remove auth with url

2025-12-18 15:17:25 +01:00 · 2018-08-15 10:40:25 +02:00
parent 2a7dfff88a
commit 696121fb24
7 changed files with 16 additions and 44 deletions
--- a/website/client/components/settings/promoCode.vue
+++ b/website/client/components/settings/promoCode.vue
@@ -40,7 +40,7 @@ export default {
    ...mapState({user: 'user.data', credentials: 'credentials'}),
    getCodesUrl () {
      if (!this.user) return '';
-      return `/api/v4/coupons?_id=${this.user._id}&apiToken=${this.credentials.API_TOKEN}`;
+      return '/api/v4/coupons';
    },
  },
  methods: {
--- a/website/client/mixins/payments.js
+++ b/website/client/mixins/payments.js
@@ -13,10 +13,10 @@ export default {
    ...mapState(['credentials']),
    // @TODO refactor into one single computed property
    paypalCheckoutLink () {
-      return `/paypal/checkout?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}`;
+      return '/paypal/checkout';
    },
    paypalSubscriptionLink () {
-      return `/paypal/subscribe?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&sub=${this.subscriptionPlan}`;
+      return `/paypal/subscribe?sub=${this.subscriptionPlan}`;
    },
    paypalPurchaseLink () {
      if (!this.subscription) {
@@ -26,7 +26,7 @@ export default {
      }
      let couponString = '';
      if (this.subscription.coupon) couponString = `&coupon=${this.subscription.coupon}`;
-      return `/paypal/subscribe?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&sub=${this.subscription.key}${couponString}`;
+      return `/paypal/subscribe?sub=${this.subscription.key}${couponString}`;
    },
  },
  methods: {
@@ -39,7 +39,7 @@ export default {
      if (!this.checkGemAmount(data)) return;

      let gift = this.encodeGift(data.giftedTo, data.gift);
-      const url = `/paypal/checkout?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&gift=${gift}`;
+      const url = `/paypal/checkout?gift=${gift}`;

      window.open(url, '_blank');
    },
@@ -210,8 +210,6 @@ export default {
      }

      let queryParams = {
-        _id: this.user._id,
-        apiToken: this.credentials.API_TOKEN,
        noRedirect: true,
      };

--- a/website/server/controllers/top-level/payments/amazon.js
+++ b/website/server/controllers/top-level/payments/amazon.js
@@ -4,7 +4,6 @@ import {
 import amzLib from '../../../libs/payments/amazon';
 import {
  authWithHeaders,
-  authWithUrl,
 } from '../../../middlewares/auth';
 import shared from '../../../../common';

@@ -128,7 +127,7 @@ api.subscribe = {
 api.subscribeCancel = {
  method: 'GET',
  url: '/amazon/subscribe/cancel',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;
    let groupId = req.query.groupId;
--- a/website/server/controllers/top-level/payments/iap.js
+++ b/website/server/controllers/top-level/payments/iap.js
@@ -1,6 +1,5 @@
 import {
  authWithHeaders,
-  authWithUrl,
 } from '../../../middlewares/auth';
 import {
  BadRequest,
@@ -21,7 +20,7 @@ let api = {};
 api.iapAndroidVerify = {
  method: 'POST',
  url: '/iap/android/verify',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;
    let iapBody = req.body;
@@ -41,7 +40,7 @@ api.iapAndroidVerify = {
 api.iapSubscriptionAndroid = {
  method: 'POST',
  url: '/iap/android/subscribe',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    if (!req.body.sku) throw new BadRequest(res.t('missingSubscriptionCode'));
    let user = res.locals.user;
@@ -62,7 +61,7 @@ api.iapSubscriptionAndroid = {
 api.iapCancelSubscriptionAndroid = {
  method: 'GET',
  url: '/iap/android/subscribe/cancel',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;

@@ -104,7 +103,7 @@ api.iapiOSVerify = {
 api.iapSubscriptioniOS = {
  method: 'POST',
  url: '/iap/ios/subscribe',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    if (!req.body.sku) throw new BadRequest(res.t('missingSubscriptionCode'));
    if (!req.body.receipt) throw new BadRequest(res.t('missingReceipt'));
@@ -124,7 +123,7 @@ api.iapSubscriptioniOS = {
 api.iapCancelSubscriptioniOS = {
  method: 'GET',
  url: '/iap/ios/subscribe/cancel',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;

--- a/website/server/controllers/top-level/payments/paypal.js
+++ b/website/server/controllers/top-level/payments/paypal.js
@@ -2,8 +2,8 @@
 import paypalPayments from '../../../libs/payments/paypal';
 import shared from '../../../../common';
 import {
-  authWithUrl,
  authWithSession,
+  authWithHeaders,
 } from '../../../middlewares/auth';
 import {
  BadRequest,
@@ -21,7 +21,7 @@ let api = {};
 api.checkout = {
  method: 'GET',
  url: '/paypal/checkout',
-  middlewares: [authWithUrl],
+  middlewares: [authWithSession],
  async handler (req, res) {
    let gift = req.query.gift ? JSON.parse(req.query.gift) : undefined;
    req.session.gift = req.query.gift;
@@ -75,7 +75,7 @@ api.checkoutSuccess = {
 api.subscribe = {
  method: 'GET',
  url: '/paypal/subscribe',
-  middlewares: [authWithUrl],
+  middlewares: [authWithSession],
  async handler (req, res) {
    if (!req.query.sub) throw new BadRequest(apiError('missingSubKey'));

@@ -136,7 +136,7 @@ api.subscribeSuccess = {
 api.subscribeCancel = {
  method: 'GET',
  url: '/paypal/subscribe/cancel',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;
    let groupId = req.query.groupId;
--- a/website/server/controllers/top-level/payments/stripe.js
+++ b/website/server/controllers/top-level/payments/stripe.js
@@ -1,7 +1,6 @@
 import shared from '../../../../common';
 import {
  authWithHeaders,
-  authWithUrl,
 } from '../../../middlewares/auth';
 import stripePayments from '../../../libs/payments/stripe';

@@ -74,7 +73,7 @@ api.subscribeEdit = {
 api.subscribeCancel = {
  method: 'GET',
  url: '/stripe/subscribe/cancel',
-  middlewares: [authWithUrl],
+  middlewares: [authWithHeaders()],
  async handler (req, res) {
    let user = res.locals.user;
    let groupId = req.query.groupId;
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -97,26 +97,3 @@ export function authWithSession (req, res, next) {
    })
    .catch(next);
 }
-
-export function authWithUrl (req, res, next) {
-  let userId = req.query._id;
-  let apiToken = req.query.apiToken;
-
-  // Always allow authentication with headers
-  if (!userId || !apiToken) {
-    if (!req.header('x-api-user') || !req.header('x-api-key')) {
-      return next(new NotAuthorized(res.t('missingAuthParams')));
-    } else {
-      return authWithHeaders()(req, res, next);
-    }
-  }
-
-  return User.findOne({ _id: userId, apiToken }).exec()
-    .then((user) => {
-      if (!user) throw new NotAuthorized(res.t('invalidCredentials'));
-
-      res.locals.user = user;
-      return next();
-    })
-    .catch(next);
-}