From 3f758c6a0aa88788cbbe30131b64137e759f66eb Mon Sep 17 00:00:00 2001
From: kirrg001
Date: Fri, 18 Jan 2019 17:32:41 +0100
Subject: [PATCH] Protected against empty admin api key
refs #9865
---
 core/server/services/auth/api-key/admin.js | 7 +++++++
 core/server/translations/en.json | 1 +
 core/test/unit/services/auth/api-key/admin_spec.js | 7 ++++---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/core/server/services/auth/api-key/admin.js b/core/server/services/auth/api-key/admin.js
index 886261536f..9842293d8c 100644
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@@ -61,6 +61,13 @@ const authenticate = (req, res, next) => {
 const apiKeyId = decoded.payload.kid;
+ if (!apiKeyId) {
+ return next(new common.errors.BadRequestError({
+ message: common.i18n.t('errors.middleware.auth.adminApiKeyMissing'),
+ code: 'MISSING_ADMIN_API_KEY'
+ }));
+ }
+
 models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
 if (!apiKey) {
 return next(new common.errors.UnauthorizedError({
diff --git a/core/server/translations/en.json b/core/server/translations/en.json
index ed835e830e..b71cf279bc 100644
--- a/core/server/translations/en.json
+++ b/core/server/translations/en.json
@@ -79,6 +79,7 @@
 "accessDenied": "Access denied.",
 "pleaseSignIn": "Please Sign In",
 "pleaseSignInOrAuthenticate": "Please sign in or authenticate with an API Key",
+ "adminApiKeyMissing": "Admin API Key missing.",
 "unknownAdminApiKey": "Unknown Admin API Key",
 "unknownContentApiKey": "Unknown Content API Key",
 "invalidApiKeyType": "Invalid API Key type",
diff --git a/core/test/unit/services/auth/api-key/admin_spec.js b/core/test/unit/services/auth/api-key/admin_spec.js
index 91c7e8445f..9b857ca58b 100644
--- a/core/test/unit/services/auth/api-key/admin_spec.js
+++ b/core/test/unit/services/auth/api-key/admin_spec.js
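Review bot: The new guard only rejects a falsy `kid`, yet `decoded.payload.kid` appears to come from a token that has not been verified at this point (the secret is only known after the `models.ApiKey.findOne` lookup that follows), so any non-string JSON value in the claim still reaches the query; tightening the check to `if (!apiKeyId || typeof apiKeyId !== 'string') {` keeps objects and arrays out of the lookup and makes the validation explicit. The missing-key case also returns a BadRequestError while the unknown-key branch three lines below returns an UnauthorizedError; a short comment such as `// No kid means the token cannot be tied to a key and verified at all, so treat it as a malformed request rather than a failed login.` would record why the two cases get different status codes. The enclosing `authenticate` function starts and ends outside the hunk, so where `decoded` is produced cannot be confirmed from here.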
@@ -96,12 +96,13 @@ describe('Admin API Key Auth', function () {
 });
 it('shouldn\'t authenticate with invalid/unknown key', function (done) {
- const token = jwt.sign({}, this.secret, {
+ const token = jwt.sign({
+ kid: 'unknown'
+ }, this.secret, {
 algorithm: 'HS256',
 expiresIn: '5m',
 audience: '/test/',
- issuer: 'unknown',
- keyid: 'unknown'
+ issuer: 'unknown'
 });
 const req = {
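Review bot: The spec change only keeps the existing unknown-key test on the UnauthorizedError path by moving the key id into the payload `kid` claim; nothing in this commit exercises the new missing-`kid` branch in admin.js, which now returns a BadRequestError with code `MISSING_ADMIN_API_KEY`. A sibling `it` that re-uses the removed `jwt.sign({}, this.secret, { ... })` form (no `kid` claim) and asserts the error code would pin the new behaviour and stop it from regressing silently. Dropping the `keyid` option also means a header `kid` is no longer tested; if admin.js deliberately reads only `decoded.payload.kid`, a one-line comment in the test, e.g. `// the admin auth reads the key id from the payload kid claim, not the JWT header`, would explain the switch to the next reader. The `it` block continues outside the hunk.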