add old got as dependency (is a security vulnerability),

use axios as http request handler
This commit is contained in:
Arthur Lu 2023-02-13 02:11:55 +00:00
parent b69d248560
commit b3379bfa3c
2 changed files with 89 additions and 123 deletions

211
index.js
View File

@ -4,10 +4,11 @@ const cookieParser = require("cookie-parser")
const cors = require("cors"); const cors = require("cors");
const helmet = require("helmet"); const helmet = require("helmet");
const morgan = require("morgan"); const morgan = require("morgan");
const https = require("https"); const axios = require('axios');
var package = require("./package.json"); var api = require("./package.json");
const {pveAPI, pveAPIToken, listenPort} = require("./vars.js") const {pveAPI, pveAPIToken, listenPort} = require("./vars.js");
const { token } = require("morgan");
const app = express(); const app = express();
app.use(helmet()); app.use(helmet());
@ -18,173 +19,137 @@ app.use(morgan("combined"));
app.get("/api/version", (req, res) => { app.get("/api/version", (req, res) => {
res.send({version: package.version}); res.send({version: api.version});
}); });
app.get("/api/echo", (req, res) => { app.get("/api/echo", (req, res) => {
res.send({body: req.body, cookies: req.cookies}); res.send({body: req.body, cookies: req.cookies});
}); });
app.get("/api/auth", (req, res) => { app.get("/api/auth", async (req, res) => {
checkAuth(req.cookies, (result) => { let result = await checkAuth(req.cookies);
res.send({auth: result}); res.send({auth: result});
});
}); });
app.post("/api/disk/detach", (req, res) => { app.post("/api/disk/detach", async (req, res) => {
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
checkAuth(req.cookies, (result) => {
if (result) { let auth = await checkAuth(req.cookies, vmpath);
let method = req.body.type === "qemu" ? "POST" : "PUT"; if (auth) {
requestPVE(`${vmpath}/config`, method, req.cookies, (result) => { let method = req.body.type === "qemu" ? "POST" : "PUT";
res.send(result); let result = await requestPVE(`${vmpath}/config`, method, req.cookies, req.body.action, pveAPIToken);
}, body = req.body.action, token = pveAPIToken); res.send({auth: auth, status: result.status, data: result.data.data});
} }
else { else {
res.send({auth: result}); res.send({auth: auth});
} }
}, vmpath);
}); });
app.post("/api/disk/attach", (req, res) => { app.post("/api/disk/attach", async (req, res) => {
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
checkAuth(req.cookies, (result) => {
if (result) { let auth = await checkAuth(req.cookies, vmpath);
let method = req.body.type === "qemu" ? "POST" : "PUT"; if (auth) {
requestPVE(`${vmpath}/config`, method, req.cookies, (result) => { let method = req.body.type === "qemu" ? "POST" : "PUT";
res.send(result); let result = await requestPVE(`${vmpath}/config`, method, req.cookies, req.body.action, pveAPIToken);
}, body = req.body.action, token = pveAPIToken); res.send({auth: auth, status: result.status, data: result.data.data});
} }
else { else {
res.send({auth: result}); res.send({auth: auth});
} }
}, vmpath);
}); });
app.post("/api/disk/resize", (req, res) => { app.post("/api/disk/resize", async (req, res) => {
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
checkAuth(req.cookies, (result) => {
if (result) { let auth = await checkAuth(req.cookies, vmpath);
let method = "PUT"; if (auth) {
requestPVE(`${vmpath}/resize`, method, req.cookies, (result) => { let method = "PUT";
res.send(result); let result = await requestPVE(`${vmpath}/resize`, method, req.cookies, req.body.action, pveAPIToken);
}, body = req.body.action, token = pveAPIToken); res.send({auth: auth, status: result.status, data: result.data.data});
} }
else { else {
res.send({auth: result}); res.send({auth: auth});
} }
}, vmpath);
}); });
app.post("/api/disk/move", (req, res) => { app.post("/api/disk/move", async (req, res) => {
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
let route = req.body.type === "qemu" ? "move_disk" : "move_volume"; let route = req.body.type === "qemu" ? "move_disk" : "move_volume";
checkAuth(req.cookies, (result) => {
if (result) { let auth = await checkAuth(req.cookies, vmpath);
let method = "POST"; if (auth) {
requestPVE(`${vmpath}/${route}`, method, req.cookies, (result) => { let method = "POST";
res.send(result); let result = await requestPVE(`${vmpath}/${route}`, method, req.cookies, req.body.action, pveAPIToken);
}, body = req.body.action, token = pveAPIToken); res.send({auth: auth, status: result.status, data: result.data.data});
} }
else { else {
res.send({auth: result}); res.send({auth: auth});
} }
}, vmpath);
}); });
app.post("/api/disk/delete", (req, res) => { app.post("/api/disk/delete", async (req, res) => {
let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`; let vmpath = `/nodes/${req.body.node}/${req.body.type}/${req.body.vmid}`;
checkAuth(req.cookies, (result) => {
if (result) { let auth = await checkAuth(req.cookies, vmpath);
let method = req.body.type === "qemu" ? "POST" : "PUT"; if (auth) {
requestPVE(`${vmpath}/config`, method, req.cookies, (result) => { let method = req.body.type === "qemu" ? "POST" : "PUT";
res.send(result); let result = await requestPVE(`${vmpath}/config`, method, req.cookies, req.body.action, pveAPIToken);
}, body = req.body.action, token = pveAPIToken); res.send({auth: auth, status: result.status, data: result.data.data});
} }
else { else {
res.send({auth: result}); res.send({auth: auth});
} }
}, vmpath);
}); });
function checkAuth (cookies, callback, vmpath = null) { async function checkAuth (cookies, vmpath = null) {
if (vmpath) { if (vmpath) {
requestPVE(`/${vmpath}/config`, "GET", cookies, (result) => { let result = await requestPVE(`/${vmpath}/config`, "GET", cookies);
if(result.status === 200){ if (result) {
callback(true); return result.status === 200;
} }
else { else {
callback(false); return false;
} }
})
} }
else { // if no path is specified, then do a simple authentication else { // if no path is specified, then do a simple authentication
requestPVE("/version", "GET", cookies, (result) => { let result = await requestPVE("/version", "GET", cookies);
if(result.status === 200){ return result.status === 200;
callback(true);
}
else {
callback(false);
}
});
} }
} }
function requestPVE (path, method, cookies, callback, body = null, token = null) { async function requestPVE (path, method, cookies, body = null, token = null) {
let url = `${pveAPI}${path}`; let url = `${pveAPI}${path}`;
let content = { let content = {
method: method, method: method,
mode: "cors", mode: "cors",
credentials: "include", credentials: "include",
headers: { headers: {
"Content-Type": "application/x-www-form-urlencoded", "Content-Type": "application/x-www-form-urlencoded"
"CSRFPreventionToken": cookies.CSRFPreventionToken },
}
} }
if (token) { if (token) {
content.headers.Authorization = `PVEAPIToken=${token.user}@${token.realm}!${token.id}=${token.uuid}`; content.headers.Authorization = `PVEAPIToken=${token.user}@${token.realm}!${token.id}=${token.uuid}`;
} }
else { else {
content.headers.CSRFPreventionToken = cookies.CSRFPreventionToken;
content.headers.Cookie = `PVEAuthCookie=${cookies.PVEAuthCookie}; CSRFPreventionToken=${cookies.CSRFPreventionToken}`; content.headers.Cookie = `PVEAuthCookie=${cookies.PVEAuthCookie}; CSRFPreventionToken=${cookies.CSRFPreventionToken}`;
} }
const promiseResponse = new Promise((resolve, reject) => { if (body) {
const fullResponse = { content.data = JSON.parse(body);
status: "", }
body: "",
headers: ""
};
const request = https.request(url, content);
request.on("error", reject);
request.on("response", response => {
response.setEncoding("utf8");
fullResponse.status = response.statusCode;
fullResponse.headers = response.headers;
response.on("data", chunk => { fullResponse.body += chunk; });
response.on("end", () => {
if(fullResponse.body){
fullResponse.body = JSON.parse(fullResponse.body);
}
resolve(fullResponse);
});
});
if (body) { try {
let prms = new URLSearchParams(JSON.parse(body)); let response = await axios.request(url, content);
request.write(prms.toString()); return response;
} }
catch (error) {
request.end(); return error;
}); }
promiseResponse.then(
response => {callback(response);},
error => {callback(error);}
);
} }
app.listen(listenPort, () => { app.listen(listenPort, () => {
console.log(`proxmoxaas-api v${package.version} listening on port ${listenPort}`); console.log(`proxmoxaas-api v${api.version} listening on port ${listenPort}`);
}); });

View File

@ -4,6 +4,7 @@
"description": "REST API for ProxmoxAAS", "description": "REST API for ProxmoxAAS",
"main": "index.js", "main": "index.js",
"dependencies": { "dependencies": {
"axios": "^1.3.2",
"body-parser": "^1.20.1", "body-parser": "^1.20.1",
"cookie-parser": "^1.4.6", "cookie-parser": "^1.4.6",
"cors": "^2.8.5", "cors": "^2.8.5",