Create an express middleware function that verifies API keys, and apply that function to every express endpoint that needs auth.
Note, https://github.com/spaship/spaship/blob/master/packages/sync-service/lib/db.apikey.js already provides functions for creating, storing, and verifying API keys. This issue is asking for an express middleware function that uses db.apikey.js to enforce API key auth on certain endpoints. The function getUserByKey is the best one to use for validating that an incoming API key is valid.
It should work something like this:
1. HTTP request comes in
2. If no Authorization header, return 401
3. If Authorization header exists and is of the form Authorization: APIKey MY_API_KEY then get the value of MY_API_KEY and pass it into db.apikey.getUserByKey("MY_API_KEY") to determine if it's a valid key. Proceed to step 6.
4. If Authorization header exists and is of the form Authorization: Bearer MY_TOKEN then get the value of MY_TOKEN and validate it with a JWT validation library.
   - If the token is valid, take the sub property (we treat this property as a UUID for users) and pass it into db.apikey.getKeysByUser(sub) and proceed to step 6.
5. If Authorization header exists but is not of the form Authorization: APIKey MY_KEY or Authorization: Bearer MY_TOKEN, then return a 403
6. If the function returns a non-empty array, allow the request to proceed (by passing through to the next middleware function). If it returns an empty array, return a 403.
Todo: determine which endpoints need auth.
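A sketch of the flow in the steps above, added here as an example; it is not code from the spaship repository. The names makeAuthMiddleware, verifyJwt, fakeDb and simulate are hypothetical, the db.apikey functions are assumed to be async and to return arrays, and answering an invalid token with 403 is an assumption because the steps do not give a status for that case.

```javascript
// Added example, not project code. Assumed: makeAuthMiddleware, verifyJwt,
// and async db.apikey functions that resolve to arrays.
function makeAuthMiddleware({ apikeyDb, verifyJwt }) {
  return async function requireAuth(req, res, next) {
    const header = req.headers.authorization;
    if (!header) return res.status(401).json({ error: "Authorization header required" });
    // Exactly "<scheme> <credential>"; any other shape is a 403 (step 5).
    const match = /^(APIKey|Bearer) (\S+)$/.exec(header);
    if (!match) return res.status(403).json({ error: "Unsupported Authorization format" });
    const [, scheme, credential] = match;
    try {
      let rows;
      if (scheme === "APIKey") {
        rows = await apikeyDb.getUserByKey(credential);
      } else {
        // verifyJwt must check signature, expiry and algorithm, and throw on failure.
        const claims = await verifyJwt(credential);
        if (!claims || typeof claims.sub !== "string") throw new Error("token has no sub");
        rows = await apikeyDb.getKeysByUser(claims.sub);
      }
      if (!Array.isArray(rows) || rows.length === 0) {
        return res.status(403).json({ error: "Forbidden" });
      }
      return next();
    } catch (err) {
      // Fail closed: a bad token or a failed lookup never reaches the route handler.
      return res.status(403).json({ error: "Forbidden" });
    }
  };
}

// Constructed stand-ins so the sketch runs offline (not the real db.apikey or a JWT library).
const fakeDb = {
  getUserByKey: async (key) => (key === "good-key" ? [{ userid: "u-1" }] : []),
  getKeysByUser: async (sub) => (sub === "u-1" ? [{ label: "ci" }] : []),
};
const fakeVerifyJwt = async (token) => {
  if (token !== "good-token") throw new Error("invalid token");
  return { sub: "u-1" };
};

// Runs one constructed request; resolves to the status sent, or "next" if allowed through.
async function simulate(authorization) {
  let outcome = null;
  const res = { status(code) { outcome = code; return this; }, json() { return this; } };
  const req = { headers: authorization ? { authorization } : {} };
  await makeAuthMiddleware({ apikeyDb: fakeDb, verifyJwt: fakeVerifyJwt })(req, res, () => { outcome = "next"; });
  return outcome;
}
```

Every rejection path returns before next() is called, so a protected handler only runs after a non-empty lookup result.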