defmodule PlausibleWeb.AuthorizeSitesApiPlug do import Plug.Conn use Plausible.Repo alias Plausible.Auth.ApiKey alias PlausibleWeb.Api.Helpers, as: H def init(options) do options end def call(conn, _opts) do with {:ok, raw_api_key} <- get_bearer_token(conn), {:ok, api_key} <- verify_access(raw_api_key) do assign(conn, :current_user_id, api_key.user_id) else {:error, :missing_api_key} -> H.unauthorized( conn, "Missing API key. Please use a valid Plausible API key as a Bearer Token." ) {:error, :invalid_api_key} -> H.unauthorized( conn, "Invalid API key. Please make sure you're using a valid API key with access to the resource you've requested." ) end end defp verify_access(api_key) do hashed_key = ApiKey.do_hash(api_key) found_key = Repo.one( from a in ApiKey, where: a.key_hash == ^hashed_key, where: fragment("? @> ?", a.scopes, ["sites:provision:*"]) ) cond do found_key -> {:ok, found_key} true -> {:error, :invalid_api_key} end end defp get_bearer_token(conn) do authorization_header = Plug.Conn.get_req_header(conn, "authorization") |> List.first() case authorization_header do "Bearer " <> token -> {:ok, String.trim(token)} _ -> {:error, :missing_api_key} end end end