From f3eb414e282dd0e3bd5c60838e45c69cf21541e4 Mon Sep 17 00:00:00 2001 From: lain Date: Tue, 18 Dec 2018 21:08:52 +0100 Subject: [PATCH] Add a way to use the admin api without a user. --- config/config.md | 15 +++++++- .../plugs/admin_secret_authentication_plug.ex | 25 ++++++++++++ lib/pleroma/web/router.ex | 1 + .../admin_secret_authentication_plug_test.exs | 38 +++++++++++++++++++ 4 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 lib/pleroma/plugs/admin_secret_authentication_plug.ex create mode 100644 test/plugs/admin_secret_authentication_plug_test.exs diff --git a/config/config.md b/config/config.md index edabd6e0f..63c895753 100644 --- a/config/config.md +++ b/config/config.md @@ -174,4 +174,17 @@ Kocaptcha is a very simple captcha service with a single API endpoint, the source code is here: https://github.com/koto-bank/kocaptcha. The default endpoint `https://captcha.kotobank.ch` is hosted by the developer. -* `endpoint`: the kocaptcha endpoint to use \ No newline at end of file +* `endpoint`: the kocaptcha endpoint to use + +## :admin_token + +Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the 'admin_token' parameter. Example: + +``` +config :pleroma, :admin_token, "somerandomtoken" +``` + +You can then do +``` +curl "http://localhost:4000/api/pleroma/admin/invite_token?admin_token=somerandomtoken" +``` diff --git a/lib/pleroma/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/plugs/admin_secret_authentication_plug.ex new file mode 100644 index 000000000..f61a6ee24 --- /dev/null +++ b/lib/pleroma/plugs/admin_secret_authentication_plug.ex @@ -0,0 +1,25 @@ +defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do + import Plug.Conn + alias Pleroma.User + + def init(options) do + options + end + + def secret_token do + Pleroma.Config.get(:admin_token) + end + + def call(%{assigns: %{user: %User{}}} = conn, _), do: conn + + def call(%{params: %{"admin_token" => admin_token}} = conn, _) do + if secret_token() && admin_token == secret_token() do + conn + |> assign(:user, %User{info: %{is_admin: true}}) + else + conn + end + end + + def call(conn, _), do: conn +end diff --git a/lib/pleroma/web/router.ex b/lib/pleroma/web/router.ex index dd1985d6e..e988f1088 100644 --- a/lib/pleroma/web/router.ex +++ b/lib/pleroma/web/router.ex @@ -38,6 +38,7 @@ defmodule Pleroma.Web.Router do plug(Pleroma.Plugs.SessionAuthenticationPlug) plug(Pleroma.Plugs.LegacyAuthenticationPlug) plug(Pleroma.Plugs.AuthenticationPlug) + plug(Pleroma.Plugs.AdminSecretAuthenticationPlug) plug(Pleroma.Plugs.UserEnabledPlug) plug(Pleroma.Plugs.SetUserSessionIdPlug) plug(Pleroma.Plugs.EnsureAuthenticatedPlug) diff --git a/test/plugs/admin_secret_authentication_plug_test.exs b/test/plugs/admin_secret_authentication_plug_test.exs new file mode 100644 index 000000000..c0fe2cf97 --- /dev/null +++ b/test/plugs/admin_secret_authentication_plug_test.exs @@ -0,0 +1,38 @@ +defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do + use Pleroma.Web.ConnCase, async: true + import Pleroma.Factory + + alias Pleroma.Plugs.AdminSecretAuthenticationPlug + + test "does nothing if a user is assigned", %{conn: conn} do + user = insert(:user) + + conn = + conn + |> assign(:user, user) + + ret_conn = + conn + |> AdminSecretAuthenticationPlug.call(%{}) + + assert conn == ret_conn + end + + test "with secret set and given in the 'admin_token' parameter, it assigns an admin user", %{ + conn: conn + } do + Pleroma.Config.put(:admin_token, "password123") + + conn = + %{conn | params: %{"admin_token" => "wrong_password"}} + |> AdminSecretAuthenticationPlug.call(%{}) + + refute conn.assigns[:user] + + conn = + %{conn | params: %{"admin_token" => "password123"}} + |> AdminSecretAuthenticationPlug.call(%{}) + + assert conn.assigns[:user].info.is_admin + end +end