Restrict authentication to the APIController to GreenFieldAPIKeys

nicolas.dorier
2020-03-27 13:13:40 +09:00
parent d219ba5d32
commit 08abda1522
5 changed files with 9 additions and 11 deletions


@@ -46,15 +46,13 @@ namespace BTCPayServer.Tests
Assert.Single(apiKeyData.Permissions);
//a client using Basic Auth has no business here
await AssertHttpError(404, async () => await clientBasic.GetCurrentAPIKeyInfo());
await AssertHttpError(401, async () => await clientBasic.GetCurrentAPIKeyInfo());
//revoke current api key
await client.RevokeCurrentAPIKeyInfo();
await AssertHttpError(401, async () => await client.GetCurrentAPIKeyInfo());
//a client using Basic Auth has no business here
await AssertHttpError(404, async () => await clientBasic.RevokeCurrentAPIKeyInfo());
await AssertHttpError(401, async () => await clientBasic.RevokeCurrentAPIKeyInfo());
}
}
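Review bot: The updated expectations only cover a Basic-auth client (401 at the new lines) and a revoked key (401 at the `client.GetCurrentAPIKeyInfo()` call after revocation); there is no case for an API key that lacks `Policies.Unrestricted` calling `RevokeCurrentAPIKeyInfo`, even though this commit keeps that policy on `RevokeKey`. A line such as `await AssertHttpError(403, async () => await clientRestricted.RevokeCurrentAPIKeyInfo());` with a key created with a narrower permission set would pin that the scope check is enforced and is not confused with the scheme change. The comment "a client using Basic Auth has no business here" could also say why, e.g. `// Basic-auth sessions are rejected at the authentication layer (only the API-key scheme is accepted), hence 401 rather than 404`. The enclosing test method starts before this hunk, so the fixture setup is not visible here.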


@@ -12,7 +12,7 @@ using BTCPayServer.Security.GreenField;
namespace BTCPayServer.Controllers.GreenField
{
[ApiController]
[Authorize(AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
[Authorize(AuthenticationSchemes = AuthenticationSchemes.GreenfieldAPIKeys)]
public class ApiKeysController : ControllerBase
{
private readonly APIKeyRepository _apiKeyRepository;
@@ -36,7 +36,7 @@ namespace BTCPayServer.Controllers.GreenField
}
[HttpDelete("~/api/v1/api-keys/current")]
[Authorize(Policy = Policies.Unrestricted, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
[Authorize(Policy = Policies.Unrestricted, AuthenticationSchemes = AuthenticationSchemes.GreenfieldAPIKeys)]
public async Task<ActionResult<ApiKeyData>> RevokeKey()
{
if (!ControllerContext.HttpContext.GetAPIKey(out var apiKey))
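Review bot: The `AuthenticationSchemes = AuthenticationSchemes.GreenfieldAPIKeys` on `RevokeKey` now repeats the class-level attribute, so the two must be kept in sync by hand; ASP.NET Core combines the attributes on the class and the action into one policy, so `[Authorize(Policy = Policies.Unrestricted)]` on the action would be enough if that combination behaves as expected here. More importantly, keeping `Policies.Unrestricted` on the DELETE means a scoped key cannot revoke itself; since self-revocation only reduces privilege, confirm that this is intended and, if it is, say so next to the attribute with `// Only unrestricted keys may revoke themselves; scoped keys must be revoked from the UI`. The class could also carry `// Only API-key authenticated clients reach this controller; Basic-auth sessions fail authentication (401) rather than reaching the GetAPIKey check below` to explain the scheme choice. `RevokeKey`'s body continues outside the hunk.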


@@ -82,7 +82,7 @@ namespace BTCPayServer.Controllers.GreenField
// Even if subscription are unlocked, it is forbidden to create admin unauthenticated
if (anyAdmin && request.IsAdministrator is true && !isAuth)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
// You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements
bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
&& (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded
@@ -90,14 +90,14 @@ namespace BTCPayServer.Controllers.GreenField
: true;
// You need to be admin to create an admin
if (request.IsAdministrator is true && !isAdmin)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
if (!isAdmin && policies.LockSubscription)
{
// If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded;
if (!isAuth || !canCreateUser)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
}
var user = new ApplicationUser
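Review bot: Both `!isAuth` branches (the first changed `Forbid` and the `if (!isAuth || !canCreateUser)` one) still answer an unauthenticated caller with `Forbid`, which is a 403-style "authenticated but not allowed" result, where a `Challenge` would tell the client to authenticate; at the last check, `if (!isAuth) return Challenge(AuthenticationSchemes.GreenfieldBasic);` followed by `if (!canCreateUser) return Forbid(AuthenticationSchemes.GreenfieldBasic);` would keep the two cases distinct. Pinning the scheme to `GreenfieldBasic` also routes every forbid through the Basic handler's ForbidAsync, so if this action is still reachable with an API key (the class-level attribute is not in the hunk), such a caller would receive the Basic scheme's response; worth a one-line comment stating that user creation is a Basic-auth-only operation if that is the intent. The enclosing method starts and ends outside this hunk.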


@@ -1,6 +1,6 @@
@using BTCPayServer.Client
@using BTCPayServer.Controllers
@using BTCPayServer.Security.APIKeys
@using BTCPayServer.Security.GreenField
@model ManageController.AddApiKeyViewModel
@{


@@ -1,6 +1,6 @@
@using BTCPayServer.Client
@using BTCPayServer.Controllers
@using BTCPayServer.Security.APIKeys
@using BTCPayServer.Security.GreenField
@model BTCPayServer.Controllers.ManageController.AuthorizeApiKeysViewModel
@{