

Backport changes to auth server API output (remove potentially unsafe…
… output).

Verify that auth server exists before returning information.
Verify API exists before returning Swagger JSON.
DonMartin76 committed Nov 28, 2023
1 parent 1efadea commit 103d58d
Showing 3 changed files with 88 additions and 35 deletions.
18 changes: 18 additions & 0 deletions src/api/routes/authServers.js
Expand Up @@ -76,6 +76,24 @@ authServers.getAuthServer = function (app, res, loggedInUserId, serverId) {
} else {
authServer.data.config = {};
}

// The above was the API configuration of the auth server itself,
// now we also want to remove the configuration of the auth methods.
if (authServer.data.authMethods && Array.isArray(authServer.data.authMethods)) {
for (let i = 0; i < authServer.data.authMethods.length; ++i) {
const authMethod = authServer.data.authMethods[i];
if (authMethod.config) {
authMethod.config = {
authorizeEndpoint: authMethod.config.authorizeEndpoint,
tokenEndpoint: authMethod.config.tokenEndpoint,
profileEndpoint: authMethod.config.profileEndpoint,
};
}
}
} else {
// Let's default to something really not containing anything at all.
authServer.data.authMethods = [];
}
} else {
debug(`getAuthServer(${serverId}), logged in User is ADMIN, returning all data`);
}
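Review bot: The allowlisting at lines 31–35 reassigns `authMethod.config` on the objects held in `authServer.data`; if that data is the cached entry that `utils.loadAuthServer` keeps in `_authServers` (the utils.js hunk shows it caching by serverId), the reduced configuration would persist in the cache and later ADMIN requests would also receive the stripped auth methods — confirm a copy is made before this point, or build a new array of reduced methods instead of mutating in place. Keeping only the three known endpoint fields is the right shape (an allowlist rather than deleting known-sensitive keys) and deserves a comment saying so: `// Allowlist: non-admin callers only ever see the public endpoint URLs; every other key of config is dropped.` Minor style: `authServer.data.authMethods &&` is redundant with `Array.isArray`, and the index loop could be a `.map`. getAuthServer continues on both sides of the hunk.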
10 changes: 10 additions & 0 deletions src/api/routes/utils.js
Expand Up @@ -342,6 +342,16 @@ utils.loadAuthServer = function (serverId) {
debug(`loadAuthServer(${serverId})`);

if (!_authServers[serverId]) {
const authServerNames = utils.loadAuthServerNames();
if (authServerNames.indexOf(serverId) < 0) {
debug('Unknown auth-server: ' + serverId);
_authServers[serverId] = {
name: serverId,
exists: false
};
return _authServers[serverId];
}

const staticDir = utils.getStaticDir();
const authServerFileName = path.join(staticDir, 'auth-servers', serverId + '.json');

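Review bot: Unknown ids are now stored in `_authServers` at line 55 as `{ name, exists: false }` entries, so every distinct unknown `serverId` a caller supplies adds a permanent key to the cache; if serverId originates from a request path parameter, arbitrary input can grow process memory without bound. Returning the placeholder without caching it avoids that: `return { name: serverId, exists: false };`. The surrounding `if (!_authServers[serverId])` also only reaches the new check when the key is absent, which is not the case for inherited names such as `constructor` if `_authServers` is a plain object (its declaration is outside this hunk) — `Object.hasOwn(_authServers, serverId)` or a `Map` would make the lookup reliable. Minor: `authServerNames.indexOf(serverId) < 0` reads better as `!authServerNames.includes(serverId)`. loadAuthServer continues beyond the hunk.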
95 changes: 60 additions & 35 deletions src/ui/routes/apis.js
Expand Up @@ -351,48 +351,73 @@ const corsOptionsDelegate = function (req, callback) {
callback(null, corsOptions);
};

let apiList = null;
const getApiList = function (callback) {
debug('getApiList()');
if (apiList)
return callback(null, apiList);
debug('Retrieving API list via wicked SDK.');
wicked.getApis((err, apis) => {
if (err)
return callback(err);
apiList = apis;
callback(null, apiList);
});
};

router.get('/:api/swagger', cors(corsOptionsDelegate), function (req, res, next) {
debug("get('/:api/swagger')");
const apiId = req.params.api;
// Make sure we are asking for an existing API
getApiList((err, apis) => {
const apiId = req.params.api;

const apiCallback = function (err, swaggerJson) {
if (err)
// Does it exist?
if (!apis.apis.find(api => api.id === apiId)) {
// No, it does not. Return a 404.
const err = new Error(`API ${apiId} not found`);
err.status = 404;
return next(err);
// Pipe it
return res.json(swaggerJson);
};

// Let's call the API, it has all the data we need.
const swaggerUri = '/apis/' + apiId + '/swagger';
}

// Do we have a forUser query parameter?
let forUser = req.query.forUser;
if (!/^[a-z0-9]+$/.test(forUser)) {
debug("get('/:api/swagger') - invalid forUser used: " + forUser);
forUser = null;
}
if (forUser) {
utils.getAsUser(req, swaggerUri, forUser, apiCallback);
} else {
utils.get(req, swaggerUri, function (err, apiResponse, apiBody) {
const apiCallback = function (err, swaggerJson) {
if (err)
return next(err);
if (apiResponse.statusCode !== 200) {
const err = new Error(`Could not retrieve Swagger JSON, unexpected status code ${apiResponse.statusCode}`);
err.status = apiResponse.statusCode;
return next(err);
}
try {
const swaggerJson = utils.getJson(apiBody);
return apiCallback(null, swaggerJson);
} catch (ex) {
error(ex);
const err = new Error(`Swagger: Could not parse JSON body, error: ${ex.message}`);
err.status = 500;
return next(err);
}
});
}
// Pipe it
return res.json(swaggerJson);
};

// Let's call the API, it has all the data we need.
const swaggerUri = '/apis/' + apiId + '/swagger';

// Do we have a forUser query parameter?
let forUser = req.query.forUser;
if (!/^[a-z0-9]+$/.test(forUser)) {
debug("get('/:api/swagger') - invalid forUser used: " + forUser);
forUser = null;
}
if (forUser) {
utils.getAsUser(req, swaggerUri, forUser, apiCallback);
} else {
utils.get(req, swaggerUri, function (err, apiResponse, apiBody) {
if (err)
return next(err);
if (apiResponse.statusCode !== 200) {
const err = new Error(`Could not retrieve Swagger JSON, unexpected status code ${apiResponse.statusCode}`);
err.status = apiResponse.statusCode;
return next(err);
}
try {
const swaggerJson = utils.getJson(apiBody);
return apiCallback(null, swaggerJson);
} catch (ex) {
error(ex);
const err = new Error(`Swagger: Could not parse JSON body, error: ${ex.message}`);
err.status = 500;
return next(err);
}
});
}
});
}); // /apis/:apiId/swagger

module.exports = router;
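Review bot: The `err` argument of the `getApiList` callback at line 90 is never checked; when `wicked.getApis` fails, `apis` is undefined and `apis.apis.find(...)` at line 96 throws a TypeError inside the callback instead of reaching `next`. Add `if (err) return next(err);` as the first statement of that callback. Separately, `apiList` at line 72 is filled once and never invalidated, so an API registered after the first request would be answered with 404 until restart — if the API list can change at runtime, the cache needs a TTL or an explicit reset hook. Also note that `/^[a-z0-9]+$/.test(undefined)` is true because the value coerces to the string "undefined"; the later `if (forUser)` guard is what keeps a missing query parameter harmless, which is worth a one-line comment.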
