fix: authenticateRequest

opencollective · Feb 19, 2024 · 32827ed · 32827ed
1 parent 187eb87
commit 32827ed
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 11 deletions.
diff --git a/lib/req-utils.js b/lib/req-utils.js
@@ -4,17 +4,15 @@ import { get, isEmpty } from 'lodash';
  * To forward API Key or Authorization headers from the request to the API calls.
  * Returns `null` if no headers are found.
  */
-export const getAuthorizationHeadersFromReq = (req) => {
+const getAuthorizationHeadersFromReq = (req) => {
   const { headers, query } = req;
   const result = {};
   const apiKey = get(headers, 'api-key') || get(query, 'apiKey');
   const personalToken = get(headers, 'personal-token') || get(query, 'personalToken') || get(query, 'app_key');
-  const authorization = get(headers, 'authorization') || req.cookies?.authorization;
+  const authorization = get(headers, 'authorization');
   if (authorization) {
-    const parts = authorization.split(' ');
-    const scheme = parts[0];
-    const accessToken = parts[1];
-    if (!/^Bearer$/i.test(scheme) || !accessToken) {
+    const [scheme, accessToken] = authorization.split(' ');
+    if (scheme !== 'Bearer' || !accessToken) {
       throw new Error('Invalid authorization header. Format should be: Authorization: Bearer [token]');
     }
 
@@ -29,19 +27,19 @@ export const getAuthorizationHeadersFromReq = (req) => {
     result['Personal-Token'] = personalToken;
   }
 
-  return isEmpty(headers) ? null : headers;
+  return isEmpty(headers) ? null : result;
 };
 
 /**
  * Some syntax sugar around the `getAuthorizationHeadersFromReq` function, that throws for non-authenticated requests
  * but allows `OPTIONS` requests to pass through
  */
-export const authenticateRequest = (ctx) => {
-  const authorizationHeaders = getAuthorizationHeadersFromReq(ctx);
+export const authenticateRequest = (req) => {
+  const authorizationHeaders = getAuthorizationHeadersFromReq(req);
   if (!authorizationHeaders) {
     // Frontend sends an OPTIONS request to check CORS, we should just return OK when that happens
-    if (ctx.req.method === 'OPTIONS') {
-      return {};
+    if (req.method === 'OPTIONS') {
+      return null;
     } else {
       throw new Error('Please provide an access token or an APP key');
     }

diff --git a/pages/expense/[id]/[filename].js b/pages/expense/[id]/[filename].js
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { id } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const expense = await fetchExpenseInvoiceData(id, authorizationHeaders);
       return { expense, pageFormat: ctx.query.pageFormat };
     }

diff --git a/...ectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js b/...ectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { fromCollectiveSlug, toCollectiveSlug: hostSlug, isoStartDate: dateFrom, isoEndDate: dateTo } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const queryParams = { fromCollectiveSlug, hostSlug, dateFrom, dateTo };
       const response = await fetchInvoiceByDateRange(queryParams, authorizationHeaders);
 

diff --git a/pages/receipts/transactions/[id]/[filename].js b/pages/receipts/transactions/[id]/[filename].js
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { id, pageFormat } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const transaction = await fetchTransactionInvoice(id, authorizationHeaders);
       return {
         pageFormat: pageFormat,