diff --git a/server/middleware/validateFirebaseIdTokenLiteMiddleware.js b/server/middleware/validateFirebaseIdTokenLiteMiddleware.js
new file mode 100644
index 000000000..3da2d0871
--- /dev/null
+++ b/server/middleware/validateFirebaseIdTokenLiteMiddleware.js
@@ -0,0 +1,42 @@
+const logger = require("../utils/logger");
+const admin = require("firebase-admin");
+
+/**
+ * Lite Firebase ID token validator.
+ * - Only accepts Authorization: Bearer
+ * - Sets req.user to the decoded token on success
+ */
+const validateFirebaseIdTokenLite = async (req, res, next) => {
+ const authHeader = req.headers.authorization || "";
+ const match = authHeader.match(/^Bearer\s+(.+)$/i);
+
+ if (!match) {
+ logger.log("api-authorization-call", "warn", null, null, {
+ type: "unauthorized",
+ reason: "missing Bearer token",
+ path: req.path,
+ body: req.body
+ });
+ return res.status(401).send("Unauthorized");
+ }
+
+ const idToken = match[1].trim();
+
+ try {
+ const decodedIdToken = await admin.auth().verifyIdToken(idToken);
+ req.user = decodedIdToken;
+ return next();
+ } catch (error) {
+ logger.log("api-unauthorized-call", "warn", null, null, {
+ type: "unauthorized",
+ reason: "invalid or expired token",
+ path: req.path,
+ body: req.body,
+ code: error?.errorInfo?.code || error?.code,
+ message: error?.message
+ });
+ return res.status(401).send("Unauthorized");
+ }
+};
+
+module.exports = validateFirebaseIdTokenLite;
diff --git a/server/routes/renderRoutes.js b/server/routes/renderRoutes.js
index 41b6cf6aa..5bf651a34
--- a/server/routes/renderRoutes.js
+++ b/server/routes/renderRoutes.js
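Review bot: Both 401 log calls include `body: req.body`, so the full payload of every unauthenticated request is written to the log; for the canvas and inline-CSS routes that is caller-supplied content of unbounded size and may carry personal data, and the authorization decision does not need it. Drop the `body: req.body` entries and keep `path` (plus `code` and `message` in the catch branch), or record only the body size if it is wanted for debugging. The two branches also use different event names, `api-authorization-call` and `api-unauthorized-call`, which looks like a typo in the first and splits the same condition across two log streams. Since the JSDoc calls this the "Lite" validator, that comment should state what is deliberately not checked here, for example that `verifyIdToken` is called without `checkRevoked`, so readers of the routes file know what they are opting into; whether the original middleware performed that check is not visible in this diff.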
@@ -1,13 +1,14 @@
 const express = require("express");
 const router = express.Router();
 const { inlineCSS } = require("../render/inlinecss");
-const validateFirebaseIdTokenMiddleware = require("../middleware/validateFirebaseIdTokenMiddleware");
+const validateFirebaseIdTokenLite = require("../middleware/validateFirebaseIdTokenLiteMiddleware");
 const { canvas } = require("../render/canvas-handler");
 const validateCanvasInputMiddleware = require("../middleware/validateCanvasInputMiddleware");
 // Define the route for inline CSS rendering
-router.post("/inlinecss", validateFirebaseIdTokenMiddleware, inlineCSS);
-router.post("/canvas-skia", validateFirebaseIdTokenMiddleware, validateCanvasInputMiddleware, canvas);
-router.post("/canvas", validateFirebaseIdTokenMiddleware, validateCanvasInputMiddleware, canvas);
+router.post("/inlinecss", validateFirebaseIdTokenLite, inlineCSS);
+
+router.post("/canvas-skia", validateFirebaseIdTokenLite, validateCanvasInputMiddleware, canvas);
+router.post("/canvas", validateFirebaseIdTokenLite, validateCanvasInputMiddleware, canvas);
 module.exports = router;
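Review bot: The import swap puts the Lite validator in front of all three routes, but nothing in this file records what the Lite variant no longer checks, so a reader of the routes cannot tell that the protection level changed; what `validateFirebaseIdTokenMiddleware` did beyond Bearer parsing is not visible in this diff. A one-line comment above the new import, `// Lite validator: Bearer header + verifyIdToken only; see the middleware header for what it skips`, would make that explicit. The new blank line between the `/inlinecss` and `/canvas-skia` registrations separates routes that share the same middleware chain and reads as accidental, and the existing `// Define the route for inline CSS rendering` comment now sits above the two canvas routes as well, so it could be reworded to cover all three.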