public-offering
/
cal.pub0.org
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix verifyapikey, add daabase_url to env.example

pull/9078/head
Agusti Fernandez Pardo 2022-04-18 23:24:57 +02:00
parent 25a2a405da
commit 8965601e6f
2 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.env.example
View File

@ -1 +1,2 @@
API_KEY_PREFIX=cal_
API_KEY_PREFIX=cal_
DATABASE_URL="postgresql://postgres:@localhost:5450/calendso"

38
lib/helpers/verifyApiKey.ts
View File

@ -4,31 +4,31 @@ import { hashAPIKey } from "@calcom/ee/lib/api/apiKeys";
import prisma from "@calcom/prisma";
// Used to check if the API key is not expired, could be extracted if reused. but not for now.
export const dateInPast = function (firstDate: Date, secondDate: Date) {
if (firstDate.setHours(0, 0, 0, 0) <= secondDate.setHours(0, 0, 0, 0)) {
export const dateInPast = function (date: Date) {
const now = new Date();
if (now.setHours(0, 0, 0, 0) <= date.setHours(0, 0, 0, 0)) {
return true;
}
};
const today = new Date();
// This verifies the API key and sets the user if it is valid.
export const verifyApiKey: NextMiddleware = async (req, res, next) => {
if (!req.query.apiKey) res.status(401).json({ message: "No API key provided" });
if (!req.query.apiKey) res.status(401).json({ message: "No api key provided" });
// We remove the prefix from the user provided api_key. If no env set default to "cal_"
const strippedApiKey = `${req.query.apiKey}`.replace(process.env.API_KEY_PREFIX || "cal_", "");
// Hash the key again before matching against the database records.
const hashedKey = hashAPIKey(strippedApiKey);
await prisma.apiKey
.findUnique({ where: { hashedKey } })
.then(async (apiKey) => {
if (!apiKey) {
res.status(401).json({ error: "You did not provide an api key" });
throw new Error("No api key found");
}
if (apiKey.userId) res.setHeader("X-Calcom-User-ID", apiKey.userId);
if (apiKey.expiresAt && apiKey.userId && dateInPast(today, apiKey.expiresAt)) await next();
})
.catch((error) => {
res.status(401).json({ error: "Your api key is not valid" });
});
// Check if the hashed api key exists in database.
await prisma.apiKey.findUnique({ where: { hashedKey } }).then(async (apiKey) => {
// If we cannot find any api key. Throw a 401 Unauthorized.
if (!apiKey) res.status(401).json({ error: "Your api key is not valid" });
if (apiKey && apiKey.expiresAt && dateInPast(apiKey.expiresAt) && apiKey.userId) {
// Right now API Keys are user centric, we only allow resources related to this userId throughout the application.
// if the api key is not expired, and the user id is present in the database.
// Set the user in the request. as x-calcom-user-id.
res.setHeader("X-Calcom-User-ID", apiKey.userId);
// Pass the request to the next middleware.
await next();
}
});
};