diff --git a/website/client/components/settings/promoCode.vue b/website/client/components/settings/promoCode.vue index 2e4439ae01..fd12622856 100644 --- a/website/client/components/settings/promoCode.vue +++ b/website/client/components/settings/promoCode.vue @@ -40,7 +40,7 @@ export default { ...mapState({user: 'user.data', credentials: 'credentials'}), getCodesUrl () { if (!this.user) return ''; - return `/api/v4/coupons?_id=${this.user._id}&apiToken=${this.credentials.API_TOKEN}`; + return '/api/v4/coupons'; }, }, methods: { diff --git a/website/client/mixins/payments.js b/website/client/mixins/payments.js index 8d5662c026..71078350fc 100644 --- a/website/client/mixins/payments.js +++ b/website/client/mixins/payments.js @@ -13,10 +13,10 @@ export default { ...mapState(['credentials']), // @TODO refactor into one single computed property paypalCheckoutLink () { - return `/paypal/checkout?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}`; + return '/paypal/checkout'; }, paypalSubscriptionLink () { - return `/paypal/subscribe?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&sub=${this.subscriptionPlan}`; + return `/paypal/subscribe?sub=${this.subscriptionPlan}`; }, paypalPurchaseLink () { if (!this.subscription) { @@ -26,7 +26,7 @@ export default { } let couponString = ''; if (this.subscription.coupon) couponString = `&coupon=${this.subscription.coupon}`; - return `/paypal/subscribe?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&sub=${this.subscription.key}${couponString}`; + return `/paypal/subscribe?sub=${this.subscription.key}${couponString}`; }, }, methods: { @@ -39,7 +39,7 @@ export default { if (!this.checkGemAmount(data)) return; let gift = this.encodeGift(data.giftedTo, data.gift); - const url = `/paypal/checkout?_id=${this.credentials.API_ID}&apiToken=${this.credentials.API_TOKEN}&gift=${gift}`; + const url = `/paypal/checkout?gift=${gift}`; window.open(url, '_blank'); }, @@ -210,8 +210,6 @@ export default { } let queryParams = { - _id: this.user._id, - apiToken: this.credentials.API_TOKEN, noRedirect: true, }; diff --git a/website/server/controllers/top-level/payments/amazon.js b/website/server/controllers/top-level/payments/amazon.js index 660569135a..c2d5d09ffd 100644 --- a/website/server/controllers/top-level/payments/amazon.js +++ b/website/server/controllers/top-level/payments/amazon.js @@ -4,7 +4,6 @@ import { import amzLib from '../../../libs/payments/amazon'; import { authWithHeaders, - authWithUrl, } from '../../../middlewares/auth'; import shared from '../../../../common'; @@ -128,7 +127,7 @@ api.subscribe = { api.subscribeCancel = { method: 'GET', url: '/amazon/subscribe/cancel', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; let groupId = req.query.groupId; diff --git a/website/server/controllers/top-level/payments/iap.js b/website/server/controllers/top-level/payments/iap.js index adca65e23c..f6f6a3653c 100644 --- a/website/server/controllers/top-level/payments/iap.js +++ b/website/server/controllers/top-level/payments/iap.js @@ -1,6 +1,5 @@ import { authWithHeaders, - authWithUrl, } from '../../../middlewares/auth'; import { BadRequest, @@ -21,7 +20,7 @@ let api = {}; api.iapAndroidVerify = { method: 'POST', url: '/iap/android/verify', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; let iapBody = req.body; @@ -41,7 +40,7 @@ api.iapAndroidVerify = { api.iapSubscriptionAndroid = { method: 'POST', url: '/iap/android/subscribe', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { if (!req.body.sku) throw new BadRequest(res.t('missingSubscriptionCode')); let user = res.locals.user; @@ -62,7 +61,7 @@ api.iapSubscriptionAndroid = { api.iapCancelSubscriptionAndroid = { method: 'GET', url: '/iap/android/subscribe/cancel', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; @@ -104,7 +103,7 @@ api.iapiOSVerify = { api.iapSubscriptioniOS = { method: 'POST', url: '/iap/ios/subscribe', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { if (!req.body.sku) throw new BadRequest(res.t('missingSubscriptionCode')); if (!req.body.receipt) throw new BadRequest(res.t('missingReceipt')); @@ -124,7 +123,7 @@ api.iapSubscriptioniOS = { api.iapCancelSubscriptioniOS = { method: 'GET', url: '/iap/ios/subscribe/cancel', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; diff --git a/website/server/controllers/top-level/payments/paypal.js b/website/server/controllers/top-level/payments/paypal.js index cb3f9a00af..6461bccc79 100644 --- a/website/server/controllers/top-level/payments/paypal.js +++ b/website/server/controllers/top-level/payments/paypal.js @@ -2,8 +2,8 @@ import paypalPayments from '../../../libs/payments/paypal'; import shared from '../../../../common'; import { - authWithUrl, authWithSession, + authWithHeaders, } from '../../../middlewares/auth'; import { BadRequest, @@ -21,7 +21,7 @@ let api = {}; api.checkout = { method: 'GET', url: '/paypal/checkout', - middlewares: [authWithUrl], + middlewares: [authWithSession], async handler (req, res) { let gift = req.query.gift ? JSON.parse(req.query.gift) : undefined; req.session.gift = req.query.gift; @@ -75,7 +75,7 @@ api.checkoutSuccess = { api.subscribe = { method: 'GET', url: '/paypal/subscribe', - middlewares: [authWithUrl], + middlewares: [authWithSession], async handler (req, res) { if (!req.query.sub) throw new BadRequest(apiError('missingSubKey')); @@ -136,7 +136,7 @@ api.subscribeSuccess = { api.subscribeCancel = { method: 'GET', url: '/paypal/subscribe/cancel', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; let groupId = req.query.groupId; diff --git a/website/server/controllers/top-level/payments/stripe.js b/website/server/controllers/top-level/payments/stripe.js index 216129ed76..9cac98ce3c 100644 --- a/website/server/controllers/top-level/payments/stripe.js +++ b/website/server/controllers/top-level/payments/stripe.js @@ -1,7 +1,6 @@ import shared from '../../../../common'; import { authWithHeaders, - authWithUrl, } from '../../../middlewares/auth'; import stripePayments from '../../../libs/payments/stripe'; @@ -74,7 +73,7 @@ api.subscribeEdit = { api.subscribeCancel = { method: 'GET', url: '/stripe/subscribe/cancel', - middlewares: [authWithUrl], + middlewares: [authWithHeaders()], async handler (req, res) { let user = res.locals.user; let groupId = req.query.groupId; diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js index 301f14ea5e..906c8f42e9 100644 --- a/website/server/middlewares/auth.js +++ b/website/server/middlewares/auth.js @@ -97,26 +97,3 @@ export function authWithSession (req, res, next) { }) .catch(next); } - -export function authWithUrl (req, res, next) { - let userId = req.query._id; - let apiToken = req.query.apiToken; - - // Always allow authentication with headers - if (!userId || !apiToken) { - if (!req.header('x-api-user') || !req.header('x-api-key')) { - return next(new NotAuthorized(res.t('missingAuthParams'))); - } else { - return authWithHeaders()(req, res, next); - } - } - - return User.findOne({ _id: userId, apiToken }).exec() - .then((user) => { - if (!user) throw new NotAuthorized(res.t('invalidCredentials')); - - res.locals.user = user; - return next(); - }) - .catch(next); -}