From b677927322a91dde2d66c64426e975c653056072 Mon Sep 17 00:00:00 2001 From: Naz Date: Wed, 7 Apr 2021 16:52:26 +1200 Subject: [PATCH] Refactored api key auth to use async/await syntax https://github.com/TryGhost/Team/issues/599 - Before introducing limit checks into this codebase rewrote the code to use async/await for more clarity and less nesting --- core/server/services/auth/api-key/admin.js | 22 ++++++++++++-------- core/server/services/auth/api-key/content.js | 11 ++++++---- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/core/server/services/auth/api-key/admin.js b/core/server/services/auth/api-key/admin.js index fe51762986..f835d2b39c 100644 --- a/core/server/services/auth/api-key/admin.js +++ b/core/server/services/auth/api-key/admin.js @@ -78,7 +78,7 @@ const authenticateWithUrl = (req, res, next) => { * - the "Audience" claim should match the requested API path * https://tools.ietf.org/html/rfc7519#section-4.1.3 */ -const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => { +const authenticateWithToken = async (req, res, next, {token, JWT_OPTIONS}) => { const decoded = jwt.decode(token, {complete: true}); if (!decoded || !decoded.header) { @@ -97,7 +97,9 @@ const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => { })); } - models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => { + try { + const apiKey = await models.ApiKey.findOne({id: apiKeyId}); + if (!apiKey) { return next(new errors.UnauthorizedError({ message: i18n.t('errors.middleware.auth.unknownAdminApiKey'), @@ -145,21 +147,23 @@ const authenticateWithToken = (req, res, next, {token, JWT_OPTIONS}) => { if (apiKey.get('user_id')) { // fetch the user and store it on the request for later checks and logging - return models.User.findOne( + const user = await models.User.findOne( {id: apiKey.get('user_id'), status: 'active'}, {require: true} - ).then((user) => { - req.user = user; - next(); - }); + ); + + req.user = user; + + next(); } // store the api key on the request for later checks and logging req.api_key = apiKey; + next(); - }).catch((err) => { + } catch (err) { next(new errors.InternalServerError({err})); - }); + } }; module.exports = { diff --git a/core/server/services/auth/api-key/content.js b/core/server/services/auth/api-key/content.js index 27ad6c8364..47d70576f8 100644 --- a/core/server/services/auth/api-key/content.js +++ b/core/server/services/auth/api-key/content.js @@ -2,7 +2,7 @@ const models = require('../../../models'); const errors = require('@tryghost/errors'); const {i18n} = require('../../../lib/common'); -const authenticateContentApiKey = function authenticateContentApiKey(req, res, next) { +const authenticateContentApiKey = async function authenticateContentApiKey(req, res, next) { // allow fallthrough to other auth methods or final ensureAuthenticated check if (!req.query || !req.query.key) { return next(); @@ -17,7 +17,9 @@ const authenticateContentApiKey = function authenticateContentApiKey(req, res, n let key = req.query.key; - models.ApiKey.findOne({secret: key}).then((apiKey) => { + try { + const apiKey = await models.ApiKey.findOne({secret: key}); + if (!apiKey) { return next(new errors.UnauthorizedError({ message: i18n.t('errors.middleware.auth.unknownContentApiKey'), @@ -34,10 +36,11 @@ const authenticateContentApiKey = function authenticateContentApiKey(req, res, n // authenticated OK, store the api key on the request for later checks and logging req.api_key = apiKey; + next(); - }).catch((err) => { + } catch (err) { next(new errors.InternalServerError({err})); - }); + } }; module.exports = {