feature/IO-3258-Shop-User-Vendor-Creation: Finish

server/middleware/vsstaIntegrationMiddleware.js

@@ -1,16 +1,19 @@
 /**
  * VSSTA Integration Middleware
- * @param req
- * @param res
- * @param next
- * @returns {*}
+ * Fails closed if the env var is missing or empty, and strictly compares header.
  */
 const vsstaIntegrationMiddleware = (req, res, next) => {
-  if (req?.headers?.["vssta-integration-secret"] !== process.env?.VSSTA_INTEGRATION_SECRET) {
+  const secret = process.env.VSSTA_INTEGRATION_SECRET;
+  if (typeof secret !== "string" || secret.length === 0) {
+    return res.status(500).send("Server misconfiguration");
+  }
+
+  const headerValue = req.headers["vssta-integration-secret"];
+  if (typeof headerValue !== "string" || headerValue.trim() !== secret) {
     return res.status(401).send("Unauthorized");
   }
 
-  req.isIntegrationAuthorized = true;
+  req.isVsstaIntegrationAuthorized = true;
   next();
 };