From 3a7824a2e8ac38cae89b423346d91deda940e7ee Mon Sep 17 00:00:00 2001
From: Christopher Kolstad
Date: Tue, 2 Jan 2024 09:51:01 +0100
Subject: [PATCH] Added a check that allows posting edge bulk metrics with a client token (#5735)
This allows bulk metrics posted with a Client token to be accepted. Previously you needed an admin token to have bulk metrics accepted
---
 .../middleware/api-token-middleware.test.ts | 31 +++++++++++++++++++
 src/lib/middleware/api-token-middleware.ts | 8 ++++-
 2 files changed, 38 insertions(+), 1 deletion(-)
diff --git a/src/lib/middleware/api-token-middleware.test.ts b/src/lib/middleware/api-token-middleware.test.ts
index 1222d06585..4f2685301d 100644
--- a/src/lib/middleware/api-token-middleware.test.ts
+++ b/src/lib/middleware/api-token-middleware.test.ts
@@ -243,3 +243,34 @@ test('should call next if apiTokenService throws x2', async () => {
 expect(cb).toHaveBeenCalled();
 });
+
+test('should add user if client token and /edge/metrics', async () => {
+ const apiUser = new ApiUser({
+ tokenName: 'default',
+ permissions: [CLIENT],
+ project: ALL,
+ environment: ALL,
+ type: ApiTokenType.CLIENT,
+ secret: 'a',
+ });
+ const apiTokenService = {
+ getUserForToken: jest.fn().mockReturnValue(apiUser),
+ } as unknown as ApiTokenService;
+
+ const func = apiTokenMiddleware(config, { apiTokenService });
+
+ const cb = jest.fn();
+
+ const req = {
+ header: jest.fn().mockReturnValue('some-known-token'),
+ user: undefined,
+ path: '/edge/metrics',
+ method: 'POST',
+ };
+
+ await func(req, undefined, cb);
+
+ expect(cb).toHaveBeenCalled();
+ expect(req.header).toHaveBeenCalled();
+ expect(req.user).toBe(apiUser);
+});
diff --git a/src/lib/middleware/api-token-middleware.ts b/src/lib/middleware/api-token-middleware.ts
index 7dbd1e64e8..9b7c4f9133 100644
--- a/src/lib/middleware/api-token-middleware.ts
+++ b/src/lib/middleware/api-token-middleware.ts
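Review bot: The added test in api-token-middleware.test.ts pins only the accepting case (a CLIENT token with `path: '/edge/metrics'`), so nothing in this hunk checks where the new exemption stops. A companion case would help: the same CLIENT `apiUser` on a path outside both the client and edge-metrics APIs, ending in `expect(req.user).toBeUndefined();`, unless a test outside this hunk already covers that. Because `func(req, undefined, cb)` passes no response object, a rejecting case will presumably need a mocked `res`; the rejection branch itself is not visible in this patch.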
@@ -7,6 +7,10 @@ const isClientApi = ({ path }) => {
 return path && path.indexOf('/api/client') > -1;
 };
+const isEdgeMetricsApi = ({ path }) => {
+ return path && path.indexOf('/edge/metrics') > -1;
+};
+
 const isProxyApi = ({ path }) => {
 if (!path) {
 return;
@@ -57,7 +61,9 @@ const apiAccessMiddleware = (
 if (apiUser) {
 if (
- (apiUser.type === CLIENT && !isClientApi(req)) ||
+ (apiUser.type === CLIENT &&
+ !isClientApi(req) &&
+ !isEdgeMetricsApi(req)) ||
 (apiUser.type === FRONTEND && !isProxyApi(req)) ||
 (apiUser.type === FRONTEND &&
 !flagResolver.isEnabled('embedProxy'))
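Review bot: `isEdgeMetricsApi` matches any path that contains `/edge/metrics` anywhere, because `path.indexOf('/edge/metrics') > -1` is a substring test, and its result now feeds the CLIENT-token authorization check in `apiAccessMiddleware` (second hunk). If the route always sits at the start of `req.path`, an anchored form is narrower: `return typeof path === 'string' && path.startsWith('/edge/metrics');`. That form also returns a strict boolean, where the current one yields `undefined` or `''` for a missing path. The neighbouring `isClientApi` uses the same substring pattern, so the helper is consistent with existing code; whether a configured base path makes anchoring impractical cannot be told from this hunk.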
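Review bot: The new term `!isEdgeMetricsApi(req)` in `apiAccessMiddleware` looks only at the path, so a CLIENT token passes this check for every HTTP method on that path, while the commit message talks about posting bulk metrics. If only POST is meant, the term could read `!(req.method === 'POST' && isEdgeMetricsApi(req))`. Since the description says this endpoint previously needed an admin token, it is also worth confirming that the handler limits accepted metrics to the token's project and environment; that code is outside this patch. A short comment above the condition, such as `// CLIENT tokens may also post bulk metrics to /edge/metrics (#5735)`, would record why the exception exists. The body of `apiAccessMiddleware` starts and ends outside the hunk.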