ayo/maingate
8
1
Fork 3
Code Issues Pull Requests Projects Releases Wiki Activity

api token 체크 누락 수정

Browse Source
This commit is contained in:
mountain
2024-02-21 11:12:25 +09:00
parent 424c8be420
commit 845784d204
2 changed files with 42 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
core/api.go
View File

@ -459,11 +459,28 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
var userinfo map[string]any
var apiTokenObj primitive.ObjectID
if !*devflag {
apiToken := r.Header.Get("MG-X-API-TOKEN")
if len(apiToken) > 0 {
if apiToken != mg.maingateConfig.ApiToken {
w.WriteHeader(http.StatusUnauthorized)
return
}
obj, err := primitive.ObjectIDFromHex(apiToken)
if err != nil {
logger.Error(err)
w.WriteHeader(http.StatusBadRequest)
return
}
apiTokenObj = obj
} else {
authheader := r.Header.Get("Authorization")
if len(authheader) == 0 {
logger.Println("Authorization header is not valid :", authheader)
w.WriteHeader(http.StatusBadRequest)
w.WriteHeader(http.StatusUnauthorized)
return
}
@ -489,6 +506,7 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
return
}
}
}
ptr := atomic.LoadPointer(&mg.admins)
adminsptr := (*globalAdmins)(ptr)
@ -502,20 +520,6 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
}
}
var apiTokenObj primitive.ObjectID
if !*devflag {
apiToken := r.Header.Get("MG-X-API-TOKEN")
if len(apiToken) > 0 {
obj, err := primitive.ObjectIDFromHex(apiToken)
if err != nil {
logger.Error(err)
w.WriteHeader(http.StatusBadRequest)
return
}
apiTokenObj = obj
}
}
logger.Println("api call :", r.URL.Path, r.Method, r.URL.Query(), userinfo)
caller := apiCaller{
userinfo: userinfo,

1
core/maingate.go
View File

@ -123,6 +123,7 @@ func makeAuthCollection(mongoClient gocommon.MongoClient, sessionTTL time.Durati
type maingateConfig struct {
Mongo string `json:"maingate_mongodb_url"`
SessionTTL int64 `json:"maingate_session_ttl"`
ApiToken string `json:"maingate_api_token"`
Autologin_ttl int64 `json:"autologin_ttl"`
AccDelTTL int64 `json:"acc_del_ttl"`
MaximumNumLinkAccount int64 `json:"maximum_num_link_account"`