From 354d3feaee385d50d9ea09b044daa473514a7433 Mon Sep 17 00:00:00 2001
From: Bouncey
Date: Fri, 15 Feb 2019 21:02:38 +0000
Subject: [PATCH] fix: Allow un-authed loopback api calls

---
 .../middlewares/jwt-authorizaion.test.js | 29 +++++++++++++++++++
 .../server/middlewares/jwt-authorization.js | 17 +++++++++--
 2 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 api-server/server/middlewares/jwt-authorizaion.test.js

diff --git a/api-server/server/middlewares/jwt-authorizaion.test.js b/api-server/server/middlewares/jwt-authorizaion.test.js
new file mode 100644
index 00000000000..98b497f886a
--- /dev/null
+++ b/api-server/server/middlewares/jwt-authorizaion.test.js
@@ -0,0 +1,29 @@
+import { isWhiteListedPath } from './jwt-authorization';
+
+describe('jwt-authorization', () => {
+ describe('isWhiteListedPath', () => {
+ const whiteList = [/^\/is-ok\//, /^\/this-is\/also\/ok\//];
+
+ it('returns a boolean', () => {
+ const result = isWhiteListedPath();
+
+ expect(typeof result).toBe('boolean');
+ });
+
+ it('returns true for a white listed path', () => {
+ expect.assertions(2);
+
+ const resultA = isWhiteListedPath('/is-ok/should-be/good', whiteList);
+ const resultB = isWhiteListedPath('/this-is/also/ok/surely', whiteList);
+ expect(resultA).toBe(true);
+ expect(resultB).toBe(true);
+ });
+
+ it('returns false for a non-white-listed path', () => {
+ const result = isWhiteListedPath('/hax0r-42/no-go', whiteList);
+ expect(result).toBe(false);
+ });
+ });
+
+ xdescribe('authorizeByJWT')
+});
diff --git a/api-server/server/middlewares/jwt-authorization.js b/api-server/server/middlewares/jwt-authorization.js
index 3379446b836..2ba1864ecb4 100644
--- a/api-server/server/middlewares/jwt-authorization.js
+++ b/api-server/server/middlewares/jwt-authorization.js
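Review bot: The new test file is named `jwt-authorizaion.test.js` (missing the `t`), as both the `create mode` line and the diff header show, while the module it imports is `./jwt-authorization`; renaming it to `jwt-authorization.test.js` keeps the pair discoverable. None of the cases exercise the default `_whiteListREs`, which is the behaviour this commit introduces; adding `expect(isWhiteListedPath('/internal/api/ping')).toBe(true);` and `expect(isWhiteListedPath('/internal/other')).toBe(false);` would pin the loopback exemption and its boundary. `xdescribe('authorizeByJWT')` has no callback, so it is a skipped placeholder rather than a pending test; a `// TODO` naming what the middleware test should cover would make that explicit.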
@@ -8,12 +8,23 @@ import { wrapHandledError } from '../utils/create-handled-error';
 // We need to tunnel through a proxy path set up within
 // the gatsby app, at this time, that path is /internal
-export const apiProxyRE = /^\/internal\/|^\/external\//;
-export const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
+const apiProxyRE = /^\/internal\/|^\/external\//;
+const newsShortLinksRE = /^\/internal\/n\/|^\/internal\/p\?/;
+const loopbackAPIPathRE = /^\/internal\/api\//;
+
+const _whiteListREs = [
+ newsShortLinksRE,
+ loopbackAPIPathRE
+];
+
+export function isWhiteListedPath(path, whiteListREs= _whiteListREs) {
+ return whiteListREs.some(re => re.test(path))
+}
 export default () =>
 function authorizeByJWT(req, res, next) {
- if (apiProxyRE.test(req.path) && !newsShortLinksRE.test(req.path)) {
+ const { path } = req;
+ if (apiProxyRE.test(path) && !isWhiteListedPath(path)) {
 const cookie =
 req.signedCookies && req.signedCookies['jwt_access_token'] ||
 req.cookie && req.cookie['jwt_access_token'];
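Review bot: The new `loopbackAPIPathRE` entry and the exported `isWhiteListedPath` carry no comment saying what membership in the list means — any path matched here never enters the block that reads the `jwt_access_token` cookie — so a later addition to `_whiteListREs` could widen the unauthenticated surface without that being obvious; I would add above the array `// Paths matching any of these are served without JWT authorization; handlers mounted under them must enforce their own access checks.` and a short JSDoc on `isWhiteListedPath` documenting `path`, the optional `whiteListREs` and the boolean return. `apiProxyRE` and `newsShortLinksRE` lose their `export` in this hunk; the diffstat lists no other file, so either nothing imported them or an importer is left unfixed — worth confirming. The `return whiteListREs.some(re => re.test(path))` line lacks a semicolon and `whiteListREs= _whiteListREs` has uneven spacing; `return whiteListREs.some(re => re.test(path));` and `whiteListREs = _whiteListREs` match the rest of the file. `authorizeByJWT`'s body continues past the hunk.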