
API: I can query the graphql and possible rest api endpoints without providing an api key #3817

Closed
waptik opened this issue Jan 9, 2021 · 4 comments
Labels
api Issues that require some work on the API (https://github.com/opencollective/opencollective-api) bug complexity → minimal

Comments

@waptik

waptik commented Jan 9, 2021

Describe the bug
Today I came across a bug that allows anyone to query both v1 and v2 of the graphql endpoints.
I wasn't sure if it was a bug or not, but after getting a reply, I decided to open a bug report and provide a possible fix.

Per my understanding this line is responsible for allowing any provided api key to proceed with its operations as long as it's an internal apiKey/clientId or a valid one from a collective.

But https://github.com/opencollective/opencollective-api/blob/master/server/middleware/authentication.js#L358 doesn't return an error when an api key is not provided which allows anyone to use both graphql endpoints even if an api key is not provided.

So I'm pretty sure that rest api endpoints defined in https://github.com/opencollective/opencollective-api/blob/master/server/routes.js as well can be used without an api key.

To Reproduce
Steps to reproduce the behavior:

For v1:

  1. Use any GraphQL UI viewer of your choice (e.g. GraphQL Playground)
  2. Enter https://api.opencollective.com/graphql as your endpoint
  3. Use the following query as an example
{
  Collective(slug: "opencollective") {
    id
    name
    createdAt
    company
    contributionPolicy
    description
    isActive
    isArchived
    location {
      country
      name
      lat
      long
    }
    createdByUser {
      id
      firstName
      lastName
      isLimited
      email
      emailWaitingForValidation
      username
    }
  }
}
  4. Hit the play button
  5. See info about the collective in question

For v2:

  1. Use any GraphQL UI viewer of your choice (e.g. GraphQL Playground)
  2. Enter https://api.opencollective.com/graphql/v2 as your endpoint
  3. Use the following query as an example
{
  account(slug:"opencollective") {
    id
    name
    slug
    currency
    twitterHandle
    githubHandle
    categories
  }
}
  4. Hit the play button
  5. See info about the collective in question

Expected behavior
When an api key is not provided, all requests should not proceed but instead display an error message such as:

{
  "error": {
    "error": {
      "code": 401,
      "type": "unauthorized",
      "message": "Missing API key or Client Id"
    }
  }
}

As of writing this, that's not the case.

Screenshots
Here are some screenshots for both graphql endpoints when an api key is provided and when it is not provided (images not included in this extract):

  • Screenshot 2021-01-09 075630
  • Screenshot 2021-01-09 075807
  • Screenshot 2021-01-09 081726
  • Screenshot 2021-01-09 081804

Desktop (please complete the following information):

  • Device: HP
  • OS: Windows 10
  • Browser: Brave
  • Version: 1.18.77

Additional context
A possible fix would be replacing the code found at https://github.com/opencollective/opencollective-api/blob/master/server/middleware/authentication.js#L358 with the one below:

next(new Unauthorized('Missing API key or Client Id'))
@SudharakaP
Member

SudharakaP commented Jan 9, 2021

@waptik : Thanks for opening the issue; I've just verified the issue as well. And I opened a PR with your suggested fix. Thanks a lot. 👍🏽

@SudharakaP SudharakaP added api Issues that require some work on the API (https://github.com/opencollective/opencollective-api) complexity → minimal labels Jan 9, 2021
SudharakaP added a commit to opencollective/opencollective-api that referenced this issue Jan 9, 2021
@waptik
Author

waptik commented Jan 9, 2021

@SudharakaP You're welcome. I'm glad I could help.

@znarf
Member

znarf commented Jan 9, 2021

Thank you for the report.

We're letting people use our API without API key on purpose. It's a better developer experience to test it!

We're however enforcing strong rate limiting in this case, 10 requests / minute / ip address maximum.
https://github.com/opencollective/opencollective-api/blob/master/server/routes.js#L62

Using an App Key:

  • You have up to 100 requests / per minute / per app key
  • Authenticate yourself and:
    • Can see things that non-authenticated user can't see
    • Can use mutations (limited to what your user account can do)

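The policy discussed in this thread (the issue body's observation that a missing key is let through by the authentication middleware, and the explanation above that anonymous callers are rate limited per IP while app keys get a higher per-key limit), modelled as an added example. This is not opencollective-api code; the in-memory key store, the fixed-window limiter and the Express-style request shape are assumptions.

```javascript
// Added example, not the opencollective-api middleware. Models the policy from
// this thread: no key -> anonymous but tightly rate limited per IP; known key ->
// higher per-key limit; unknown key -> 401. Key store and limiter are assumed.

const VALID_API_KEYS = new Map([['app-key-123', { appId: 'demo-app' }]]); // constructed sample

// Limits quoted in the thread: 10 req/min per IP anonymously, 100 req/min per app key.
const LIMITS = { anonymousPerIp: 10, perAppKey: 100 };
const WINDOW_MS = 60 * 1000;
const counters = new Map(); // bucketKey -> { count, windowStart }

// Fixed-window counter; returns true while the bucket is within its limit.
function allowRequest(bucketKey, limit, now = Date.now()) {
  const entry = counters.get(bucketKey);
  if (!entry || now - entry.windowStart >= WINDOW_MS) {
    counters.set(bucketKey, { count: 1, windowStart: now });
    return true;
  }
  entry.count += 1;
  return entry.count <= limit;
}

// Decides how a request is treated. Note the distinction the thread turns on:
// an ABSENT key is anonymous access (allowed, limited), an INVALID key is rejected.
function authorize(req, now = Date.now()) {
  const apiKey = req.query.apiKey || req.headers['api-key']; // assumed key locations
  if (apiKey === undefined) {
    const ok = allowRequest(`ip:${req.ip}`, LIMITS.anonymousPerIp, now);
    return ok ? { status: 200, principal: 'anonymous' }
              : { status: 429, error: 'Rate limit exceeded' };
  }
  const app = VALID_API_KEYS.get(apiKey);
  if (!app) return { status: 401, error: 'Invalid API key' };
  const ok = allowRequest(`key:${apiKey}`, LIMITS.perAppKey, now);
  return ok ? { status: 200, principal: app.appId }
            : { status: 429, error: 'Rate limit exceeded' };
}

// Express-style wrapper around authorize().
function authMiddleware(req, res, next) {
  const result = authorize(req);
  if (result.status !== 200) return res.status(result.status).json({ error: result.error });
  req.principal = result.principal;
  next();
}

function resetCounters() { counters.clear(); }
```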
@waptik
Author

waptik commented Jan 9, 2021

> Thank you for the report.
>
> We're letting people use our API without API key on purpose. It's a better developer experience to test it!
>
> We're however enforcing strong rate limiting in this case, 10 requests / minute / ip address maximum.
> opencollective/opencollective-api@master/server/routes.js#L62
>
> Using an App Key:
>
>   • You have up to 100 requests / per minute / per app key
>   • Authenticate yourself and:
>     • Can see things that non-authenticated user can't see
>     • Can use mutations (limited to what your user account can do)

Oh I see. I guess it wasn't a bug, so the PR @SudharakaP opened wasn't needed after all.

@waptik waptik closed this as completed Jan 9, 2021