fix: Allow un-authed loopback api calls
committed by
mrugesh mohapatra
parent
ca298e9bde
commit
354d3feaee
29
api-server/server/middlewares/jwt-authorizaion.test.js
Normal file
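--- /dev/null
+++ b/api-server/server/middlewares/jwt-authorizaion.test.js
@@ -0,0 +1,29 @@
+import { isWhiteListedPath } from './jwt-authorization';
+
+describe('jwt-authorization', () => {
+describe('isWhiteListedPath', () => {
+const whiteList = [/^\/is-ok\//, /^\/this-is\/also\/ok\//];
+
+it('returns a boolean', () => {
+const result = isWhiteListedPath();
+
+expect(typeof result).toBe('boolean');
+});
+
+it('returns true for a white listed path', () => {
+expect.assertions(2);
+
+const resultA = isWhiteListedPath('/is-ok/should-be/good', whiteList);
+const resultB = isWhiteListedPath('/this-is/also/ok/surely', whiteList);
+expect(resultA).toBe(true);
+expect(resultB).toBe(true);
+});
+
+it('returns false for a non-white-listed path', () => {
+const result = isWhiteListedPath('/hax0r-42/no-go', whiteList);
+expect(result).toBe(false);
+});
+});
+
+xdescribe('authorizeByJWT')
+});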
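Review bot: The new test file is named `jwt-authorizaion.test.js` while it imports from `./jwt-authorization`; the missing `t` in the file name should be fixed before it leaks into test-path filters and coverage reports. The first case, `isWhiteListedPath()` with no arguments, passes only because `RegExp.prototype.test` coerces `undefined` to the string `"undefined"`; pass a concrete path such as `isWhiteListedPath('/anything', whiteList)` so the assertion exercises the intended behaviour. The suite never runs against the default whitelist, which is the part that decides which proxied requests skip the JWT check; add a case asserting `isWhiteListedPath('/internal/api/foo')` is true and `isWhiteListedPath('/internal/apifoo')` is false, so any later widening of the default list is caught. The `xdescribe('authorizeByJWT')` placeholder leaves the middleware itself without coverage.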
@ -8,12 +8,23 @@ import { wrapHandledError } from '../utils/create-handled-error';
|
|||||||
|
|
||||||
// We need to tunnel through a proxy path set up within
|
// We need to tunnel through a proxy path set up within
|
||||||
// the gatsby app, at this time, that path is /internal
|
// the gatsby app, at this time, that path is /internal
|
||||||
export const apiProxyRE = /^\/internal\/|^\/external\//;
|
const apiProxyRE = /^\/internal\/|^\/external\//;
|
||||||
export const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
|
const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
|
||||||
|
const loopbackAPIPathRE = /^\/internal\/api\//;
|
||||||
|
|
||||||
|
const _whiteListREs = [
|
||||||
|
newsShortLinksRE,
|
||||||
|
loopbackAPIPathRE
|
||||||
|
];
|
||||||
|
|
||||||
|
export function isWhiteListedPath(path, whiteListREs= _whiteListREs) {
|
||||||
|
return whiteListREs.some(re => re.test(path))
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
export default () => function authorizeByJWT(req, res, next) {
|
export default () => function authorizeByJWT(req, res, next) {
|
||||||
if (apiProxyRE.test(req.path) && !newsShortLinksRE.test(req.path)) {
|
const { path } = req;
|
||||||
|
if (apiProxyRE.test(path) && !isWhiteListedPath(path)) {
|
||||||
const cookie = req.signedCookies && req.signedCookies['jwt_access_token'] ||
|
const cookie = req.signedCookies && req.signedCookies['jwt_access_token'] ||
|
||||||
req.cookie && req.cookie['jwt_access_token'];
|
req.cookie && req.cookie['jwt_access_token'];
|
||||||
|
|
||||||
|
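Review bot: The new `loopbackAPIPathRE` entry in `_whiteListREs` exempts every path under `/internal/api/` from the JWT check in `authorizeByJWT`, but nothing in the hunk records why that is safe, so a future reader sees only a regex. Add a why-comment above the list such as `// Paths matched here skip the JWT check entirely; add an entry only if the target enforces its own access control`, and since the intent comes from the commit title alone, confirm that the loopback API does enforce its own. Because `isWhiteListedPath` is an anchored prefix test on `req.path`, the exemption covers every sub-path as well, so keep each regex as narrow as its use case needs. Two style nits: `return whiteListREs.some(re => re.test(path))` is missing its semicolon and `whiteListREs= _whiteListREs` lacks a space after `=`. The body of `authorizeByJWT` continues beyond the hunk.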