maxp/lt-auth-proxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity

fix(auth): validate API key from POST body and handle content type

Browse Source 
- Switch API key validation to use POST body parameters
- Add support for `application/x-www-form-urlencoded` content type
- Store parsed body in context state for further use
- Reject unsupported content types with 415 status
This commit is contained in:
0xMax42
2025-05-11 10:59:39 +02:00
parent 60dcc30c0d
commit 4326a2d92c
2 changed files with 45 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
src/__tests__/ltProxyAuth.test.ts
View File

@@ -6,11 +6,19 @@ import { ltProxyAuth } from '../ltProxyAuth.ts';
Deno.test('ltProxyAuth: accepts valid API key', async () => {
Deno.env.set('API_KEYS', 'valid123');
const req = new Request('http://localhost/?apiKey=valid123');
const body = new URLSearchParams({ apiKey: 'valid123' });
const req = new Request('http://localhost/', {
method: 'POST',
headers: {
'content-type': 'application/x-www-form-urlencoded',
},
body,
});
const ctx: IContext = {
req,
params: {},
query: { apiKey: 'valid123' },
query: {},
state: {},
};
@@ -26,11 +34,19 @@ Deno.test('ltProxyAuth: accepts valid API key', async () => {
Deno.test('ltProxyAuth: rejects invalid API key', async () => {
Deno.env.set('API_KEYS', 'valid123');
const req = new Request('http://localhost/?apiKey=invalid456');
const body = new URLSearchParams({ apiKey: 'invalid456' });
const req = new Request('http://localhost/', {
method: 'POST',
headers: {
'content-type': 'application/x-www-form-urlencoded',
},
body,
});
const ctx: IContext = {
req,
params: {},
query: { apiKey: 'invalid456' },
query: {},
state: {},
};
@@ -46,7 +62,15 @@ Deno.test('ltProxyAuth: rejects invalid API key', async () => {
Deno.test('ltProxyAuth: rejects missing API key', async () => {
Deno.env.set('API_KEYS', 'valid123');
const req = new Request('http://localhost/');
const body = new URLSearchParams({ text: 'nur text ohne apiKey' });
const req = new Request('http://localhost/', {
method: 'POST',
headers: {
'content-type': 'application/x-www-form-urlencoded',
},
body,
});
const ctx: IContext = {
req,
params: {},
@@ -60,4 +84,5 @@ Deno.test('ltProxyAuth: rejects missing API key', async () => {
);
assertEquals(response.status, 403);
assertEquals(await response.text(), 'Forbidden – Invalid API key');
});

22
src/ltProxyAuth.ts
View File

@@ -2,17 +2,25 @@ import { Middleware } from 'http-kernel/Types/mod.ts';
import { Env } from './env.ts';
/**
* Middleware that checks for a valid API key via ?apiKey=... query/form param.
* Rejects request with 403 if the key is missing or invalid.
* Middleware that checks for a valid API key via form param.
* Also stores the body in ctx.state.body for later use.
*/
export const authMiddleware: Middleware = async (ctx, next) => {
const key = ctx.query.apiKey;
const contentType = ctx.req.headers.get('content-type') || '';
// Support both ?apiKey=... and form body with apiKey=...
const extractedKey = Array.isArray(key) ? key[0] : key;
if (contentType.includes('application/x-www-form-urlencoded')) {
const bodyBuffer = await ctx.req.arrayBuffer();
ctx.state.body = new Uint8Array(bodyBuffer);
if (!extractedKey || !Env.apiKeys.includes(extractedKey)) {
return new Response('Forbidden – Invalid API key', { status: 403 });
const text = new TextDecoder().decode(ctx.state.body as Uint8Array);
const params = new URLSearchParams(text);
const key = params.get('apiKey');
if (!key || !Env.apiKeys.includes(key)) {
return new Response('Forbidden – Invalid API key', { status: 403 });
}
} else {
return new Response('Unsupported content type', { status: 415 });
}
return await next();