Protected against empty admin api key

refs #9865
2024-11-28 05:37:34 +03:00 · 2019-01-18 17:32:41 +01:00 · 2019-01-18 17:32:41 +01:00 · 3f758c6a0a
commit 3f758c6a0a
parent 1b5b95e198
3 changed files with 12 additions and 3 deletions
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@ -61,6 +61,13 @@ const authenticate = (req, res, next) => {

    const apiKeyId = decoded.payload.kid;

+    if (!apiKeyId) {
+        return next(new common.errors.BadRequestError({
+            message: common.i18n.t('errors.middleware.auth.adminApiKeyMissing'),
+            code: 'MISSING_ADMIN_API_KEY'
+        }));
+    }
+
    models.ApiKey.findOne({id: apiKeyId}).then((apiKey) => {
        if (!apiKey) {
            return next(new common.errors.UnauthorizedError({
--- a/core/server/translations/en.json
+++ b/core/server/translations/en.json
@ -79,6 +79,7 @@
                "accessDenied": "Access denied.",
                "pleaseSignIn": "Please Sign In",
                "pleaseSignInOrAuthenticate": "Please sign in or authenticate with an API Key",
+                "adminApiKeyMissing": "Admin API Key missing.",
                "unknownAdminApiKey": "Unknown Admin API Key",
                "unknownContentApiKey": "Unknown Content API Key",
                "invalidApiKeyType": "Invalid API Key type",
--- a/core/test/unit/services/auth/api-key/admin_spec.js
+++ b/core/test/unit/services/auth/api-key/admin_spec.js
@ -96,12 +96,13 @@ describe('Admin API Key Auth', function () {
    });

    it('shouldn\'t authenticate with invalid/unknown key', function (done) {
-        const token = jwt.sign({}, this.secret, {
+        const token = jwt.sign({
+            kid: 'unknown'
+        }, this.secret, {
            algorithm: 'HS256',
            expiresIn: '5m',
            audience: '/test/',
-            issuer: 'unknown',
-            keyid: 'unknown'
+            issuer: 'unknown'
        });

        const req = {