fix(sidecar): add AVIATIONSTACK_API and ICAO_API_KEY to env allowlist (#632)

Both keys were added to Rust SUPPORTED_SECRET_KEYS and runtime-config.ts,
but the sidecar's own ALLOWED_ENV_KEYS was never updated. This caused a
"key not in allowlist" 403 when saving or verifying these keys from the
desktop settings UI.

Also adds AviationStack API validation in validateSecretAgainstProvider.
Elie Habib
2026-03-01 10:23:37 +04:00
committed by GitHub
parent 899c20f81f
commit 8a9aa2b254


@@ -105,6 +105,7 @@ const ALLOWED_ENV_KEYS = new Set([
'VITE_OPENSKY_RELAY_URL', 'OPENSKY_CLIENT_ID', 'OPENSKY_CLIENT_SECRET',
'AISSTREAM_API_KEY', 'VITE_WS_RELAY_URL', 'FINNHUB_API_KEY', 'NASA_FIRMS_API_KEY',
'OLLAMA_API_URL', 'OLLAMA_MODEL', 'WORLDMONITOR_API_KEY', 'WTO_API_KEY',
'AVIATIONSTACK_API', 'ICAO_API_KEY',
]);
const CHROME_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36';
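Review bot: Nothing at `ALLOWED_ENV_KEYS` tells a maintainer that this set is the third copy of the key list, which is how the drift described in the commit message happened. The declaration starts outside the hunk, but a comment above it would help, for example `// Must mirror SUPPORTED_SECRET_KEYS (Rust) and runtime-config.ts; a key missing here is rejected with 403 on save.` Because this set gates which environment keys the sidecar will accept, a small test that compares the lists would catch the next omission before release.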
@@ -900,6 +901,23 @@ async function validateSecretAgainstProvider(key, rawValue, context = {}) {
case 'WTO_API_KEY':
return ok('WTO API key stored (live verification not available in sidecar)');
case 'AVIATIONSTACK_API': {
const response = await fetchWithTimeout(
`https://api.aviationstack.com/v1/flights?access_key=${encodeURIComponent(value)}&limit=1`,
{ headers: { Accept: 'application/json', 'User-Agent': CHROME_UA } }
);
const text = await response.text();
if (isCloudflareChallenge403(response, text)) return ok('AviationStack key stored (Cloudflare blocked verification)');
let payload = null;
try { payload = JSON.parse(text); } catch { /* ignore */ }
if (payload?.error?.code === 101 || payload?.error?.code === 105) return fail('AviationStack rejected this key');
if (!response.ok && response.status !== 200) return fail(`AviationStack probe failed (${response.status})`);
return ok('AviationStack key verified');
}
case 'ICAO_API_KEY':
return ok('ICAO API key stored (verification requires NOTAM endpoint access)');
default:
return ok('Key stored');
}
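Review bot: The `AVIATIONSTACK_API` case returns 'AviationStack key verified' for any ok-status response that is not a Cloudflare challenge and lacks error code 101 or 105, which includes a body that failed `JSON.parse` (payload stays `null`) or one carrying a different `error` object. Claim verification only when the body parsed and has no error, e.g. `if (!payload || payload.error) return ok('AviationStack key stored (could not verify)');` just before the final return. Assuming a standard fetch Response, `!response.ok && response.status !== 200` is redundant and `if (!response.ok)` says the same thing. The key is sent in the query string, so confirm that `fetchWithTimeout` and its error paths (not visible here) never log or echo the request URL. validateSecretAgainstProvider begins outside this hunk.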