fix: reintroduce authMethods to APIClass

Author: d-gubert

apps/meteor/app/api/server/ApiClass.ts

@@ -170,7 +170,7 @@ export class APIClass<
 
 	private _routes: { path: string; options: Options; endpoints: Record<string, string> }[] = [];
 
-	public authMethods: ((...args: any[]) => any)[];
+	public authMethods: ((req: Request) => Promise<IUser | undefined>)[];
 
 	protected helperMethods: Map<string, () => any> = new Map();
 
@@ -252,7 +252,7 @@ export class APIClass<
 		return parseJsonQuery(this);
 	}
 
-	public addAuthMethod(func: (this: PartialThis, ...args: any[]) => any): void {
+	public addAuthMethod(func: (req: Request) => Promise<IUser | undefined>): void {
 		this.authMethods.push(func);
 	}
 
@@ -823,7 +823,7 @@ export class APIClass<
 				(operations[method as keyof Operations<TPathPattern, TOptions>] as Record<string, any>).action =
 					async function _internalRouteActionHandler() {
 						if (options.authRequired || options.authOrAnonRequired) {
-							const user = await api.authenticatedRoute.call(this, this.request);
+							const user = await api.authenticatedRoute.call(api, this.request);
 							this.user = user!;
 							this.userId = this.user?._id;
 							const authToken = this.request.headers.get('x-auth-token');
@@ -973,11 +973,8 @@ export class APIClass<
 	}
 
 	protected async authenticatedRoute(req: Request): Promise<IUser | null> {
-		const headers = Object.fromEntries(req.headers.entries());
-
-		const { 'x-user-id': userId } = headers;
-
-		const userToken = String(headers['x-auth-token']);
+		const userId = req.headers.get('x-user-id');
+		const userToken = req.headers.get('x-auth-token');
 
 		if (userId && userToken) {
 			return Users.findOne(
@@ -990,6 +987,16 @@ export class APIClass<
 				},
 			);
 		}
+
+		for (const method of this.authMethods) {
+			// eslint-disable-next-line no-await-in-loop -- we want serial execution
+			const user = await method(req);
+
+			if (user) {
+				return user;
+			}
+		}
+
 		return null;
 	}
 

apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts

@@ -19,13 +19,18 @@ async function getAccessToken(accessToken: string) {
 }
 
 export async function oAuth2ServerAuth(partialRequest: {
-	headers: Record<string, any>;
-	query: Record<string, any>;
-}): Promise<{ user: IUser } | undefined> {
+	headers: Record<string, string | undefined>;
+	query: Record<string, string | undefined>;
+}): Promise<IUser | undefined> {
 	const headerToken = partialRequest.headers.authorization?.replace('Bearer ', '');
 	const queryToken = partialRequest.query.access_token;
+	const incomingToken = headerToken || queryToken;
 
-	const accessToken = await getAccessToken(headerToken || queryToken);
+	if (!incomingToken) {
+		return;
+	}
+
+	const accessToken = await getAccessToken(incomingToken);
 
 	// If there is no token available or the token has expired, return undefined
 	if (!accessToken || (accessToken.expires != null && accessToken.expires < new Date())) {
@@ -38,7 +43,7 @@ export async function oAuth2ServerAuth(partialRequest: {
 		return;
 	}
 
-	return { user };
+	return user;
 }
 
 oauth2server.app.disable('x-powered-by');
@@ -69,8 +74,13 @@ oauth2server.app.get('/oauth/userinfo', async (req: Request, res: Response) => {
 	});
 });
 
-API.v1.addAuthMethod(async function () {
-	return oAuth2ServerAuth(this.request);
+API.v1.addAuthMethod((request: globalThis.Request) => {
+	const url = new URL(request.url);
+	const headers = Object.fromEntries(request.headers.entries());
+	const query = Object.fromEntries(url.searchParams.entries());
+
+	return oAuth2ServerAuth({ headers, query });
 });
 
 (WebApp.connectHandlers as unknown as ReturnType<typeof express>).use(oauth2server.app);
+