CHANGE: added protection to create booking route

Backend/endpoints/time.go

@@ -62,7 +62,7 @@ func getBookings(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-// TODO add config for timeoffset
+	// TODO add config for timeoffset
 	tsFrom, err := parseTimestamp(r, "time_from", time.Now().AddDate(0, -1, 0).Format("2006-01-02"))
 	if(err != nil ){
 		log.Println("Error parsing 'from' time", err)
@@ -85,8 +85,6 @@ func getBookings(w http.ResponseWriter, r *http.Request) {
 	}
 	ctx := context.WithValue(r.Context(), "user", user)
 	templates.TimeDashboard(bookings).Render(ctx, w)
-	// w.Header().Set("Content-Type", "application/json")
-	// json.NewEncoder(w).Encode(bookings)
 }
 
 func updateBooking(w http.ResponseWriter, r *http.Request){
@@ -115,6 +113,47 @@ func updateBooking(w http.ResponseWriter, r *http.Request){
 	getBookings(w, r)
 }
 
+func getBookingsAPI(w http.ResponseWriter, r *http.Request){
+	_user_pn := r.URL.Query().Get("personal_nummer")
+	user_pn, err := strconv.Atoi(_user_pn)
+	if(err != nil){
+		log.Println("No personal numver found!")
+		http.Error(w, "No personal number found", http.StatusBadRequest)
+		return
+	}
+
+	user, err := (*models.User).GetByPersonalNummer(nil, user_pn)
+	if(err != nil){
+		log.Println("No user found with the given personal number!")
+		http.Error(w, "No user found", http.StatusNotFound)
+		return
+	}
+
+	// TODO add config for timeoffset
+	tsFrom, err := parseTimestamp(r, "time_from", time.Now().AddDate(0, -1, 0).Format("2006-01-02"))
+	if(err != nil ){
+		log.Println("Error parsing 'from' time", err)
+		http.Error(w, "Timestamp 'from' cannot be parsed!", http.StatusBadRequest)
+		return
+	}
+	tsTo, err := parseTimestamp(r, "time_to", time.Now().Format("2006-01-02"))
+	if(err != nil ){
+		log.Println("Error parsing 'to' time", err)
+		http.Error(w, "Timestamp 'to' cannot be parsed!", http.StatusBadRequest)
+		return
+	}
+	tsTo = tsTo.AddDate(0,0,1) // so that today is inside
+
+	bookings, err := (*models.Booking).GetBookingsGrouped(nil, user.CardUID, tsFrom, tsTo)
+	if err != nil {
+		log.Println("Error getting bookings: ", err)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(bookings)
+}
+
 // Updates a booking form the given json body
 func updateBookingAPI(w http.ResponseWriter, r *http.Request) {
 	_booking_id := r.URL.Query().Get("counter_id")

Backend/endpoints/time_create.go

@@ -13,13 +13,12 @@ import (
 // GET only for demo purpose
 func TimeCreateHandler(w http.ResponseWriter, r *http.Request) {
 	helper.SetCors(w)
-	// switch with request methods
 	switch r.Method {
-	case "PUT":
+	case http.MethodPut:
 		createBooking(w, r)
-	case "GET":
+	case http.MethodGet:
 		createBooking(w, r)
-	case "OPTIONS":
+	case http.MethodOptions:
 		// just support options header for non GET Requests from SWAGGER
 		w.WriteHeader(http.StatusOK)
 	default:
@@ -27,11 +26,14 @@ func TimeCreateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
-
-
 // Creates a booking from the http query params -> no body needed
 // after that entry wi'll be written to database and the booking is returned as json
 func createBooking(w http.ResponseWriter, r *http.Request) {
+	if(!checkPassword(r)){
+		log.Println("Wrong or no API key provided!")
+		http.Error(w, "Wrong or no API key provided", http.StatusUnauthorized)
+		return
+	}
 
 	booking := (*models.Booking).FromUrlParams(nil, r.URL.Query())
 	if booking.Verify() {
@@ -51,3 +53,10 @@ func createBooking(w http.ResponseWriter, r *http.Request) {
 	}
 	w.WriteHeader(http.StatusBadRequest)
 }
+
+func checkPassword(r *http.Request) bool {
+	authToken := helper.GetEnv("apiToken", "dont_access")
+	authHeaders := r.Header.Get("Authorization")
+	_authStart := len("Bearer ")
+	return authToken == authHeaders[_authStart:]
+}