Add a way to use the admin api without a user.
authorlain <lain@soykaf.club>
Tue, 18 Dec 2018 20:08:52 +0000 (21:08 +0100)
committerlain <lain@soykaf.club>
Tue, 18 Dec 2018 20:08:52 +0000 (21:08 +0100)
config/config.md
lib/pleroma/plugs/admin_secret_authentication_plug.ex [new file with mode: 0644]
lib/pleroma/web/router.ex
test/plugs/admin_secret_authentication_plug_test.exs [new file with mode: 0644]

index edabd6e0fcb4a654cdb946297d3cdcdef012f203..63c89575375bb2d50e7c4867a5084f9fc5734974 100644 (file)
@@ -174,4 +174,17 @@ Kocaptcha is a very simple captcha service with a single API endpoint,
 the source code is here: https://github.com/koto-bank/kocaptcha. The default endpoint
 `https://captcha.kotobank.ch` is hosted by the developer.
 
-* `endpoint`: the kocaptcha endpoint to use
\ No newline at end of file
+* `endpoint`: the kocaptcha endpoint to use
+
+## :admin_token
+
+Allows to set a token that can be used to authenticate with the admin api without using an actual user by giving it as the 'admin_token' parameter. Example:
+
+```
+config :pleroma, :admin_token, "somerandomtoken"
+```
+
+You can then do
+```
+curl "http://localhost:4000/api/pleroma/admin/invite_token?admin_token=somerandomtoken"
+```
diff --git a/lib/pleroma/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/plugs/admin_secret_authentication_plug.ex
new file mode 100644 (file)
index 0000000..f61a6ee
--- /dev/null
@@ -0,0 +1,25 @@
+defmodule Pleroma.Plugs.AdminSecretAuthenticationPlug do
+  import Plug.Conn
+  alias Pleroma.User
+
+  def init(options) do
+    options
+  end
+
+  def secret_token do
+    Pleroma.Config.get(:admin_token)
+  end
+
+  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
+
+  def call(%{params: %{"admin_token" => admin_token}} = conn, _) do
+    if secret_token() && admin_token == secret_token() do
+      conn
+      |> assign(:user, %User{info: %{is_admin: true}})
+    else
+      conn
+    end
+  end
+
+  def call(conn, _), do: conn
+end
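Review bot: The token check in the second `call/2` clause compares the request parameter to the secret with `==`, which is not constant-time, so response timing can reveal how much of the token matched. Use `Plug.Crypto.secure_compare/2` and guard both sides as binaries, since a non-string parameter would otherwise raise: `if is_binary(admin_token) and is_binary(secret_token()) and Plug.Crypto.secure_compare(admin_token, secret_token()) do`. An empty configured token (`""`) is truthy in Elixir and would match an empty `admin_token` parameter, so it is worth rejecting `""` as well. Because the clause matches on `conn.params`, the token is also accepted from the query string, where it usually ends up in access and proxy logs. A `@moduledoc` stating that and recommending a long random value over TLS would help operators.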
index dd1985d6ee1b91a16e0c88517f0edc9fa1e49f27..e988f10888757a5d63ee23e087022cce7bc32348 100644 (file)
@@ -38,6 +38,7 @@ defmodule Pleroma.Web.Router do
     plug(Pleroma.Plugs.SessionAuthenticationPlug)
     plug(Pleroma.Plugs.LegacyAuthenticationPlug)
     plug(Pleroma.Plugs.AuthenticationPlug)
+    plug(Pleroma.Plugs.AdminSecretAuthenticationPlug)
     plug(Pleroma.Plugs.UserEnabledPlug)
     plug(Pleroma.Plugs.SetUserSessionIdPlug)
     plug(Pleroma.Plugs.EnsureAuthenticatedPlug)
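Review bot: The new plug is added to a pipeline whose name and scope lie outside this hunk. If that pipeline is shared by non-admin routes, the admin token is honoured on all of them. Those controllers and the later `UserEnabledPlug` and `SetUserSessionIdPlug` would then receive the synthetic `%User{info: %{is_admin: true}}`, which has no id or other fields. Consider putting the plug in a pipeline used only by the admin API scope. At minimum, add a comment above the line such as `# Assigns a synthetic admin %User{} (no id) when :admin_token matches; only safe for admin-only routes`.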
diff --git a/test/plugs/admin_secret_authentication_plug_test.exs b/test/plugs/admin_secret_authentication_plug_test.exs
new file mode 100644 (file)
index 0000000..c0fe2cf
--- /dev/null
@@ -0,0 +1,38 @@
+defmodule Pleroma.Plugs.AdminSecretAuthenticationPlugTest do
+  use Pleroma.Web.ConnCase, async: true
+  import Pleroma.Factory
+
+  alias Pleroma.Plugs.AdminSecretAuthenticationPlug
+
+  test "does nothing if a user is assigned", %{conn: conn} do
+    user = insert(:user)
+
+    conn =
+      conn
+      |> assign(:user, user)
+
+    ret_conn =
+      conn
+      |> AdminSecretAuthenticationPlug.call(%{})
+
+    assert conn == ret_conn
+  end
+
+  test "with secret set and given in the 'admin_token' parameter, it assigns an admin user", %{
+    conn: conn
+  } do
+    Pleroma.Config.put(:admin_token, "password123")
+
+    conn =
+      %{conn | params: %{"admin_token" => "wrong_password"}}
+      |> AdminSecretAuthenticationPlug.call(%{})
+
+    refute conn.assigns[:user]
+
+    conn =
+      %{conn | params: %{"admin_token" => "password123"}}
+      |> AdminSecretAuthenticationPlug.call(%{})
+
+    assert conn.assigns[:user].info.is_admin
+  end
+end
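Review bot: The second test calls `Pleroma.Config.put(:admin_token, "password123")` in a module declared `async: true` and never resets it. The known token therefore stays set for every later test and can race with other async tests that read the config. Drop `async: true` for this module and restore the value, for example `on_exit(fn -> Pleroma.Config.put(:admin_token, nil) end)`. The suite also lacks a case for the default state: with no token configured, a request carrying any `admin_token` parameter should leave `conn.assigns[:user]` unset.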