Add authentication for another node to access GET /api/servers/:server/archive, add POST /api/transfer route
parent
c096d8802f
commit
ef0ad45b71
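--- a/archive_auth.go
+++ b/archive_auth.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+"github.com/gbrlsnchs/jwt/v3"
+"github.com/pterodactyl/wings/config"
+"time"
+)
+
+// ArchiveTokenPayload represents an Archive Token Payload.
+type ArchiveTokenPayload struct {
+jwt.Payload
+}
+
+func ParseArchiveJWT(token []byte) (*ArchiveTokenPayload, error) {
+var payload ArchiveTokenPayload
+if alg == nil {
+alg = jwt.NewHS256([]byte(config.Get().AuthenticationToken))
+}
+
+now := time.Now()
+verifyOptions := jwt.ValidatePayload(
+&payload.Payload,
+jwt.ExpirationTimeValidator(now),
+)
+
+_, err := jwt.Verify(token, alg, &payload, verifyOptions)
+if err != nil {
+return nil, err
+}
+
+return &payload, nil
+}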
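Review bot: ParseArchiveJWT accepts any token that verifies under the daemon-wide key and has not expired, because the only validator passed to `jwt.ValidatePayload` is `jwt.ExpirationTimeValidator(now)`. Since the HS256 key is `config.Get().AuthenticationToken`, a JWT signed with that key for some other purpose would presumably pass here as well, so the payload should carry a purpose-binding claim that the parser checks, for example `jwt.AudienceValidator(jwt.Audience{"<archive-audience>"})` (placeholder value) next to the expiry validator. `alg` is not declared in this file and is assigned lazily without synchronisation, which looks like a data race when handlers call this concurrently; initialising it once at startup or through `sync.Once` would avoid that. The exported function also lacks a doc comment, e.g. `// ParseArchiveJWT verifies an HS256-signed archive token and returns its payload, or an error if the signature or expiry check fails.`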
33
http.go
33
http.go
|
@ -33,7 +33,7 @@ type Router struct {
|
|||
upgrader websocket.Upgrader
|
||||
|
||||
// The authentication token defined in the config.yml file that allows
|
||||
// a request to perform any action aganist the daemon.
|
||||
// a request to perform any action against the daemon.
|
||||
token string
|
||||
}
|
||||
|
||||
|
@ -79,7 +79,7 @@ func (rt *Router) AuthenticateToken(h httprouter.Handle) httprouter.Handle {
|
|||
return
|
||||
}
|
||||
|
||||
// Try to match the request aganist the global token for the Daemon, regardless
|
||||
// Try to match the request against the global token for the Daemon, regardless
|
||||
// of the permission type. If nothing is matched we will fall through to the Panel
|
||||
// API to try and validate permissions for a server.
|
||||
if auth[1] == rt.token {
|
||||
|
@ -156,7 +156,7 @@ func (rt *Router) routeServerPower(w http.ResponseWriter, r *http.Request, ps ht
|
|||
return
|
||||
}
|
||||
|
||||
// Because we route all of the actual bootup process to a seperate thread we need to
|
||||
// Because we route all of the actual bootup process to a separate thread we need to
|
||||
// check the suspension status here, otherwise the user will hit the endpoint and then
|
||||
// just sit there wondering why it returns a success but nothing actually happens.
|
||||
//
|
||||
|
@ -606,6 +606,25 @@ func (rt *Router) routeRequestServerArchive(w http.ResponseWriter, _ *http.Reque
|
|||
}
|
||||
|
||||
func (rt *Router) routeGetServerArchive(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
||||
auth := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
|
||||
|
||||
if len(auth) != 2 || auth[0] != "Bearer" {
|
||||
w.Header().Set("WWW-Authenticate", "Bearer")
|
||||
http.Error(w, "authorization failed", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
token, err := ParseArchiveJWT([]byte(auth[1]))
|
||||
if err != nil {
|
||||
http.Error(w, "authorization failed", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
if token.Subject != ps.ByName("server") {
|
||||
http.Error(w, "forbidden", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
s := rt.GetServer(ps.ByName("server"))
|
||||
|
||||
st, err := s.Archiver.Stat()
|
||||
|
@ -647,6 +666,10 @@ func (rt *Router) routeGetServerArchive(w http.ResponseWriter, r *http.Request,
|
|||
bufio.NewReader(file).WriteTo(w)
|
||||
}
|
||||
|
||||
func (rt *Router) routeIncomingTransfer(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
|
||||
w.WriteHeader(204)
|
||||
}
|
||||
|
||||
func (rt *Router) ReaderToBytes(r io.Reader) []byte {
|
||||
buf := bytes.Buffer{}
|
||||
buf.ReadFrom(r)
|
||||
|
@ -684,7 +707,9 @@ func (rt *Router) ConfigureRouter() *httprouter.Router {
|
|||
router.DELETE("/api/servers/:server", rt.AuthenticateRequest(rt.routeServerDelete))
|
||||
|
||||
router.POST("/api/servers/:server/archive", rt.AuthenticateRequest(rt.routeRequestServerArchive))
|
||||
router.GET("/api/servers/:server/archive", rt.AuthenticateRequest(rt.routeGetServerArchive))
|
||||
router.GET("/api/servers/:server/archive", rt.AuthenticateServer(rt.routeGetServerArchive))
|
||||
|
||||
router.POST("/api/transfer", rt.AuthenticateToken(rt.routeIncomingTransfer))
|
||||
|
||||
return router
|
||||
}
|
||||
|
|
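Review bot: In the authentication block added to routeGetServerArchive, none of the three rejection branches records the failure, and an accepted token can be presented again for as long as it has not expired, so repeated or probing requests against the archive download leave nothing for detection. Each rejection should be logged with `r.RemoteAddr` and `ps.ByName("server")`, and the second 401 branch should set `w.Header().Set("WWW-Authenticate", "Bearer")` as the first one does. The scheme check `auth[0] != "Bearer"` is case-sensitive, whereas the auth scheme is defined as case-insensitive; `!strings.EqualFold(auth[0], "Bearer")` would accept conforming clients. The route is now wrapped in `rt.AuthenticateServer`, which is not part of this diff; if that wrapper does not reject unknown servers, `rt.GetServer(...)` may return nil before `s.Archiver.Stat()` is called. The function body continues outside the hunk.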