support Authorization token protection in bw serve
This commit is contained in:
parent
b482a15d34
commit
f98a180dfb
@ -32,6 +32,7 @@ import { GetCommand } from "./get.command";
|
||||
import { ListCommand } from "./list.command";
|
||||
import { RestoreCommand } from "./restore.command";
|
||||
import { StatusCommand } from "./status.command";
|
||||
import { readFileSync, existsSync } from "fs";
|
||||
|
||||
export class ServeCommand {
|
||||
private listCommand: ListCommand;
|
||||
@ -183,6 +184,29 @@ export class ServeCommand {
|
||||
process.env.BW_SERVE = "true";
|
||||
process.env.BW_NOINTERACTION = "true";
|
||||
|
||||
const authTokenEnabled = !options.disableAuth;
|
||||
|
||||
var useToken = null;
|
||||
if(options.authToken != null && options.authToken.length > 0) {
|
||||
useToken = options.authToken;
|
||||
}
|
||||
if(options.authTokenFile != null && options.authTokenFile.length > 0) {
|
||||
if(!existsSync(options.authTokenFile)) {
|
||||
this.main.logService.error("Auth token file does not exist.");
|
||||
return;
|
||||
}
|
||||
useToken = readFileSync(options.authTokenFile, 'utf8').trim();
|
||||
}
|
||||
if(options.authTokenEnv != null && options.authTokenEnv.length > 0) {
|
||||
useToken = process.env[options.authTokenEnv];
|
||||
}
|
||||
|
||||
const authToken = useToken || process.env.BW_SERVE_AUTH_TOKEN;
|
||||
if(authTokenEnabled && (authToken == null || authToken.length == 0)) {
|
||||
this.main.logService.error("No auth token provided. Please deactivate auth explicitly or provide an auth token using --auth-token, --auth-token-file, --auth-token-env or BW_SERVE_AUTH_TOKEN environment variable.");
|
||||
return;
|
||||
}
|
||||
|
||||
server
|
||||
.use(async (ctx, next) => {
|
||||
if (protectOrigin && ctx.headers.origin != undefined) {
|
||||
@ -198,6 +222,21 @@ export class ServeCommand {
|
||||
}
|
||||
await next();
|
||||
})
|
||||
.use(async (ctx, next) => {
|
||||
if(!authTokenEnabled) {
|
||||
await next();
|
||||
return;
|
||||
}
|
||||
|
||||
if (ctx.request.headers.authorization == null || ctx.request.headers.authorization.indexOf("Bearer " + authToken) != 0) {
|
||||
ctx.status = 403;
|
||||
this.main.logService.warning(
|
||||
`Blocking request from as token is invalid or missing.`,
|
||||
);
|
||||
return;
|
||||
}
|
||||
await next();
|
||||
})
|
||||
.use(koaBodyParser())
|
||||
.use(koaJson({ pretty: false, param: "pretty" }));
|
||||
|
||||
|
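Review bot: The bearer check in the second middleware, `ctx.request.headers.authorization.indexOf("Bearer " + authToken) != 0`, is a prefix match, so any header whose value merely starts with `Bearer <token>` is accepted, and it uses an ordinary string search rather than a fixed-time comparison. I would compare the whole header against the expected value with `crypto.timingSafeEqual` on equal-length buffers (importing `timingSafeEqual` from `"crypto"` next to the new `fs` import) and answer 401 rather than 403, since the credential itself is what is missing or wrong. The warning in that branch, `Blocking request from as token is invalid or missing.`, reads like a leftover placeholder; `Blocking request as the auth token is invalid or missing.` would read correctly. Note also that when several token sources are given, each later block silently overwrites `useToken`, and `--auth-token-env` naming an unset variable falls through to BW_SERVE_AUTH_TOKEN rather than reporting the misconfiguration. The `.use` chain and the enclosing method begin before this hunk and continue after it.
```typescript
.use(async (ctx, next) => {
  // … unchanged: early return when authTokenEnabled is false …
  const expected = Buffer.from("Bearer " + authToken);
  const received = Buffer.from(ctx.request.headers.authorization ?? "");
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    ctx.status = 401;
    // … unchanged: warning log and return …
  }
  await next();
})
```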
@ -479,6 +479,10 @@ export class Program {
|
||||
.description("Start a RESTful API webserver.")
|
||||
.option("--hostname <hostname>", "The hostname to bind your API webserver to.")
|
||||
.option("--port <port>", "The port to run your API webserver on.")
|
||||
.option("--auth-token-env <authTokenEnv>", "The environment variable to use for the auth token. Defaults to BW_SERVE_AUTH_TOKEN if not set.")
|
||||
.option("--auth-token-file <authTokenFile>", "The file to use for the auth token.")
|
||||
.option("--auth-token <authToken>", "The auth token to use for authentication.")
|
||||
.option("--disable-auth", "If set, disables authentication.")
|
||||
.option(
|
||||
"--disable-origin-protection",
|
||||
"If set, allows requests with origin header. Warning, this option exists for backwards compatibility reasons and exposes your environment to known CSRF attacks.",
|
||||
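Review bot: The new `--auth-token <authToken>` option puts the secret on the command line, where it is visible to other local users through process listings and is retained in shell history, and its help text gives no hint of that, while `--auth-token-file` and `--auth-token-env` avoid this exposure. I would extend the help string to `"The auth token to use for authentication. Prefer --auth-token-file or --auth-token-env, as command-line arguments are visible to other local processes."` and add to `--disable-auth` that the API then accepts requests from any client that can reach the bound address. The `--auth-token-env` help says it defaults to BW_SERVE_AUTH_TOKEN, which matches the fallback in the serve command; the two should be kept in sync if that variable name ever changes.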
|