const { checkAPikey } = require('../functions/database.js');
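/**
 * Express middleware that authorises a request from the API key sent in the
 * `Authorization` header.
 *
 * The header value is read as `<rowid>-<apikey>` with no scheme prefix: the
 * text before the first `-` is the row id handed to `checkAPikey`, and the
 * remainder (which may itself contain `-`) is the key. The value resolved by
 * `checkAPikey` is compared with the permission strings `'canRead'` and
 * `'canWrite'`:
 *
 *   - `'canRead'`  allows GET only;
 *   - `'canWrite'` allows GET, POST, PUT and DELETE.
 *
 * Every other outcome is refused by passing an Error to `next`. The Error
 * carries a `status` (401 for a missing or malformed key, 403 for a key
 * without sufficient permission), which Express's default error handler uses
 * as the response code.
 *
 * @param {object} req - Request; `req.headers.authorization` and `req.method` are read.
 * @param {object} res - Response; not used by this middleware.
 * @param {Function} next - Called with no argument on success, with an Error on refusal.
 * @returns {Promise<void>}
 */
async function apikeyCheck(req, res, next) {
  // Builds the Error handed to next(); without a status every refusal would
  // surface as a generic 500 instead of an authentication/authorisation code.
  const refuse = (status, message) => Object.assign(new Error(message), { status });

  try {
    const apikey = req.headers.authorization;
    if (!apikey) {
      throw refuse(401, 'No API key was supplied. Invalid request');
    }

    // Reject values that cannot be "<rowid>-<apikey>" (no separator, empty
    // row id, or empty key) before they reach the database lookup.
    const separatorAt = apikey.indexOf('-');
    if (separatorAt <= 0 || separatorAt === apikey.length - 1) {
      throw refuse(401, 'Malformed API key. Invalid request');
    }
    const rowid = apikey.slice(0, separatorAt);
    const suppliedKey = apikey.slice(separatorAt + 1);

    // Await the lookup before inspecting it: an un-awaited promise is always
    // truthy, so a truthiness test on the bare call would prove nothing.
    // A single call also avoids querying the database twice per request.
    // NOTE(review): the key comparison itself lives in checkAPikey, which is
    // not shown here - confirm it compares against a stored hash in constant
    // time.
    const permission = await checkAPikey(suppliedKey, rowid);

    const method = req.method;
    const readAllowed = permission === 'canRead' && method === 'GET';
    // NOTE(review): PATCH, HEAD and OPTIONS are refused even for 'canWrite'
    // keys - confirm that is intended.
    const writeAllowed =
      permission === 'canWrite' && ['GET', 'POST', 'PUT', 'DELETE'].includes(method);

    if (readAllowed || writeAllowed) {
      return next();
    }

    // Anything not explicitly granted above is denied, including a lookup
    // that resolved to no permission at all.
    throw refuse(
      403,
      'Your API key does not have the correct permissions to access this resource',
    );
  } catch (error) {
    next(error);
  }
}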
// Expose the middleware under the name `apikeyCheck` for other modules to require.
module.exports = { apikeyCheck };
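/*
  Web server microservice
  1) take the user-supplied rowid-apikey
  2) split the string by -
  3) get the rowid (or table id)
  4) get the apikey
  5) compare the apikey with the one in the database
  6) if they match, return true

  Note: apikeyCheck compares the value returned by checkAPikey with
  'canRead' / 'canWrite', so in practice step 6 yields the key's permission
  rather than a bare true. For step 5, the database should hold a hash of the
  key rather than the key itself, and the comparison should be constant-time.
*/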
/*
  I plan to seed some data in user and api.
  Then use the system info, and my API middleware will somehow check the
  supplied API key and check whether it is a correct API key and has
  canWrite perms; if so, I allow it to access PUT and POST.
*/