Only allow basic auth credentials with a known appId (#2574)

* Only allow basic auth credentials with a known appId * Update middlewares.js * Updating basic auth tests to use valid appId
2016-08-25 10:04:23 -07:00
parent 8eafe45664
commit 2aa14adf87
2 changed files with 28 additions and 21 deletions
--- a/spec/index.spec.js
+++ b/spec/index.spec.js
@@ -26,6 +26,7 @@ describe('server', () => {
  });

  it('support http basic authentication with masterkey', done => {
+    reconfigureServer({ appId: 'test' }).then(() => {
      request.get({
        url: 'http://localhost:8378/1/classes/TestObject',
        headers: {
@@ -35,9 +36,11 @@ describe('server', () => {
        expect(response.statusCode).toEqual(200);
        done();
      });
+    })
  });

  it('support http basic authentication with javascriptKey', done => {
+    reconfigureServer({ appId: 'test' }).then(() => {
      request.get({
        url: 'http://localhost:8378/1/classes/TestObject',
        headers: {
@@ -47,6 +50,7 @@ describe('server', () => {
        expect(response.statusCode).toEqual(200);
        done();
      });
+    })
  });

  it('fails if database is unreachable', done => {
--- a/src/middlewares.js
+++ b/src/middlewares.js
@@ -31,10 +31,13 @@ export function handleParseHeaders(req, res, next) {
  var basicAuth = httpAuth(req);

  if (basicAuth) {
-    info.appId = basicAuth.appId
+    var basicAuthAppId = basicAuth.appId;
+    if (AppCache.get(basicAuthAppId)) {
+      info.appId = basicAuthAppId;
      info.masterKey = basicAuth.masterKey || info.masterKey;
      info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
    }
+  }

  if (req.body) {
    // Unity SDK sends a _noBody key which needs to be removed.