Use a token to protect POST API queries

README.md

@@ -49,6 +49,8 @@ adapt the behavior to your needs.
     to `/`). The value should end with a trailing slash.
 * `THUNDERFOREST_API_KEY=` to pass an API key server to use for
     [Thunderforest](http://thunderforest.com/) tiles (OpenCycleMap, etc).
+* `API_TOKEN=` to pass a token required to access the server side API (check
+    below in the server part environment variables for more details).
 
 You should also have a look at the build variables under the `config/`
 subdirectory.
@@ -79,6 +81,7 @@ adapt its behavior:
 * `DATABASE=` to specify a [database URL](http://docs.peewee-orm.com/en/latest/peewee/playhouse.html#db-url) to connect to (defaults to
     `sqlite:///reports.db` which means a SQLite database named `reports.db` in
     the current working directory).
+* `API_TOKEN=` to specify a token required to `POST` data to the API.
 
 #### Serving in production
 

config/prod.env.js

@@ -1,6 +1,7 @@
 'use strict'
 module.exports = {
-  NODE_ENV: '"production"',
+    NODE_ENV: '"production"',
-  API_BASE_URL: JSON.stringify(process.env.API_BASE_URL),
+    API_BASE_URL: JSON.stringify(process.env.API_BASE_URL),
-  THUNDERFOREST_API_KEY: JSON.stringify(process.env.THUNDERFOREST_API_KEY),
+    API_TOKEN: JSON.stringify(process.env.API_TOKEN),
+    THUNDERFOREST_API_KEY: JSON.stringify(process.env.THUNDERFOREST_API_KEY),
 }

server/jsonapi.py

@@ -34,7 +34,8 @@ def enable_cors():
         'PUT, GET, POST, DELETE, OPTIONS, PATCH'
     )
     bottle.response.headers[str('Access-Control-Allow-Headers')] = str(
-        'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token'
+        'Origin, Accept, Content-Type, X-Requested-With, X-CSRF-Token, '
+        'Authorization'
     )
 
 

server/routes.py

@@ -5,6 +5,7 @@ Routes definitions
 """
 import arrow
 import json
+import os
 
 import bottle
 
@@ -12,6 +13,29 @@ from server.models import Report
 from server import jsonapi
 
 
+class AuthenticationError(Exception):
+    pass
+
+
+def check_auth():
+    """
+    Check authentication.
+
+    :return: Abort and return a HTTP 403 page if authentication is not ok.
+    """
+    if not os.getenv('API_TOKEN'):
+        return
+
+    auth = bottle.request.headers.get('Authorization', None)
+    if not auth:
+        raise AuthenticationError()
+    parts = auth.split()
+    if parts[0].lower() != 'bearer' or parts[1] != os.getenv('API_TOKEN'):
+        raise AuthenticationError()
+
+    return
+
+
 def get_reports(only_active=False):
     """
     Get reports for the reports getting routes.
@@ -151,6 +175,12 @@ def post_report():
     if bottle.request.method == 'OPTIONS':
         return {}
 
+    # Check authentication
+    try:
+        check_auth()
+    except AuthenticationError:
+        return jsonapi.JsonApiError(403, "Invalid authentication.")
+
     try:
         payload = json.load(bottle.request.body)
     except ValueError as exc:
@@ -189,6 +219,12 @@ def upvote_report(id):
     if bottle.request.method == 'OPTIONS':
         return {}
 
+    # Check authentication
+    try:
+        check_auth()
+    except AuthenticationError:
+        return jsonapi.JsonApiError(403, "Invalid authentication.")
+
     r = Report.get(Report.id == id)
     if not r:
         return jsonapi.JsonApiError(404, "Invalid report id.")
@@ -213,6 +249,12 @@ def downvote_report(id):
     if bottle.request.method == 'OPTIONS':
         return {}
 
+    # Check authentication
+    try:
+        check_auth()
+    except AuthenticationError:
+        return jsonapi.JsonApiError(403, "Invalid authentication.")
+
     r = Report.get(Report.id == id)
     if not r:
         return jsonapi.JsonApiError(404, "Invalid report id.")

src/api/index.js

@@ -3,6 +3,10 @@ require('isomorphic-fetch');
 
 // With trailing slash
 export const BASE_URL = process.env.API_BASE_URL || '/';
+const AUTHORIZATION_HEADERS = new Headers({});
+if (process.env.API_TOKEN) {
+    AUTHORIZATION_HEADERS.set('Authorization', `Bearer ${process.env.API_TOKEN}`);
+}
 
 export function saveReport(type, lat, lng) {
     return fetch(`${BASE_URL}api/v1/reports`, {
@@ -12,6 +16,7 @@ export function saveReport(type, lat, lng) {
             lat,
             lng,
         }),
+        headers: AUTHORIZATION_HEADERS,
     })
         .then(response => response.json())
         .then(response => response.data)
@@ -34,6 +39,7 @@ export function getActiveReports() {
 export function downvote(id) {
     return fetch(`${BASE_URL}api/v1/reports/${id}/downvote`, {
         method: 'POST',
+        headers: AUTHORIZATION_HEADERS,
     })
         .then(response => response.json())
         .then(response => response.data)
@@ -46,6 +52,7 @@ export function downvote(id) {
 export function upvote(id) {
     return fetch(`${BASE_URL}api/v1/reports/${id}/upvote`, {
         method: 'POST',
+        headers: AUTHORIZATION_HEADERS,
     })
         .then(response => response.json())
         .then(response => response.data)