" + dependencies: + safe-buffer "5.1.1" + bcrypt-pbkdf@^1.0.0: version "1.0.1" resolved "https://registry.yarnpkg.com/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.1.tgz#63bc5dcb61331b92bc05fd528953c33462a06f8d"