mirror of
https://github.com/Unleash/unleash.git
synced 2025-10-13 11:17:26 +02:00
7ea0c9ca9b
## About the changes This PR introduces environment-specific etags. This way clients will not react by updating features when there are changes in environments the SDK doesn't care about. ## Details There's a bit of scouting work (please don't make me split this 🙏) and other details are in comments, but the most relevant for the lazy ones: - Important **decision** on how we detect changes, unifying polling and delta: https://github.com/Unleash/unleash/pull/10512#discussion_r2285677129 - **Decision** on how we update revision id per environment: https://github.com/Unleash/unleash/pull/10512#discussion_r2291888401 - and how we do initial fetch on the read path: https://github.com/Unleash/unleash/pull/10512#discussion_r2291884777 - The singleton pattern that gave me **nightmares**: https://github.com/Unleash/unleash/pull/10512#discussion_r2291848934 - **Do we still have ALL_ENVS tokens?** https://github.com/Unleash/unleash/pull/10512#discussion_r2291913249 ## Feature flag To control the rollout introduced `etagByEnv` feature: [0da567d](0da567dd9b)
95 lines
3.3 KiB
TypeScript
95 lines
3.3 KiB
TypeScript
import { ApiTokenType } from '../types/model.js';
|
|
import type { IUnleashConfig } from '../types/option.js';
|
|
import type { IApiRequest, IAuthRequest } from '../routes/unleash-types.js';
|
|
import type { IUnleashServices } from '../services/index.js';
|
|
|
|
const isClientApi = ({ path }) => {
|
|
return path && path.indexOf('/api/client') > -1;
|
|
};
|
|
|
|
const isEdgeMetricsApi = ({ path }) => {
|
|
return path && path.indexOf('/edge/metrics') > -1;
|
|
};
|
|
|
|
const isProxyApi = ({ path }) => {
|
|
if (!path) {
|
|
return;
|
|
}
|
|
|
|
// Handle all our current proxy paths which will redirect to the new
|
|
// embedded proxy endpoint
|
|
return (
|
|
path.indexOf('/api/proxy') > -1 ||
|
|
path.indexOf('/api/development/proxy') > -1 ||
|
|
path.indexOf('/api/production/proxy') > -1 ||
|
|
path.indexOf('/api/frontend') > -1
|
|
);
|
|
};
|
|
|
|
export const TOKEN_TYPE_ERROR_MESSAGE =
|
|
'invalid token: expected a different token type for this endpoint';
|
|
|
|
export const NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED =
|
|
'This endpoint requires an API token. Please add an authorization header to your request with a valid token';
|
|
|
|
export const apiAccessMiddleware = (
|
|
{
|
|
getLogger,
|
|
authentication,
|
|
flagResolver,
|
|
}: Pick<IUnleashConfig, 'getLogger' | 'authentication' | 'flagResolver'>,
|
|
{ apiTokenService }: Pick<IUnleashServices, 'apiTokenService'>,
|
|
): any => {
|
|
const logger = getLogger('/middleware/api-token.ts');
|
|
logger.debug('Enabling api-token middleware');
|
|
|
|
if (!authentication.enableApiToken) {
|
|
return (req, res, next) => next();
|
|
}
|
|
|
|
return async (req: IAuthRequest | IApiRequest, res, next) => {
|
|
if (req.user) {
|
|
return next();
|
|
}
|
|
|
|
try {
|
|
const apiToken = req.header('authorization');
|
|
if (!apiToken?.startsWith('user:')) {
|
|
const apiUser = apiToken
|
|
? await apiTokenService.getUserForToken(apiToken)
|
|
: undefined;
|
|
const { CLIENT, BACKEND, FRONTEND } = ApiTokenType;
|
|
|
|
if (apiUser) {
|
|
if (
|
|
((apiUser.type === CLIENT ||
|
|
apiUser.type === BACKEND) &&
|
|
!isClientApi(req) &&
|
|
!isEdgeMetricsApi(req)) ||
|
|
(apiUser.type === FRONTEND && !isProxyApi(req))
|
|
) {
|
|
res.status(403).send({
|
|
message: TOKEN_TYPE_ERROR_MESSAGE,
|
|
});
|
|
return;
|
|
}
|
|
req.user = apiUser;
|
|
} else if (isClientApi(req) || isProxyApi(req)) {
|
|
// If we're here, we know that api token middleware was enabled, otherwise we'd returned a no-op middleware
|
|
// We explicitly only protect client and proxy apis, since admin apis are protected by our permission checker
|
|
// Reject with 401
|
|
res.status(401).send({
|
|
message: NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED,
|
|
});
|
|
return;
|
|
}
|
|
}
|
|
} catch (error) {
|
|
logger.warn(error);
|
|
}
|
|
next();
|
|
};
|
|
};
|
|
|
|
export default apiAccessMiddleware;
|