fix(api): accept the api key to perform actions on the api with X-API…

…-Key header
sct · Dec 15, 2020 · 33f8831 · 33f8831
1 parent 20b119c
commit 33f8831
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/overseerr-api.yml b/overseerr-api.yml
@@ -966,6 +966,10 @@ components:
       type: apiKey
       name: connect.sid
       in: cookie
+    apiKey:
+      type: apiKey
+      in: header
+      name: X-Api-Key
 
 paths:
   /settings/main:
@@ -2485,3 +2489,4 @@ paths:
 
 security:
   - cookieAuth: []
+  - apiKey: []
diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
@@ -1,9 +1,25 @@
 import { getRepository } from 'typeorm';
 import { User } from '../entity/User';
 import { Permission } from '../lib/permissions';
+import { getSettings } from '../lib/settings';
 
 export const checkUser: Middleware = async (req, _res, next) => {
-  if (req.session?.userId) {
+  const settings = getSettings();
+  if (req.header('X-API-Key') === settings.main.apiKey) {
+    const userRepository = getRepository(User);
+
+    let userId = 1; // Work on original administrator account
+
+    // If a User ID is provided, we will act on that users behalf
+    if (req.header('X-API-User')) {
+      userId = Number(req.header('X-API-User'));
+    }
+    const user = await userRepository.findOne({ where: { id: userId } });
+
+    if (user) {
+      req.user = user;
+    }
+  } else if (req.session?.userId) {
     const userRepository = getRepository(User);
 
     const user = await userRepository.findOne({