unee-t / frontend

Meteor front end

https://case.dev.unee-t.com/

req.query.accessToken should be a req.headers.authorization check instead on POST

kaihendry opened this issue 5 years ago · comments

Kai Hendry commented 5 years ago

I was wondering why in https://github.com/unee-t/lambda2sns APIAccessToken was used as get parameters as well as a header -H "Authorization: Bearer XXXXX".

I removed the parameter assuming both ways would work & Iit didn't. I can see now there is no code to check req.headers.authorization in the POST request for example in

frontend/imports/api/rest/post-process-api-payload-request.js

Lines 663 to 666 in eb78cb6

    
           if (req.query.accessToken !== process.env.API_ACCESS_TOKEN) { 
        
             res.send(401, 'Invalid access token') 
        
             return 
        
           }

frontend/imports/api/rest/post-process-db-change-message.js

Lines 84 to 87 in eb78cb6

    
           if (req.query.accessToken !== process.env.API_ACCESS_TOKEN) { 
        
             res.send(401) 
        
             return 
        
           }

So be good to update the code to support Authorization for two reasons:

get auth parameters isn't the norm for POST
also helps not put credentials in my logs