add missing valid pve token check to checkAuth

This commit is contained in:
Arthur Lu 2024-07-08 19:25:23 +00:00
parent 800033c6f8
commit 8f7ea51787
6 changed files with 42 additions and 12 deletions

View File

@ -92,7 +92,7 @@ export default class PVE extends PVE_BACKEND {
async handleResponse (node, result, res) {
const waitFor = delay => new Promise(resolve => setTimeout(resolve, delay));
if (result.status !== 200) {
res.status(result.status).send({error: result.statusText});
res.status(result.status).send({ error: result.statusText });
res.end();
}
else if (result.data.data && typeof (result.data.data) === "string" && result.data.data.startsWith("UPID:")) {

View File

@ -115,6 +115,12 @@ router.post("/password", async (req, res) => {
password: req.body.password
};
// check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) {
return;
}
const userObj = global.utils.getUserObjFromUsername(params.username);
const newAttributes = {
userpassword: params.password

View File

@ -1,6 +1,8 @@
import { Router } from "express";
export const router = Router({ mergeParams: true });
const checkAuth = global.utils.checkAuth;
/**
* GET - get all groups
* responses:
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
* - 201: {auth: false}
*/
router.get("/", async (req, res) => {
const auth = await checkAuth(req.cookies, res);
// check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) {
return;
}
res.status(200).send(global.userManager.getAllGroups())
res.status(200).send(global.userManager.getAllGroups());
});

View File

@ -1,6 +1,8 @@
import { Router } from "express";
export const router = Router({ mergeParams: true });
const checkAuth = global.utils.checkAuth;
/**
* GET - get all users
* responses:
@ -8,9 +10,10 @@ export const router = Router({ mergeParams: true });
* - 201: {auth: false}
*/
router.get("/", async (req, res) => {
const auth = await checkAuth(req.cookies, res);
// check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) {
return;
}
res.status(200).send(global.userManager.getAllUsers())
res.status(200).send(global.userManager.getAllUsers());
});

View File

@ -12,13 +12,17 @@ const getUserResources = global.utils.getUserResources;
* - 401: {auth: false}
*/
router.get("/dynamic/resources", async (req, res) => {
const params = {
username: req.cookies.username
};
// check auth
const auth = await checkAuth(req.cookies, res);
if (!auth) {
return;
}
const userObj = global.utils.getUserObjFromUsername(req.cookies.username);
const userObj = global.utils.getUserObjFromUsername(params.username);
const resources = await getUserResources(req, userObj);
res.status(200).send(resources);

View File

@ -15,20 +15,34 @@ import { exit } from "process";
export async function checkAuth (cookies, res, vmpath = null) {
let auth = false;
const userObj = getUserObjFromUsername(cookies.username);
const userObj = getUserObjFromUsername(cookies.username); // check if username exists and is valid
if (!userObj) {
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username was missing or invalid." });
res.end();
return false;
}
if ((await global.userManager.getUser(userObj)) === null) {
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in localdb.` });
if (!cookies.PVEAuthCookie) { // check if PVE token exists
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Token was missing or invalid." });
res.end();
return false;
}
if (vmpath) {
const pveTicket = cookies.PVEAuthCookie;
const result = await global.pve.requestPVE("/access/ticket", "POST", null, { username: cookies.username, password: pveTicket });
if (result.status !== 200) { // check if PVE token is valid by using /access/ticket to validate ticket with Proxmox
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: "Username did not match token." });
res.end();
return false;
}
if ((await global.userManager.getUser(userObj)) === null) { // check if user exists in database
res.status(401).send({ auth, path: vmpath ? `${vmpath}/config` : "/version", error: `User ${cookies.username} not found in database.` });
res.end();
return false;
}
if (vmpath) { // if a path is specified, check the permissions on the path
const result = await global.pve.requestPVE(`/${vmpath}/config`, "GET", { cookies });
auth = result.status === 200;
}