aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-18 14:34:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Restrict authentication to the APIController to GreenFieldAPIKeys

Browse Source
This commit is contained in:
nicolas.dorier
2020-03-27 13:13:40 +09:00
parent d219ba5d32
commit 08abda1522
5 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
BTCPayServer.Tests/GreenfieldAPITests.cs
View File

@@ -46,15 +46,13 @@ namespace BTCPayServer.Tests
Assert.Single(apiKeyData.Permissions); Assert.Single(apiKeyData.Permissions);
//a client using Basic Auth has no business here //a client using Basic Auth has no business here
await AssertHttpError(404, async () => await clientBasic.GetCurrentAPIKeyInfo()); await AssertHttpError(401, async () => await clientBasic.GetCurrentAPIKeyInfo());
//revoke current api key //revoke current api key
await client.RevokeCurrentAPIKeyInfo(); await client.RevokeCurrentAPIKeyInfo();
await AssertHttpError(401, async () => await client.GetCurrentAPIKeyInfo()); await AssertHttpError(401, async () => await client.GetCurrentAPIKeyInfo());
//a client using Basic Auth has no business here //a client using Basic Auth has no business here
await AssertHttpError(404, async () => await clientBasic.RevokeCurrentAPIKeyInfo()); await AssertHttpError(401, async () => await clientBasic.RevokeCurrentAPIKeyInfo());
} }
} }

4
BTCPayServer/Controllers/GreenField/ApiKeysController.cs
View File

@@ -12,7 +12,7 @@ using BTCPayServer.Security.GreenField;
namespace BTCPayServer.Controllers.GreenField namespace BTCPayServer.Controllers.GreenField
{ {
[ApiController] [ApiController]
[Authorize(AuthenticationSchemes = AuthenticationSchemes.Greenfield)] [Authorize(AuthenticationSchemes = AuthenticationSchemes.GreenfieldAPIKeys)]
public class ApiKeysController : ControllerBase public class ApiKeysController : ControllerBase
{ {
private readonly APIKeyRepository _apiKeyRepository; private readonly APIKeyRepository _apiKeyRepository;
@@ -36,7 +36,7 @@ namespace BTCPayServer.Controllers.GreenField
} }
[HttpDelete("~/api/v1/api-keys/current")] [HttpDelete("~/api/v1/api-keys/current")]
[Authorize(Policy = Policies.Unrestricted, AuthenticationSchemes = AuthenticationSchemes.Greenfield)] [Authorize(Policy = Policies.Unrestricted, AuthenticationSchemes = AuthenticationSchemes.GreenfieldAPIKeys)]
public async Task<ActionResult<ApiKeyData>> RevokeKey() public async Task<ActionResult<ApiKeyData>> RevokeKey()
{ {
if (!ControllerContext.HttpContext.GetAPIKey(out var apiKey)) if (!ControllerContext.HttpContext.GetAPIKey(out var apiKey))

6
BTCPayServer/Controllers/GreenField/UsersController.cs
View File

@@ -82,7 +82,7 @@ namespace BTCPayServer.Controllers.GreenField
// Even if subscription are unlocked, it is forbidden to create admin unauthenticated // Even if subscription are unlocked, it is forbidden to create admin unauthenticated
if (anyAdmin && request.IsAdministrator is true && !isAuth) if (anyAdmin && request.IsAdministrator is true && !isAuth)
return Forbid(AuthenticationSchemes.Greenfield); return Forbid(AuthenticationSchemes.GreenfieldBasic);
// You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements // You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements
bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
&& (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded && (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded
@@ -90,14 +90,14 @@ namespace BTCPayServer.Controllers.GreenField
: true; : true;
// You need to be admin to create an admin // You need to be admin to create an admin
if (request.IsAdministrator is true && !isAdmin) if (request.IsAdministrator is true && !isAdmin)
return Forbid(AuthenticationSchemes.Greenfield); return Forbid(AuthenticationSchemes.GreenfieldBasic);
if (!isAdmin && policies.LockSubscription) if (!isAdmin && policies.LockSubscription)
{ {
// If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission // If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded; var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded;
if (!isAuth || !canCreateUser) if (!isAuth || !canCreateUser)
return Forbid(AuthenticationSchemes.Greenfield); return Forbid(AuthenticationSchemes.GreenfieldBasic);
} }
var user = new ApplicationUser var user = new ApplicationUser

2
BTCPayServer/Views/Manage/AddApiKey.cshtml
View File

@@ -1,6 +1,6 @@
@using BTCPayServer.Client @using BTCPayServer.Client
@using BTCPayServer.Controllers @using BTCPayServer.Controllers
@using BTCPayServer.Security.APIKeys @using BTCPayServer.Security.GreenField
@model ManageController.AddApiKeyViewModel @model ManageController.AddApiKeyViewModel
@{ @{

2
BTCPayServer/Views/Manage/AuthorizeAPIKey.cshtml
View File

@@ -1,6 +1,6 @@
@using BTCPayServer.Client @using BTCPayServer.Client
@using BTCPayServer.Controllers @using BTCPayServer.Controllers
@using BTCPayServer.Security.APIKeys @using BTCPayServer.Security.GreenField
@model BTCPayServer.Controllers.ManageController.AuthorizeApiKeysViewModel @model BTCPayServer.Controllers.ManageController.AuthorizeApiKeysViewModel
@{ @{