Only allow basic auth credentials with a known appId (#2574)

* Only allow basic auth credentials with a known appId * Update middlewares.js * Updating basic auth tests to use valid appId
2016-08-25 10:04:23 -07:00
parent 8eafe45664
commit 2aa14adf87
2 changed files with 28 additions and 21 deletions
--- a/spec/index.spec.js
+++ b/spec/index.spec.js
@@ -26,27 +26,31 @@ describe('server', () => {
  });

  it('support http basic authentication with masterkey', done => {
-    request.get({
-      url: 'http://localhost:8378/1/classes/TestObject',
-      headers: {
-      	'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
-      }
-    }, (error, response, body) => {
-      expect(response.statusCode).toEqual(200);
-      done();
-    });
+    reconfigureServer({ appId: 'test' }).then(() => {
+      request.get({
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
+        }
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(200);
+        done();
+      });
+    })
  });

  it('support http basic authentication with javascriptKey', done => {
-    request.get({
-      url: 'http://localhost:8378/1/classes/TestObject',
-      headers: {
-      	'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
-      }
-    }, (error, response, body) => {
-      expect(response.statusCode).toEqual(200);
-      done();
-    });
+    reconfigureServer({ appId: 'test' }).then(() => {
+      request.get({
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
+        }
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(200);
+        done();
+      });
+    })
  });

  it('fails if database is unreachable', done => {
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -31,9 +31,12 @@ export function handleParseHeaders(req, res, next) {
  var basicAuth = httpAuth(req);

  if (basicAuth) {
-    info.appId = basicAuth.appId
-    info.masterKey = basicAuth.masterKey || info.masterKey;
-    info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+    var basicAuthAppId = basicAuth.appId;
+    if (AppCache.get(basicAuthAppId)) {
+      info.appId = basicAuthAppId;
+      info.masterKey = basicAuth.masterKey || info.masterKey;
+      info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+    }
  }

  if (req.body) {