fix: HASSU-977-api-sivujen-autentikaatio (#357)

* add validation for testapi calls
finnishtransportagency · Sep 9, 2022 · 0ec08a4 · 0ec08a4
1 parent dda6393
commit 0ec08a4
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 5 deletions.
diff --git a/src/pages/api/test/[oid]/nahtavillaolomenneisyyteen.dev.ts b/src/pages/api/test/[oid]/nahtavillaolomenneisyyteen.dev.ts
@@ -1,10 +1,10 @@
 import { NextApiRequest, NextApiResponse } from "next";
 import { projektiDatabase } from "../../../../../backend/src/database/projektiDatabase";
-import { validateCredentials } from "../../../../util/basicAuthentication";
+import { validateApiCredentials } from "../../../../util/basicAuthentication";
 
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   let environment = process.env.ENVIRONMENT;
-  if ((environment == "dev" || environment == "test") && !(await validateCredentials(req.headers.authorization))) {
+  if ((environment == "dev" || environment == "test") && !(await validateApiCredentials(req.headers.authorization))) {
     res.status(401);
     res.setHeader("www-authenticate", "Basic");
 

diff --git a/src/util/basicAuthentication.ts b/src/util/basicAuthentication.ts
@@ -1,13 +1,12 @@
+import { getCredentials } from "./apiUtil";
 import { parameterStore } from "./parameterStore";
 
 export function createAuthorizationHeader(username: string, password: string) {
   return "Basic " + Buffer.from(username + ":" + password, "binary").toString("base64");
 }
 
 export async function validateCredentials(authorization: string | undefined): Promise<boolean> {
-  let configuredCredentials: string[] | undefined = (
-    await parameterStore.getParameter("/IlmoitustauluSyoteCredentials")
-  )?.split("\n");
+  let configuredCredentials: string[] | undefined = (await parameterStore.getParameter("/IlmoitustauluSyoteCredentials"))?.split("\n");
   if (!configuredCredentials || !authorization) {
     return false;
   }
@@ -23,3 +22,11 @@ export async function validateCredentials(authorization: string | undefined): Pr
   }
   return false;
 }
+
+export async function validateApiCredentials(authorization: string | undefined): Promise<boolean> {
+  let configuredCredentials: { username: string; password: string } = await getCredentials();
+  if (!configuredCredentials || !authorization) {
+    return false;
+  }
+  return authorization == createAuthorizationHeader(configuredCredentials.username, configuredCredentials.password);
+}