Docker/planka
Docker/planka
1
0
Fork 0
mirror of https://github.com/plankanban/planka.git synced 2025-07-19 13:19:44 +02:00
Code Issues Releases Activity

feat: extend is-authenticated.js logic with api key checking

Browse source
This commit is contained in:
Samuel 2025-07-13 01:00:56 +02:00
parent ea8c42411f
commit d6cbb889fb
1 changed files with 20 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

21
server/api/policies/is-authenticated.js
View file

@ -3,10 +3,29 @@
* Licensed under the Fair Use License: https://github.com/plankanban/planka/blob/master/LICENSE.md
*/
const bcrypt = require('bcrypt');
const API_KEY_HEADER = 'x-api-key';
module.exports = async function isAuthenticated(req, res, proceed) {
if (!req.currentUser) {
if (req.currentUser) return proceed();
const apiKeyHeader = req.headers[API_KEY_HEADER.toLowerCase()];
if (!apiKeyHeader) {
return res.unauthorized('Access token is missing, invalid or expired');
}
if (!apiKeyHeader.includes('.')) return res.unauthorized('Invalid API key');
const [prefix] = apiKeyHeader.split('.');
if (!prefix) return res.unauthorized('Invalid API key');
const user = await User.findOne({ apiKeyPrefix: prefix, apiKeyHash: { '!=': null } });
if (!user) return res.unauthorized('Invalid API key');
const isMatch = await bcrypt.compare(apiKeyHeader, user.apiKeyHash);
if (!isMatch) return res.unauthorized('Invalid API key');
req.currentUser = user;
return proceed();
};