Previously, suspended users could continue using browser extension endpoints if they had created an API key before suspension. The normal JWT session path blocked suspended users, but the browser extension middleware did not. Changes: - Add suspension and user existence checks to validBrowserExtensionApiKey - Delete browser extension API keys when a user is deleted - Add deleteAllForUser method to BrowserExtensionApiKey model GHSA-7754-8jcc-2rg3
const {
BrowserExtensionApiKey,
} = require("../../models/browserExtensionApiKey");
const { SystemSettings } = require("../../models/systemSettings");
const { User } = require("../../models/user");
/**
 * Express middleware that authenticates browser-extension requests using
 * the bearer key carried in the `Authorization` header.
 *
 * `response.locals.multiUserMode` is populated on every call, including
 * rejected ones. On success `response.locals.apiKey` is set (and, in
 * multi-user mode, `response.locals.user`) before `next()` is called.
 *
 * Rejections (response is ended, `next()` is not called):
 *   - 403 `"No valid API key found."` — header missing or key fails validation;
 *   - 403 `"User not found."` — multi-user mode, key owner no longer exists;
 *   - 401 `"User is suspended from system"` — multi-user mode, key owner is
 *     suspended.
 *
 * @param {import("express").Request} request
 * @param {import("express").Response} response
 * @param {import("express").NextFunction} next
 */
async function validBrowserExtensionApiKey(request, response, next) {
  const multiUserMode = await SystemSettings.isMultiUserMode();
  response.locals.multiUserMode = multiUserMode;

  // Single exit path for every rejection: status code plus JSON error body.
  const reject = (status, message) => {
    response.status(status).json({ error: message });
  };

  // Only the token half of "<scheme> <key>" is used.
  // NOTE(review): the scheme itself (e.g. "Bearer") is not verified here.
  const rawAuth = request.header("Authorization");
  const [, bearerKey = null] = rawAuth ? rawAuth.split(" ") : [];
  if (!bearerKey) return reject(403, "No valid API key found.");

  const apiKey = await BrowserExtensionApiKey.validate(bearerKey);
  if (!apiKey) return reject(403, "No valid API key found.");

  if (multiUserMode) {
    const user = await User.get({ id: apiKey.user_id });
    if (!user) return reject(403, "User not found.");

    // A key minted before the owner was suspended must not keep working:
    // the JWT session path already rejects suspended users, so this
    // middleware has to enforce the same rule.
    if (user.suspended) return reject(401, "User is suspended from system");

    response.locals.user = user;
  }
  // In single-user mode no user lookup is performed and
  // `response.locals.user` is left unset.

  response.locals.apiKey = apiKey;
  next();
}
module.exports = { validBrowserExtensionApiKey };