apimiddleware done?

Not fully tested
2024-01-16 20:54:18 +08:00
parent 7e4b2d8026
commit 915e4a7e5c
7 changed files with 139 additions and 132 deletions
--- a/webserver/middleware/apiKey.js
+++ b/webserver/middleware/apiKey.js
@ -1,17 +1,35 @@
-const { compareAPIKey } = require('../functions/bcrypt.js');
 const { checkAPikey } = require('../functions/database.js');
 async function apikeyCheck(req, res, next) {
    //const authHeader = req.headers.authorization
    try{
        let apikey = req.headers.authorization
        if(!apikey){
-            throw new Error('NotAuthed')
+            throw new Error('No API key was supplied. Invalid request')
        }
        else{
-            //compare apikey to db
-            
+            //split the string by the - 
+            let splitAPIkey = apikey.split('-');
+            let rowid = splitAPIkey[0];
+
+            //rejoin withouth the rowid
+            let SuppliedKey  = splitAPIkey.slice(1).join('-');
+            if (checkAPikey(SuppliedKey , rowid))
+            {
+                //get permission
+                let permission = await checkAPikey(SuppliedKey , rowid);
+                console.log(permission);
+                if (req.method === 'GET' && permission === 'canRead'){
+                    return next()
+                }
+                //['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)
+                if (["GET" , "POST" , "PUT" , "DELETE"].includes(req.method) && permission === 'canWrite'){
+                    console.log('write')
+                    return next()
+                }
+                throw new Error('Your API key does not have the correct permissions to access this resource')
+
+            }
        }
-        next()
    }catch(error){
        next(error);
    }
@ -21,13 +39,15 @@ async function apikeyCheck(req, res, next) {
 module.exports = { apikeyCheck };

 /*
-1) take user supplied api key
-2) hash and salt 
-3) compare to stored hash and salt in db 
-4) if match, check permissions
-5) if permissions allow, continue
-6) else throw error
+//web server microservice
+1) take user supplied rowid-apikey
+2) split the string by -
+3) get the rowid
+4) get the apikey
+5) compare the apikey with the one in database
+6) if match, return true
 */
+
 /*

 I plan to seed some data in user and api
@ -36,27 +56,4 @@ If it's correct API key and has canWrite perms
 I allow it to access put and post


-async function auth(req, res, next){
-    try{
-        let token = // get token
-        
-        req.token = token
-
-        if(req.method === 'GET' && token.canRead){
-          return next()
-        }
-
-        if(req.method === 'POST' && token.canWrite){
-          return next()
-        }
-
-        throw new Error('NotAuthed')
-                
-    }catch(error){
-        next(error);
-    }
-}
-
-
-
 */