From 8f7ea517879b4912cf9d844b5260cfe61d03c7b4 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Mon, 8 Jul 2024 19:25:23 +0000
Subject: [PATCH] add missing valid pve token check to checkAuth

---
 src/backends/pve.js | 2 +-
 src/routes/access.js | 6 ++++++
 src/routes/access/groups.js | 9 ++++++---
 src/routes/access/users.js | 9 ++++++---
 src/routes/user.js | 6 +++++-
 src/utils.js | 22 ++++++++++++++++++----
 6 files changed, 42 insertions(+), 12 deletions(-)

diff --git a/src/backends/pve.js b/src/backends/pve.js
index 0e0a84b..e5272ab 100644
--- a/src/backends/pve.js
+++ b/src/backends/pve.js
@@ -92,7 +92,7 @@ export default class PVE extends PVE_BACKEND {
 async handleResponse (node, result, res) {
 const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay));
 if (result.status !== 200) {
- res.status(result.status).send({error: result.statusText});
+ res.status(result.status).send({ error: result.statusText });
 res.end();
 }
 else if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) {
diff --git a/src/routes/access.js b/src/routes/access.js
index 150ef7a..bfa69f6 100644
--- a/src/routes/access.js
+++ b/src/routes/access.js
@@ -115,6 +115,12 @@ router.post("/password", async (req, res) => {
 password: req.body.password
 };
+ // check auth
+ const auth = await checkAuth(req.cookies, res);
+ if (!auth) {
+ return;
+ }
+
 const userObj = global.utils.getUserObjFromUsername(params.username);
 const newAttributes = {
 userpassword: params.password
diff --git a/src/routes/access/groups.js b/src/routes/access/groups.js
index 48dff09..d2693d1 100644
--- a/src/routes/access/groups.js
+++ b/src/routes/access/groups.js
@@ -1,6 +1,8 @@
 import { Router } from "express";
 export const router = Router({ mergeParams: true });
+const checkAuth = global.utils.checkAuth;
+
 /**
 * GET - get all groups
 * responses:
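Review bot: The added checkAuth in the `/password` handler only establishes that `req.cookies.username` holds a valid PVE ticket; nothing binds that identity to `params.username`, which the line after the block passes to `getUserObjFromUsername` and whose password is then set. The `params` literal starts above the hunk and only `password: req.body.password` is visible, so if `username` is likewise read from `req.body`, any authenticated user can set another user's password. Add a binding check right after `if (!auth) { return; }`, e.g. `if (params.username !== req.cookies.username) { res.status(403).send({ auth: false, error: "Username does not match the authenticated user." }); res.end(); return; }`, or an explicit admin-privilege check if changing other users' passwords is intended. The handler continues past the hunk.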
@@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
 * - 201: {auth: false}
 */
 router.get("/", async (req, res) => {
- const auth = await checkAuth(req.cookies, res);
+ // check auth
+ const auth = await checkAuth(req.cookies, res);
 if (!auth) {
 return;
 }
- res.status(200).send(global.userManager.getAllGroups())
-});
\ No newline at end of file
+ res.status(200).send(global.userManager.getAllGroups());
+});
diff --git a/src/routes/access/users.js b/src/routes/access/users.js
index ce6accd..df29917 100644
--- a/src/routes/access/users.js
+++ b/src/routes/access/users.js
@@ -1,6 +1,8 @@
 import { Router } from "express";
 export const router = Router({ mergeParams: true });
+const checkAuth = global.utils.checkAuth;
+
 /**
 * GET - get all users
 * responses:
@@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
 * - 201: {auth: false}
 */
 router.get("/", async (req, res) => {
- const auth = await checkAuth(req.cookies, res);
+ // check auth
+ const auth = await checkAuth(req.cookies, res);
 if (!auth) {
 return;
 }
- res.status(200).send(global.userManager.getAllUsers())
-});
\ No newline at end of file
+ res.status(200).send(global.userManager.getAllUsers());
+});
diff --git a/src/routes/user.js b/src/routes/user.js
index 0eb704b..3ea0242 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -12,13 +12,17 @@ const getUserResources = global.utils.getUserResources;
 * - 401: {auth: false}
 */
 router.get("/dynamic/resources", async (req, res) => {
+ const params = {
+ username: req.cookies.username
+ };
+
 // check auth
 const auth = await checkAuth(req.cookies, res);
 if (!auth) {
 return;
 }
- const userObj = global.utils.getUserObjFromUsername(req.cookies.username);
+ const userObj = global.utils.getUserObjFromUsername(params.username);
 const resources = await getUserResources(req, userObj);
 res.status(200).send(resources);
diff --git a/src/utils.js b/src/utils.js
index 7cd20ff..bbed7cd 100644
--- a/src/utils.js
+++ b/src/utils.js
@@ -15,20 +15,34 @@ import { exit } from "process";
 export async function checkAuth (cookies, res, vmpath = null) {
 let auth = false;
- const userObj = getUserObjFromUsername(cookies.username);
+ const userObj = getUserObjFromUsername(cookies.username); // check if username exists and is valid
 if (!userObj) {
 res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." });
 res.end();
 return false;
 }
- if ((await global.userManager.getUser(userObj)) === null) {
- res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in localdb.` });
+ if (!cookies.PVEAuthCookie) { // check if PVE token exists
+ res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Token was missing or invalid." });
 res.end();
 return false;
 }
- if (vmpath) {
+ const pveTicket = cookies.PVEAuthCookie;
+ const result = await global.pve.requestPVE("/access/ticket", "POST", null, { username: cookies.username, password: pveTicket });
+ if (result.status !== 200) { // check if PVE token is valid by using /access/ticket to validate ticket with Proxmox
+ res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username did not match token." });
+ res.end();
+ return false;
+ }
+
+ if ((await global.userManager.getUser(userObj)) === null) { // check if user exists in database
+ res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
+ res.end();
+ return false;
+ }
+
+ if (vmpath) { // if a path is specified, check the permissions on the path
 const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies });
 auth = result.status === 200;
 }
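Review bot: Every non-200 from the `/access/ticket` call is turned into a 401 with `error: "Username did not match token."`, yet the same branch fires for an expired ticket and, if `requestPVE` surfaces transport failures as a non-200 status (its implementation is not in the hunk), for a Proxmox outage, so a backend error tells the client to log in again. Keep the same `{ auth, path, error }` payload but reuse the neutral `error: "Token was missing or invalid."` from the check just above, map the status with `res.status(result.status === 401 ? 401 : 502)`, and log `result.status` server-side so the real cause stays visible. The `const result` holding that response is also shadowed by the block-scoped `const result` in the `if (vmpath)` branch below; naming the first one `ticketResult` keeps the two `result.status` reads distinct. Note that the new check costs one extra Proxmox round trip on every authenticated request. checkAuth's body continues past the hunk.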