Fix #470 Add validation to scopes field in apikey

decentralised-dataexchange · Nov 7, 2023 · df50ffb · df50ffb
1 parent 8831b3e
commit df50ffb
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 0 deletions.
diff --git a/internal/apikey/apikey.go b/internal/apikey/apikey.go
@@ -76,3 +76,22 @@ func Decode(apiKey string) (claims Claims, err error) {
 	}
 	return claims, nil
 }
+
+func ValidateScopes(scopes []string) bool {
+	allowedScopes := []string{"service", "audit", "config", "onboard"}
+
+	for _, scope := range scopes {
+		found := false
+		for _, allowed := range allowedScopes {
+			if scope == allowed {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+
+	return true
+}
diff --git a/internal/handler/v2/config/apikey/config_create_apikey.go b/internal/handler/v2/config/apikey/config_create_apikey.go
@@ -52,6 +52,14 @@ func ConfigCreateApiKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// validate scopes
+	validScopes := apikey.ValidateScopes(apiKeyReq.Apikey.Scopes)
+	if !validScopes {
+		m := "Invalid scopes provided for creating api key"
+		common.HandleErrorV2(w, http.StatusBadRequest, m, err)
+		return
+	}
+
 	// Repository
 	apiKeyRepo := apikey.ApiKeyRepository{}
 	apiKeyRepo.Init(organisationId)

diff --git a/internal/handler/v2/config/apikey/config_update_apikey.go b/internal/handler/v2/config/apikey/config_update_apikey.go
@@ -54,6 +54,14 @@ func ConfigUpdateApiKey(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// validate scopes
+	validScopes := apikey.ValidateScopes(apiKeyReq.Apikey.Scopes)
+	if !validScopes {
+		m := "Invalid scopes provided for updating api key"
+		common.HandleErrorV2(w, http.StatusBadRequest, m, err)
+		return
+	}
+
 	// Repository
 	apiKeyRepo := apikey.ApiKeyRepository{}
 	apiKeyRepo.Init(organisationId)