validate API key for config APIs (#58)

boxyhq · Jan 8, 2022 · 230df55 · 230df55
1 parent 9d43298
commit 230df55
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 27 deletions.
diff --git a/lib/utils.ts b/lib/utils.ts
@@ -0,0 +1,16 @@
+import { NextApiRequest } from 'next';
+import env from '@lib/env';
+
+export const validateApiKey = (token) => {
+  return env.apiKeys.includes(token);
+};
+
+export const extractAuthToken = (req: NextApiRequest) => {
+  const authHeader = req.headers['authorization'];
+  const parts = (authHeader || '').split(' ');
+  if (parts.length > 1) {
+    return parts[1];
+  }
+
+  return null;
+};
diff --git a/npm/src/controller/utils.ts b/npm/src/controller/utils.ts
@@ -1,16 +1,3 @@
-import { Request } from 'express';
-
-export const extractAuthToken = (req: Request): string | null => {
-  const authHeader = req.get('authorization');
-  const parts = (authHeader || '').split(' ');
-
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
-
 export enum IndexNames {
   EntityID = 'entityID',
   TenantProduct = 'tenantProduct',

diff --git a/pages/api/oauth/userinfo.ts b/pages/api/oauth/userinfo.ts
@@ -1,16 +1,7 @@
 import { NextApiRequest, NextApiResponse } from 'next';
 
 import jackson from '@lib/jackson';
-
-const extractAuthToken = (req: NextApiRequest) => {
-  const authHeader = req.headers['authorization'];
-  const parts = (authHeader || '').split(' ');
-  if (parts.length > 1) {
-    return parts[1];
-  }
-
-  return null;
-};
+import { extractAuthToken } from '@lib/utils';
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   try {

diff --git a/pages/api/v1/saml/config.ts b/pages/api/v1/saml/config.ts
@@ -1,12 +1,16 @@
 import { NextApiRequest, NextApiResponse } from 'next';
 
 import jackson from '@lib/jackson';
+import { extractAuthToken, validateApiKey } from '@lib/utils';
 
-export default async function handler(
-  req: NextApiRequest,
-  res: NextApiResponse
-) {
+export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).json({ message: 'Unauthorized' });
+      return;
+    }
+
     const { apiController } = await jackson();
     if (req.method === 'POST') {
       res.json(await apiController.config(req.body));