Require a freshly authenticated JWT when creating an api_key

Change-type: major
balena-io · May 30, 2024 · fab43ac · fab43ac
1 parent b6988c2
commit fab43ac
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/features/auth/hooks/index.ts b/src/features/auth/hooks/index.ts
@@ -3,6 +3,7 @@ import './create-application-actor.js';
 import './create-device-actor.js';
 import './create-user-actor.js';
 import './fetch-api-key.js';
+import './restrict-api-key-creation.js';
 import './restrict-user-deletion.js';
 import './update-jwt-secret.js';
 import './validate-username-email.js';
diff --git a/src/features/auth/hooks/restrict-api-key-creation.ts b/src/features/auth/hooks/restrict-api-key-creation.ts
@@ -0,0 +1,15 @@
+import { hooks, errors } from '@balena/pinejs';
+
+import { getUser } from '../../../infra/auth/auth.js';
+import { checkSudoValidity } from '../../../infra/auth/jwt.js';
+
+const { UnauthorizedError } = errors;
+
+hooks.addPureHook('POST', 'resin', 'api_key', {
+	PRERUN: async ({ req, tx }) => {
+		const user = await getUser(req, tx);
+		if (!(await checkSudoValidity(user))) {
+			throw new UnauthorizedError('Fresh authentication token required');
+		}
+	},
+});