CHANGE: added protection to create booking route

2025-02-22 18:35:04 +01:00
parent 5274a165a3
commit 6a264a20c0
2 changed files with 57 additions and 9 deletions
--- a/Backend/endpoints/time_create.go
+++ b/Backend/endpoints/time_create.go
@@ -13,13 +13,12 @@ import (
 // GET only for demo purpose
 func TimeCreateHandler(w http.ResponseWriter, r *http.Request) {
 	helper.SetCors(w)
-	// switch with request methods
 	switch r.Method {
-	case "PUT":
+	case http.MethodPut:
 		createBooking(w, r)
-	case "GET":
+	case http.MethodGet:
 		createBooking(w, r)
-	case "OPTIONS":
+	case http.MethodOptions:
 		// just support options header for non GET Requests from SWAGGER
 		w.WriteHeader(http.StatusOK)
 	default:
@@ -27,11 +26,14 @@ func TimeCreateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }

-
-
 // Creates a booking from the http query params -> no body needed
 // after that entry wi'll be written to database and the booking is returned as json
 func createBooking(w http.ResponseWriter, r *http.Request) {
+	if(!checkPassword(r)){
+		log.Println("Wrong or no API key provided!")
+		http.Error(w, "Wrong or no API key provided", http.StatusUnauthorized)
+		return
+	}

 	booking := (*models.Booking).FromUrlParams(nil, r.URL.Query())
 	if booking.Verify() {
@@ -51,3 +53,10 @@ func createBooking(w http.ResponseWriter, r *http.Request) {
 	}
 	w.WriteHeader(http.StatusBadRequest)
 }
+
+func checkPassword(r *http.Request) bool {
+	authToken := helper.GetEnv("apiToken", "dont_access")
+	authHeaders := r.Header.Get("Authorization")
+	_authStart := len("Bearer ")
+	return authToken == authHeaders[_authStart:]
+}