From 08947ca15d865c2fea6b883a44f16802c294a90e Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Sat, 13 May 2023 07:34:58 +0000
Subject: [PATCH] implement safer pve ticket endpoint

---
 main.js          | 27 +++++++++++++++++++++++++--
 vars.js.template |  1 +
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/main.js b/main.js
index bfd4815..360b124 100644
--- a/main.js
+++ b/main.js
@@ -5,7 +5,7 @@ import cors from "cors";
 import morgan from "morgan";
 import api from "./package.json" assert {type: "json"};
-import { pveAPIToken, listenPort, domain } from "./vars.js";
+import { pveAPIToken, listenPort, hostname, domain } from "./vars.js";
 import { checkAuth, requestPVE, handleResponse, getDiskInfo } from "./pve.js";
 import { getAllocatedResources, approveResources } from "./utils.js";
 import { getUserConfig } from "./db.js";
@@ -13,7 +13,7 @@ import { getUserConfig } from "./db.js";
 const app = express();
 app.use(bodyParser.urlencoded({extended: true}));
 app.use(cookieParser())
-app.use(cors({origin: domain}));
+app.use(cors({origin: hostname}));
 app.use(morgan("combined"));
 app.get("/api/version", (req, res) => {
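Review bot: The new `app.use(cors({origin: hostname}))` line takes `hostname` from vars.js, where the template initialises it to `""`, and the cors middleware emits a string origin verbatim as the Access-Control-Allow-Origin header, so an empty value or a bare host without scheme will never match the browser's Origin and the frontend is silently locked out, while the cookies set in the new /api/ticket handlers still use `domain`. The template gives no hint that the two values take different forms. I would annotate the new template line: `export const hostname = ""; // full CORS origin of the frontend, scheme included, e.g. "https://<frontend host>"` (placeholder) and `export const domain = ""; // cookie Domain attribute, bare host without scheme`. A startup guard such as `if (!hostname || !domain) throw new Error("hostname and domain must be set in vars.js");` would surface the misconfiguration at boot instead of as failed requests.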
@@ -41,6 +41,29 @@ app.post("/api/proxmox/*", async (req, res) => { // proxy endpoint for POST prox
   res.status(result.status).send(result.data);
 });
+app.post("/api/ticket", async (req, res) => {
+  let response = await requestPVE("/access/ticket", "POST", null, JSON.stringify(req.body));
+  let ticket = response.data.data.ticket;
+  let csrftoken = response.data.data.CSRFPreventionToken;
+  let username = response.data.data.username;
+  let expire = new Date(Date.now() + (2*60*60*1000));
+  res.cookie("PVEAuthCookie", ticket, {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("CSRFPreventionToken", csrftoken, {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("username", username, {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("auth", 1, {domain: domain, path: "/", secure: true, expires: expire});
+  res.status(200).send({auth: true});
+});
+
+app.delete("/api/ticket", async (req, res) => {
+  let expire = new Date(0);
+  res.cookie("PVEAuthCookie", "", {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("CSRFPreventionToken", "", {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("username", "", {domain: domain, path: "/", httpOnly: true, secure: true, expires: expire});
+  res.cookie("auth", 0, {domain: domain, path: "/", expires: expire});
+  res.status(200).send({auth: false});
+});
+
+
 
 app.get("/api/user/resources", async (req, res) => {
   // check auth
   await checkAuth(req.cookies, res);
diff --git a/vars.js.template b/vars.js.template
index 0e11e9a..0a6dcd8 100644
--- a/vars.js.template
+++ b/vars.js.template
@@ -6,4 +6,5 @@ export const pveAPIToken = {
   uuid: ""
 };
 export const listenPort = 80;
+export const hostname = "";
 export const domain = "";
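Review bot: The POST /api/ticket handler reads `response.data.data.ticket` and sets all four cookies without checking `response.status`, so a rejected login (PVE answers the ticket request with a 401 for bad credentials) either throws a TypeError on the missing `data` object — which, unless an error wrapper for async routes exists outside this hunk, Express 4 will not catch and the request hangs — or, when a body is present, ends in `{auth: true}` with empty cookies. The proxy endpoint just above already forwards `result.status`; do the same here before touching the payload: `if (response.status !== 200) { res.status(response.status).send({auth: false}); return; }`. Within the same hunk the DELETE handler clears `auth` without `secure: true` while the POST set it with that flag, so the two calls should use identical attributes (or `res.clearCookie` with the same options), and none of the cookies carry `sameSite`, which is worth adding (`sameSite: "strict"`) since PVEAuthCookie is the session credential the proxy endpoints rely on. The bare `2*60*60*1000` deserves a comment such as `// PVE tickets are valid for two hours; keep the cookie lifetime aligned with the ticket`.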