Enforce token on api routes [fixed critical security issue #4357] #4840

Merged: 45 commits, Sep 10, 2018

Commits (45)
c53ef40
enforce token on api routes
beeonthego Sep 1, 2018
94c1708
remove redundant check on signin
beeonthego Sep 1, 2018
5840433
Merge branch 'master' into api-routes-enforce-token
techknowlogick Sep 3, 2018
26eb5da
add function to get a new token for logged in user
techknowlogick Sep 5, 2018
5a3e4c8
test api create with token
techknowlogick Sep 5, 2018
14cc933
make fmt fix
techknowlogick Sep 5, 2018
fe45731
update function
techknowlogick Sep 5, 2018
1c7615a
Update api_comment_test.go
techknowlogick Sep 5, 2018
3c38127
make fmt fix
techknowlogick Sep 5, 2018
83f01a8
fix build errors
techknowlogick Sep 5, 2018
7ab90a5
Merge branch 'master' into api-routes-enforce-token
techknowlogick Sep 5, 2018
9afd922
Update integration_test.go
techknowlogick Sep 5, 2018
6420202
Update integration_test.go
techknowlogick Sep 5, 2018
dbf3b33
add an extra doc
techknowlogick Sep 5, 2018
5dbef59
Update integration_test.go
techknowlogick Sep 5, 2018
5787fd2
Update integration_test.go
techknowlogick Sep 5, 2018
d112e43
Update integration_test.go
techknowlogick Sep 5, 2018
e2f9ac1
get flash
techknowlogick Sep 5, 2018
94ba687
Remove log
techknowlogick Sep 5, 2018
6f7898d
add token to comment api tests
techknowlogick Sep 5, 2018
fd42d3f
Update api_admin_test.go
techknowlogick Sep 5, 2018
635a65a
Update api_branch_test.go
techknowlogick Sep 5, 2018
800b2d3
Update api_gpg_keys_test.go
techknowlogick Sep 5, 2018
7c9233e
Update api_gpg_keys_test.go
techknowlogick Sep 5, 2018
0da8690
Update api_gpg_keys_test.go
techknowlogick Sep 5, 2018
26f7f00
Update api_issue_label_test.go
techknowlogick Sep 5, 2018
eb6be56
Update api_admin_test.go
techknowlogick Sep 5, 2018
f60b486
Update api_issue_label_test.go
techknowlogick Sep 5, 2018
30c10c9
Update api_issue_test.go
techknowlogick Sep 5, 2018
4e5a2e9
Update api_keys_test.go
techknowlogick Sep 5, 2018
cd37ebb
Update api_admin_test.go
techknowlogick Sep 5, 2018
759772b
Update api_gpg_keys_test.go
techknowlogick Sep 5, 2018
5f82314
Update api_pull_test.go
techknowlogick Sep 5, 2018
12324bf
Update api_releases_test.go
techknowlogick Sep 5, 2018
85245a8
Update api_repo_raw_test.go
techknowlogick Sep 5, 2018
a3a0362
Update api_repo_test.go
techknowlogick Sep 5, 2018
c35f5dc
Update api_team_test.go
techknowlogick Sep 5, 2018
8f7a754
Update api_repo_test.go
techknowlogick Sep 5, 2018
8f6353a
Update api_repo_test.go
techknowlogick Sep 5, 2018
60d407b
Update repo_commits_test.go
techknowlogick Sep 6, 2018
8646332
Update git_test.go
techknowlogick Sep 6, 2018
4093d15
Merge branch 'master' into api-routes-enforce-token
techknowlogick Sep 7, 2018
a74435b
Update api_admin_test.go
techknowlogick Sep 10, 2018
3d73f40
Update api_admin_test.go
techknowlogick Sep 10, 2018
40a2419
Merge branch 'master' into api-routes-enforce-token
techknowlogick Sep 10, 2018
3 changes: 2 additions & 1 deletion modules/auth/auth.go
Expand Up @@ -63,6 +63,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
if err = models.UpdateAccessToken(t); err != nil {
log.Error(4, "UpdateAccessToken: %v", err)
}
ctx.Data["IsApiToken"] = true
return t.UID
}
}
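Review bot: `ctx.Data["IsApiToken"] = true` is written immediately after `UpdateAccessToken` can fail with nothing more than a log line, so a token whose bookkeeping update failed is still marked as an API-token login and returns `t.UID`; that is the pre-existing behaviour of this branch, but now that this flag is what gates the API routes it deserves an explicit decision rather than an inherited one. Separately, `ctx.Data` is the untyped map that is also handed to templates, so any later handler can overwrite the key and a misspelling on either the write or read side is invisible to the compiler; a dedicated bool field on the context would be safer than a string-keyed entry.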
Expand Down Expand Up @@ -136,7 +137,7 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
}
return nil, false
}

ctx.Data["IsApiToken"] = true
return u, true
}
}
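Review bot: this is the second place the `"IsApiToken"` key is written as a bare string literal (the first is in `SignedInID` above) and it is read back by `reqToken` in `routers/api/v1/api.go`, so the three sites have to stay in sync by hand; because the consumer fails closed, a typo in any one of them would show up as every API request returning 401 rather than as a compile error. Define the key once as a named constant, or wrap the write and read in a small setter/getter pair on the context, and use that in all three places.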
2 changes: 1 addition & 1 deletion routers/api/v1/api.go
Expand Up @@ -132,7 +132,7 @@ func repoAssignment() macaron.Handler {
// Contexter middleware already checks token for user sign in process.
func reqToken() macaron.Handler {
return func(ctx *context.Context) {
if !ctx.IsSigned {
if !ctx.IsSigned || true != ctx.Data["IsApiToken"] {
ctx.Error(401)
return
}
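Review bot: the comment above `reqToken`, "Contexter middleware already checks token for user sign in process.", no longer describes this middleware: it now also rejects callers who are signed in by session cookie rather than by token, which is the change the title credits with closing #4357, so the comment should say that a signed-in user without a token is refused here. The condition itself is sound and fails closed (a missing key gives `nil != true`, hence 401), but the Yoda form `true != ctx.Data["IsApiToken"]` is unidiomatic Go; `ctx.Data["IsApiToken"] != true` reads more naturally, and a typed accessor on the context (one does not exist yet) would remove the interface comparison entirely.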