From ffdce767abd0d444fb196909fe2be94799d15c50 Mon Sep 17 00:00:00 2001
From: Arthur Lu
Date: Fri, 7 Jul 2023 00:06:36 +0000
Subject: [PATCH] fix some endpoint comments, add user node permission check to /node/pci
---
 src/main.js | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/src/main.js b/src/main.js
index becf97b..ae4583e 100644
--- src/main.js
+++ b/src/main.js
@@ -60,8 +60,8 @@ app.post("/api/proxmox/*", async (req, res) => { // proxy endpoint for POST prox
 /**
 * GET - check authentication
 * responses:
- * - 200: {auth: true, path: String}
- * - 401: {auth: false, path: String}
+ * - 200: {auth: true}
+ * - 401: {auth: false}
 */
 app.get("/api/auth", async (req, res) => {
 const auth = await checkAuth(req.cookies, res);
@@ -77,8 +77,8 @@ app.get("/api/auth", async (req, res) => {
 * - username: String
 * - password: String
 * responses:
- * - 200: {auth: true, path: String}
- * - 401: {auth: false, path: String}
+ * - 200: {auth: true}
+ * - 401: {auth: false}
 */
 app.post("/api/auth/ticket", async (req, res) => {
 const response = await requestPVE("/access/ticket", "POST", null, JSON.stringify(req.body));
@@ -101,7 +101,7 @@ app.post("/api/auth/ticket", async (req, res) => {
 /**
 * DELETE - request to destroy ticket
 * responses:
- * - 200: {auth: false, path: String}
+ * - 200: {auth: false}
 */
 app.delete("/api/auth/ticket", async (req, res) => {
 const expire = new Date(0);
@@ -140,7 +140,7 @@ app.get("/api/global/config/:key", async (req, res) => {
 * GET - get db user resource information including allocated, free, and maximum resource values along with resource metadata
 * responses:
 * - 200: {avail: Object, max: Object, used: Object, resources: Object}
- * - 401: {auth: false, path: String}
+ * - 401: {auth: false}
 */
 app.get("/api/user/dynamic/resources", async (req, res) => {
 // check auth
@@ -158,7 +158,7 @@ app.get("/api/user/dynamic/resources", async (req, res) => {
 * - key: User config key
 * responses:
 * - 200: Object
- * - 401: {auth: false, path: String}
+ * - 401: {auth: false}
 * - 401: {auth: false, error: String}
 */
 app.get("/api/user/config/:key", async (req, res) => {
@@ -184,7 +184,7 @@ app.get("/api/user/config/:key", async (req, res) => {
 * POST - detach mounted disk from instance
 * request:
 * - node: String - vm host node id
- * - type: String - vm type (lxc, qemu)
+ * -y tpe: String - vm type (lxc, qemu)
 * - vmid: Number - vm id number
 * - disk: String - disk id (sata0, NOT unused)
 * responses:
@@ -742,6 +742,7 @@ app.get(`/api/:node(${nodeRegexP})/:type(${typeRegexP})/:vmid(${vmidRegexP})/pci
 * - node: String - vm host node id
 * responses:
 * - 200: PVE PCI Device Object
+ * - 401: {auth: false}
 * - 401: {auth: false, path: String}
 * - 500: {error: String}
 */
@@ -754,6 +755,12 @@ app.get(`/api/:node(${nodeRegexP})/pci`, async (req, res) => {
 if (!auth) {
 return;
 }
+ let userNodes = db.getUserConfig(req.cookies.username).nodes;
+ if (!userNodes.includes(params.node)){
+ res.status(401).send({auth: false, path: params.node});
+ res.end();
+ return;
+ }
 // get remaining user resources
 const userAvailPci = (await getUserResources(req, req.cookies.username)).avail.pci;
 // get node avail devices
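Review bot: The replacement line in the detach-disk request docs, `* -y tpe: String - vm type (lxc, qemu)`, looks like an accidental keystroke transposition rather than an intended edit. The removed line read `* - type: String - vm type (lxc, qemu)`, and the neighbouring `node`, `vmid` and `disk` entries still use the `- name: Type - description` form. Restore `* - type: String - vm type (lxc, qemu)` so the documented parameter name is correct. The comment block starts and ends outside this hunk.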
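Review bot: The new node check in the `/api/:node/pci` handler keys its lookup on `req.cookies.username`, a client-supplied value, so it is only an authorization control if `checkAuth` (not visible in this hunk) verifies that this cookie names the same user as the validated ticket; that binding is worth confirming and stating in a comment above the check. `userNodes` is also used unguarded: if the user's config has no `nodes` array, `.includes` throws inside the async handler instead of sending a denial, so the condition would fail closed more cleanly as `if (!Array.isArray(userNodes) || !userNodes.includes(params.node)) {`, with `userNodes` declared `const`. An authenticated caller who lacks access to the node is a 403 case rather than 401, although the documented `401: {auth: false, path: String}` shape suggests the project uses 401 deliberately, and the `res.end();` after `send()` is redundant. The handler body starts and ends outside the hunk, so the definition of `params` could not be checked here.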