api token 체크 누락 수정

2024-02-21 11:12:25 +09:00
parent 424c8be420
commit 845784d204
2 changed files with 42 additions and 37 deletions


@ -459,34 +459,52 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
var userinfo map[string]any var userinfo map[string]any
var apiTokenObj primitive.ObjectID
if !*devflag { if !*devflag {
authheader := r.Header.Get("Authorization") apiToken := r.Header.Get("MG-X-API-TOKEN")
if len(authheader) == 0 { if len(apiToken) > 0 {
logger.Println("Authorization header is not valid :", authheader) if apiToken != mg.maingateConfig.ApiToken {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusUnauthorized)
return return
} }
req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil) obj, err := primitive.ObjectIDFromHex(apiToken)
req.Header.Add("Authorization", authheader) if err != nil {
client := &http.Client{} logger.Error(err)
w.WriteHeader(http.StatusBadRequest)
return
}
resp, err := client.Do(req) apiTokenObj = obj
if err != nil { } else {
logger.Println("graph microsoft api call failed :", err) authheader := r.Header.Get("Authorization")
w.WriteHeader(http.StatusBadRequest) if len(authheader) == 0 {
return logger.Println("Authorization header is not valid :", authheader)
} w.WriteHeader(http.StatusUnauthorized)
defer resp.Body.Close() return
}
raw, _ := io.ReadAll(resp.Body) req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil)
if err = json.Unmarshal(raw, &userinfo); err != nil { req.Header.Add("Authorization", authheader)
return client := &http.Client{}
}
if _, expired := userinfo["error"]; expired { resp, err := client.Do(req)
w.WriteHeader(http.StatusUnauthorized) if err != nil {
return logger.Println("graph microsoft api call failed :", err)
w.WriteHeader(http.StatusBadRequest)
return
}
defer resp.Body.Close()
raw, _ := io.ReadAll(resp.Body)
if err = json.Unmarshal(raw, &userinfo); err != nil {
return
}
if _, expired := userinfo["error"]; expired {
w.WriteHeader(http.StatusUnauthorized)
return
}
} }
} }
@ -502,20 +520,6 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
} }
} }
var apiTokenObj primitive.ObjectID
if !*devflag {
apiToken := r.Header.Get("MG-X-API-TOKEN")
if len(apiToken) > 0 {
obj, err := primitive.ObjectIDFromHex(apiToken)
if err != nil {
logger.Error(err)
w.WriteHeader(http.StatusBadRequest)
return
}
apiTokenObj = obj
}
}
logger.Println("api call :", r.URL.Path, r.Method, r.URL.Query(), userinfo) logger.Println("api call :", r.URL.Path, r.Method, r.URL.Query(), userinfo)
caller := apiCaller{ caller := apiCaller{
userinfo: userinfo, userinfo: userinfo,
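Review bot: The new shared-secret check `if apiToken != mg.maingateConfig.ApiToken` in the first hunk compares the header value against the configured secret with a plain string `!=`, which is not constant-time; prefer `if subtle.ConstantTimeCompare([]byte(apiToken), []byte(mg.maingateConfig.ApiToken)) != 1 {` (import `crypto/subtle`) so the comparison does not leak how much of the token matched. The lines that follow then parse the same value with `primitive.ObjectIDFromHex`, so the configured secret is also required to be a 24-character hex ObjectID — a constraint nothing documents, and one that turns every API-token request into a 400 if the operator configures any other string; consider validating the configured value once at startup rather than per request. The OAuth branch moved into the `else` still builds `client := &http.Client{}` with no timeout and, at `if err = json.Unmarshal(raw, &userinfo); err != nil { return }`, returns without writing a status, so the caller sees an implicit 200 on a decode failure; both predate this commit but are now part of the new code. The enclosing `api` handler starts before and continues past this hunk.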


@ -123,6 +123,7 @@ func makeAuthCollection(mongoClient gocommon.MongoClient, sessionTTL time.Durati
type maingateConfig struct { type maingateConfig struct {
Mongo string `json:"maingate_mongodb_url"` Mongo string `json:"maingate_mongodb_url"`
SessionTTL int64 `json:"maingate_session_ttl"` SessionTTL int64 `json:"maingate_session_ttl"`
ApiToken string `json:"maingate_api_token"`
Autologin_ttl int64 `json:"autologin_ttl"` Autologin_ttl int64 `json:"autologin_ttl"`
AccDelTTL int64 `json:"acc_del_ttl"` AccDelTTL int64 `json:"acc_del_ttl"`
MaximumNumLinkAccount int64 `json:"maximum_num_link_account"` MaximumNumLinkAccount int64 `json:"maximum_num_link_account"`
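Review bot: The new `ApiToken` field holds a shared secret but carries no doc comment, so its format and purpose are only discoverable from the handler; add `// ApiToken is the shared secret expected in the MG-X-API-TOKEN request header. The api handler also parses it with primitive.ObjectIDFromHex, so it must be a 24-character hex ObjectID.` above the field. Because the field is exported and JSON-tagged, any code that logs or re-encodes `maingateConfig` would emit the secret as well — that is not visible in this hunk and worth confirming. The `maingateConfig` struct continues past the end of the hunk.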