feat: upload release with api token (#216) (#225)

Co-authored-by: Geoffroy Empain <geoffroy@charlie-bravo.be>
getmeli · Apr 13, 2021 · 1d5ceb6 · 1d5ceb6
1 parent b045ce5
commit 1d5ceb6
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/server/src/entities/sites/guards/can-upload-release-guard.ts b/server/src/entities/sites/guards/can-upload-release-guard.ts
@@ -1,13 +1,13 @@
-import {
-  NextFunction, Request, Response,
-} from 'express';
+import { NextFunction, Request, Response } from 'express';
 import { object, string } from 'joi';
 import { ForbiddenError } from '../../../commons/errors/forbidden-error';
 import { UnauthorizedError } from '../../../commons/errors/unauthorized-error';
 import { params } from '../../../commons/express-joi/params';
 import { wrapAsyncMiddleware } from '../../../commons/utils/wrap-async-middleware';
 import { Sites } from '../site';
 import { siteExistsGuard } from './site-exists-guard';
+import { canAdminSite } from './can-admin-site';
+import { getUser } from '../../../auth/utils/get-user';
 
 export const canUploadReleaseGuard = [
   params(object({
@@ -16,7 +16,15 @@ export const canUploadReleaseGuard = [
   ...siteExistsGuard,
   wrapAsyncMiddleware(async (req: Request, res: Response, next: NextFunction) => {
     const { siteId } = req.params;
-    // TODO should we use req.header('X-Meli-Token') ?
+    const user = getUser(req);
+
+    // if user authenticated, check if they have access to the site
+    if (user && await canAdminSite(siteId, user._id)) {
+      next();
+      return;
+    }
+
+    // verify against a site token
     const token = req.headers['x-meli-token'];
 
     if (!token) {
@@ -27,10 +35,12 @@ export const canUploadReleaseGuard = [
     const site = await Sites().findOne({
       _id: siteId,
     });
+
     if (!site.tokens.some(t => t.value === token)) {
       next(new UnauthorizedError('Invalid token'));
       return;
     }
+
     next();
   }),
 ];