From 1c7508ffc5cf3ca324c568bc36a0ed7cf9bc7a28 Mon Sep 17 00:00:00 2001
From: Dragory <2606411+Dragory@users.noreply.github.com>
Date: Mon, 22 Jul 2019 00:49:05 +0300
Subject: [PATCH] Fix overzealous auth requirement in API
---
 src/api/auth.ts | 8 ++------
 src/api/guilds.ts | 13 ++++---------
 2 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/src/api/auth.ts b/src/api/auth.ts
index 2795ae78..4449e523 100644
--- a/src/api/auth.ts
+++ b/src/api/auth.ts
@@ -134,13 +134,13 @@ export function initAuth(app: express.Express) {
 res.json({ valid: true });
 });
- app.post("/auth/logout", ...getRequireAPITokenHandlers(), async (req: Request, res: Response) => {
+ app.post("/auth/logout", ...apiTokenAuthHandlers(), async (req: Request, res: Response) => {
 await apiLogins.expireApiKey(req.user.apiKey);
 return ok(res);
 });
 }
-function getRequireAPITokenHandlers() {
+export function apiTokenAuthHandlers() {
 return [
 passport.authenticate("api-token", { failWithError: true }),
 (err, req, res, next) => {
@@ -148,7 +148,3 @@ function getRequireAPITokenHandlers() {
 },
 ];
 }
-
-export function requireAPIToken(router: express.Router) {
- router.use(...getRequireAPITokenHandlers());
-}
diff --git a/src/api/guilds.ts b/src/api/guilds.ts
index 9f314820..48b31b2b 100644
--- a/src/api/guilds.ts
+++ b/src/api/guilds.ts
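Review bot: Exporting `apiTokenAuthHandlers()` and spreading it into each route turns the previous router-wide `router.use` guard into an opt-in guard, so any route registered on `app` later without the spread is reachable without a token; that is the intended fix, but nothing in the code records it, and the exported function carries neither a return type nor a doc comment. I would add above the export: `/** Per-route API-token guard (passport "api-token" strategy plus its error handler). Every authenticated route must spread this in explicitly; a route that omits it is public. */`. The inline error handler's `(err, req, res, next)` parameters are implicit `any`, which `noImplicitAny` rejects; annotating them as `(err: unknown, req: Request, res: Response, next: NextFunction)` keeps the array's element type inferable, provided `NextFunction` is imported from express alongside `Request`/`Response`. The error handler's body continues in the following hunk, and `initAuth` begins before this one.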
@@ -1,28 +1,25 @@
 import express from "express";
 import passport from "passport";
 import { AllowedGuilds } from "../data/AllowedGuilds";
-import { requireAPIToken } from "./auth";
 import { ApiPermissions } from "../data/ApiPermissions";
 import { clientError, error, ok, serverError, unauthorized } from "./responses";
 import { Configs } from "../data/Configs";
 import { ApiRoles } from "../data/ApiRoles";
 import { validateGuildConfig } from "../configValidator";
 import yaml, { YAMLException } from "js-yaml";
+import { apiTokenAuthHandlers } from "./auth";
 export function initGuildsAPI(app: express.Express) {
- const guildAPIRouter = express.Router();
- requireAPIToken(guildAPIRouter);
-
 const allowedGuilds = new AllowedGuilds();
 const apiPermissions = new ApiPermissions();
 const configs = new Configs();
- guildAPIRouter.get("/guilds/available", async (req, res) => {
+ app.get("/guilds/available", ...apiTokenAuthHandlers(), async (req, res) => {
 const guilds = await allowedGuilds.getForApiUser(req.user.userId);
 res.json(guilds);
 });
- guildAPIRouter.get("/guilds/:guildId/config", async (req, res) => {
+ app.get("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
 const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
 if (!permissions) return unauthorized(res);
@@ -30,7 +27,7 @@ export function initGuildsAPI(app: express.Express) {
 res.json({ config: config ? config.config : "" });
 });
- guildAPIRouter.post("/guilds/:guildId/config", async (req, res) => {
+ app.post("/guilds/:guildId/config", ...apiTokenAuthHandlers(), async (req, res) => {
 const permissions = await apiPermissions.getByGuildAndUserId(req.params.guildId, req.user.userId);
 if (!permissions || ApiRoles[permissions.role] < ApiRoles.Editor) return unauthorized(res);
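Review bot: The re-registered `app.get`/`app.post` lines hand `async (req, res)` handlers directly to Express; under Express 4 a rejected promise from `allowedGuilds.getForApiUser` or `apiPermissions.getByGuildAndUserId` is not forwarded to the error middleware, so the request hangs and the rejection goes unhandled (Express 5 forwards it, but the version in use is not visible here). A one-line wrapper, `const wrapAsync = (fn: express.RequestHandler): express.RequestHandler => (req, res, next) => { Promise.resolve(fn(req, res, next)).catch(next); };`, applied as `app.get("/guilds/available", ...apiTokenAuthHandlers(), wrapAsync(async (req, res) => {` on each of the three registrations would turn such failures into a normal error response. Separately, `import passport from "passport"` at the top is referenced by nothing in these hunks; if the rest of the file does not use it either, it can go now that the router is gone. `initGuildsAPI` continues past the end of this hunk.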
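Review bot: The editor check on the hunk's last line, `ApiRoles[permissions.role] < ApiRoles.Editor`, fails open for a role value that is not a key of `ApiRoles`: the lookup yields `undefined`, `undefined < ApiRoles.Editor` is `false`, and the save proceeds; this assumes `ApiRoles` is a numeric lookup, which the `<` comparison suggests but the page does not show. The line itself is unchanged by this commit, but the registration it belongs to was just rewritten to `app.post`, so it is worth tightening at the same time: `if (!permissions) return unauthorized(res);`, then `const rank = ApiRoles[permissions.role];`, then `if (rank === undefined || rank < ApiRoles.Editor) return unauthorized(res);`. The handler body continues past the hunk.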
@@ -69,6 +66,4 @@ export function initGuildsAPI(app: express.Express) {
 await configs.saveNewRevision(`guild-${req.params.guildId}`, config, req.user.userId);
 ok(res);
 });
-
- app.use(guildAPIRouter);
 }