api token 체크 누락 수정
This commit is contained in:
78
core/api.go
78
core/api.go
@ -459,34 +459,52 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
var userinfo map[string]any
|
||||
|
||||
var apiTokenObj primitive.ObjectID
|
||||
if !*devflag {
|
||||
authheader := r.Header.Get("Authorization")
|
||||
if len(authheader) == 0 {
|
||||
logger.Println("Authorization header is not valid :", authheader)
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
apiToken := r.Header.Get("MG-X-API-TOKEN")
|
||||
if len(apiToken) > 0 {
|
||||
if apiToken != mg.maingateConfig.ApiToken {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil)
|
||||
req.Header.Add("Authorization", authheader)
|
||||
client := &http.Client{}
|
||||
obj, err := primitive.ObjectIDFromHex(apiToken)
|
||||
if err != nil {
|
||||
logger.Error(err)
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
logger.Println("graph microsoft api call failed :", err)
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
apiTokenObj = obj
|
||||
} else {
|
||||
authheader := r.Header.Get("Authorization")
|
||||
if len(authheader) == 0 {
|
||||
logger.Println("Authorization header is not valid :", authheader)
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
raw, _ := io.ReadAll(resp.Body)
|
||||
if err = json.Unmarshal(raw, &userinfo); err != nil {
|
||||
return
|
||||
}
|
||||
req, _ := http.NewRequest("GET", "https://graph.microsoft.com/oidc/userinfo", nil)
|
||||
req.Header.Add("Authorization", authheader)
|
||||
client := &http.Client{}
|
||||
|
||||
if _, expired := userinfo["error"]; expired {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
logger.Println("graph microsoft api call failed :", err)
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
raw, _ := io.ReadAll(resp.Body)
|
||||
if err = json.Unmarshal(raw, &userinfo); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if _, expired := userinfo["error"]; expired {
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -502,20 +520,6 @@ func (mg *Maingate) api(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
var apiTokenObj primitive.ObjectID
|
||||
if !*devflag {
|
||||
apiToken := r.Header.Get("MG-X-API-TOKEN")
|
||||
if len(apiToken) > 0 {
|
||||
obj, err := primitive.ObjectIDFromHex(apiToken)
|
||||
if err != nil {
|
||||
logger.Error(err)
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
apiTokenObj = obj
|
||||
}
|
||||
}
|
||||
|
||||
logger.Println("api call :", r.URL.Path, r.Method, r.URL.Query(), userinfo)
|
||||
caller := apiCaller{
|
||||
userinfo: userinfo,
|
||||
|
||||
Reference in New Issue
Block a user