Commit e8c77040 authored by Emmanuel Raviart's avatar Emmanuel Raviart

Enable backend to request demand.

parent 41d9c76d
......@@ -6,6 +6,10 @@ ADMIN_EMAIL="someone@example.com"
# Allow authentication & demands?
AUTHENTICATE=true
# Secret password used to sign requests issued by Progedo backend.
# CHANGE IT!
BACKEND_SECRET="a sample backend secret"
BASE_URL="http://localhost:3000"
# PostgreSQL database configuration
......
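Review bot: The comment above `BACKEND_SECRET` says to change it but not what a safe value looks like, and the sample is a short English phrase that a copy-paste deployment will keep. Since this value is the HMAC key that authenticates backend requests, the comment should state the requirement, e.g. `# Secret shared with the Progedo backend to HMAC-sign its requests. CHANGE IT to a long random value (e.g. output of \`openssl rand -hex 32\`).`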
......@@ -25,7 +25,7 @@
"@auditors/json5": "^0.3.0",
"@eraviart/svelte-json-tree": "^0.2.0",
"@iconify/svelte": "^2.1.2",
"@progedo/lib": "^0.3.0",
"@progedo/lib": "^0.3.2",
"@sveltejs/adapter-node": "^1.0.0-next.78",
"@sveltejs/kit": "^1.0.0-next.354",
"@tailwindcss/forms": "^0.5.0",
......@@ -697,9 +697,9 @@
}
},
"node_modules/@progedo/lib": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/@progedo/lib/-/lib-0.3.0.tgz",
"integrity": "sha512-qniJd5JmeX+fNrX1tm6pLVHTW0Kzrzh0RYSBWqWzjFkyq3l9LoLALuytEoim2lOsjAPfaGhGbBcfeCq2YvPBcQ==",
"version": "0.3.2",
"resolved": "https://registry.npmjs.org/@progedo/lib/-/lib-0.3.2.tgz",
"integrity": "sha512-lFjnp27DRRWx5bi5OaDd6gHXkrZ5mzMk83IW1BDcZkV6n7BVNTMJlkkgVBwrpG42uXCuRhbM3TM/HF8huRVbog==",
"dev": true,
"dependencies": {
"core-js": "^3.12.1",
......@@ -5880,9 +5880,9 @@
"dev": true
},
"@progedo/lib": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/@progedo/lib/-/lib-0.3.0.tgz",
"integrity": "sha512-qniJd5JmeX+fNrX1tm6pLVHTW0Kzrzh0RYSBWqWzjFkyq3l9LoLALuytEoim2lOsjAPfaGhGbBcfeCq2YvPBcQ==",
"version": "0.3.2",
"resolved": "https://registry.npmjs.org/@progedo/lib/-/lib-0.3.2.tgz",
"integrity": "sha512-lFjnp27DRRWx5bi5OaDd6gHXkrZ5mzMk83IW1BDcZkV6n7BVNTMJlkkgVBwrpG42uXCuRhbM3TM/HF8huRVbog==",
"dev": true,
"requires": {
"core-js": "^3.12.1",
......
......@@ -50,6 +50,15 @@ export function auditConfig(
auditSetNullish(false),
)
}
audit.attribute(
data,
"backendSecret",
true,
errors,
remainingKeys,
auditTrimString,
auditRequire,
)
audit.attribute(
data,
"baseUrl",
......
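Review bot: `auditRequire` on `backendSecret` only rejects a missing or empty value, so the sample `"a sample backend secret"` shipped in the example env file passes validation and the HMAC check in `$lib/server/backend` is then forgeable by anyone who has read the repository. A stronger audit for this attribute should also enforce a minimum length and refuse the documented sample value; I have not named the helper because the audit library's available checks are not visible in this commit. `auditConfig` begins before this hunk and continues after it.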
import { createHmac } from "crypto"
import config from "$lib/server/config"
export function isSignedBackendGetRequest({
request,
url,
}: {
request: Request
url: URL
}): boolean {
const signature = request.headers.get("X-Hub-Signature")
if (signature === null) {
console.error(
`Error in ${url.pathname}\n\nMissing X-Hub-Signature HTTP header`,
)
return false
}
const match = signature.match(/^sha1=([0-9a-f]+)$/)
if (match === null) {
console.error(
`Error in ${url.pathname}\n\nInvalid X-Hub-Signature HTTP header`,
)
return false
}
const signatureDigest = match[1]
const hmac = createHmac("sha1", config.backendSecret)
hmac.update(url.toString())
const digest = hmac.digest("hex")
if (digest !== signatureDigest) {
console.error(
`Error in ${url.toString()}\n\nHMAc in X-Hub-Signature ${signatureDigest} doesn't match the computed one ${digest}`,
)
return false
}
return true
}
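Review bot: The final check `digest !== signatureDigest` is a plain string comparison that returns as soon as the first character differs, and the error message right below it writes the correct digest for that URL into the server log, so a failed attempt leaks the exact signature the server expected. Compare the two digests as equal-length buffers with `crypto.timingSafeEqual` and log only that the signature did not match (also fixing the `HMAc` typo). The signed material is `url.toString()` alone, so a signed URL stays valid indefinitely; if replay matters, the backend and this check should agree on including a timestamp or nonce in the signed data.
```typescript
import { createHmac, timingSafeEqual } from "crypto"
// … unchanged: config import, header presence and format checks …
  const digest = hmac.digest("hex")
  const expected = Buffer.from(digest, "hex")
  const provided = Buffer.from(signatureDigest, "hex")
  // Length must match before timingSafeEqual, which throws on unequal lengths.
  if (expected.length !== provided.length || !timingSafeEqual(expected, provided)) {
    console.error(
      `Error in ${url.toString()}\n\nHMAC in X-Hub-Signature doesn't match the computed one`,
    )
    return false
  }
  return true
```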
......@@ -7,6 +7,7 @@ import { validateConfig } from "$lib/server/auditors/config"
export interface Config {
adminEmail: string
authenticate: boolean
backendSecret: string
baseUrl: string
db: {
host: string
......@@ -45,6 +46,7 @@ export interface MatomoConfig {
const config = {
adminEmail: process.env["ADMIN_EMAIL"],
authenticate: process.env["AUTHENTICATE"],
backendSecret: process.env["BACKEND_SECRET"],
baseUrl: process.env["BASE_URL"],
db: {
host: process.env["DB_HOST"],
......
import type { ValidDemandQuery } from "@progedo/lib"
import type { ValidDemandQuery, ZammadUser } from "@progedo/lib"
import type { RequestHandler } from "@sveltejs/kit"
import type { JSONValue } from "@sveltejs/kit/types/internal"
import dedent from "dedent-js"
import { validateDemandParameters } from "$lib/auditors/parameters"
import { validateDemandQuery } from "$lib/server/auditors/queries"
import { isSignedBackendGetRequest } from "$lib/server/backend"
import { DataProducer } from "$lib/server/data_producers"
import { db } from "$lib/server/database"
export const get: RequestHandler = async ({
locals,
params: requestParams,
request,
url,
}) => {
const user = locals.user
let user = locals.user
if (user == null) {
return {
status: 401,
body: {
error: {
code: 401,
message: "You must be authenticated to access to this API.",
if (!isSignedBackendGetRequest({ request, url })) {
return {
status: 401,
body: {
error: {
code: 401,
message: "You must be authenticated to access to this API.",
},
},
},
}
}
user = {
id: 0,
roles: ["Agent"],
} as ZammadUser
}
const [params, paramsError] = validateDemandParameters(requestParams) as [
......
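Review bot: The synthetic user is built with `} as ZammadUser`, which silences the compiler if `ZammadUser` has required fields beyond `id` and `roles`; declare it instead, `const backendUser: ZammadUser = { id: 0, roles: ["Agent"] }` and then `user = backendUser`, so a future change to the type is caught here. The branch also deserves a why-comment, since it turns any request carrying a valid backend signature into an agent session: `// Request signed by the Progedo backend: act as a synthetic agent (id 0) rather than a real Zammad user.` Because `isSignedBackendGetRequest` (in this commit) signs only the URL, such a request can be replayed for as long as the secret is unchanged — worth noting in the same comment. The `get` handler continues past the end of this hunk.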