Protected against empty admin api key

refs #9865

core/server/services/auth/api-key/admin.js

@@ -61,6 +61,13 @@ const authenticate = (req, res, next) => {
 
     const apiKeyId = decoded.payload.kid;
 
+    if (!apiKeyId) {
+        return next(new common.errors.BadRequestError({
+            message: common.i18n.t('errors.middleware.auth.adminApiKeyMissing'),
+            code: 'MISSING_ADMIN_API_KEY'
+        }));
+    }
+
     models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
         if (!apiKey) {
             return next(new common.errors.UnauthorizedError({

core/server/translations/en.json

@@ -79,6 +79,7 @@
                 "accessDenied": "Access denied.",
                 "pleaseSignIn": "Please Sign In",
                 "pleaseSignInOrAuthenticate": "Please sign in or authenticate with an API Key",
+                "adminApiKeyMissing": "Admin API Key missing.",
                 "unknownAdminApiKey": "Unknown Admin API Key",
                 "unknownContentApiKey": "Unknown Content API Key",
                 "invalidApiKeyType": "Invalid API Key type",

core/test/unit/services/auth/api-key/admin_spec.js

@@ -96,12 +96,13 @@ describe('Admin API Key Auth', function () {
     });
 
     it('shouldn\'t authenticate with invalid/unknown key', function (done) {
-        const token = jwt.sign({}, this.secret, {
+        const token = jwt.sign({
+            kid: 'unknown'
+        }, this.secret, {
             algorithm: 'HS256',
             expiresIn: '5m',
             audience: '/test/',
-            issuer: 'unknown',
+            issuer: 'unknown'
-            keyid: 'unknown'
         });
 
         const req = {