archetecture security fix
This commit is contained in:
+31
@@ -0,0 +1,31 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.requireApiKey = requireApiKey;
|
||||
const prisma_1 = require("../lib/prisma");
|
||||
const apiKeys_1 = require("../security/apiKeys");
|
||||
async function requireApiKey(req, res, next) {
|
||||
const apiKey = req.headers['x-api-key'];
|
||||
if (!apiKey) {
|
||||
return res.status(401).json({ error: 'missing_api_key', message: 'API key required in x-api-key header', statusCode: 401 });
|
||||
}
|
||||
const prefix = (0, apiKeys_1.getApiKeyPrefix)(apiKey);
|
||||
if (!prefix) {
|
||||
return res.status(401).json({ error: 'invalid_api_key', message: 'Invalid API key', statusCode: 401 });
|
||||
}
|
||||
const keyRecord = await prisma_1.prisma.companyApiKey.findUnique({
|
||||
where: { prefix },
|
||||
include: { company: true },
|
||||
});
|
||||
const hashed = (0, apiKeys_1.hashApiKey)(apiKey);
|
||||
if (!keyRecord || keyRecord.revokedAt || !(0, apiKeys_1.timingSafeEqualHex)(hashed, keyRecord.keyHash)) {
|
||||
return res.status(401).json({ error: 'invalid_api_key', message: 'Invalid API key', statusCode: 401 });
|
||||
}
|
||||
await prisma_1.prisma.companyApiKey.update({
|
||||
where: { id: keyRecord.id },
|
||||
data: { lastUsedAt: new Date() },
|
||||
});
|
||||
req.company = keyRecord.company;
|
||||
req.companyId = keyRecord.companyId;
|
||||
next();
|
||||
}
|
||||
//# sourceMappingURL=requireApiKey.js.map
|
||||
Reference in New Issue
Block a user