Quick fix for #4914 - adding some checks in API middleware to confirm headers have been set correctly.

2024-06-21 11:51:00 +12:00 · 2022-03-15 19:24:34 +00:00 · 2022-03-15 19:24:34 +00:00 · 1dd2cf99d0
parent 18d85fd4ac
commit 1dd2cf99d0
2 changed files with 36 additions and 5 deletions
--- a/packages/server/src/api/routes/public/index.ts
+++ b/packages/server/src/api/routes/public/index.ts
@ -5,6 +5,7 @@ import rowEndpoints from "./rows"
 import userEndpoints from "./users"
 import usage from "../../../middleware/usageQuota"
 import authorized from "../../../middleware/authorized"
+import publicApiMiddleware from "../../../middleware/publicApi"
 import { paramResource, paramSubResource } from "../../../middleware/resourceId"
 import { CtxFn } from "./utils/Endpoint"
 import mapperMiddleware from "./middleware/mapper"
@ -101,17 +102,26 @@ function applyRoutes(
  const paramMiddleware = subResource
    ? paramSubResource(resource, subResource)
    : paramResource(resource)
+  function both(middleware: any, opts?: any) {
+    addMiddleware(endpoints.read, middleware, opts)
+    addMiddleware(endpoints.write, paramMiddleware, opts)
+  }
+  // add the public API headers check
+  both(
+    publicApiMiddleware({
+      requiresAppId:
+        permType !== PermissionTypes.APP && permType !== PermissionTypes.USER,
+    })
+  )
+  // add the output mapper middleware
+  both(mapperMiddleware, { output: true })
  // add the parameter capture middleware
-  addMiddleware(endpoints.read, paramMiddleware)
-  addMiddleware(endpoints.write, paramMiddleware)
+  both(paramMiddleware)
  // add the authorization middleware, using the correct perm type
  addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ))
  addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE))
  // add the usage quota middleware
  addMiddleware(endpoints.write, usage)
-  // add the output mapper middleware
-  addMiddleware(endpoints.read, mapperMiddleware, { output: true })
-  addMiddleware(endpoints.write, mapperMiddleware, { output: true })
  addToRouter(endpoints.read)
  addToRouter(endpoints.write)
 }
--- a/packages/server/src/middleware/publicApi.js
+++ b/packages/server/src/middleware/publicApi.js
@ -0,0 +1,21 @@
+const { Headers } = require("../../../backend-core/src/constants")
+const { getAppId } = require("@budibase/backend-core/utils")
+
+module.exports = function ({ requiresAppId } = {}) {
+  return async (ctx, next) => {
+    const appId = getAppId(ctx)
+    if (requiresAppId && !appId) {
+      ctx.throw(
+        400,
+        `Invalid app ID provided, please check the ${Headers.APP_ID} header.`
+      )
+    }
+    if (!ctx.headers[Headers.API_KEY]) {
+      ctx.throw(
+        400,
+        `Invalid API key provided, please check the ${Headers.API_KEY} header.`
+      )
+    }
+    return next()
+  }
+}