RocketChat · kodiakhq · Jun 28, 2022 · Jun 15, 2022 · Jun 22, 2022 · Jun 23, 2022
diff --git a/apps/meteor/app/api/server/middlewares/authentication.ts b/apps/meteor/app/api/server/middlewares/authentication.ts
@@ -0,0 +1,33 @@
+import { Request, Response, NextFunction } from 'express';
+
+import { Users } from '../../../models/server';
+import { oAuth2ServerAuth } from '../../../oauth2-server-config/server/oauth/oauth2-server';
+
+export type AuthenticationMiddlewareConfig = {
+	rejectUnauthorized: boolean;
+};
+
+export const defaultAuthenticationMiddlewareConfig = {
+	rejectUnauthorized: true,
+};
+
+export function authenticationMiddleware(config: AuthenticationMiddlewareConfig = defaultAuthenticationMiddlewareConfig) {
+	return (req: Request, res: Response, next: NextFunction): void => {
+		const { 'x-user-id': userId, 'x-auth-token': authToken } = req.headers;
+
+		if (userId && authToken) {
+			req.user = Users.findOneByIdAndLoginToken(userId, authToken);
+		} else {
+			req.user = oAuth2ServerAuth(req)?.user;
+		}
+
+		if (config.rejectUnauthorized && !req.user) {
+			res.status(401).send('Unauthorized');
+			return;
+		}
+
+		req.userId = req.user?._id;
+
+		next();
+	};
+}
@@ -7,17 +7,18 @@ import { AppApi } from '@rocket.chat/apps-engine/server/managers/AppApi';
 import { RequestMethod } from '@rocket.chat/apps-engine/definition/accessors';
 
 import { AppServerOrchestrator } from '../orchestrator';
+import { authenticationMiddleware } from '../../../api/server/middlewares/authentication';
 
 const apiServer = express();
 
 apiServer.disable('x-powered-by');
 
 WebApp.connectHandlers.use(apiServer);
 
-type RequestWithPrivateHash = Request & {
+interface IRequestWithPrivateHash extends Request {
 	_privateHash?: string;
 	content?: any;
-};
+}
 
 export class AppApisBridge extends ApiBridge {
 	appRouters: Map<string, IRouter>;
@@ -27,7 +28,7 @@ export class AppApisBridge extends ApiBridge {
 		super();
 		this.appRouters = new Map();
 
-		apiServer.use('/api/apps/private/:appId/:hash', (req: RequestWithPrivateHash, res: Response) => {
+		apiServer.use('/api/apps/private/:appId/:hash', (req: IRequestWithPrivateHash, res: Response) => {
 			const notFound = (): Response => res.sendStatus(404);
 
 			const router = this.appRouters.get(req.params.appId);
@@ -73,7 +74,7 @@ export class AppApisBridge extends ApiBridge {
 		}
 
 		if (router[method] instanceof Function) {
-			router[method](routePath, Meteor.bindEnvironment(this._appApiExecutor(endpoint, appId)));
+			router[method](routePath, this._authMiddleware(endpoint, appId), Meteor.bindEnvironment(this._appApiExecutor(endpoint, appId)));
 		}
 	}
 
@@ -85,6 +86,11 @@ export class AppApisBridge extends ApiBridge {
 		}
 	}
 
+	private _authMiddleware(endpoint: IApiEndpoint, _appId: string): RequestHandler {
+		const authFunction = authenticationMiddleware({ rejectUnauthorized: !!endpoint.authRequired });
+		return Meteor.bindEnvironment(authFunction);
+	}
+
 	private _verifyApi(api: IApi, endpoint: IApiEndpoint): void {
 		if (typeof api !== 'object') {
 			throw new Error('Invalid Api parameter provided, it must be a valid IApi object.');
@@ -96,14 +102,15 @@ export class AppApisBridge extends ApiBridge {
 	}
 
 	private _appApiExecutor(endpoint: IApiEndpoint, appId: string): RequestHandler {
-		return (req: RequestWithPrivateHash, res: Response): void => {
+		return (req: IRequestWithPrivateHash, res: Response): void => {
 			const request: IApiRequest = {
 				method: req.method.toLowerCase() as RequestMethod,
 				headers: req.headers as { [key: string]: string },
 				query: (req.query as { [key: string]: string }) || {},
 				params: req.params || {},
 				content: req.body,
 				privateHash: req._privateHash,
+				user: req.user && this.orch.getConverters()?.get('users')?.convertToApp(req.user),
 			};
 
 			this.orch

@@ -6,10 +6,10 @@ import { WebApp } from 'meteor/webapp';
 import { UIKitIncomingInteractionType } from '@rocket.chat/apps-engine/definition/uikit';
 import { AppInterface } from '@rocket.chat/apps-engine/definition/metadata';
 
-import { Users } from '../../../models/server';
 import { settings } from '../../../settings/server';
 import { Apps, AppServerOrchestrator } from '../orchestrator';
 import { UiKitCoreApp } from '../../../../server/sdk';
+import { authenticationMiddleware } from '../../../api/server/middlewares/authentication';
 
 const apiServer = express();
 
@@ -51,16 +51,14 @@ Meteor.startup(() => {
 			settings.get('API_Enable_Rate_Limiter') !== true ||
 			(process.env.NODE_ENV === 'development' && settings.get('API_Enable_Rate_Limiter_Dev') !== true),
 	});
+
 	router.use(apiLimiter);
 });
 
-router.use((req, res, next) => {
-	const { 'x-user-id': userId, 'x-auth-token': authToken, 'x-visitor-token': visitorToken } = req.headers;
+router.use(authenticationMiddleware({ rejectUnauthorized: false }));
 
-	if (userId && authToken) {
-		req.body.user = Users.findOneByIdAndLoginToken(userId, authToken);
-		req.body.userId = req.body.user._id;
-	}
+router.use((req, res, next) => {
+	const { 'x-visitor-token': visitorToken } = req.headers;
 
 	if (visitorToken) {
 		req.body.visitor = Apps.getConverters()?.get('visitors').convertByToken(visitorToken);

diff --git a/apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts b/apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
@@ -4,6 +4,7 @@ import { Mongo } from 'meteor/mongo';
 import { WebApp } from 'meteor/webapp';
 import { OAuth2Server } from 'meteor/rocketchat:oauth2-server';
 import { Request, Response } from 'express';
+import { IUser } from '@rocket.chat/core-typings';
 import { OAuthApps } from '@rocket.chat/models';
 
 import { Users } from '../../../models/server';
@@ -25,6 +26,28 @@ function getAccessToken(accessToken: string): any {
 	});
 }
 
+export function oAuth2ServerAuth(partialRequest: {
+	headers: Record<string, any>;
+	query: Record<string, any>;
+}): { user: IUser } | undefined {
+	const headerToken = partialRequest.headers.authorization?.replace('Bearer ', '');
+	const queryToken = partialRequest.query.access_token;
+
+	const accessToken = getAccessToken(headerToken || queryToken);
+
+	if (accessToken?.expires != null && accessToken?.expires !== 0 && accessToken?.expires < new Date()) {
+		return;
+	}
+
+	const user = Users.findOne(accessToken.userId);
+
+	if (user == null) {
+		return;
+	}
+
+	return { user };
+}
+
 oauth2server.app.disable('x-powered-by');
 oauth2server.routes.disable('x-powered-by');
 
@@ -57,33 +80,5 @@ oauth2server.routes.get('/oauth/userinfo', function (req: Request, res: Response
 });
 
 API.v1.addAuthMethod(function () {
-	const headerToken = this.request.headers.authorization;
-	const getToken = this.request.query.access_token;
-
-	let token: string | undefined;
-	if (headerToken != null) {
-		const matches = headerToken.match(/Bearer\s(\S+)/);
-		if (matches) {
-			token = matches[1];
-		} else {
-			token = undefined;
-		}
-	}
-	const bearerToken = token || getToken;
-	if (bearerToken == null) {
-		return;
-	}
-
-	const accessToken = getAccessToken(bearerToken);
-	if (accessToken == null) {
-		return;
-	}
-	if (accessToken.expires != null && accessToken.expires !== 0 && accessToken.expires < new Date()) {
-		return;
-	}
-	const user = Users.findOne(accessToken.userId);
-	if (user == null) {
-		return;
-	}
-	return { user };
+	return oAuth2ServerAuth(this.request);
 });
diff --git a/apps/meteor/definition/externals/express.d.ts b/apps/meteor/definition/externals/express.d.ts
@@ -0,0 +1,11 @@
+import 'express';
+
+import { IUser } from '@rocket.chat/core-typings';
+
+declare module 'express' {
+	// eslint-disable-next-line @typescript-eslint/interface-name-prefix
+	export interface Request {
+		userId?: string;
+		user?: IUser;
+	}
+}
diff --git a/apps/meteor/package.json b/apps/meteor/package.json
@@ -190,7 +190,7 @@
 		"@nivo/line": "0.62.0",
 		"@nivo/pie": "0.73.0",
 		"@rocket.chat/api-client": "workspace:^",
-		"@rocket.chat/apps-engine": "1.32.0",
+		"@rocket.chat/apps-engine": "1.33.0-alpha.6426",
 		"@rocket.chat/core-typings": "workspace:^",
 		"@rocket.chat/css-in-js": "~0.31.12",
 		"@rocket.chat/emitter": "~0.31.12",

diff --git a/yarn.lock b/yarn.lock
@@ -3275,7 +3275,21 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@rocket.chat/apps-engine@npm:1.32.0, @rocket.chat/apps-engine@npm:^1.31.0":
+"@rocket.chat/apps-engine@npm:1.33.0-alpha.6426":
+  version: 1.33.0-alpha.6426
+  resolution: "@rocket.chat/apps-engine@npm:1.33.0-alpha.6426"
+  dependencies:
+    adm-zip: ^0.4.9
+    cryptiles: ^4.1.3
+    lodash.clonedeep: ^4.5.0
+    semver: ^5.5.0
+    stack-trace: 0.0.10
+    uuid: ^3.2.1
+  checksum: 412fac1389daaacbba245456866af65bc2feac0076fd00f9e81f859d547a933680c4a506d27c206cb637fbcfa6ddb78c3e9cfaba4fef5bb1064da428e53e4cca
+  languageName: node
+  linkType: hard
+
+"@rocket.chat/apps-engine@npm:^1.31.0":
   version: 1.32.0
   resolution: "@rocket.chat/apps-engine@npm:1.32.0"
   dependencies:
@@ -3819,7 +3833,7 @@ __metadata:
     "@nivo/pie": 0.73.0
     "@playwright/test": ^1.21.1
     "@rocket.chat/api-client": "workspace:^"
-    "@rocket.chat/apps-engine": 1.32.0
+    "@rocket.chat/apps-engine": 1.33.0-alpha.6426
     "@rocket.chat/core-typings": "workspace:^"
     "@rocket.chat/css-in-js": ~0.31.12
     "@rocket.chat/emitter": ~0.31.12