diff --git a/test/api/v3/unit/middlewares/auth.test.js b/test/api/v3/unit/middlewares/auth.test.js
index c2b3a35993..ac1903c984 100644
--- a/test/api/v3/unit/middlewares/auth.test.js
+++ b/test/api/v3/unit/middlewares/auth.test.js
@@ -15,7 +15,7 @@ describe('auth middleware', () => {
 describe('auth with headers', () => {
 it('allows to specify a list of user field that we do not want to load', (done) => {
- const authWithHeaders = authWithHeadersFactory(false, {
+ const authWithHeaders = authWithHeadersFactory({
 userFieldsToExclude: ['items', 'flags', 'auth.timestamps'],
 });
diff --git a/website/server/controllers/api-v3/auth.js b/website/server/controllers/api-v3/auth.js
index ae62382f48..5da13eedfd 100644
--- a/website/server/controllers/api-v3/auth.js
+++ b/website/server/controllers/api-v3/auth.js
@@ -93,7 +93,9 @@ function hasBackupAuth (user, networkToRemove) {
 */
 api.registerLocal = {
 method: 'POST',
- middlewares: [authWithHeaders(true)],
+ middlewares: [authWithHeaders({
+ optional: true,
+ })],
 url: '/user/auth/local/register',
 async handler (req, res) {
 let existingUser = res.locals.user; // If adding local auth to social user
@@ -299,7 +301,9 @@ function _passportProfile (network, accessToken) {
 // Called as a callback by Facebook (or other social providers). Internal route
 api.loginSocial = {
 method: 'POST',
- middlewares: [authWithHeaders(true)],
+ middlewares: [authWithHeaders({
+ optional: true,
+ })],
 url: '/user/auth/social', // this isn't the most appropriate url but must be the same as v2
 async handler (req, res) {
 let existingUser = res.locals.user;
diff --git a/website/server/controllers/api-v3/challenges.js b/website/server/controllers/api-v3/challenges.js
index 92551952d5..46f39b022e 100644
--- a/website/server/controllers/api-v3/challenges.js
+++ b/website/server/controllers/api-v3/challenges.js
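Review bot: The updated unit test only exercises `userFieldsToExclude`; nothing in this diff exercises the `optional: true` path now read from `options.optional`, although the `registerLocal` and `loginSocial` hunks below rely on it to let requests without auth headers through. Because a boolean misread falls back to required auth, a mistake here would presumably surface as rejected registrations rather than as a bypass, but it is still the one behaviour this refactor changed and it has no test. Add a case next to this one, e.g. `const authWithHeaders = authWithHeadersFactory({ optional: true });` and assert `next()` is called with no error when `x-api-user`/`x-api-key` are absent, plus the mirror case without `optional` asserting a rejection. The enclosing `it` block continues outside the hunk.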
@@ -183,7 +183,9 @@ let api = {};
 api.createChallenge = {
 method: 'POST',
 url: '/challenges',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -232,7 +234,9 @@ api.createChallenge = {
 api.joinChallenge = {
 method: 'POST',
 url: '/challenges/:challengeId/join',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -289,7 +293,9 @@ api.joinChallenge = {
 api.leaveChallenge = {
 method: 'POST',
 url: '/challenges/:challengeId/leave',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let keep = req.body.keep === 'remove-all' ? 'remove-all' : 'keep-all';
@@ -338,7 +344,9 @@ api.leaveChallenge = {
 api.getUserChallenges = {
 method: 'GET',
 url: '/challenges/user',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 const CHALLENGES_PER_PAGE = 10;
 const page = req.query.page;
@@ -439,7 +447,9 @@ api.getUserChallenges = {
 api.getGroupChallenges = {
 method: 'GET',
 url: '/challenges/groups/:groupId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
@@ -497,7 +507,9 @@ api.getGroupChallenges = {
 api.getChallenge = {
 method: 'GET',
 url: '/challenges/:challengeId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 req.checkParams('challengeId', res.t('challengeIdRequired')).notEmpty().isUUID();
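Review bot: The same `userFieldsToExclude: ['inbox']` literal is repeated at every route in this hunk and again throughout the chat.js, coupon.js, members.js, news.js and user/stats.js sections, which leaves the exclusion list free to drift per call site. Consider building the middleware once per controller, e.g. `const authExcludingInbox = authWithHeaders({ userFieldsToExclude: ['inbox'] });` and then `middlewares: [authExcludingInbox],`, so the list is defined in one place; the equivalent applies to the `optional: true` sites. The handler bodies lie outside the hunks, so I cannot confirm from here that none of them (or the helpers they pass `user` to) reads `user.inbox`; with the field projected out such a read would presumably yield `undefined` rather than the mailbox, which is worth a grep before merge.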
@@ -651,7 +663,9 @@ api.exportChallengeCsv = {
 api.updateChallenge = {
 method: 'PUT',
 url: '/challenges/:challengeId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 req.checkParams('challengeId', res.t('challengeIdRequired')).notEmpty().isUUID();
@@ -693,7 +707,9 @@ api.updateChallenge = {
 api.deleteChallenge = {
 method: 'DELETE',
 url: '/challenges/:challengeId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -738,7 +754,9 @@ api.deleteChallenge = {
 api.selectChallengeWinner = {
 method: 'POST',
 url: '/challenges/:challengeId/selectWinner/:winnerId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -787,7 +805,9 @@ api.selectChallengeWinner = {
 api.cloneChallenge = {
 method: 'POST',
 url: '/challenges/:challengeId/clone',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
diff --git a/website/server/controllers/api-v3/chat.js b/website/server/controllers/api-v3/chat.js
index 880b78f9bb..d3381e9184 100644
--- a/website/server/controllers/api-v3/chat.js
+++ b/website/server/controllers/api-v3/chat.js
@@ -61,7 +61,9 @@ function textContainsBannedSlur (message) {
 api.getChat = {
 method: 'GET',
 url: '/groups/:groupId/chat',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -100,7 +102,9 @@ function getBannedWordsFromText (message) {
 api.postChat = {
 method: 'POST',
 url: '/groups/:groupId/chat',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
@@ -221,7 +225,9 @@ api.postChat = {
 api.likeChat = {
 method: 'POST',
 url: '/groups/:groupId/chat/:chatId/like',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
@@ -278,7 +284,9 @@ api.likeChat = {
 api.flagChat = {
 method: 'POST',
 url: '/groups/:groupId/chat/:chatId/flag',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 const chatReporter = chatReporterFactory('Group', req, res);
 const message = await chatReporter.flag();
@@ -307,7 +315,9 @@ api.flagChat = {
 api.clearChatFlags = {
 method: 'Post',
 url: '/groups/:groupId/chat/:chatId/clearflags',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
@@ -377,7 +387,9 @@ api.clearChatFlags = {
 api.seenChat = {
 method: 'POST',
 url: '/groups/:groupId/chat/seen',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
@@ -443,7 +455,9 @@ api.seenChat = {
 api.deleteChat = {
 method: 'DELETE',
 url: '/groups/:groupId/chat/:chatId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
 let groupId = req.params.groupId;
diff --git a/website/server/controllers/api-v3/coupon.js b/website/server/controllers/api-v3/coupon.js
index 5fc0f4cbf1..bec35182b4 100644
--- a/website/server/controllers/api-v3/coupon.js
+++ b/website/server/controllers/api-v3/coupon.js
@@ -67,7 +67,9 @@ api.getCoupons = {
 api.generateCoupons = {
 method: 'POST',
 url: '/coupons/generate/:event',
- middlewares: [authWithHeaders(), ensureSudo],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ }), ensureSudo],
 async handler (req, res) {
 req.checkParams('event', res.t('eventRequired')).notEmpty();
 req.checkQuery('count', res.t('countRequired')).notEmpty().isNumeric();
@@ -92,7 +94,9 @@ api.generateCoupons = {
 api.enterCouponCode = {
 method: 'POST',
 url: '/coupons/enter/:code',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 let user = res.locals.user;
@@ -118,7 +122,10 @@ api.enterCouponCode = {
 api.validateCoupon = {
 method: 'POST',
 url: '/coupons/validate/:code',
- middlewares: [authWithHeaders(true)],
+ middlewares: [authWithHeaders({
+ optional: true,
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 req.checkParams('code', res.t('couponCodeRequired')).notEmpty();
diff --git a/website/server/controllers/api-v3/members.js b/website/server/controllers/api-v3/members.js
index 61e0e3ec19..a09cda938a 100644
--- a/website/server/controllers/api-v3/members.js
+++ b/website/server/controllers/api-v3/members.js
@@ -312,7 +312,9 @@ function _getMembersForItem (type) {
 api.getMembersForGroup = {
 method: 'GET',
 url: '/groups/:groupId/members',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 handler: _getMembersForItem('group-members'),
 };
@@ -333,7 +335,9 @@ api.getMembersForGroup = {
 api.getInvitesForGroup = {
 method: 'GET',
 url: '/groups/:groupId/invites',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 handler: _getMembersForItem('group-invites'),
 };
@@ -359,7 +363,9 @@ api.getInvitesForGroup = {
 api.getMembersForChallenge = {
 method: 'GET',
 url: '/challenges/:challengeId/members',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 handler: _getMembersForItem('challenge-members'),
 };
@@ -379,7 +385,9 @@ api.getMembersForChallenge = {
 api.getChallengeMemberProgress = {
 method: 'GET',
 url: '/challenges/:challengeId/members/:memberId',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 async handler (req, res) {
 req.checkParams('challengeId', res.t('challengeIdRequired')).notEmpty().isUUID();
 req.checkParams('memberId', res.t('memberIdRequired')).notEmpty().isUUID();
diff --git a/website/server/controllers/api-v3/news.js b/website/server/controllers/api-v3/news.js
index c590c23813..4b87078827 100644
--- a/website/server/controllers/api-v3/news.js
+++ b/website/server/controllers/api-v3/news.js
@@ -60,7 +60,9 @@ api.getNews = {
 */
 api.tellMeLaterNews = {
 method: 'POST',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 url: '/news/tell-me-later',
 async handler (req, res) {
 const user = res.locals.user;
diff --git a/website/server/controllers/api-v3/user/stats.js b/website/server/controllers/api-v3/user/stats.js
index 3e54dc2bb9..be303dcb48 100644
--- a/website/server/controllers/api-v3/user/stats.js
+++ b/website/server/controllers/api-v3/user/stats.js
@@ -27,7 +27,9 @@ let api = {};
 */
 api.allocate = {
 method: 'POST',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 url: '/user/allocate',
 async handler (req, res) {
 let user = res.locals.user;
@@ -67,7 +69,9 @@ api.allocate = {
 */
 api.allocateBulk = {
 method: 'POST',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 url: '/user/allocate-bulk',
 async handler (req, res) {
 let user = res.locals.user;
@@ -123,7 +127,9 @@ api.allocateBulk = {
 */
 api.allocateNow = {
 method: 'POST',
- middlewares: [authWithHeaders()],
+ middlewares: [authWithHeaders({
+ userFieldsToExclude: ['inbox'],
+ })],
 url: '/user/allocate-now',
 async handler (req, res) {
 let user = res.locals.user;
diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js
index 91c3c67eae..fde7cf5929 100644
--- a/website/server/middlewares/auth.js
+++ b/website/server/middlewares/auth.js
@@ -34,10 +34,11 @@ function getUserFields (userFieldsToExclude, req) {
 // Authenticate a request through the x-api-user and x-api key header
 // If optional is true, don't error on missing authentication
-export function authWithHeaders (optional = false, options = {}) {
+export function authWithHeaders (options = {}) {
 return function authWithHeadersHandler (req, res, next) {
- let userId = req.header('x-api-user');
- let apiToken = req.header('x-api-key');
+ const userId = req.header('x-api-user');
+ const apiToken = req.header('x-api-key');
+ const optional = options.optional || false;
 if (!userId || !apiToken) {
 if (optional) return next();
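Review bot: The comment `// If optional is true, don't error on missing authentication` above the new signature is now stale: `optional` is no longer a parameter but a key of `options`, and the other key the middleware accepts, `userFieldsToExclude` (consumed by `getUserFields` in the hunk header), is not documented at all. I would replace it with `// options.optional: when true, a request without x-api-user/x-api-key headers is passed to next() instead of failing` and `// options.userFieldsToExclude: user document fields left out when the user is loaded`. A caller still using the old positional form, e.g. `authWithHeaders(true)`, is not a syntax error: `options.optional` is undefined on a boolean, so auth silently becomes required on that route, which fails in the safe direction, whereas `authWithHeaders(false, { userFieldsToExclude })` would silently lose its exclusion list, so a search for remaining boolean call sites is worth doing before merge. `authWithHeadersHandler` continues outside the hunk.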