import { ApiTokenType } from '../types/models/api-token';
import { IUnleashConfig } from '../types/option';
import { IApiRequest, IAuthRequest } from '../routes/unleash-types';
import { IUnleashServices } from 'lib/server-impl';
/**
 * Whether the request path belongs to the client API.
 *
 * This is a substring test (`'/api/client'` anywhere in the path), not a
 * prefix test. A falsy `path` is returned unchanged so the result stays falsy.
 */
const isClientApi = ({ path }: { path?: string }) => {
    if (!path) {
        return path;
    }
    return path.includes('/api/client');
};
/**
 * Whether the request path belongs to the Edge metrics API.
 *
 * Substring test for `'/edge/metrics'`; a falsy `path` is returned unchanged.
 */
const isEdgeMetricsApi = ({ path }: { path?: string }) => {
    if (!path) {
        return path;
    }
    return path.includes('/edge/metrics');
};
// Every path fragment that identifies a proxy/frontend API request. The older
// proxy paths are kept so they keep resolving to the embedded proxy endpoint.
const proxyPathMarkers = [
    '/api/proxy',
    '/api/development/proxy',
    '/api/production/proxy',
    '/api/frontend',
] as const;

/**
 * Whether the request path belongs to the proxy / frontend API.
 *
 * Substring test against `proxyPathMarkers`; returns `undefined` for a
 * falsy `path`.
 */
const isProxyApi = ({ path }: { path?: string }) => {
    if (!path) {
        return;
    }
    return proxyPathMarkers.some((marker) => path.includes(marker));
};
/** Body sent with the 403 when a valid token's type does not match the endpoint. */
export const TOKEN_TYPE_ERROR_MESSAGE =
'invalid token: expected a different token type for this endpoint';
/** Body sent with the 401 when a client/proxy endpoint is called without a token. */
export const NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED =
'This endpoint requires an API token. Please add an authorization header to your request with a valid token';
/**
 * Builds the middleware that authenticates requests carrying an API token in
 * the `authorization` header.
 *
 * Behaviour, in order:
 *  - If `authentication.enableApiToken` is off, a pass-through handler is returned.
 *  - A request that already has `req.user` is passed on untouched.
 *  - A header starting with `user:` is not an API token and is left alone.
 *  - A resolved token whose type does not fit the requested path gets a 403.
 *  - A missing or unknown token on a client or proxy path gets a 401; other
 *    paths (admin) are left to the downstream permission checker.
 *
 * @param config - logger factory, auth settings and flag resolver.
 * @param services - the token service used to resolve the header value.
 * @returns a request handler; typed `any` because this module does not import
 *   the Express handler types.
 */
const apiAccessMiddleware = (
    {
        getLogger,
        authentication,
        flagResolver,
    }: Pick<IUnleashConfig, 'getLogger' | 'authentication' | 'flagResolver'>,
    { apiTokenService }: Pick<IUnleashServices, 'apiTokenService'>,
): any => {
    const logger = getLogger('/middleware/api-token.ts');
    logger.debug('Enabling api-token middleware');

    if (!authentication.enableApiToken) {
        return (_req: unknown, _res: unknown, next: () => void) => next();
    }

    // Whether a token of `tokenType` may call the path of `req`. CLIENT tokens
    // are limited to the client and Edge metrics APIs; FRONTEND tokens to the
    // proxy API, and only while the `embedProxy` flag is on. Any other type is
    // not restricted here.
    const tokenFitsPath = (
        tokenType: string,
        req: IAuthRequest | IApiRequest,
    ) => {
        switch (tokenType) {
            case ApiTokenType.CLIENT:
                return isClientApi(req) || isEdgeMetricsApi(req);
            case ApiTokenType.FRONTEND:
                return isProxyApi(req) && flagResolver.isEnabled('embedProxy');
            default:
                return true;
        }
    };

    return (
        req: IAuthRequest | IApiRequest,
        res: { status(code: number): { send(body: unknown): unknown } },
        next: () => void,
    ) => {
        if (req.user) {
            return next();
        }
        try {
            const apiToken = req.header('authorization');
            // Personal (`user:`) tokens are handled by other middleware; a
            // missing header is treated like a non-personal token here.
            const isPersonalToken = apiToken?.startsWith('user:') ?? false;
            if (!isPersonalToken) {
                const apiUser = apiToken
                    ? apiTokenService.getUserForToken(apiToken)
                    : undefined;
                if (apiUser) {
                    if (!tokenFitsPath(apiUser.type, req)) {
                        res.status(403).send({
                            message: TOKEN_TYPE_ERROR_MESSAGE,
                        });
                        return;
                    }
                    req.user = apiUser;
                } else if (isClientApi(req) || isProxyApi(req)) {
                    // Token middleware is enabled (otherwise the no-op handler
                    // above was returned). Only client and proxy APIs are
                    // gated here; admin APIs rely on the permission checker.
                    res.status(401).send({
                        message: NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED,
                    });
                    return;
                }
            }
        } catch (error: unknown) {
            // NOTE(review): a throwing token lookup is only logged and the
            // request still continues to next() without a user — confirm the
            // downstream handlers for client/proxy paths reject that case.
            logger.warn(error);
        }
        next();
    };
};
// The middleware factory is the module's default export; the message constants
// above are named exports so tests and callers can match on them.
export default apiAccessMiddleware;