validate player secrets on public API requests

[matthewejones]

done:

• Validate player secrets for the following public api requests:

  • players
  • model
  • download
  • download/text

• Download buttons use get request

todo:

• send requests with secret in custom header

Resolves #70

[ChristophNiehoff]

Is it really the best way to temporarily create an a-tag?

[ChristophNiehoff]

Also, we should be consistent with using 'let' and 'var'

[matthewejones]

I think we may have talked about this, I couldn't actually get it to download using window.assign() or window.open() it would just display the file on the screen

[matthewejones]

• I've changed everything to use basic auth now.
• I also added some error handling so instead of the game crashing it will just print errors in the console. For the download buttons I've made them turn red like the copybuttons to give the user some feedback when they don't work
• I changed the copybuttons to use async, await and try{}catch{} instead of promises. I think this makes it more consistent with the rest of the application. I don't know much about promises/async functions so let me know if this is wrong/worse somehow

[ChristophNiehoff]

Do I understand it correctly that routes above this router.use() call are not authenticated and only the ones belows actually are?

If yes, I am not sure if this is a good solution. This will definitly lead to confusion if someone wants to add another endpoint in the future... Would it be possible to attach the middleware only to certain routes (and make this explicit)? Or alternatively, could you add something like a whitelist, such that the middleware by default wants to authorize everything and only the routes in the whitelist are not considered?

[matthewejones]

It should be that the routes which match the path '/:matchID/' use the authorisation.
the syntax is router.use(path, callback) where the path is either a string or an array of paths.
It might be better to use '/:matchID/*' (which acts the same but might be a bit clearer)
or to explicitly list all the complete paths: ['/:matchID/players', '/:matchID/model/', ... ]

[ChristophNiehoff]

Oh, I see. Cool! I think '/:matchID/*' would be good. Then the logic is that everything specific to a game should be authenticated, which sounds reasonable to me.

Just for clearity, could you move the router.use() statement above all the route definitions? And could you please mention in the comment that the middleware only applies to the '/:matchID/*' routes, please?

[ChristophNiehoff]

@matthewejones Just had a manual test of this PR. Works great! I love it!
And regarding your question: Personally, I prefer async/await over promises as I think that makes the code more readable. So, I am very happy with your change!