tronnet/ProxmoxAAS-API
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add missing valid pve token check to checkAuth

Browse Source
This commit is contained in:
Arthur Lu 2024-07-08 19:25:23 +00:00
parent 800033c6f8
commit 8f7ea51787
6 changed files with 42 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/backends/pve.js
View File

@ -92,7 +92,7 @@ export default class PVE extends PVE_BACKEND {
async handleResponse (node, result, res) { async handleResponse (node, result, res) {
const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay)); const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay));
if (result.status !== 200) { if (result.status !== 200) {
res.status(result.status).send({error: result.statusText}); res.status(result.status).send({ error: result.statusText });
res.end(); res.end();
} }
else if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) { else if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) {

6
src/routes/access.js
View File

@ -115,6 +115,12 @@ router.post("/password", async (req, res) => {
password: req.body.password password: req.body.password
}; };
// check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) {
return;
}
const userObj = global.utils.getUserObjFromUsername(params.username); const userObj = global.utils.getUserObjFromUsername(params.username);
const newAttributes = { const newAttributes = {
userpassword: params.password userpassword: params.password

9
src/routes/access/groups.js
View File

@ -1,6 +1,8 @@
import { Router } from "express"; import { Router } from "express";
export const router = Router({ mergeParams: true }); export const router = Router({ mergeParams: true });
const checkAuth = global.utils.checkAuth;
/** /**
* GET - get all groups * GET - get all groups
* responses: * responses:
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
* - 201: {auth: false} * - 201: {auth: false}
*/ */
router.get("/", async (req, res) => { router.get("/", async (req, res) => {
const auth = await checkAuth(req.cookies, res); // check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) { if (!auth) {
return; return;
} }
res.status(200).send(global.userManager.getAllGroups()) res.status(200).send(global.userManager.getAllGroups());
}); });

9
src/routes/access/users.js
View File

@ -1,6 +1,8 @@
import { Router } from "express"; import { Router } from "express";
export const router = Router({ mergeParams: true }); export const router = Router({ mergeParams: true });
const checkAuth = global.utils.checkAuth;
/** /**
* GET - get all users * GET - get all users
* responses: * responses:
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
* - 201: {auth: false} * - 201: {auth: false}
*/ */
router.get("/", async (req, res) => { router.get("/", async (req, res) => {
const auth = await checkAuth(req.cookies, res); // check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) { if (!auth) {
return; return;
} }
res.status(200).send(global.userManager.getAllUsers()) res.status(200).send(global.userManager.getAllUsers());
}); });

6
src/routes/user.js
View File

@ -12,13 +12,17 @@ const getUserResources = global.utils.getUserResources;
* - 401: {auth: false} * - 401: {auth: false}
*/ */
router.get("/dynamic/resources", async (req, res) => { router.get("/dynamic/resources", async (req, res) => {
const params = {
username: req.cookies.username
};
// check auth // check auth
const auth = await checkAuth(req.cookies, res); const auth = await checkAuth(req.cookies, res);
if (!auth) { if (!auth) {
return; return;
} }
const userObj = global.utils.getUserObjFromUsername(req.cookies.username); const userObj = global.utils.getUserObjFromUsername(params.username);
const resources = await getUserResources(req, userObj); const resources = await getUserResources(req, userObj);
res.status(200).send(resources); res.status(200).send(resources);

22
src/utils.js
View File

@ -15,20 +15,34 @@ import { exit } from "process";
export async function checkAuth (cookies, res, vmpath = null) { export async function checkAuth (cookies, res, vmpath = null) {
let auth = false; let auth = false;
const userObj = getUserObjFromUsername(cookies.username); const userObj = getUserObjFromUsername(cookies.username); // check if username exists and is valid
if (!userObj) { if (!userObj) {
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." }); res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." });
res.end(); res.end();
return false; return false;
} }
if ((await global.userManager.getUser(userObj)) === null) { if (!cookies.PVEAuthCookie) { // check if PVE token exists
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in localdb.` }); res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Token was missing or invalid." });
res.end(); res.end();
return false; return false;
} }
if (vmpath) { const pveTicket = cookies.PVEAuthCookie;
const result = await global.pve.requestPVE("/access/ticket", "POST", null, { username: cookies.username, password: pveTicket });
if (result.status !== 200) { // check if PVE token is valid by using /access/ticket to validate ticket with Proxmox
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username did not match token." });
res.end();
return false;
}
if ((await global.userManager.getUser(userObj)) === null) { // check if user exists in database
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
res.end();
return false;
}
if (vmpath) { // if a path is specified, check the permissions on the path
const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies }); const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies });
auth = result.status === 200; auth = result.status === 200;
} }