feat: migrate MDAPI to use OAuth tokens

guardian · Jan 18, 2024 · c1e6213 · c1e6213
1 parent 4c7ac71
commit c1e6213
Showing 1 changed file with 24 additions and 1 deletion.
diff --git a/server/apiProxy.ts b/server/apiProxy.ts
@@ -9,6 +9,7 @@ import { conf } from './config';
 import { getCookiesOrEmptyString } from './idapiAuth';
 import { log, putMetric } from './log';
 import { augmentRedirectURL } from './middleware/requestMiddleware';
+import { OAuthAccessTokenCookieName } from './oauthConfig';
 
 type BodyHandler = (res: Response, body: Buffer) => void;
 type JsonString = Buffer | string | undefined;
@@ -86,12 +87,34 @@ export const proxyApiHandler =
 			outgoingURL,
 		};
 
+		const authorizationOrCookieHeader = ({
+			req,
+			host,
+		}: {
+			req: Request;
+			host: string;
+		}): Headers => {
+			switch (host) {
+				case 'members-data-api.' + conf.DOMAIN:
+					return {
+						Authorization: `Bearer ${req.signedCookies[OAuthAccessTokenCookieName]}`,
+					};
+				default:
+					// TODO: This is legacy code!
+					// We don't want to send literally all cookies to APIs so when
+					// we migrate to Okta tokens entirely we should remove this
+					return {
+						Cookie: getCookiesOrEmptyString(req),
+					};
+			}
+		};
+
 		fetch(outgoingURL, {
 			method: httpMethod,
 			body: requestBody,
 			headers: {
+				...authorizationOrCookieHeader({ req, host }),
 				'Content-Type': 'application/json', // TODO: set this from the client req headers (would need to check all client calls actually specify content-type)
-				Cookie: getCookiesOrEmptyString(req),
 				[X_GU_ID_FORWARDED_SCOPE]:
 					req.header(X_GU_ID_FORWARDED_SCOPE) || '',
 				...headers,