From e3ce7b2458c6b6d52a402d402f7413d795fe675b Mon Sep 17 00:00:00 2001
From: Miodec
Date: Wed, 25 Oct 2023 16:00:03 +0100
Subject: [PATCH] refactor: allow apekeys if endpoint is public

This partially reverts 923f69ab55e1eae9c4e5e2eff31f27d96cf4416c. This is because we sometimes still need the decoded token in public endpoints. If an endpoint doesnt accept ape keys BUT its public, we dont return a 401 error.
---
 backend/src/middlewares/auth.ts | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/backend/src/middlewares/auth.ts b/backend/src/middlewares/auth.ts
index 6b84a733c..584762299 100644
--- a/backend/src/middlewares/auth.ts
+++ b/backend/src/middlewares/auth.ts
@@ -45,18 +45,18 @@ function authenticateRequest(authOptions = DEFAULT_OPTIONS): Handler {
 const { authorization: authHeader } = req.headers;

 try {
- if (options.isPublic === true) {
- token = {
- type: "None",
- uid: "",
- email: "",
- };
- } else if (authHeader) {
+ if (authHeader) {
 token = await authenticateWithAuthHeader(
 authHeader,
 req.ctx.configuration,
 options
 );
+ } else if (options.isPublic === true) {
+ token = {
+ type: "None",
+ uid: "",
+ email: "",
+ };
 } else if (process.env.MODE === "dev") {
 token = authenticateWithBody(req.body);
 } else {
@@ -216,7 +216,7 @@ async function authenticateWithApeKey(
 throw new MonkeyError(503, "ApeKeys are not being accepted at this time");
 }

- if (!options.acceptApeKeys) {
+ if (!options.acceptApeKeys && !options.isPublic) {
 throw new MonkeyError(401, "This endpoint does not accept ApeKeys");
 }
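Review bot: With `if (authHeader)` now tested before `options.isPublic`, a public endpoint verifies any Authorization header it is sent, so a request carrying an expired or malformed credential presumably fails where it used to be served anonymously. The catch block and the rest of authenticateRequest lie outside this hunk, so whether the error is rethrown cannot be confirmed from here. If rejection is the intended behaviour, state it above the branch: `// Public routes still verify a supplied Authorization header; a rejected header fails the request and does not fall back to the "None" token.` Handlers on public routes are also worth checking for code that relied on `uid` always being empty, since they now receive a real decoded token.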
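Review bot: The relaxed guard `!options.acceptApeKeys && !options.isPublic` lets an ApeKey proceed to validation on every public route, including routes that set `acceptApeKeys` to false, so `isPublic` now silently widens where ApeKeys are honoured. The rest of authenticateWithApeKey is outside the hunk; if it returns a token carrying the key owner's uid, public handlers that branch on uid will act for ApeKey callers the route never opted into. The 503 check just above still runs first, so a public route rejects ApeKey callers while keys are globally disabled instead of serving them anonymously. Make the implication explicit at the guard, e.g. `// isPublic implies ApeKeys are accepted here: the key is still validated below and the handler sees the resulting token.`, and confirm each public route is safe to call with an ApeKey identity.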