This repository has been archived by the owner on Jan 16, 2024. It is now read-only.

Security Issue #328

Closed
Plant-for-the-Planet opened this issue Aug 30, 2018 · 0 comments
Labels
enhancement New feature or request

Comments

@Plant-for-the-Planet
Contributor

Plant-for-the-Planet commented Aug 30, 2018

In order to allow for more verbose error messages, development usually uses the server API in debug mode by inserting /app_dev.php into the URL right after the domain name.
This is done automatically by setting the context property base: '/app_dev.php' in app/config/index.js. Accessing the server in this way requires the request to come from an authenticated source in order to prevent misuse or intrusion.
API access to the server will shortly be prohibited without proper authentication, which must therefore be implemented by sending an additional request header: X-REACT-AUTH-ID.
The value of this header must be the MD5 hash of the concatenation of the user's IP and the following string: 'XXX (ask us!)'.

The IP can either be determined on the fly using some library (e.g. internal-ip) or be placed directly into the context (app/config/index.js). As app/config/index.js is no longer under version control, the latter might be the most efficient solution.
Note: If debug mode is deactivated (base: ''), no such header has to be sent, which means that the function that generates the header must take the base property of the context into consideration.

Example solution:
  • determine your IP address and add it to app/config/index.js as context.ip
  • install some md5 library and import it into app/utils/api.js

modify the getHeaders function in app/utils/api.js:

// Assumed imports for app/utils/api.js: an md5 helper (e.g. the `md5` npm package)
// and the build context exported by app/config/index.js (path relative to app/utils).
import md5 from 'md5';
import context from '../config';

async function getHeaders(authenticated = false) {
  const headers = { 'X-SESSION-ID': await getSessionId() };

  // Added block: only when the debug front controller is in use and an IP is
  // configured, send the MD5 of the IP concatenated with the shared string.
  if (context.base === '/app_dev.php' && 'ip' in context && context.ip !== '') {
    headers['X-REACT-AUTH-ID'] = md5(context.ip + '5Pk0v7NTOkmlXNcRTC4uQC7Q1HZu0dm2');
  }

  if (authenticated) {
    return {
      headers: { ...headers, Authorization: `Bearer ${await getAccessToken()}` }
    };
  } else {
    return { headers };
  }
}