From 0e13a40cb01fcf08fe832b074d0f93ff65110745 Mon Sep 17 00:00:00 2001
From: Bryan Stitt <bryan@satoshiandkin.com>
Date: Sun, 27 Nov 2022 19:49:32 +0000
Subject: [PATCH] error for unauthenticated user queries

---
 TODO.md                        |  2 +-
 web3_proxy/src/user_queries.rs | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/TODO.md b/TODO.md
index ffc582ec..585d621f 100644
--- a/TODO.md
+++ b/TODO.md
@@ -253,7 +253,6 @@ These are roughly in order of completition
   - one option: we need the insert to be an upsert, but how do we merge historgrams?
 - [ ] add block timestamp to the /status page
   - [ ] be sure to save the timestamp in a way that our request routing logic can make use of it
-- [ ] change invite codes to set the user_tier
 - [ ] if a websocket connection hasn't received a new block in a while, do a reconnect or just query the block. its possible that the node was syncing when the proxy started
 
 - [ ] actually block unauthenticated requests instead of emitting warning of "allowing without auth during development!"
@@ -551,3 +550,4 @@ in another repo: event subscriber
   - [ ] if --address not given, use the --description
   - [ ] if it is too long, (the last 4 bytes must be zero), give an error so descriptions like this stand out
 - [ ] we need to use docker-compose's proper environment variable handling. because now if someone tries to start dev containers in their prod, remove orphans stops and removes them
+- [ ] change invite codes to set the user_tier
diff --git a/web3_proxy/src/user_queries.rs b/web3_proxy/src/user_queries.rs
index 8680183a..a59a8dd2 100644
--- a/web3_proxy/src/user_queries.rs
+++ b/web3_proxy/src/user_queries.rs
@@ -52,14 +52,14 @@ pub async fn get_user_id_from_params(
         }
         (None, Some(x)) => {
             // they do not have a bearer token, but requested a specific id. block
-            // TODO: proper error code
+            // TODO: proper error code from a useful error code
             // TODO: maybe instead of this sharp edged warn, we have a config value?
             // TODO: check config for if we should deny or allow this
-            // Err(anyhow::anyhow!("permission denied"))
+            Err(anyhow::anyhow!("permission denied"))
 
-            // TODO: make this a flag
-            warn!("allowing without auth during development!");
-            Ok(x.parse()?)
+            // // TODO: make this a flag
+            // warn!("allowing without auth during development!");
+            // Ok(x.parse()?)
         }
     }
 }