Add push secret validation

K0IN · Jul 22, 2023 · 640c006 · 640c006
1 parent 51ba83a
commit 640c006
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 9 deletions.
diff --git a/app/backend/middleware/auth.ts b/app/backend/middleware/auth.ts
@@ -49,3 +49,16 @@ export async function validateDeviceSecret<CTX extends RouterContext<A, B, C>, A
         return;
     }
 }
+
+
+export async function validatePushSecret<CTX extends RouterContext<A, B, C>, A extends string, B extends RouteParams<A>, C extends State>(context: CTX, next: () => Promise<unknown>) {
+    const { sendkey } = context.state;
+    const authHeader = context.request.headers.get('authorization');
+    if (!sendkey || validateAuthHeader(authHeader, sendkey)) {
+        return next();
+    } else {
+        const response = failure({ type: 'auth_required', message: 'Authorization header invalid' }, { status: 401 });
+        responseToContext(context, response)
+        return;
+    }
+}
diff --git a/app/backend/mod.ts b/app/backend/mod.ts
@@ -20,8 +20,14 @@ export async function serve(params: AppParameters, listen = true): Promise<Appli
     }
 
     const { port, vapidKey, sub, frontend, cors, sendkey, loginkey } = parsed.data;
-
+    
     const app = new Application();
+
+    app.state.vapidKey = vapidKey;
+    app.state.sub = sub;
+    app.state.frontend = frontend;
+    app.state.sendkey = sendkey;
+    app.state.loginkey = loginkey;
 
     if (cors) {
         app.use(oakCors());
@@ -35,13 +41,6 @@ export async function serve(params: AppParameters, listen = true): Promise<Appli
         app.use(serveStaticFilesMiddleware);
     }
 
-    // inject global settings
-    app.state.vapidKey = vapidKey;
-    app.state.sub = sub;
-    app.state.frontend = frontend;
-    app.state.sendkey = sendkey;
-    app.state.loginkey = loginkey;
-
     console.log(`Listening on http://localhost:${port}/ Config: ${JSON.stringify(params)}`);
 
     if (listen) {

diff --git a/app/backend/routes/notify.ts b/app/backend/routes/notify.ts
@@ -3,10 +3,11 @@ import { MessageValidator } from "../types/message.ts";
 import { failure, success } from "../types/apiresponse.ts";
 import { notifyAll } from "../logic/project/notify.ts";
 import { toReturn } from "../util/oakreturn.ts";
+import { validatePushSecret } from "../middleware/auth.ts";
 
 export const notificationRouter = new Router({ prefix: '/notify' });
 
-notificationRouter.post('/', // authFactory(SERVERPWD ?? AUTHPWD), // if no Server password is set, use the user password
+notificationRouter.post('/', validatePushSecret,
     toReturn(async (context): Promise<Response> => {
         const body = context.request.body({ type: 'json' });
         const rawMessage = await body.value;