From ba96cd6e245d1789de89638eaf6629759770d3ea Mon Sep 17 00:00:00 2001 From: SabreCat Date: Tue, 22 Aug 2023 12:24:16 -0500 Subject: [PATCH] Squashed commit of the following: commit 22971a0c0bd1c25e147fdc9d662fd55ca522193b Author: SabreCat Date: Fri Aug 18 21:13:49 2023 -0500 fix(auth): don't mix include/exclude commit efbb8fa136587a4c781660246cb426968cfe108a Author: SabreCat Date: Fri Aug 18 20:51:30 2023 -0500 refactor(auth): remove unneeded query field --- website/server/middlewares/auth.js | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/website/server/middlewares/auth.js b/website/server/middlewares/auth.js index cf7804cf20..88f137aa66 100644 --- a/website/server/middlewares/auth.js +++ b/website/server/middlewares/auth.js @@ -65,18 +65,22 @@ export function authWithHeaders (options = {}) { return next(new NotAuthorized(res.t('missingAuthHeaders'))); } - const userQuery = { - _id: userId, - apiToken, - }; + const userQuery = { _id: userId }; + + let fields = getUserFields(options, req); + // If the request didn't include the API Token, retrieve it for validation + if (fields && fields.indexOf('apiToken') === -1 && fields.indexOf('-') === -1) { + fields = `${fields} apiToken`; + } - const fields = getUserFields(options, req); const findPromise = fields ? User.findOne(userQuery).select(fields) : User.findOne(userQuery); return findPromise .exec() .then(user => { - if (!user) throw new NotAuthorized(res.t('invalidCredentials')); + if (!user || apiToken !== user.apiToken) { + throw new NotAuthorized(res.t('invalidCredentials')); + } if (user.auth.blocked) { // We want the accountSuspended message to be translated but the language