octoleo/syncthing
1
0
Fork 0
mirror of https://github.com/octoleo/syncthing.git synced 2024-11-10 07:11:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
96c30f8387
syncthing/lib/api/api_csrf.go

108 lines
3.0 KiB
Go
Raw Normal View History

Use more inclusive copyright header
2014-11-16 20:13:20 +00:00
// Copyright (C) 2014 The Syncthing Authors.
Relicense to GPL
2014-09-29 19:43:32 +00:00
//
MPLv2
2015-03-07 20:36:35 +00:00
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
all: Update license url to https (ref #3976)
2017-02-09 06:52:18 +00:00
// You can obtain one at https://mozilla.org/MPL/2.0/.
Copyright cleanup
2014-09-04 06:31:38 +00:00
cmd/syncthing, lib/api: Separate api/gui into own package (ref #4085) (#5529) * cmd/syncthing, lib/gui: Separate gui into own package (ref #4085) * fix tests * Don't use main as interface name (make old go happy) * gui->api * don't leak state via locations and use in-tree config * let api (un-)subscribe to config * interface naming and exporting * lib/ur * fix tests and lib/foldersummary * shorter URVersion and ur debug fix * review * model.JsonCompletion(FolderCompletion) -> FolderCompletion.Map() * rename debug facility https -> api * folder summaries in model * disassociate unrelated constants * fix merge fail * missing id assignement
2019-03-26 19:53:58 +00:00
package api
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
import (
"net/http"
CSRF protection should only cover /rest
2014-07-06 13:00:44 +00:00
"strings"
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
"time"
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
"github.com/syncthing/syncthing/lib/db"
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
)
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
const (
maxCSRFTokenLifetime = time.Hour
maxActiveCSRFTokens = 25
)
Don't allow in use CSRF tokens to expire (fixes #1008)
2016-01-03 20:56:19 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
type csrfManager struct {
unique string
prefix string
apiKeyValidator apiKeyValidator
next http.Handler
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
tokens *tokenManager
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
}
type apiKeyValidator interface {
IsValidAPIKey(key string) bool
}
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
// Check for CSRF token on /rest/ URLs. If a correct one is not given, reject
// the request with 403. For / and /index.html, set a new CSRF cookie if none
// is currently set.
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
func newCsrfManager(unique string, prefix string, apiKeyValidator apiKeyValidator, next http.Handler, miscDB *db.NamespacedKV) *csrfManager {
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m := &csrfManager{
unique: unique,
prefix: prefix,
apiKeyValidator: apiKeyValidator,
next: next,
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
tokens: newTokenManager("csrfTokens", miscDB, maxCSRFTokenLifetime, maxActiveCSRFTokens),
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
}
return m
}
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
func (m *csrfManager) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// Allow requests carrying a valid API key
lib/api: Allow `Bearer` authentication style with API key (#9002) Currently, historically, we look for the `X-API-Key` header to authenticate with an API key. There's nothing wrong with this, but in some scenarios it's easier to produce an `Authorization` header with a `Bearer $token` content, which is nowadays more common. This change adds support for both, so that we will accept an API key either in our custom header or as a bearer token.
2023-07-26 11:13:06 +00:00
if hasValidAPIKeyHeader(r, m.apiKeyValidator) {
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
// Set the access-control-allow-origin header for CORS requests
// since a valid API key has been provided
w.Header().Add("Access-Control-Allow-Origin", "*")
m.next.ServeHTTP(w, r)
return
}
cmd/syncthing, lib/config: Enable HTTP CPU/heap profile collection for users This adds a config to enable debug functions on the API server, which is by default disabled. When enabled, the /rest/debug things become available and become available without requiring a CSRF token (although authentication is required if configured). We also add a new endpoint /rest/debug/cpuprof?duration=15s (with the duration being configurable, defaulting to 30s). This runs a CPU profile for the duration and returns it as a file. It sets headers so that a browser will save the file with an informative name. The same is done for heap profiles, /rest/debug/heapprof, which does not take any parameters. The purpose of this is that any user can enable debugging under advanced, then point their browser to the endpoint above and get a file that contains a CPU or heap profile we can use, with the filename telling us what version and architecture the profile is from. On the command line, this becomes curl -O -J http://localhost:8082/rest/debug/cpuprof?duration=5s curl: Saved to filename 'syncthing-cpu-darwin-amd64-v0.14.3+4-g935bcc0-110307.pprof' GitHub-Pull-Request: https://github.com/syncthing/syncthing/pull/3467
2016-08-02 11:06:45 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
if strings.HasPrefix(r.URL.Path, "/rest/debug") {
// Debugging functions are only available when explicitly
// enabled, and can be accessed without a CSRF token
m.next.ServeHTTP(w, r)
return
}
// Allow requests for anything not under the protected path prefix,
// and set a CSRF cookie if there isn't already a valid one.
if !strings.HasPrefix(r.URL.Path, m.prefix) {
cookie, err := r.Cookie("CSRF-Token-" + m.unique)
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
if err != nil || !m.tokens.Check(cookie.Value) {
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
l.Debugln("new CSRF cookie in response to request for", r.URL)
cookie = &http.Cookie{
Name: "CSRF-Token-" + m.unique,
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
Value: m.tokens.New(),
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
http.SetCookie(w, cookie)
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.next.ServeHTTP(w, r)
return
}
API key change should take effect on restart only
2014-06-05 07:16:12 +00:00
Add HTML login form (fixes #4137) (#8757)
2023-10-06 11:00:58 +00:00
if isNoAuthPath(r.URL.Path) {
// REST calls that don't require authentication also do not
// need a CSRF token.
m.next.ServeHTTP(w, r)
return
}
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
// Verify the CSRF token
token := r.Header.Get("X-CSRF-Token-" + m.unique)
lib/api: Save session & CSRF tokens to database, add option to stay logged in (fixes #9151) (#9284) This adds a "token manager" which handles storing and checking expired tokens, used for both sessions and CSRF tokens. It removes the old, corresponding functionality for CSRFs which saved things in a file. The result is less crap in the state directory, and active login sessions now survive a Syncthing restart (this really annoyed me). It also adds a boolean on login to create a longer-lived session cookie, which is now possible and useful. Thus we can remain logged in over browser restarts, which was also annoying... :) <img width="1001" alt="Screenshot 2023-12-12 at 09 56 34" src="https://github.com/syncthing/syncthing/assets/125426/55cb20c8-78fc-453e-825d-655b94c8623b"> Best viewed with whitespace-insensitive diff, as a bunch of the auth functions became methods instead of closures which changed indentation.
2024-01-04 10:07:12 +00:00
if !m.tokens.Check(token) {
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
http.Error(w, "CSRF Error", http.StatusForbidden)
return
}
Remove martini, use standard http mux
2014-07-05 19:40:29 +00:00
lib/api: Refactor to run tests in parallel (#5998) This is an experiment in testing, based on the advise to always call t.Parallel() at the start of every test. Doing so makes tests run in parallel, which is usually faster, but also exposes package level state and potential race conditions better. To support this I had to redesign the CSRF manager to not be package global, which was indeed an improvement. And tests run five times faster now.
2019-09-05 11:35:51 +00:00
m.next.ServeHTTP(w, r)
Implement CSRF protection for REST interface (fixes #287)
2014-06-04 19:20:07 +00:00
}
lib/api: Allow `Bearer` authentication style with API key (#9002) Currently, historically, we look for the `X-API-Key` header to authenticate with an API key. There's nothing wrong with this, but in some scenarios it's easier to produce an `Authorization` header with a `Bearer $token` content, which is nowadays more common. This change adds support for both, so that we will accept an API key either in our custom header or as a bearer token.
2023-07-26 11:13:06 +00:00
func hasValidAPIKeyHeader(r *http.Request, validator apiKeyValidator) bool {
if key := r.Header.Get("X-API-Key"); validator.IsValidAPIKey(key) {
return true
}
if auth := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(auth), "bearer ") {
bearerToken := auth[len("bearer "):]
return validator.IsValidAPIKey(bearerToken)
}
return false
}
Reference in New Issue Copy Permalink