add missing valid pve token check to checkAuth
parent
800033c6f8
commit
8f7ea51787
@ -92,7 +92,7 @@ export default class PVE extends PVE_BACKEND {
|
||||
async handleResponse (node, result, res) {
|
||||
const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay));
|
||||
if (result.status !== 200) {
|
||||
res.status(result.status).send({error: result.statusText});
|
||||
res.status(result.status).send({ error: result.statusText });
|
||||
res.end();
|
||||
}
|
||||
else if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) {
|
||||
|
@ -115,6 +115,12 @@ router.post("/password", async (req, res) => {
|
||||
password: req.body.password
|
||||
};
|
||||
|
||||
// check auth
|
||||
const auth = await checkAuth(req.cookies, res);
|
||||
if (!auth) {
|
||||
return;
|
||||
}
|
||||
|
||||
const userObj = global.utils.getUserObjFromUsername(params.username);
|
||||
const newAttributes = {
|
||||
userpassword: params.password
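Review bot: `checkAuth` validates the identity carried in `req.cookies`, but the update that follows is keyed on `params.username`, whose assignment sits above the hunk. If that value can come from the request body rather than the cookie, the authenticated user and the account being changed can differ. Confirm it is `req.cookies.username` and state it next to the lookup, e.g. `// params.username is the cookie identity checkAuth just validated`. As far as the visible lines show, only the new password is read from the body, so a valid session alone is enough to change it; requiring the current password as well would be worth considering. The handler continues outside the hunk.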
|
||||
|
@ -1,6 +1,8 @@
|
||||
import { Router } from "express";
|
||||
export const router = Router({ mergeParams: true });
|
||||
|
||||
const checkAuth = global.utils.checkAuth;
|
||||
|
||||
/**
|
||||
* GET - get all groups
|
||||
* responses:
|
||||
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
|
||||
* - 201: {auth: false}
|
||||
*/
|
||||
router.get("/", async (req, res) => {
|
||||
// check auth
|
||||
const auth = await checkAuth(req.cookies, res);
|
||||
if (!auth) {
|
||||
return;
|
||||
}
|
||||
res.status(200).send(global.userManager.getAllGroups())
|
||||
res.status(200).send(global.userManager.getAllGroups());
|
||||
});
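Review bot: The route comment still lists `- 201: {auth: false}` for the unauthenticated case, while the `checkAuth` call added to this handler replies with status 401 and a body holding `auth`, `path` and `error`, as the `src/utils.js` section of this commit shows. The line should read `* - 401: {auth: false, path: string, error: string}` so clients are not told to expect a success-class status on rejection. The users router section that follows carries the same stale `201` line and needs the same correction.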
|
@ -1,6 +1,8 @@
|
||||
import { Router } from "express";
|
||||
export const router = Router({ mergeParams: true });
|
||||
|
||||
const checkAuth = global.utils.checkAuth;
|
||||
|
||||
/**
|
||||
* GET - get all users
|
||||
* responses:
|
||||
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
|
||||
* - 201: {auth: false}
|
||||
*/
|
||||
router.get("/", async (req, res) => {
|
||||
// check auth
|
||||
const auth = await checkAuth(req.cookies, res);
|
||||
if (!auth) {
|
||||
return;
|
||||
}
|
||||
res.status(200).send(global.userManager.getAllUsers())
|
||||
res.status(200).send(global.userManager.getAllUsers());
|
||||
});
|
@ -12,13 +12,17 @@ const getUserResources = global.utils.getUserResources;
|
||||
* - 401: {auth: false}
|
||||
*/
|
||||
router.get("/dynamic/resources", async (req, res) => {
|
||||
const params = {
|
||||
username: req.cookies.username
|
||||
};
|
||||
|
||||
// check auth
|
||||
const auth = await checkAuth(req.cookies, res);
|
||||
if (!auth) {
|
||||
return;
|
||||
}
|
||||
|
||||
const userObj = global.utils.getUserObjFromUsername(req.cookies.username);
|
||||
const userObj = global.utils.getUserObjFromUsername(params.username);
|
||||
|
||||
const resources = await getUserResources(req, userObj);
|
||||
res.status(200).send(resources);
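Review bot: `checkAuth` is called in this handler, but the hunk header (`-12,13 +12,17`) starts at line 12 on both sides, so the commit adds nothing above it. The groups and users routers, by contrast, gain `const checkAuth = global.utils.checkAuth;`. If that binding is not already among the declarations above the hunk, the call throws at request time instead of returning 401. Confirm it exists, or add `const checkAuth = global.utils.checkAuth;` beside the `getUserResources` binding named in the hunk header.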
|
||||
|
22
src/utils.js
22
src/utils.js
@ -15,20 +15,34 @@ import { exit } from "process";
|
||||
export async function checkAuth (cookies, res, vmpath = null) {
|
||||
let auth = false;
|
||||
|
||||
const userObj = getUserObjFromUsername(cookies.username);
|
||||
const userObj = getUserObjFromUsername(cookies.username); // check if username exists and is valid
|
||||
if (!userObj) {
|
||||
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." });
|
||||
res.end();
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((await global.userManager.getUser(userObj)) === null) {
|
||||
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in localdb.` });
|
||||
if (!cookies.PVEAuthCookie) { // check if PVE token exists
|
||||
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Token was missing or invalid." });
|
||||
res.end();
|
||||
return false;
|
||||
}
|
||||
|
||||
if (vmpath) {
|
||||
const pveTicket = cookies.PVEAuthCookie;
|
||||
const result = await global.pve.requestPVE("/access/ticket", "POST", null, { username: cookies.username, password: pveTicket });
|
||||
if (result.status !== 200) { // check if PVE token is valid by using /access/ticket to validate ticket with Proxmox
|
||||
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username did not match token." });
|
||||
res.end();
|
||||
return false;
|
||||
}
|
||||
|
||||
if ((await global.userManager.getUser(userObj)) === null) { // check if user exists in database
|
||||
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
|
||||
res.end();
|
||||
return false;
|
||||
}
|
||||
|
||||
if (vmpath) { // if a path is specified, check the permissions on the path
|
||||
const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies });
|
||||
auth = result.status === 200;
|
||||
}
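Review bot: The ticket check `if (result.status !== 200)` answers every non-200 from `/access/ticket` with 401 "Username did not match token.", so a Proxmox timeout or 5xx cannot be told apart from a bad ticket, either by the client or in logs. Failing closed is right, but consider reserving the credential error for an actual 401 and reporting a gateway error otherwise, e.g. `const code = result.status === 401 ? 401 : 502;`. The function-level `const result` is also shadowed by the `const result` inside `if (vmpath)`; renaming the first to `ticketCheck` would make it clear which response decides `auth`. The function continues past the end of the hunk, so how `auth` is set when `vmpath` is null is not visible here.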
|
||||
|