unleash.unleash/src/lib/middleware/api-token-middleware.ts

/* eslint-disable @typescript-eslint/explicit-module-boundary-types */
import { ApiTokenType } from '../types/models/api-token';
import { IUnleashConfig } from '../types/option';
import { IAuthRequest } from '../routes/unleash-types';

const isClientApi = ({ path }) => {
    return path && path.indexOf('/api/client') > -1;
};

const isProxyApi = ({ path }) => {
    if (!path) {
        return;
    }

    // Handle all our current proxy paths which will redirect to the new
    // embedded proxy endpoint
    return (
        path.indexOf('/api/proxy') > -1 ||
        path.indexOf('/api/development/proxy') > -1 ||
        path.indexOf('/api/production/proxy') > -1 ||
        path.indexOf('/api/frontend') > -1
    );
};

export const TOKEN_TYPE_ERROR_MESSAGE =
    'invalid token: expected a different token type for this endpoint';

export const NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED =
    'This endpoint requires an API token. Please add an authorization header to your request with a valid token';
const apiAccessMiddleware = (
    {
        getLogger,
        authentication,
        flagResolver,
    }: Pick<IUnleashConfig, 'getLogger' | 'authentication' | 'flagResolver'>,
    { apiTokenService }: any,
): any => {
    const logger = getLogger('/middleware/api-token.ts');
    logger.debug('Enabling api-token middleware');

    if (!authentication.enableApiToken) {
        return (req, res, next) => next();
    }

    return (req: IAuthRequest, res, next) => {
        if (req.user) {
            return next();
        }

        try {
            const apiToken = req.header('authorization');
            if (!apiToken?.startsWith('user:')) {
                const apiUser = apiTokenService.getUserForToken(apiToken);
                const { CLIENT, FRONTEND } = ApiTokenType;

                if (apiUser) {
                    if (
                        (apiUser.type === CLIENT && !isClientApi(req)) ||
                        (apiUser.type === FRONTEND && !isProxyApi(req)) ||
                        (apiUser.type === FRONTEND &&
                            !flagResolver.isEnabled('embedProxy'))
                    ) {
                        res.status(403).send({
                            message: TOKEN_TYPE_ERROR_MESSAGE,
                        });
                        return;
                    }
                    req.user = apiUser;
                } else if (isClientApi(req) || isProxyApi(req)) {
                    // If we're here, we know that api token middleware was enabled, otherwise we'd returned a no-op middleware
                    // We explicitly only protect client and proxy apis, since admin apis are protected by our permission checker
                    // Reject with 401
                    res.status(401).send({
                        message: NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED,
                    });
                    return;
                }
            }
        } catch (error) {
            logger.warn(error);
        }

        next();
    };
};

export default apiAccessMiddleware;
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`/* eslint-disable @typescript-eslint/explicit-module-boundary-types */`
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`import { ApiTokenType } from '../types/models/api-token';`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`import { IUnleashConfig } from '../types/option';`
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot 2022-09-28 15:53:56 +02:00			`import { IAuthRequest } from '../routes/unleash-types';`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`const isClientApi = ({ path }) => {`
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests. 2023-05-27 16:29:54 +02:00			`return path && path.indexOf('/api/client') > -1;`
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`};`

feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy 2022-08-16 15:33:33 +02:00			`const isProxyApi = ({ path }) => {`
fix: proxy api check (#1965) * fix: proxy api check * fix: add await * fix: revert async setup for prehook * fix: stricter endpoint checks 2022-08-26 11:44:12 +02:00			`if (!path) {`
			`return;`
			`}`

			`// Handle all our current proxy paths which will redirect to the new`
			`// embedded proxy endpoint`
			`return (`
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests. 2023-05-27 16:29:54 +02:00			`path.indexOf('/api/proxy') > -1 \|\|`
			`path.indexOf('/api/development/proxy') > -1 \|\|`
			`path.indexOf('/api/production/proxy') > -1 \|\|`
			`path.indexOf('/api/frontend') > -1`
fix: proxy api check (#1965) * fix: proxy api check * fix: add await * fix: revert async setup for prehook * fix: stricter endpoint checks 2022-08-26 11:44:12 +02:00			`);`
feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy 2022-08-16 15:33:33 +02:00			`};`

refactor: improve token type error message (#1709) 2022-06-17 09:00:13 +02:00			`export const TOKEN_TYPE_ERROR_MESSAGE =`
feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy 2022-08-16 15:33:33 +02:00			`'invalid token: expected a different token type for this endpoint';`
refactor: improve token type error message (#1709) 2022-06-17 09:00:13 +02:00
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests. 2023-05-27 16:29:54 +02:00			`export const NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED =`
			`'This endpoint requires an API token. Please add an authorization header to your request with a valid token';`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`const apiAccessMiddleware = (`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`{`
			`getLogger,`
			`authentication,`
Feat/unleash flags embedded proxy (#1974) * feat: use unleash flags for embedded proxy * feat: add a separate flag for the proxy frontend * fix: setup unleash in dev * fix: check flagResolver on each request * fix: remove unleash client setup * refactor: update frontend routes snapshot * refactor: make batchMetrics flag dynamic * fix: always check dynamic CORS origins config * fix: make conditionalMiddleware work with the OpenAPI schema generation Co-authored-by: olav <mail@olav.io> 2022-08-26 15:16:29 +02:00			`flagResolver,`
			`}: Pick<IUnleashConfig, 'getLogger' \| 'authentication' \| 'flagResolver'>,`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`{ apiTokenService }: any,`
			`): any => {`
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`const logger = getLogger('/middleware/api-token.ts');`
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`logger.debug('Enabling api-token middleware');`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com> 2021-04-22 10:07:10 +02:00			`if (!authentication.enableApiToken) {`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`return (req, res, next) => next();`
			`}`

Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot 2022-09-28 15:53:56 +02:00			`return (req: IAuthRequest, res, next) => {`
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`if (req.user) {`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`return next();`
			`}`

			`try {`
fix: User should require a ID field set (#799) 2021-04-22 23:40:52 +02:00			`const apiToken = req.header('authorization');`
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot 2022-09-28 15:53:56 +02:00			`if (!apiToken?.startsWith('user:')) {`
			`const apiUser = apiTokenService.getUserForToken(apiToken);`
			`const { CLIENT, FRONTEND } = ApiTokenType;`
refactor: improve token type error message (#1709) 2022-06-17 09:00:13 +02:00
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot 2022-09-28 15:53:56 +02:00			`if (apiUser) {`
			`if (`
			`(apiUser.type === CLIENT && !isClientApi(req)) \|\|`
			`(apiUser.type === FRONTEND && !isProxyApi(req)) \|\|`
			`(apiUser.type === FRONTEND &&`
			`!flagResolver.isEnabled('embedProxy'))`
			`) {`
			`res.status(403).send({`
			`message: TOKEN_TYPE_ERROR_MESSAGE,`
			`});`
			`return;`
			`}`
			`req.user = apiUser;`
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests. 2023-05-27 16:29:54 +02:00			`} else if (isClientApi(req) \|\| isProxyApi(req)) {`
			`// If we're here, we know that api token middleware was enabled, otherwise we'd returned a no-op middleware`
			`// We explicitly only protect client and proxy apis, since admin apis are protected by our permission checker`
			`// Reject with 401`
			`res.status(401).send({`
			`message: NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED,`
			`});`
			`return;`
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai> 2021-09-15 20:28:10 +02:00			`}`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`}`
			`} catch (error) {`
fix: reduce severity of api token middleware errors (#4216) This isn't something our on-calls can do something about when it fails, so downgrading to WARN seems like the right level. 2023-07-11 12:33:02 +02:00			`logger.warn(error);`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`}`

refactor: improve token type error message (#1709) 2022-06-17 09:00:13 +02:00			`next();`
Feat: Api-Tokens (#774) fixes: #774 2021-03-29 19:58:11 +02:00			`};`
			`};`

			`export default apiAccessMiddleware;`