Added optional API key auth to REST API. Returning HTTP status codes from GraphQL API.

src/stashes.js

@@ -271,11 +271,11 @@ export async function removeStash(stashId, sessionUser) {
 		.delete()
 		.returning('*');
 
-	if (removed === 0) {
-		throw new HttpError('Unable to remove this stash', 400);
+	if (!removed) {
+		throw new HttpError('This stash could not be removed', 409);
 	}
 
-	return curateStash(stash);
+	return curateStash(removed);
 }
 
 export async function stashActor(actorId, stashId, sessionUser) {

src/web/graphql.js

@@ -138,7 +138,7 @@ export async function graphqlApi(req, res) {
 		},
 	});
 
-	// console.log(data);
+	const statusCode = data.errors?.[0]?.originalError.httpCode || 200;
 
-	res.send(data);
+	res.status(statusCode).send(data);
 }

src/web/server.js

@@ -20,6 +20,7 @@ import { fetchMoviesApi } from './movies.js';
 import { fetchEntitiesApi } from './entities.js';
 import { fetchTagsApi } from './tags.js';
 
+import { verifyKey } from '../auth.js';
 import { graphqlApi } from './graphql.js';
 
 import mainHandler from './main.js';
@@ -120,6 +121,18 @@ export default async function initServer() {
 		res.sendFile(path.join(import.meta.dirname, '../../assets/consent.html'));
 	});
 
+	router.use('/api/*', async (req, res, next) => {
+		if (req.headers['api-user']) {
+			await verifyKey(req.headers['api-user'], req.headers['api-key'], req);
+
+			req.user = { // eslint-disable-line no-param-reassign
+				id: Number(req.headers['api-user']),
+			};
+		}
+
+		next();
+	});
+
 	// SESSION
 	router.post('/api/session', loginApi);
 	router.delete('/api/session', logoutApi);

src/web/stashes.js

@@ -134,7 +134,7 @@ export async function updateStashGraphql(query, req) {
 }
 
 export async function removeStashApi(req, res) {
-	await removeStash(Number(req.params.stashId), req.user);
+	await removeStash(Number(req.params.stashId) || req.params.stashId, req.user);
 
 	res.status(204).send();
 }