feat: API keys work

Author: izadoesdev

apps/api/src/lib/api-key.ts

@@ -50,7 +50,12 @@ const getCachedAccessEntries = cacheable(
 export async function getApiKeyFromHeader(
 	headers: Headers
 ): Promise<ApiKeyRow | null> {
-	const secret = headers.get('x-api-key');
+	const xApiKey = headers.get('x-api-key');
+	const auth = headers.get('authorization');
+	const bearer = auth?.toLowerCase().startsWith('bearer ')
+		? auth.slice(7).trim()
+		: null;
+	const secret = xApiKey ?? bearer ?? null;
 	if (!secret) {
 		return null;
 	}
@@ -64,6 +69,15 @@ export async function getApiKeyFromHeader(
 	return key;
 }
 
+export function isApiKeyPresent(headers: Headers): boolean {
+	const xApiKey = headers.get('x-api-key');
+	if (xApiKey) {
+		return true;
+	}
+	const auth = headers.get('authorization');
+	return auth?.toLowerCase().startsWith('bearer ') ?? false;
+}
+
 export async function resolveEffectiveScopesForWebsite(
 	key: ApiKeyRow,
 	websiteId: string

apps/api/src/lib/website-utils.ts

@@ -3,7 +3,11 @@ import { db, userPreferences, websites } from '@databuddy/db';
 import { cacheable } from '@databuddy/redis';
 import type { Website } from '@databuddy/shared';
 import { eq } from 'drizzle-orm';
-import { getApiKeyFromHeader, hasWebsiteScope } from './api-key';
+import {
+	getApiKeyFromHeader,
+	hasWebsiteScope,
+	isApiKeyPresent,
+} from './api-key';
 
 export interface WebsiteContext {
 	user: unknown;
@@ -115,8 +119,7 @@ export async function getTimezone(
 }
 
 export async function deriveWebsiteContext({ request }: { request: Request }) {
-	const apiKeyPresent = request.headers.get('x-api-key') != null;
-	if (apiKeyPresent) {
+	if (isApiKeyPresent(request.headers)) {
 		return await deriveWithApiKey(request);
 	}
 	return await deriveWithSession(request);

apps/api/src/middleware/website-auth.ts

@@ -1,6 +1,10 @@
 import { auth } from '@databuddy/auth';
 import { Elysia } from 'elysia';
-import { getApiKeyFromHeader, hasWebsiteScope } from '../lib/api-key';
+import {
+	getApiKeyFromHeader,
+	hasWebsiteScope,
+	isApiKeyPresent,
+} from '../lib/api-key';
 import { getCachedWebsite, getTimezone } from '../lib/website-utils';
 
 function json(status: number, body: unknown) {
@@ -40,7 +44,10 @@ export function websiteAuth() {
 		.derive(async ({ request }) => {
 			const url = new URL(request.url);
 			const websiteId = url.searchParams.get('website_id');
-			const session = await auth.api.getSession({ headers: request.headers });
+			const apiKeyPresent = isApiKeyPresent(request.headers);
+			const session = apiKeyPresent
+				? null
+				: await auth.api.getSession({ headers: request.headers });
 			const timezone = session?.user
 				? await getTimezone(request, session)
 				: await getTimezone(request, null);