akkoma/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex

# Pleroma: A lightweight social networking server
# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>
# SPDX-License-Identifier: AGPL-3.0-only

defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do
  import Plug.Conn

  alias Pleroma.Helpers.AuthHelper
  alias Pleroma.User
  alias Pleroma.Web.Plugs.RateLimiter

  def init(options) do
    options
  end

  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn

  def call(conn, _) do
    if secret_token() do
      authenticate(conn)
    else
      conn
    end
  end

  defp authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
    if admin_token == secret_token() do
      assign_admin_user(conn)
    else
      handle_bad_token(conn)
    end
  end

  defp authenticate(conn) do
    token = secret_token()

    case get_req_header(conn, "x-admin-token") do
      blank when blank in [[], [""]] -> conn
      [^token] -> assign_admin_user(conn)
      _ -> handle_bad_token(conn)
    end
  end

  defp secret_token do
    case Pleroma.Config.get(:admin_token) do
      blank when blank in [nil, ""] -> nil
      token -> token
    end
  end

  defp assign_admin_user(conn) do
    conn
    |> assign(:user, %User{is_admin: true})
    |> AuthHelper.skip_oauth()
  end

  defp handle_bad_token(conn) do
    RateLimiter.call(conn, name: :authentication)
  end
end
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# Pleroma: A lightweight social networking server`
Bump Copyright to 2021 grep -rl '# Copyright © .* Pleroma' * \| xargs sed -i 's;Copyright © .* Pleroma .*;Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>;' 2021-01-13 06:49:20 +00:00			`# Copyright © 2017-2021 Pleroma Authors <https://pleroma.social/>`
add license boilerplate to pleroma core 2018-12-23 20:04:54 +00:00			`# SPDX-License-Identifier: AGPL-3.0-only`

AdminSecretAuthenticationPlug module name 2020-06-24 08:18:42 +00:00			`defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00			`import Plug.Conn`
[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00
Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. 2020-10-31 10:38:35 +00:00			`alias Pleroma.Helpers.AuthHelper`
[#1940] Applied rate limit for requests with bad `admin_token`. Added doc warnings on `admin_token` setting. 2020-07-14 08:58:41 +00:00			`alias Pleroma.User`
fixes after rebase 2020-08-16 17:28:31 +00:00			`alias Pleroma.Web.Plugs.RateLimiter`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00
			`def init(options) do`
			`options`
			`end`

			`def call(%{assigns: %{user: %User{}}} = conn, _), do: conn`

Support authentication via `x-admin-token` HTTP header 2019-11-19 08:58:20 +00:00			`def call(conn, _) do`
			`if secret_token() do`
			`authenticate(conn)`
			`else`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00			`conn`
Support authentication via `x-admin-token` HTTP header 2019-11-19 08:58:20 +00:00			`end`
			`end`

[#3112] Ensured presence and consistency of :user and :token assigns (EnsureUserTokenAssignsPlug). Refactored auth info dropping functions. 2020-12-06 10:59:10 +00:00			`defp authenticate(%{params: %{"admin_token" => admin_token}} = conn) do`
Support authentication via `x-admin-token` HTTP header 2019-11-19 08:58:20 +00:00			`if admin_token == secret_token() do`
[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00			`assign_admin_user(conn)`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00			`else`
[#1940] Applied rate limit for requests with bad `admin_token`. Added doc warnings on `admin_token` setting. 2020-07-14 08:58:41 +00:00			`handle_bad_token(conn)`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00			`end`
			`end`

[#3112] Ensured presence and consistency of :user and :token assigns (EnsureUserTokenAssignsPlug). Refactored auth info dropping functions. 2020-12-06 10:59:10 +00:00			`defp authenticate(conn) do`
Support authentication via `x-admin-token` HTTP header 2019-11-19 08:58:20 +00:00			`token = secret_token()`

			`case get_req_header(conn, "x-admin-token") do`
[#1940] Applied rate limit for requests with bad `admin_token`. Added doc warnings on `admin_token` setting. 2020-07-14 08:58:41 +00:00			`blank when blank in [[], [""]] -> conn`
[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00			`[^token] -> assign_admin_user(conn)`
[#1940] Applied rate limit for requests with bad `admin_token`. Added doc warnings on `admin_token` setting. 2020-07-14 08:58:41 +00:00			`_ -> handle_bad_token(conn)`
Support authentication via `x-admin-token` HTTP header 2019-11-19 08:58:20 +00:00			`end`
			`end`
[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00
[#3112] Ensured presence and consistency of :user and :token assigns (EnsureUserTokenAssignsPlug). Refactored auth info dropping functions. 2020-12-06 10:59:10 +00:00			`defp secret_token do`
			`case Pleroma.Config.get(:admin_token) do`
			`blank when blank in [nil, ""] -> nil`
			`token -> token`
			`end`
			`end`

[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00			`defp assign_admin_user(conn) do`
			`conn`
			`\|> assign(:user, %User{is_admin: true})`
Auth subsystem refactoring and tweaks. Added proper OAuth skipping for SessionAuthenticationPlug. Integrated LegacyAuthenticationPlug into AuthenticationPlug. Adjusted tests & docs. 2020-10-31 10:38:35 +00:00			`\|> AuthHelper.skip_oauth()`
[#1940] Reinstated OAuth-less `admin_token` authentication. Refactored UserIsAdminPlug (freed from checking admin scopes presence). 2020-07-19 18:35:57 +00:00			`end`
[#1940] Applied rate limit for requests with bad `admin_token`. Added doc warnings on `admin_token` setting. 2020-07-14 08:58:41 +00:00
			`defp handle_bad_token(conn) do`
			`RateLimiter.call(conn, name: :authentication)`
			`end`
Add a way to use the admin api without a user. 2018-12-18 20:08:52 +00:00			`end`