X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fplugs%2Fadmin_secret_authentication_plug.ex;h=2e54df47a386bb6e02eb402981e09c5567d08cdc;hb=bc86d0a906e58becb94c5a73552f90abbe494c28;hp=5baf8a6914defa37c6a60d42bb61eab7ba22d87e;hpb=980b5288ed119a3579afe632dff3391528ff399c;p=akkoma
diff --git a/lib/pleroma/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
index 5baf8a691..2e54df47a 100644
--- a/lib/pleroma/plugs/admin_secret_authentication_plug.ex
+++ b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
@@ -1,9 +1,12 @@
# Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors
+# Copyright © 2017-2020 Pleroma Authors
# SPDX-License-Identifier: AGPL-3.0-only
defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
import Plug.Conn
+
+ alias Pleroma.Plugs.OAuthScopesPlug
+ alias Pleroma.Plugs.RateLimiter
alias Pleroma.User
def init(options) do
@@ -11,19 +14,47 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
end
def secret_token do
- Pleroma.Config.get(:admin_token)
+ case Pleroma.Config.get(:admin_token) do
+ blank when blank in [nil, ""] -> nil
+ token -> token
+ end
end
def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
- def call(%{params: %{"admin_token" => admin_token}} = conn, _) do
- if secret_token() && admin_token == secret_token() do
- conn
- |> assign(:user, %User{info: %{is_admin: true}})
+ def call(conn, _) do
+ if secret_token() do
+ authenticate(conn)
else
conn
end
end
- def call(conn, _), do: conn
+ def authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
+ if admin_token == secret_token() do
+ assign_admin_user(conn)
+ else
+ handle_bad_token(conn)
+ end
+ end
+
+ def authenticate(conn) do
+ token = secret_token()
+
+ case get_req_header(conn, "x-admin-token") do
+ blank when blank in [[], [""]] -> conn
+ [^token] -> assign_admin_user(conn)
+ _ -> handle_bad_token(conn)
+ end
+ end
+
+ defp assign_admin_user(conn) do
+ conn
+ |> assign(:user, %User{is_admin: true})
+ |> OAuthScopesPlug.skip_plug()
+ end
+
+ defp handle_bad_token(conn) do
+ RateLimiter.call(conn, name: :authentication)
+ end
end