krikkert/habitica
1
0
Fork 0
mirror of https://github.com/HabitRPG/habitica.git synced 2025-12-19 07:37:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

v3: fallbackto authWithHeaders if wuthWithSession or authWithUrl fails

Browse Source
This commit is contained in:
Matteo Pagliazzi
2016-05-18 18:29:38 +02:00
parent ef9dc9a15a
commit f0f67e1e88
3 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
test/api/v3/integration/challenges/GET-challenges_challengeId_export_csv.test.js
View File

@@ -40,6 +40,7 @@ describe('GET /challenges/:challengeId/export/csv', () => {
it('fails if challenge doesn\'t exists', async () => { it('fails if challenge doesn\'t exists', async () => {
user = await generateUser(); user = await generateUser();
user.get('/user');
await expect(user.get(`/challenges/${generateUUID()}/export/csv`)).to.eventually.be.rejected.and.eql({ await expect(user.get(`/challenges/${generateUUID()}/export/csv`)).to.eventually.be.rejected.and.eql({
code: 404, code: 404,
error: 'NotFound', error: 'NotFound',
@@ -49,6 +50,7 @@ describe('GET /challenges/:challengeId/export/csv', () => {
it('fails if user doesn\'t have access to the challenge', async () => { it('fails if user doesn\'t have access to the challenge', async () => {
user = await generateUser(); user = await generateUser();
user.get('/user');
await expect(user.get(`/challenges/${challenge._id}/export/csv`)).to.eventually.be.rejected.and.eql({ await expect(user.get(`/challenges/${challenge._id}/export/csv`)).to.eventually.be.rejected.and.eql({
code: 404, code: 404,

7
test/helpers/api-integration/requester.js
View File

@@ -64,13 +64,6 @@ function _requestMaker (user, method, additionalSets = {}) {
return reject(parsedError); return reject(parsedError);
} }
// if any cookies was sent, save it for the next request
if (response.headers['set-cookie']) {
additionalSets.cookie = response.headers['set-cookie'].map(cookieString => {
return cookieString.split(';')[0];
}).join('; ');
}
resolve(_parseRes(response)); resolve(_parseRes(response));
}); });
}); });

16
website/server/middlewares/api-v3/auth.js
View File

@@ -41,7 +41,14 @@ export function authWithHeaders (optional = false) {
export function authWithSession (req, res, next) { export function authWithSession (req, res, next) {
let userId = req.session.userId; let userId = req.session.userId;
if (!userId) return next(new NotAuthorized(res.t('invalidCredentials'))); // Always allow authentication with headers
if (!userId) {
if (!req.header('x-api-user') || !req.header('x-api-key')) {
return next(new NotAuthorized(res.t('invalidCredentials')));
} else {
return authWithHeaders()(req, res, next);
}
}
return User.findOne({ return User.findOne({
_id: userId, _id: userId,
@@ -60,8 +67,13 @@ export function authWithUrl (req, res, next) {
let userId = req.query._id; let userId = req.query._id;
let apiToken = req.query.apiToken; let apiToken = req.query.apiToken;
// Always allow authentication with headers
if (!userId || !apiToken) { if (!userId || !apiToken) {
throw new NotAuthorized(res.t('missingAuthParams')); if (!req.header('x-api-user') || !req.header('x-api-key')) {
return next(new NotAuthorized(res.t('missingAuthParams')));
} else {
return authWithHeaders()(req, res, next);
}
} }
return User.findOne({ _id: userId, apiToken }).exec() return User.findOne({ _id: userId, apiToken }).exec()