From 999eec14f94dceebc51411f88d0737cccf2bc89c Mon Sep 17 00:00:00 2001
From: Benjamin Piouffle
Date: Mon, 19 Feb 2024 16:14:44 +0100
Subject: [PATCH] fix: authenticateRequest

---
 lib/req-utils.js | 20 +++++++++----------
 pages/expense/[id]/[filename].js | 4 ++++
 .../[isoStartDate]/[isoEndDate]/[filename].js | 4 ++++
 .../receipts/transactions/[id]/[filename].js | 4 ++++
 4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/lib/req-utils.js b/lib/req-utils.js
index 4703c1f6..ce21658d 100644
--- a/lib/req-utils.js
+++ b/lib/req-utils.js
@@ -4,17 +4,15 @@ import { get, isEmpty } from 'lodash';
  * To forward API Key or Authorization headers from the request to the API calls.
  * Returns `null` if no headers are found.
  */
-export const getAuthorizationHeadersFromReq = (req) => {
+const getAuthorizationHeadersFromReq = (req) => {
   const { headers, query } = req;
   const result = {};
   const apiKey = get(headers, 'api-key') || get(query, 'apiKey');
   const personalToken = get(headers, 'personal-token') || get(query, 'personalToken') || get(query, 'app_key');
-  const authorization = get(headers, 'authorization') || req.cookies?.authorization;
+  const authorization = get(headers, 'authorization');
   if (authorization) {
-    const parts = authorization.split(' ');
-    const scheme = parts[0];
-    const accessToken = parts[1];
-    if (!/^Bearer$/i.test(scheme) || !accessToken) {
+    const [scheme, accessToken] = authorization.split(' ');
+    if (scheme !== 'Bearer' || !accessToken) {
       throw new Error('Invalid authorization header. Format should be: Authorization: Bearer [token]');
     }
 
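Review bot: The replacement check `if (scheme !== 'Bearer' || !accessToken)` is case-sensitive, whereas the removed `/^Bearer$/i` accepted any casing of the scheme as RFC 7235 specifies (the auth-scheme token is case-insensitive), so a client sending `Authorization: bearer <token>` that authenticated before this commit now hits the 'Invalid authorization header' error. Nothing in the commit message says the tightening is deliberate; if it is not, `if (scheme?.toLowerCase() !== 'bearer' || !accessToken) {` keeps the destructured form and the previous behaviour. The body of getAuthorizationHeadersFromReq continues outside the hunk.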
@@ -29,19 +27,19 @@ export const getAuthorizationHeadersFromReq = (req) => {
     result['Personal-Token'] = personalToken;
   }
 
-  return isEmpty(headers) ? null : headers;
+  return isEmpty(headers) ? null : result;
 };
 
 /**
  * Some syntax sugar around the `getAuthorizationHeadersFromReq` function, that throws for non-authenticated requests
  * but allows `OPTIONS` requests to pass through
  */
-export const authenticateRequest = (ctx) => {
-  const authorizationHeaders = getAuthorizationHeadersFromReq(ctx);
+export const authenticateRequest = (req) => {
+  const authorizationHeaders = getAuthorizationHeadersFromReq(req);
   if (!authorizationHeaders) {
     // Frontend sends an OPTIONS request to check CORS, we should just return OK when that happens
-    if (ctx.req.method === 'OPTIONS') {
-      return {};
+    if (req.method === 'OPTIONS') {
+      return null;
     } else {
       throw new Error('Please provide an access token or an APP key');
     }
diff --git a/pages/expense/[id]/[filename].js b/pages/expense/[id]/[filename].js
index 65ec6a23..b728c762 100644
--- a/pages/expense/[id]/[filename].js
+++ b/pages/expense/[id]/[filename].js
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { id } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const expense = await fetchExpenseInvoiceData(id, authorizationHeaders);
       return { expense, pageFormat: ctx.query.pageFormat };
     }
diff --git a/pages/receipts/collectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js b/pages/receipts/collectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js
index 6cec0824..54c0c300 100644
--- a/pages/receipts/collectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js
+++ b/pages/receipts/collectives/[fromCollectiveSlug]/[toCollectiveSlug]/[isoStartDate]/[isoEndDate]/[filename].js
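Review bot: The corrected return line `return isEmpty(headers) ? null : result;` still tests the raw request headers rather than the credentials it collected: `headers` is destructured from `req`, and in practice a real HTTP request always carries some header, so an unauthenticated request gets the empty `result` object back instead of `null`. Because `{}` is truthy, authenticateRequest then neither throws 'Please provide an access token or an APP key' nor returns `null` for OPTIONS, and the receipt pages forward an empty header set to the API, which presumably fails later with a less clear error. The check that matches the docstring 'Returns `null` if no headers are found' is `return isEmpty(result) ? null : result;`. The hunk opens inside getAuthorizationHeadersFromReq and the body of authenticateRequest continues past the hunk's last line.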
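Review bot: The new early return `if (!authorizationHeaders) { return {}; }` in the expense page carries no comment saying why an empty props object is correct here; authenticateRequest returns `null` only for the OPTIONS preflight case and throws for anything else, so a reader can easily mistake this for silently skipping authentication. A comment on the added `if` such as `// null means a CORS preflight (OPTIONS); authenticateRequest already threw for unauthenticated requests` would make the intent explicit, and the same applies to the identical blocks added to the collectives and transactions receipt pages. The enclosing method (presumably getInitialProps, given `ctx.query` and `isServer`) starts before the hunk, and the render path that has to cope with a missing `expense` prop is outside it.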
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { fromCollectiveSlug, toCollectiveSlug: hostSlug, isoStartDate: dateFrom, isoEndDate: dateTo } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const queryParams = { fromCollectiveSlug, hostSlug, dateFrom, dateTo };
 
       const response = await fetchInvoiceByDateRange(queryParams, authorizationHeaders);
diff --git a/pages/receipts/transactions/[id]/[filename].js b/pages/receipts/transactions/[id]/[filename].js
index cde2a0b7..e35dfe19 100644
--- a/pages/receipts/transactions/[id]/[filename].js
+++ b/pages/receipts/transactions/[id]/[filename].js
@@ -12,6 +12,10 @@ class TransactionReceipt extends React.Component {
     if (isServer) {
       const { id, pageFormat } = ctx.query;
       const authorizationHeaders = authenticateRequest(ctx.req);
+      if (!authorizationHeaders) {
+        return {};
+      }
+
       const transaction = await fetchTransactionInvoice(id, authorizationHeaders);
       return {
         pageFormat: pageFormat,