31 lines
906 B
TypeScript
31 lines
906 B
TypeScript
export default defineEventHandler((event) => {
|
|
const path = event.path || event.node.req.url || ""
|
|
|
|
// Le middleware ne s'applique qu'aux routes API, sauf l'endpoint de ping
|
|
// qui reste public pour les tests de connectivite.
|
|
if (!path.startsWith("/api/") || path === "/api/ping") {
|
|
return
|
|
}
|
|
|
|
const runtimeConfig = useRuntimeConfig(event)
|
|
const authorization = getHeader(event, "authorization")
|
|
const expectedToken = runtimeConfig.apiSecretKey
|
|
|
|
// Si aucun secret n'est configure cote serveur, on refuse la requete.
|
|
if (!expectedToken) {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Unauthorized"
|
|
})
|
|
}
|
|
|
|
// Le header doit correspondre exactement au format attendu :
|
|
// Authorization: Bearer <token>
|
|
if (authorization !== `Bearer ${expectedToken}`) {
|
|
throw createError({
|
|
statusCode: 401,
|
|
statusMessage: "Unauthorized"
|
|
})
|
|
}
|
|
})
|