require valid OpenWebRX ticket for all authorize calls
@@ -5527,13 +5527,6 @@ function resolveOpenWebRxOwnerFromRequestContext(req, url) {
|
||||
}
|
||||
|
||||
async function handleOpenWebRxAuthorize(req, res, url) {
|
||||
if (canAuthorizeOpenWebRxByActiveSession()) {
|
||||
await ensureOpenWebRxSdrPath(null, { force: false, minIntervalMs: 3000 });
|
||||
res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
|
||||
res.end("ok");
|
||||
return;
|
||||
}
|
||||
|
||||
const queryTicket = String(url.searchParams.get("ticket") || "").trim();
|
||||
const cookieTicket = readCookie(req.headers && req.headers.cookie, "rms_owrx_ticket");
|
||||
const originalUriHeader = req.headers ? (req.headers["x-original-uri"] || req.headers["x-rewrite-uri"] || "") : "";
|
||||
@@ -5554,12 +5547,6 @@ async function handleOpenWebRxAuthorize(req, res, url) {
|
||||
tickets.push(refererTicket);
|
||||
}
|
||||
if (tickets.length === 0) {
|
||||
if (canAuthorizeOpenWebRxWebSocketWithoutTicket(req, originalUriHeader)) {
|
||||
await ensureOpenWebRxSdrPath(null, { force: false, minIntervalMs: 3000 });
|
||||
res.writeHead(200, { "Content-Type": "text/plain; charset=utf-8" });
|
||||
res.end("ok");
|
||||
return;
|
||||
}
|
||||
res.writeHead(403, { "Content-Type": "text/plain; charset=utf-8" });
|
||||
res.end("forbidden");
|
||||
return;
|
||||
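Review bot: The `tickets.length === 0` rejection that now ends in `res.writeHead(403, ...)` / `res.end("forbidden")` leaves no trace; since this is the path the removed WebSocket bypass used to take, a failed-authorize record (remote address, whether `upgrade`/`sec-websocket-key` was present, never the ticket values themselves) would make a broken client or a probing one visible in the logs, e.g. `console.warn("openwebrx authorize rejected: no ticket", { remote: req.socket && req.socket.remoteAddress });` using whatever logger this module already uses. The ticket sources gathered above (query, cookie, x-original-uri/x-rewrite-uri, referer) are all client-supplied, so the comparison against the session ticket that presumably follows this hunk is the only real check; if it is a plain `===`, a `crypto.timingSafeEqual` on equal-length buffers would be the safer form, but that code is outside this hunk. handleOpenWebRxAuthorize begins before this hunk and continues past it.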
@@ -5654,27 +5641,6 @@ function extractTicketFromUri(rawUri) {
|
||||
return String(params.get("ticket") || "").trim();
|
||||
}
|
||||
|
||||
function canAuthorizeOpenWebRxWebSocketWithoutTicket(req, originalUriHeader) {
|
||||
const headers = req && req.headers ? req.headers : {};
|
||||
const upgrade = String(headers.upgrade || "").toLowerCase();
|
||||
const hasWebSocketKey = Boolean(headers["sec-websocket-key"]);
|
||||
const isWebSocket = upgrade === "websocket" || hasWebSocketKey;
|
||||
if (!isWebSocket) {
|
||||
return false;
|
||||
}
|
||||
if (!runtime.station || !runtime.station.isInUse || !runtime.station.activeByUserId) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
function canAuthorizeOpenWebRxByActiveSession() {
|
||||
if (!runtime.station || !runtime.station.isInUse || !runtime.station.activeByUserId) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
async function handleHelpContent(res, user) {
|
||||
if (!hasRole(user, ["operator", "approver", "admin"])) {
|
||||
return sendError(res, 403, "auth.forbidden", "Nicht berechtigt");
|
||||
|
||||
@@ -1671,6 +1671,9 @@ test("openwebrx session is owner-bound and release disables tx first", async (t)
|
||||
const authOk = await fetch(`${baseUrl}/v1/openwebrx/authorize?ticket=${encodeURIComponent(session.session.ticket)}`);
|
||||
assert.equal(authOk.status, 200);
|
||||
|
||||
const authWithoutTicket = await fetch(`${baseUrl}/v1/openwebrx/authorize`);
|
||||
assert.equal(authWithoutTicket.status, 403);
|
||||
|
||||
await requestJson(baseUrl, "/v1/openwebrx/tx/enable", {
|
||||
method: "POST",
|
||||
headers,
|
||||
|
||||
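Review bot: The added assertion only pins the no-ticket case, while the commit title promises a *valid* ticket is required; a wrong ticket should be rejected the same way, e.g. `const authBadTicket = await fetch(`${baseUrl}/v1/openwebrx/authorize?ticket=${encodeURIComponent(session.session.ticket)}x`);` followed by `assert.equal(authBadTicket.status, 403);`. A second fetch that sends `upgrade: "websocket"` and a `sec-websocket-key` header without a ticket would exercise exactly the branch the deleted `canAuthorizeOpenWebRxWebSocketWithoutTicket` helper used to short-circuit, so a regression there would be caught rather than silently reopening the bypass. The enclosing `test(...)` body starts before this hunk and continues past it.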