From 3c8dd684730def05ea75539f6ec6aeb268ad0c2e Mon Sep 17 00:00:00 2001 From: newtbot Date: Mon, 22 Jan 2024 03:23:48 +0800 Subject: [PATCH] Refactor API key validation logic Added API page documentation --- consumerWebsite/views/api.ejs | 507 +++++++++++++++++++++++---------- webserver/middleware/apiKey.js | 76 ++--- 2 files changed, 398 insertions(+), 185 deletions(-) diff --git a/consumerWebsite/views/api.ejs b/consumerWebsite/views/api.ejs index db3d1b7..eeabf16 100644 --- a/consumerWebsite/views/api.ejs +++ b/consumerWebsite/views/api.ejs @@ -5,156 +5,363 @@ https://github.com/ticlekiwi/API-Documentation-HTML-Template !--> - <%- include('top') %> +<%- include('top') %> - -
- -
-
- - -
-
- - -
-
-
-

Get started

-

- The Westeros API provides programmatic access to read Game of Thrones data. Retrieve a character, provide an oauth connexion, retrieve a familly, filter them, etc. -

-

- To use this API, you need an API key. Please contact us at jon.snow@nightswatch.wes to get your own API key. -

-
-
-

get characters

-

- To get characters you need to make a POST call to the following url :
- http://api.westeros.com/character/get -

-
-

QUERY PARAMETERS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescription
secret_keyStringYour API key.
searchString(optional) A search word to find character by name.
houseString - (optional) a string array of houses: -
aliveBoolean - (optional) a boolean to filter alived characters -
genderString - (optional) a string to filter character by gender:
m: male
f: female -
offsetInteger(optional - default: 0) A cursor for use in pagination. Pagination starts offset the specified offset.
limitInteger(optional - default: 10) A limit on the number of objects to be returned, between 1 and 100.
-
-
-

Errors

-

- The Westeros API uses the following error codes: -

- - - - - - - - - - - - - - - - - - - - - - - - - -
Error CodeMeaning
X000 - Some parameters are missing. This error appears when you don't pass every mandatory parameters. -
X001 - Unknown or unvalid secret_key. This error appears if you use an unknow API key or if your API key expired. -
X002 - Unvalid secret_key for this domain. This error appears if you use an API key non specified for your domain. Developper or Universal API keys doesn't have domain checker. -
X003 - Unknown or unvalid user token. This error appears if you use an unknow user token or if the user token expired. -
-
-
-
+ +
+ +
+
+ + +
+
- - - +
+
+
+

Get started

+

+ The following API is provided by the Eco saver developer team. It allows you to get Location and + Sensor and Sensor Data from the Eco saver database. +

+

+ To use this API, you need an API key. +

+
+
+

Get all location

+

+ To get Location of sensors you need to make a GET call to the following url :
+ https://api.teeseng.uk/api/v0/location +
+
+ Return Response :
+ {"status":"200"} +

+
+

QUERY PARAMETERS

+ + + + + + + + + + + + + + + + + +
FieldTypeDescription
AuthorizationJSONYour API key.(Required) Example: curl https://api.teeseng.uk/api/v0/location -H "Authorization: {provide your + API key here}"
+
+
+

Get location by ID

+

+ To get Location you need to make a GET call to the following url :
+ https://api.teeseng.uk/api/v0/location/{id} +
+
+ Return Response :
+ {"status":"200"} +

+
+

QUERY PARAMETERS

+ + + + + + + + + + + + + + + + + +
FieldTypeDescription
AuthorizationJSON(Required) Your API key.Example: curl https://api.teeseng.uk/api/v0/location -H "Authorization: {provide your + API key here}"
+
+
+

Add Location (Only for system or admin API key)

+

+ To add an Location you need to make a POST call to the following url :
+ https://api.teeseng.uk/api/v0/location/new +
+
+ Example :
+ curl https://api.teeseng.uk/api/v0/location/new -H "Content-Type: application/json" -X POST -d '{"name": "SAMPLE", "added_by": "system" , "description": "test"}' +
+
+ Return Response :
+ {"status":"200"} +

+
+

QUERY PARAMETERS

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
AuthorizationJSONYour API key.(Required) Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: {provide your + API key here}"
Location nameJSONLocation name.(Required) Location name. Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"name":"Location name"}'
Added by JSONSystem or Admin(Required) System or Admin Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"added_by":"system"}'
DescriptionJSONDescription of Location(Required) System or Admin Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"description":"test"}'
+
+ +
+

Update Location (Only for system or admin API key)

+

+ To update an Location you need to make a PUT call to the following url :
+ https://api.teeseng.uk/api/v0/location/update +
+
+ Example :
+ curl https://api.teeseng.uk/api/v0/location/update -H "Content-Type: application/json" -X POST -d '{"id": "7" , "name": "SAMPLE", "added_by": "system" , "description": "test"}' +
+
+ Return Response :
+ {"status":"200","message":"Location 7 updated"} +

+
+

QUERY PARAMETERS

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
AuthorizationJSONYour API key.(Required) example: curl https://api.teeseng.uk/api/v0/location/update -H "Authorization: {provide your + API key here}"
IDJSONLocation ID(Required) Location ID Example: curl https://api.teeseng.uk/api/v0/location/update -H "Authorization: provide + your API key here" -d '{"id": "7"}'
Location nameJSONLocation name.(Optional) Location name. Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"name":"Location name"}'
Added by JSONSystem or Admin(Optional) System or Admin Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"added_by":"system"}'
DescriptionJSONDescription of Location(Optional) System or Admin Example: curl https://api.teeseng.uk/api/v0/location/new -H "Authorization: provide + your API key here" -d '{"description":"test"}'
+
+ +
+

Delete Location (Only for system or admin API key)

+

+ To delete an Location you need to make a DELETE call to the following url :
+ https://api.teeseng.uk/api/v0/location/delete +
+
+ Example :
+ curl https://api.teeseng.uk/api/v0/location/delete -H "Content-Type: application/json" -X POST -d '{"id": "7"}' +

+
+

QUERY PARAMETERS

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescription
AuthorizationJSONYour API key.(Required) example: curl https://api.teeseng.uk/api/v0/location/delete -H "Authorization: {provide your + API key here}"
IDJSONLocation ID(Required) Location ID Example: curl https://api.teeseng.uk/api/v0/location/delete -H "Authorization: provide + your API key here" -d '{"id": "7"}'
+
+ + + + + + + + + + + + + + + + + + + +
+

Errors

+

+ The Westeros API uses the following error codes: +

+ + + + + + + + + + + + + + + + + + + + + + + + + +
Error CodeMeaning
X000 + Some parameters are missing. This error appears when you don't pass every mandatory + parameters. +
403 + Unknown or unvalid secret_key. This error appears if + you use an unknow API key or if your API key expired. +
500 + Unvalid secret_key No API key was supplied. Invalid + request. +
X003 + Unknown or unvalid user token. This error appears if + you use an unknow user token or if the user token expired. +
+
+
+
+ + + +
\ No newline at end of file
diff --git a/webserver/middleware/apiKey.js b/webserver/middleware/apiKey.js
index 38e0031..042514d 100644
--- a/webserver/middleware/apiKey.js
+++ b/webserver/middleware/apiKey.js
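Review bot: The new error table (the X000/403/500/X003 rows near the end of the hunk) does not match what the middleware in this same commit returns: a missing Authorization header is answered with 401 by apiKey.js, while the table lists that message under 500, and the X000/X003 rows together with the "The Westeros API uses the following error codes" sentence are leftovers of the template that correspond to no code path visible here. The curl examples for Update Location and Delete Location use `-X POST` although the text says PUT and DELETE, and the Add/Update/Delete sections are labelled "Only for system or admin API key" while the only gate shown in this commit is the `canWrite` permission check, so readers will assume a role check that nothing here demonstrates. I would replace the 500 row with `401 — No API key was supplied. Invalid request.`, drop the X000/X003 rows unless some handler actually emits them, and change the two examples to `-X PUT` and `-X DELETE`.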
@@ -1,39 +1,45 @@
-const { checkAPikey } = require('../functions/database.js');
+const { checkAPikey } = require("../functions/database.js");
 async function apikeyCheck(req, res, next) {
- //const authHeader = req.headers.authorization
- try{
- let apikey = req.headers.authorization
- if(!apikey){
- throw new Error('No API key was supplied. Invalid request')
- }
- else{
- //split the string by the -
- let splitAPIkey = apikey.split('-');
- let rowid = splitAPIkey[0];
-
- //rejoin withouth the rowid
- let SuppliedKey = splitAPIkey.slice(1).join('-');
- if (checkAPikey(SuppliedKey , rowid))
- {
- //get permission
- let permission = await checkAPikey(SuppliedKey , rowid);
- console.log(permission);
- if (req.method === 'GET' && permission === 'canRead'){
- return next()
- }
- //['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)
- if (["GET" , "POST" , "PUT" , "DELETE"].includes(req.method) && permission === 'canWrite'){
- console.log('write')
- return next()
- }
- throw new Error('Your API key does not have the correct permissions to access this resource')
-
- }
- }
- }catch(error){
- next(error);
- }
+ //const authHeader = req.headers.authorization
+ try {
+ let apikey = req.headers.authorization;
+ if (!apikey) {
+ res.status(401).json({
+ message: "No API key was supplied. Invalid request",
+ });
+ //throw new Error("No API key was supplied. Invalid request");
+ } else {
+ //split the string by the -
+ let splitAPIkey = apikey.split("-");
+ let rowid = splitAPIkey[0];
+ //rejoin withouth the rowid
+ let SuppliedKey = splitAPIkey.slice(1).join("-");
+ if (checkAPikey(SuppliedKey, rowid)) {
+ //get permission
+ let permission = await checkAPikey(SuppliedKey, rowid);
+ console.log(permission);
+ if (req.method === "GET" && permission === "canRead") {
+ return next();
+ }
+ //['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)
+ if (
+ ["GET", "POST", "PUT", "DELETE"].includes(req.method) &&
+ permission === "canWrite"
+ ) {
+ console.log("write");
+ return next();
+ }
+ //throw status 403
+ res.status(403).json({
+ message:
+ "Your API key does not have the correct permissions to access this resource",
+ });
+ }
+ }
+ } catch (error) {
+ next(error);
+ }
 }
 module.exports = { apikeyCheck };
@@ -56,4 +62,4 @@ If it's correct API key and has canWrite perms I allow it to access put and post
-*/
\ No newline at end of file
+*/
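Review bot: The guard `if (checkAPikey(SuppliedKey, rowid)) {` in apikeyCheck tests an un-awaited call; since the very next line awaits the same function, it presumably returns a Promise, and a pending Promise is always truthy, so the guard never rejects anything and the lookup runs twice per request. Whether an unknown key is refused therefore rests entirely on `permission` matching neither "canRead" nor "canWrite", and an invalid key gets the misleading "does not have the correct permissions" message instead of the "unknown key" 403 the new docs describe. Await once, reject a missing permission explicitly, and `return` the 401 and 403 responses so the branches cannot reach next() after a later edit; I cannot see what checkAPikey resolves to for an unknown key, so the falsy check below assumes null/undefined and should be confirmed against database.js. apikeyCheck starts and ends inside this hunk.
```javascript
      let SuppliedKey = splitAPIkey.slice(1).join("-");
      // Await once: the un-awaited call returned a pending Promise, which is always truthy.
      let permission = await checkAPikey(SuppliedKey, rowid);
      if (!permission) {
        // assumes checkAPikey resolves to a falsy value for an unknown key — confirm against database.js
        return res.status(403).json({ message: "Unknown or invalid API key" });
      }
      // … unchanged: console.log(permission), canRead and canWrite method checks …
      //throw status 403
      return res.status(403).json({
        message:
          "Your API key does not have the correct permissions to access this resource",
      });
```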