minimum attempt to protect /api/v2/ endpoints (nightscout#7554)

bewest · sulkaharo · web-flow · commit 3b7528a8edba · 2023-01-27T08:42:26.000+02:00
* minimum attempt to protect /api/v2/ endpoints These endpoints should be protected as reported in nightscout#7546. * remove spurious line Co-authored-by: Sulka Haro <sulka@sulka.net>
diff --git a/lib/api/properties.js b/lib/api/properties.js
@@ -18,6 +18,8 @@ function create (env, ctx) {
    *
    * Expecting to define extended syntax and support for several query params
    */
+  properties.use(ctx.authorization.isPermitted('api:entries:read'),
+    ctx.authorization.isPermitted('api:treatments:read'));
   properties.get(['/', '/*'], function getProperties (req, res) {
 
     var sbx = sandbox.serverInit(env, ctx);
@@ -57,4 +59,4 @@ function create (env, ctx) {
   return properties;
 }
 
-module.exports = create;
+module.exports = create;
diff --git a/lib/data/endpoints.js b/lib/data/endpoints.js
@@ -64,6 +64,8 @@ function configure (app, ctx) {
     next( );
   });
 
+  api.use(ctx.authorization.isPermitted('api:entries:read'),
+    ctx.authorization.isPermitted('api:treatments:read'));
   api.get('/at/:at?', ensure_at, get_ddata, format_result);
 
   return api;

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,8 @@ function create (env, ctx) {`
`18`	`18`	`*`
`19`	`19`	`* Expecting to define extended syntax and support for several query params`
`20`	`20`	`*/`
	`21`	`+ properties.use(ctx.authorization.isPermitted('api:entries:read'),`
	`22`	`+ ctx.authorization.isPermitted('api:treatments:read'));`
`21`	`23`	`properties.get(['/', '/*'], function getProperties (req, res) {`
`22`	`24`
`23`	`25`	`var sbx = sandbox.serverInit(env, ctx);`
`@@ -57,4 +59,4 @@ function create (env, ctx) {`
`57`	`59`	`return properties;`
`58`	`60`	`}`
`59`	`61`
`60`		`-module.exports = create;`
	`62`	`+module.exports = create;`