fix(api): accept the api key to perform actions on the api with X-API-Key header
@@ -966,6 +966,10 @@ components:
|
|||||||
type: apiKey
|
type: apiKey
|
||||||
name: connect.sid
|
name: connect.sid
|
||||||
in: cookie
|
in: cookie
|
||||||
|
apiKey:
|
||||||
|
type: apiKey
|
||||||
|
in: header
|
||||||
|
name: X-Api-Key
|
||||||
|
|
||||||
paths:
|
paths:
|
||||||
/settings/main:
|
/settings/main:
|
||||||
@@ -2485,3 +2489,4 @@ paths:
|
|||||||
|
|
||||||
security:
|
security:
|
||||||
- cookieAuth: []
|
- cookieAuth: []
|
||||||
|
- apiKey: []
|
||||||
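Review bot: The new `apiKey` entry under `securitySchemes` has no `description`, and nothing in the visible spec lines documents the `X-API-User` header that the middleware in this commit reads to pick the account the request runs as. Because the second hunk adds `- apiKey: []` to the global `security` list, client authors will rely on this entry alone; I would add something like `description: 'API key from the main settings. Requests act as user 1 unless an X-API-User header names another user id.'`. The scheme is spelled `X-Api-Key` here while the code reads `X-API-Key`; header names are case-insensitive so both work, but using one spelling avoids confusion.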
|
@@ -1,9 +1,25 @@
|
|||||||
import { getRepository } from 'typeorm';
|
import { getRepository } from 'typeorm';
|
||||||
import { User } from '../entity/User';
|
import { User } from '../entity/User';
|
||||||
import { Permission } from '../lib/permissions';
|
import { Permission } from '../lib/permissions';
|
||||||
|
import { getSettings } from '../lib/settings';
|
||||||
|
|
||||||
export const checkUser: Middleware = async (req, _res, next) => {
|
export const checkUser: Middleware = async (req, _res, next) => {
|
||||||
if (req.session?.userId) {
|
const settings = getSettings();
|
||||||
|
if (req.header('X-API-Key') === settings.main.apiKey) {
|
||||||
|
const userRepository = getRepository(User);
|
||||||
|
|
||||||
|
let userId = 1; // Work on original administrator account
|
||||||
|
|
||||||
|
// If a User ID is provided, we will act on that users behalf
|
||||||
|
if (req.header('X-API-User')) {
|
||||||
|
userId = Number(req.header('X-API-User'));
|
||||||
|
}
|
||||||
|
const user = await userRepository.findOne({ where: { id: userId } });
|
||||||
|
|
||||||
|
if (user) {
|
||||||
|
req.user = user;
|
||||||
|
}
|
||||||
|
} else if (req.session?.userId) {
|
||||||
const userRepository = getRepository(User);
|
const userRepository = getRepository(User);
|
||||||
|
|
||||||
const user = await userRepository.findOne({
|
const user = await userRepository.findOne({
|
||||||
|
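Review bot: The check `req.header('X-API-Key') === settings.main.apiKey` passes when both sides are `undefined`, so if the stored key can ever be unset (its type is not visible in this hunk), a request with no header at all would be loaded as user 1, the original administrator. The comparison should require a non-empty configured key and use `timingSafeEqual` from Node's `crypto` module rather than `===`. `Number(req.header('X-API-User'))` is also passed to `findOne` unvalidated, so a non-numeric header produces `NaN` in the query; guard it with `Number.isInteger` before the lookup. Since this path lets the key holder act as any user, logging the resolved user id for key-authenticated requests would help auditing. The body of `checkUser` continues past the end of this hunk.

```typescript
  const settings = getSettings();
  const presented = Buffer.from(req.header('X-API-Key') ?? '');
  const configured = Buffer.from(settings.main.apiKey ?? '');

  // An unset key must never match a missing header; compare in constant time
  if (
    configured.length > 0 &&
    presented.length === configured.length &&
    timingSafeEqual(presented, configured)
  ) {
    const userRepository = getRepository(User);

    // Default to the original administrator account unless a valid id is supplied
    const requestedUser = req.header('X-API-User');
    const userId = requestedUser === undefined ? 1 : Number(requestedUser);

    const user =
      Number.isInteger(userId) && userId > 0
        ? await userRepository.findOne({ where: { id: userId } })
        : undefined;
    // … unchanged: req.user assignment and the session branch …
```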