Only allow basic auth credentials with a known appId (#2574)

gyratorycircus · flovilmart · commit 2aa14adf876b · 2016-08-25T13:04:23.000-04:00
* Only allow basic auth credentials with a known appId

* Update middlewares.js

* Updating basic auth tests to use valid appId
diff --git a/spec/index.spec.js b/spec/index.spec.js
@@ -26,27 +26,31 @@ describe('server', () => {
   });
 
   it('support http basic authentication with masterkey', done => {
-    request.get({
-      url: 'http://localhost:8378/1/classes/TestObject',
-      headers: {
-      	'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
-      }
-    }, (error, response, body) => {
-      expect(response.statusCode).toEqual(200);
-      done();
-    });
+    reconfigureServer({ appId: 'test' }).then(() => {
+      request.get({
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Authorization': 'Basic ' + new Buffer('test:' + 'test').toString('base64')
+        }
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(200);
+        done();
+      });
+    })
   });
 
   it('support http basic authentication with javascriptKey', done => {
-    request.get({
-      url: 'http://localhost:8378/1/classes/TestObject',
-      headers: {
-      	'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
-      }
-    }, (error, response, body) => {
-      expect(response.statusCode).toEqual(200);
-      done();
-    });
+    reconfigureServer({ appId: 'test' }).then(() => {
+      request.get({
+        url: 'http://localhost:8378/1/classes/TestObject',
+        headers: {
+          'Authorization': 'Basic ' + new Buffer('test:javascript-key=' + 'test').toString('base64')
+        }
+      }, (error, response, body) => {
+        expect(response.statusCode).toEqual(200);
+        done();
+      });
+    })
   });
 
   it('fails if database is unreachable', done => {
diff --git a/src/middlewares.js b/src/middlewares.js
@@ -31,9 +31,12 @@ export function handleParseHeaders(req, res, next) {
   var basicAuth = httpAuth(req);
 
   if (basicAuth) {
-    info.appId = basicAuth.appId
-    info.masterKey = basicAuth.masterKey || info.masterKey;
-    info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+    var basicAuthAppId = basicAuth.appId;
+    if (AppCache.get(basicAuthAppId)) {
+      info.appId = basicAuthAppId;
+      info.masterKey = basicAuth.masterKey || info.masterKey;
+      info.javascriptKey = basicAuth.javascriptKey || info.javascriptKey;
+    }
   }
 
   if (req.body) {
