From 44ea2d89aef5cce2e5da29c137f73b9030f0849c Mon Sep 17 00:00:00 2001
From: Bonsung Koo
Date: Fri, 31 Jan 2025 10:01:01 +1300
Subject: [PATCH] Checking authorisation scheme on admin api calls #56
---
 functions/src/shared/authentication/AdminAuth.ts | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/functions/src/shared/authentication/AdminAuth.ts b/functions/src/shared/authentication/AdminAuth.ts
index 6c5570a..58b7333 100644
--- a/functions/src/shared/authentication/AdminAuth.ts
+++ b/functions/src/shared/authentication/AdminAuth.ts
@@ -8,13 +8,20 @@ export const AdminAuth = async (
 next: NextFunction
 ) => {
- const idToken = request.headers.authorization
+ const authorization = request.headers.authorization
 
- if (!idToken) {
- response.status(400).send({ message: 'Bad request' })
+ if (!authorization) {
+ response.status(401).send()
 return
 }
 
+ const [scheme, idToken] = authorization.split(' ')
+
+ if (scheme !== 'Bearer') {
+ response.status(401).send()
+ return
+ }
+
 try {
 await admin.auth().verifyIdToken(idToken)
 next()