ihor/akkoma
1
0
Fork 0
forked from AkkomaGang/akkoma
Code Issues Pull requests Projects Releases Packages Wiki Activity

Support authentication via x-admin-token HTTP header

Browse source
This commit is contained in:
Egor Kislitsyn 2019-11-19 15:58:20 +07:00
parent 06151776c0
commit 36686f5245
No known key found for this signature in database
GPG key ID: 1B49CB15B71E7805
4 changed files with 59 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -30,6 +30,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Admin API: Return `total` when querying for reports - Admin API: Return `total` when querying for reports
- Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`) - Mastodon API: Return `pleroma.direct_conversation_id` when creating a direct message (`POST /api/v1/statuses`)
- Admin API: Return link alongside with token on password reset - Admin API: Return link alongside with token on password reset
- Admin API: Support authentication via `x-admin-token` HTTP header
- Mastodon API: Add `pleroma.direct_conversation_id` to the status endpoint (`GET /api/v1/statuses/:id`) - Mastodon API: Add `pleroma.direct_conversation_id` to the status endpoint (`GET /api/v1/statuses/:id`)
- Mastodon API: `pleroma.thread_muted` to the Status entity - Mastodon API: `pleroma.thread_muted` to the Status entity
- Mastodon API: Mark the direct conversation as read for the author when they send a new direct message - Mastodon API: Mark the direct conversation as read for the author when they send a new direct message

12
docs/configuration/cheatsheet.md
View file

@ -656,7 +656,7 @@ Feel free to adjust the priv_dir and port number. Then you will have to create t
### :admin_token ### :admin_token
Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the 'admin_token' parameter. Example: Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the `admin_token` parameter or `x-admin-token` HTTP header. Example:
```elixir ```elixir
config :pleroma, :admin_token, "somerandomtoken" config :pleroma, :admin_token, "somerandomtoken"
@ -664,8 +664,14 @@ config :pleroma, :admin_token, "somerandomtoken"
You can then do You can then do
```sh ```shell
curl "http://localhost:4000/api/pleroma/admin/invite_token?admin_token=somerandomtoken" curl "http://localhost:4000/api/pleroma/admin/users/invites?admin_token=somerandomtoken"
```
or
```shell
curl -H "X-Admin-Token: somerandomtoken" "http://localhost:4000/api/pleroma/admin/users/invites"
``` ```
### :auth ### :auth

24
lib/pleroma/plugs/admin_secret_authentication_plug.ex
View file

@ -16,14 +16,28 @@ def secret_token do
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
def call(%{params: %{"admin_token" => admin_token}} = conn, _) do def call(conn, _) do
if secret_token() && admin_token == secret_token() do if secret_token() do
conn authenticate(conn)
|> assign(:user, %User{is_admin: true})
else else
conn conn
end end
end end
def call(conn, _), do: conn def authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
if admin_token == secret_token() do
assign(conn, :user, %User{is_admin: true})
else
conn
end
end
def authenticate(conn) do
token = secret_token()
case get_req_header(conn, "x-admin-token") do
[^token] -> assign(conn, :user, %User{is_admin: true})
_ -> conn
end
end
end end

42
test/plugs/admin_secret_authentication_plug_test.exs
View file

@ -22,21 +22,39 @@ test "does nothing if a user is assigned", %{conn: conn} do
assert conn == ret_conn assert conn == ret_conn
end end
test "with secret set and given in the 'admin_token' parameter, it assigns an admin user", %{ describe "when secret set it assigns an admin user" do
conn: conn test "with `admin_token` query parameter", %{conn: conn} do
} do Pleroma.Config.put(:admin_token, "password123")
Pleroma.Config.put(:admin_token, "password123")
conn = conn =
%{conn | params: %{"admin_token" => "wrong_password"}} %{conn | params: %{"admin_token" => "wrong_password"}}
|> AdminSecretAuthenticationPlug.call(%{}) |> AdminSecretAuthenticationPlug.call(%{})
refute conn.assigns[:user] refute conn.assigns[:user]
conn = conn =
%{conn | params: %{"admin_token" => "password123"}} %{conn | params: %{"admin_token" => "password123"}}
|> AdminSecretAuthenticationPlug.call(%{}) |> AdminSecretAuthenticationPlug.call(%{})
assert conn.assigns[:user].is_admin assert conn.assigns[:user].is_admin
end
test "with `x-admin-token` HTTP header", %{conn: conn} do
Pleroma.Config.put(:admin_token, "☕️")
conn =
conn
|> put_req_header("x-admin-token", "🥛")
|> AdminSecretAuthenticationPlug.call(%{})
refute conn.assigns[:user]
conn =
conn
|> put_req_header("x-admin-token", "☕️")
|> AdminSecretAuthenticationPlug.call(%{})
assert conn.assigns[:user].is_admin
end
end end
end end