From 1dd2cf99d0ed8a50e760d3e2988a228b98c8b8d6 Mon Sep 17 00:00:00 2001 From: mike12345567 Date: Tue, 15 Mar 2022 19:24:34 +0000 Subject: [PATCH] Quick fix for #4914 - adding some checks in API middleware to confirm headers have been set correctly. --- .../server/src/api/routes/public/index.ts | 20 +++++++++++++----- packages/server/src/middleware/publicApi.js | 21 +++++++++++++++++++ 2 files changed, 36 insertions(+), 5 deletions(-) create mode 100644 packages/server/src/middleware/publicApi.js diff --git a/packages/server/src/api/routes/public/index.ts b/packages/server/src/api/routes/public/index.ts index 04446d543f..41a05d3bc7 100644 --- a/packages/server/src/api/routes/public/index.ts +++ b/packages/server/src/api/routes/public/index.ts @@ -5,6 +5,7 @@ import rowEndpoints from "./rows" import userEndpoints from "./users" import usage from "../../../middleware/usageQuota" import authorized from "../../../middleware/authorized" +import publicApiMiddleware from "../../../middleware/publicApi" import { paramResource, paramSubResource } from "../../../middleware/resourceId" import { CtxFn } from "./utils/Endpoint" import mapperMiddleware from "./middleware/mapper" @@ -101,17 +102,26 @@ function applyRoutes( const paramMiddleware = subResource ? paramSubResource(resource, subResource) : paramResource(resource) + function both(middleware: any, opts?: any) { + addMiddleware(endpoints.read, middleware, opts) + addMiddleware(endpoints.write, paramMiddleware, opts) + } + // add the public API headers check + both( + publicApiMiddleware({ + requiresAppId: + permType !== PermissionTypes.APP && permType !== PermissionTypes.USER, + }) + ) + // add the output mapper middleware + both(mapperMiddleware, { output: true }) // add the parameter capture middleware - addMiddleware(endpoints.read, paramMiddleware) - addMiddleware(endpoints.write, paramMiddleware) + both(paramMiddleware) // add the authorization middleware, using the correct perm type addMiddleware(endpoints.read, authorized(permType, PermissionLevels.READ)) addMiddleware(endpoints.write, authorized(permType, PermissionLevels.WRITE)) // add the usage quota middleware addMiddleware(endpoints.write, usage) - // add the output mapper middleware - addMiddleware(endpoints.read, mapperMiddleware, { output: true }) - addMiddleware(endpoints.write, mapperMiddleware, { output: true }) addToRouter(endpoints.read) addToRouter(endpoints.write) } diff --git a/packages/server/src/middleware/publicApi.js b/packages/server/src/middleware/publicApi.js new file mode 100644 index 0000000000..4638363602 --- /dev/null +++ b/packages/server/src/middleware/publicApi.js @@ -0,0 +1,21 @@ +const { Headers } = require("../../../backend-core/src/constants") +const { getAppId } = require("@budibase/backend-core/utils") + +module.exports = function ({ requiresAppId } = {}) { + return async (ctx, next) => { + const appId = getAppId(ctx) + if (requiresAppId && !appId) { + ctx.throw( + 400, + `Invalid app ID provided, please check the ${Headers.APP_ID} header.` + ) + } + if (!ctx.headers[Headers.API_KEY]) { + ctx.throw( + 400, + `Invalid API key provided, please check the ${Headers.API_KEY} header.` + ) + } + return next() + } +}