apimiddleware done?
Not fully tested
@ -1,53 +1,55 @@
|
||||
const { sequelize } = require("../Database/mySql.js");
|
||||
const { api_log_Model } = require("../Database/model/apiLogModel.js");
|
||||
const { sequelize } = require("../Database/mySql.js");
|
||||
const { api_log_Model } = require("../Database/model/apiLogModel.js");
|
||||
const { sensorDataModel } = require("../Database/model/sensorDataModel.js");
|
||||
const { apikeyModel } = require("../Database/model/apiKeyModel.js");
|
||||
const { compareAPIKey } = require("../functions/bcrypt.js");
|
||||
|
||||
async function insertLogData(log){
|
||||
try{
|
||||
api_log_Model.create({
|
||||
ip: log.ip,
|
||||
time: log.time,
|
||||
method: log.method,
|
||||
host: log.host,
|
||||
statusCode: log.statusCode,
|
||||
Responsesize: log.Responsesize,
|
||||
referrer: log.referrer,
|
||||
userAgent: log.userAgent,
|
||||
});
|
||||
}
|
||||
catch
|
||||
(error){
|
||||
console.error(error);
|
||||
}
|
||||
async function insertLogData(log) {
|
||||
try {
|
||||
api_log_Model.create({
|
||||
ip: log.ip,
|
||||
time: log.time,
|
||||
method: log.method,
|
||||
host: log.host,
|
||||
statusCode: log.statusCode,
|
||||
Responsesize: log.Responsesize,
|
||||
referrer: log.referrer,
|
||||
userAgent: log.userAgent,
|
||||
});
|
||||
} catch (error) {
|
||||
console.error(error);
|
||||
}
|
||||
}
|
||||
|
||||
async function insertDatatoDB(data) {
|
||||
try {
|
||||
sensorDataModel.create({
|
||||
sensorid: data.sensorid,
|
||||
locationid: data.locationid,
|
||||
measurement: data.measurement,
|
||||
});
|
||||
}
|
||||
catch (error) {
|
||||
console.error(error);
|
||||
}
|
||||
try {
|
||||
sensorDataModel.create({
|
||||
sensorid: data.sensorid,
|
||||
locationid: data.locationid,
|
||||
measurement: data.measurement,
|
||||
});
|
||||
} catch (error) {
|
||||
console.error(error);
|
||||
}
|
||||
}
|
||||
|
||||
async function checkAPikey(unverified){
|
||||
const apikey = apikeyModel.findOne({
|
||||
where: {
|
||||
apikey: unverified
|
||||
}
|
||||
});
|
||||
return apikey;
|
||||
|
||||
async function checkAPikey(SuppliedKey, rowid) {
|
||||
try {
|
||||
const retrivedKey = await apikeyModel.findOne({
|
||||
raw: true,
|
||||
attributes: ["apikey" , "permission"],
|
||||
where: {
|
||||
userid: rowid,
|
||||
},
|
||||
});
|
||||
//console.log(retrivedKey.apikey);
|
||||
if (compareAPIKey(SuppliedKey, retrivedKey.apikey)) {
|
||||
//return true;
|
||||
return retrivedKey.permission;
|
||||
}
|
||||
} catch (error) {
|
||||
console.error(error);
|
||||
}
|
||||
}
|
||||
|
||||
module.exports = { insertLogData , insertDatatoDB , checkAPikey};
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
module.exports = { insertLogData, insertDatatoDB, checkAPikey };
|
||||
|
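Review bot: `checkAPikey` dereferences `retrivedKey.apikey` without checking that `findOne` returned a row, so an unknown `rowid` throws a TypeError that is only logged, and the function then returns `undefined` for "no row", "no match" and "query failed" alike; add `if (!retrivedKey) return null;` after the `await` and `return null;` after the comparison so callers get an explicit negative. If `compareAPIKey` wraps bcrypt's asynchronous compare, `if (compareAPIKey(SuppliedKey, retrivedKey.apikey))` tests a Promise and is always truthy, which would accept any supplied key; it should read `if (await compareAPIKey(SuppliedKey, retrivedKey.apikey))` — confirm against ../functions/bcrypt.js, which is outside this diff. The `api_log_Model.create(...)` and `sensorDataModel.create(...)` calls in `insertLogData` and `insertDatatoDB` are likewise not awaited, so a rejected insert escapes their try/catch as an unhandled rejection instead of reaching `console.error`.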
@ -1,17 +1,35 @@
|
||||
const { compareAPIKey } = require('../functions/bcrypt.js');
|
||||
const { checkAPikey } = require('../functions/database.js');
|
||||
async function apikeyCheck(req, res, next) {
|
||||
//const authHeader = req.headers.authorization
|
||||
try{
|
||||
let apikey = req.headers.authorization
|
||||
if(!apikey){
|
||||
throw new Error('NotAuthed')
|
||||
throw new Error('No API key was supplied. Invalid request')
|
||||
}
|
||||
else{
|
||||
//compare apikey to db
|
||||
|
||||
//split the string by the -
|
||||
let splitAPIkey = apikey.split('-');
|
||||
let rowid = splitAPIkey[0];
|
||||
|
||||
//rejoin withouth the rowid
|
||||
let SuppliedKey = splitAPIkey.slice(1).join('-');
|
||||
if (checkAPikey(SuppliedKey , rowid))
|
||||
{
|
||||
//get permission
|
||||
let permission = await checkAPikey(SuppliedKey , rowid);
|
||||
console.log(permission);
|
||||
if (req.method === 'GET' && permission === 'canRead'){
|
||||
return next()
|
||||
}
|
||||
//['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)
|
||||
if (["GET" , "POST" , "PUT" , "DELETE"].includes(req.method) && permission === 'canWrite'){
|
||||
console.log('write')
|
||||
return next()
|
||||
}
|
||||
throw new Error('Your API key does not have the correct permissions to access this resource')
|
||||
|
||||
}
|
||||
}
|
||||
next()
|
||||
}catch(error){
|
||||
next(error);
|
||||
}
|
||||
@ -21,13 +39,15 @@ async function apikeyCheck(req, res, next) {
|
||||
module.exports = { apikeyCheck };
|
||||
|
||||
/*
|
||||
1) take user supplied api key
|
||||
2) hash and salt
|
||||
3) compare to stored hash and salt in db
|
||||
4) if match, check permissions
|
||||
5) if permissions allow, continue
|
||||
6) else throw error
|
||||
//web server microservice
|
||||
1) take user supplied rowid-apikey
|
||||
2) split the string by -
|
||||
3) get the rowid
|
||||
4) get the apikey
|
||||
5) compare the apikey with the one in database
|
||||
6) if match, return true
|
||||
*/
|
||||
|
||||
/*
|
||||
|
||||
I plan to seed some data in user and api
|
||||
@ -36,27 +56,4 @@ If it's correct API key and has canWrite perms
|
||||
I allow it to access put and post
|
||||
|
||||
|
||||
async function auth(req, res, next){
|
||||
try{
|
||||
let token = // get token
|
||||
|
||||
req.token = token
|
||||
|
||||
if(req.method === 'GET' && token.canRead){
|
||||
return next()
|
||||
}
|
||||
|
||||
if(req.method === 'POST' && token.canWrite){
|
||||
return next()
|
||||
}
|
||||
|
||||
throw new Error('NotAuthed')
|
||||
|
||||
}catch(error){
|
||||
next(error);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
*/
|
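Review bot: The unconditional `next()` placed just before the `catch` in `apikeyCheck` passes the request through whenever the `if (checkAPikey(SuppliedKey, rowid))` branch is not taken, and because `checkAPikey` is async that condition tests a Promise rather than a result, so the key is looked up and compared twice and the outer guard can never reject. Await once and fail closed: `const permission = await checkAPikey(SuppliedKey, rowid);` then `if (!permission) throw new Error('NotAuthed');` and delete the trailing `next()` so the only exits are the two `return next()` calls and a throw. `console.log(permission)` and `console.log('write')` look like debugging leftovers that write permission state to the server log on every request. The two consecutive `throw new Error(...)` lines in the `!apikey` branch appear to be the old and new side printed together; if both are really in the new file the second is unreachable.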