X-Git-Url: http://git.squeep.com/?a=blobdiff_plain;f=lib%2Fpleroma%2Fplugs%2Fadmin_secret_authentication_plug.ex;h=2e54df47a386bb6e02eb402981e09c5567d08cdc;hb=e1a1c8e7de5e10fa64d168dc5d35a80b96767395;hp=fdadd476e6c06320f9bfa708024764789482ccfd;hpb=43ea16870fe60578a6528e1f01bfaab68943a1bc;p=akkoma

diff --git a/lib/pleroma/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
index fdadd476e..2e54df47a 100644
--- a/lib/pleroma/plugs/admin_secret_authentication_plug.ex
+++ b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
@@ -1,9 +1,12 @@
 # Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# Copyright © 2017-2020 Pleroma Authors <https://pleroma.social/>
 # SPDX-License-Identifier: AGPL-3.0-only
 
 defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
   import Plug.Conn
+
+  alias Pleroma.Plugs.OAuthScopesPlug
+  alias Pleroma.Plugs.RateLimiter
   alias Pleroma.User
 
   def init(options) do
@@ -11,19 +14,47 @@ defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
   end
 
   def secret_token do
-    Pleroma.Config.get(:admin_token)
+    case Pleroma.Config.get(:admin_token) do
+      blank when blank in [nil, ""] -> nil
+      token -> token
+    end
   end
 
   def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
 
-  def call(%{params: %{"admin_token" => admin_token}} = conn, _) do
-    if secret_token() && admin_token == secret_token() do
-      conn
-      |> assign(:user, %User{is_admin: true})
+  def call(conn, _) do
+    if secret_token() do
+      authenticate(conn)
     else
       conn
     end
   end
 
-  def call(conn, _), do: conn
+  def authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
+    if admin_token == secret_token() do
+      assign_admin_user(conn)
+    else
+      handle_bad_token(conn)
+    end
+  end
+
+  def authenticate(conn) do
+    token = secret_token()
+
+    case get_req_header(conn, "x-admin-token") do
+      blank when blank in [[], [""]] -> conn
+      [^token] -> assign_admin_user(conn)
+      _ -> handle_bad_token(conn)
+    end
+  end
+
+  defp assign_admin_user(conn) do
+    conn
+    |> assign(:user, %User{is_admin: true})
+    |> OAuthScopesPlug.skip_plug()
+  end
+
+  defp handle_bad_token(conn) do
+    RateLimiter.call(conn, name: :authentication)
+  end
 end