Fix cli api key auth (#762)

nucleuscloud · Dec 6, 2023 · 088ec8e · 088ec8e
1 parent cd4c7ef
commit 088ec8e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/backend/internal/auth/apikey/client.go b/backend/internal/auth/apikey/client.go
@@ -48,7 +48,10 @@ func (c *Client) InjectTokenCtx(ctx context.Context, header http.Header) (contex
 		return nil, InvalidApiKeyErr
 	}
 
-	apiKey, err := c.q.GetAccountApiKeyByKeyValue(ctx, c.db, token)
+	hashedKeyValue := utils.ToSha256(
+		token,
+	)
+	apiKey, err := c.q.GetAccountApiKeyByKeyValue(ctx, c.db, hashedKeyValue)
 	if err != nil {
 		return nil, err
 	}

diff --git a/backend/internal/auth/apikey/client_test.go b/backend/internal/auth/apikey/client_test.go
@@ -13,6 +13,7 @@ import (
 	db_queries "github.com/nucleuscloud/neosync/backend/gen/go/db"
 	"github.com/nucleuscloud/neosync/backend/internal/apikey"
 	"github.com/nucleuscloud/neosync/backend/internal/nucleusdb"
+	"github.com/nucleuscloud/neosync/backend/internal/utils"
 	"github.com/stretchr/testify/mock"
 	"github.com/zeebo/assert"
 )
@@ -31,13 +32,16 @@ func Test_Client_InjectTokenCtx(t *testing.T) {
 	client := New(mockQuerier, mockDbTx)
 
 	fakeToken := apikey.NewV1AccountKey()
+	hashedFakeToken := utils.ToSha256(
+		fakeToken,
+	)
 	expiresAt, err := nucleusdb.ToTimestamp(time.Now().Add(5 * time.Minute))
 	assert.NoError(t, err)
 	apiKeyRecord := db_queries.NeosyncApiAccountApiKey{
 		ID:        pgtype.UUID{Valid: true},
 		ExpiresAt: expiresAt,
 	}
-	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, fakeToken).
+	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, hashedFakeToken).
 		Return(apiKeyRecord, nil)
 
 	newctx, err := client.InjectTokenCtx(context.Background(), http.Header{
@@ -66,13 +70,16 @@ func Test_Client_InjectTokenCtx_Expired(t *testing.T) {
 	client := New(mockQuerier, mockDbTx)
 
 	fakeToken := apikey.NewV1AccountKey()
+	hashedFakeToken := utils.ToSha256(
+		fakeToken,
+	)
 	expiresAt, err := nucleusdb.ToTimestamp(time.Now().Add(-5 * time.Second))
 	assert.NoError(t, err)
 	apiKeyRecord := db_queries.NeosyncApiAccountApiKey{
 		ID:        pgtype.UUID{Valid: true},
 		ExpiresAt: expiresAt,
 	}
-	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, fakeToken).
+	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, hashedFakeToken).
 		Return(apiKeyRecord, nil)
 
 	newctx, err := client.InjectTokenCtx(context.Background(), http.Header{
@@ -109,8 +116,11 @@ func Test_Client_InjectTokenCtx_NotFoundKeyValue(t *testing.T) {
 	client := New(mockQuerier, mockDbTx)
 
 	fakeToken := apikey.NewV1AccountKey()
+	hashedFakeToken := utils.ToSha256(
+		fakeToken,
+	)
 
-	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, fakeToken).
+	mockQuerier.On("GetAccountApiKeyByKeyValue", mock.Anything, mock.Anything, hashedFakeToken).
 		Return(db_queries.NeosyncApiAccountApiKey{}, pgx.ErrNoRows)
 
 	newctx, err := client.InjectTokenCtx(context.Background(), http.Header{

diff --git a/cli/internal/auth/tokens.go b/cli/internal/auth/tokens.go
@@ -26,7 +26,7 @@ func GetAuthHeaderTokenFn(
 ) func(ctx context.Context) (string, error) {
 	return func(ctx context.Context) (string, error) {
 		if apiKey != nil && *apiKey != "" {
-			return *apiKey, nil
+			return fmt.Sprintf("Bearer %s", *apiKey), nil
 		}
 		return getAuthHeaderToken(ctx)
 	}