aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-17 14:04:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

clean and remove hack

Browse Source
This commit is contained in:
Kukks
2020-08-28 09:15:08 +02:00
parent 0e07fcc706
commit 6a8dbf49da
2 changed files with 61 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
BTCPayServer.Client/BTCPayServerClient.cs
View File

@@ -103,7 +103,7 @@ namespace BTCPayServer.Client
return request; return request;
} }
private static void AppendPayloadToQuery(UriBuilder uri, KeyValuePair<string, object> keyValuePair) public static void AppendPayloadToQuery(UriBuilder uri, KeyValuePair<string, object> keyValuePair)
{ {
if (uri.Query.Length > 1) if (uri.Query.Length > 1)
uri.Query += "&"; uri.Query += "&";
@@ -126,7 +126,7 @@ namespace BTCPayServer.Client
uri.Query = uri.Query.Trim('&'); uri.Query = uri.Query.Trim('&');
} }
private static void AppendPayloadToQuery(UriBuilder uri, Dictionary<string, object> payload) public static void AppendPayloadToQuery(UriBuilder uri, Dictionary<string, object> payload)
{ {
if (uri.Query.Length > 1) if (uri.Query.Length > 1)
uri.Query += "&"; uri.Query += "&";

119
BTCPayServer/Controllers/ManageController.APIKeys.cs
View File

@@ -104,69 +104,73 @@ namespace BTCPayServer.Controllers
{ {
UserId = new[] {_userManager.GetUserId(User)} UserId = new[] {_userManager.GetUserId(User)}
}); });
if (keys.Any()) foreach (var key in keys)
{ {
foreach (var key in keys) var blob = key.GetBlob();
if (blob.ApplicationIdentifier != applicationIdentifier ||
blob.ApplicationAuthority != redirect.Authority)
{ {
var blob = key.GetBlob(); continue;
}
if (blob.ApplicationIdentifier != applicationIdentifier ||
blob.ApplicationAuthority != redirect.Authority) //matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough
var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions)
.GroupBy(permission => permission.Policy);
var fail = false;
foreach (var permission in requestPermissions.GroupBy(permission => permission.Policy))
{
var presentPermission =
alreadyPresentPermissions.SingleOrDefault(grouping => permission.Key == grouping.Key);
if (strict && presentPermission == null)
{ {
continue; fail = true;
break;
} }
//matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough
var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions).GroupBy(permission => permission.Policy); if (Policies.IsStorePolicy(permission.Key))
var fail = false;
foreach (var permission in requestPermissions.GroupBy(permission => permission.Policy))
{ {
var presentPermission = if (!selectiveStores &&
alreadyPresentPermissions.SingleOrDefault(grouping => permission.Key == grouping.Key); permission.Any(permission1 => !string.IsNullOrEmpty(permission1.Scope)))
if (strict && presentPermission == null) {
TempData.SetStatusMessageModel(new StatusMessageModel()
{
Severity = StatusMessageModel.StatusSeverity.Error,
Message =
"Cannot request specific store permission when selectiveStores is not enable"
});
return RedirectToAction("APIKeys");
}
else if (!selectiveStores && presentPermission.Any(permission1 =>
!string.IsNullOrEmpty(permission1.Scope)))
{ {
fail = true; fail = true;
break; break;
} }
if(Policies.IsStorePolicy(permission.Key))
{
if (!selectiveStores && permission.Any(permission1 => !string.IsNullOrEmpty(permission1.Scope)))
{
TempData.SetStatusMessageModel(new StatusMessageModel()
{
Severity = StatusMessageModel.StatusSeverity.Error,
Message = "Cannot request specific store permission when selectiveStores is not enable"
});
return RedirectToAction("APIKeys");
}else if (!selectiveStores && presentPermission.Any(permission1 =>
!string.IsNullOrEmpty(permission1.Scope)))
{
fail = true;
break;
}
}
} }
if (fail)
{
continue;
}
//we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app.
return View("Confirm",
new ConfirmModel()
{
Title = $"Are you sure about exposing your API Key to {applicationName??applicationIdentifier}?",
Description = $"You've previously generated this API Key ({key.Id}) specifically for {applicationName??applicationIdentifier} with the url {redirect}. ",
ActionUrl = GetRedirectToApplicationUrl(redirect, key),
ButtonClass = "btn-secondary",
Action = "Confirm"
});
} }
if (fail)
{
continue;
}
//we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app.
return View("Confirm",
new ConfirmModel()
{
Title =
$"Are you sure about exposing your API Key to {applicationName ?? applicationIdentifier}?",
Description =
$"You've previously generated this API Key ({key.Id}) specifically for {applicationName ?? applicationIdentifier} with the url {redirect}. ",
ActionUrl = GetRedirectToApplicationUrl(redirect, key),
ButtonClass = "btn-secondary",
Action = "Confirm"
});
} }
} }
var vm = await SetViewModelValues(new AuthorizeApiKeysViewModel() var vm = await SetViewModelValues(new AuthorizeApiKeysViewModel()
{ {
RedirectUrl = redirect, RedirectUrl = redirect,
@@ -256,8 +260,8 @@ namespace BTCPayServer.Controllers
case "no": case "no":
return RedirectToAction("APIKeys"); return RedirectToAction("APIKeys");
case "yes": case "yes":
var key = await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl.Authority)); var key = await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl?.Authority));
if (viewModel.RedirectUrl != null) if (viewModel.RedirectUrl != null)
{ {
return Redirect(GetRedirectToApplicationUrl(viewModel.RedirectUrl, key)); return Redirect(GetRedirectToApplicationUrl(viewModel.RedirectUrl, key));
@@ -278,15 +282,10 @@ namespace BTCPayServer.Controllers
{ {
var uri = new UriBuilder(redirect); var uri = new UriBuilder(redirect);
var permissions = key.GetBlob().Permissions; var permissions = key.GetBlob().Permissions;
uri.AppendPayloadToQuery(new Dictionary<string, object>() BTCPayServerClient.AppendPayloadToQuery(uri,
{ new Dictionary<string, object>() {{"key", key.Id}, {"permissions", permissions}, {"user", key.UserId}});
{"key", key.Id}, {"permissions",permissions}, {"user", key.UserId} return uri.Uri.AbsoluteUri;
});
//uri builder has bug around string[] params
return uri.Uri.ToStringInvariant().Replace("permissions=System.String%5B%5D",
string.Join("&", permissions.Select(s1 => $"permissions={s1}")), StringComparison.InvariantCulture);
} }
[HttpPost] [HttpPost]
public async Task<IActionResult> AddApiKey(AddApiKeyViewModel viewModel) public async Task<IActionResult> AddApiKey(AddApiKeyViewModel viewModel)