feat: pre-validate body for ecom modules endpoints

ecomplus · Jun 21, 2019 · f06bdb0 · f06bdb0
1 parent 8b64d58
commit f06bdb0
Showing 1 changed file with 19 additions and 11 deletions.
diff --git a/app/bin/web.js b/app/bin/web.js
@@ -19,19 +19,27 @@ app.use(bodyParser.urlencoded({ extended: false }))
 app.use(bodyParser.json())
 
 app.use((req, res, next) => {
-  if (req.url.startsWith('/ecom/') && process.env.NODE_ENV === 'production') {
-    // check if request is comming from E-Com Plus servers
-    if (ecomServerIps.indexOf(req.get('x-real-ip')) === -1) {
-      res.status(403).send('Who are you? Unauthorized IP address')
-    } else {
-      // get E-Com Plus Store ID from request header
-      req.storeId = parseInt(req.get('x-store-id'), 10)
-      next()
+  if (req.url.startsWith('/ecom/')) {
+    // get E-Com Plus Store ID from request header
+    req.storeId = parseInt(req.get('x-store-id'), 10)
+    if (req.url.startsWith('/ecom/modules/')) {
+      // request from Mods API
+      // https://github.com/ecomclub/modules-api
+      const { body } = req
+      if (typeof body !== 'object' || body === null || !body.params || !body.application) {
+        return res.status(406).send('Request not comming from Mods API? Invalid body')
+      }
+    }
+
+    // on production check if request is comming from E-Com Plus servers
+    if (process.env.NODE_ENV === 'production' && ecomServerIps.indexOf(req.get('x-real-ip')) === -1) {
+      return res.status(403).send('Who are you? Unauthorized IP address')
     }
-  } else {
-    // bypass
-    next()
   }
+
+  // pass to the endpoint handler
+  // next Express middleware
+  next()
 })
 
 ecomAuth.then(appSdk => {