Require an apikey for supervisor api in production unmanaged

Change-type: minor Signed-off-by: Cameron Diver <cameron@balena.io>
2025-01-31 08:25:36 +00:00 · 2018-12-12 12:42:53 +00:00 · 2018-12-12 12:42:53 +00:00 · 178e80d92a
commit 178e80d92a
parent 5bb3820d6a
1 changed files with 14 additions and 10 deletions
--- a/src/supervisor-api.coffee
+++ b/src/supervisor-api.coffee
@ -11,19 +11,23 @@ authenticate = (config) ->
 		header = req.get('Authorization') ? ''
 		match = header.match(/^ApiKey (\w+)$/)
 		headerKey = match?[1]
-		config.getMany([ 'apiSecret', 'localMode' ])
+		config.getMany([ 'apiSecret', 'localMode', 'unmanaged', 'osVariant' ])
 		.then (conf) ->
-			if queryKey? && bufferEq(new Buffer(queryKey), new Buffer(conf.apiSecret))
-				next()
-			else if headerKey? && bufferEq(new Buffer(headerKey), new Buffer(conf.apiSecret))
-				next()
-			else if checkTruthy(conf.localMode)
-				next()
+			needsAuth = if conf.unmanaged
+				conf.osVariant is 'prod'
 			else
-				res.sendStatus(401)
+				not conf.localMode
+
+			if needsAuth
+				key = queryKey ? headerKey
+				if bufferEq(Buffer.from(key), Buffer.from(conf.apiSecret))
+					next()
+				else
+					res.sendStatus(401)
+			else
+				next()
 		.catch (err) ->
-			# This should never happen...
-			res.status(503).send('Invalid API key in supervisor')
+			res.status(503).send("Unexpected error: #{err}")

 module.exports = class SupervisorAPI
 	constructor: ({ @config, @eventTracker, @routers, @healthchecks }) ->