From 2da920d634f50a4e2ab78350f56fd91a525075b5 Mon Sep 17 00:00:00 2001
From: Kailash Nadh
Date: Wed, 17 Jul 2024 10:39:03 +0530
Subject: [PATCH] Add legacy TOML user+password to API auth on init with warning.

---
 cmd/init.go | 12 +++++++-----
 internal/auth/auth.go | 13 +++++++++++--
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/cmd/init.go b/cmd/init.go
index f039383e5..b4e4dc3ff 100644
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -975,6 +975,11 @@ func initAuth(db *sql.DB, ko *koanf.Koanf, co *core.Core) *auth.Auth {
 		lo.Fatalf("error initializing auth: %v", err)
 	}
 
+	// Cache all API users in-memory for token auth.
+	if err := cacheAPIUsers(co, a); err != nil {
+		lo.Fatalf("error loading API users: %v", err)
+	}
+
 	// If the legacy username+password is set in the TOML file, use that as an API
 	// access token in the auth module to preserve backwards compatibility for existing
 	// API integrations. The presence of these values show a red banner on the admin UI
@@ -994,12 +999,9 @@ func initAuth(db *sql.DB, ko *koanf.Koanf, co *core.Core) *auth.Auth {
 			Type: models.UserTypeAPI,
 		}
 		u.Role.ID = auth.SuperAdminRoleID
-		a.CacheAPIUsers([]models.User{u})
-	}
+		a.CacheAPIUser(u)
 
-	// Load all API users.
-	if err := cacheAPIUsers(co, a); err != nil {
-		lo.Fatalf("error loading API users: %v", err)
+		lo.Println(`WARNING: Remove the admin_username and admin_password fields from the TOML configuration file. If you are using APIs, create and use new credentials. Users are now managed via the Admin -> Settings -> Users dashboard.`)
 	}
 
 	return a
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index bbc40d7b8..9b1629021 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
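Review bot: In the second cmd/init.go hunk `a.CacheAPIUser(u)` stores the legacy TOML user under `u.Username` in the same cache that `cacheAPIUsers(co, a)` (first hunk) has just filled from the database, so a dashboard-managed API user whose username equals `admin_username` is silently replaced by an entry with `auth.SuperAdminRoleID` whose token is the TOML password, and the warning printed right after does not mention it. The collision should be detected before the insert and reported — for example by having `CacheAPIUser` report whether it overwrote an existing entry and logging a warning naming the colliding username, or by refusing to start. The first hunk's comment should also record the ordering the code now relies on, e.g. `// Cache all API users in-memory for token auth. Must run before the legacy TOML user is registered below, as a full cache sync replaces the whole map.`, since `cacheAPIUsers` presumably ends in `Auth.CacheAPIUsers`, which wipes the cache; if that sync is ever re-run at runtime the legacy entry would disappear again. The `if` guarding the legacy user starts outside the second hunk and initAuth's closing brace is outside both hunks.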
@@ -138,7 +138,9 @@ func New(cfg Config, db *sql.DB, cb *Callbacks, lo *log.Logger) (*Auth, error) {
 	return a, nil
 }
 
-// CacheAPIUsers caches API users for authenticating requests.
+// CacheAPIUsers caches API users for authenticating requests. It wipes
+// the existing cache every time and is meant for syncing all API users
+// in the database in one shot.
 func (o *Auth) CacheAPIUsers(users []models.User) {
 	o.Lock()
 	o.apiUsers = map[string]models.User{}
@@ -149,6 +151,13 @@ func (o *Auth) CacheAPIUsers(users []models.User) {
 	o.Unlock()
 }
 
+// CacheAPIUser caches an API user for authenticating requests.
+func (o *Auth) CacheAPIUser(u models.User) {
+	o.Lock()
+	o.apiUsers[u.Username] = u
+	o.Unlock()
+}
+
 // GetAPIToken validates an API user+token.
 func (o *Auth) GetAPIToken(user string, token string) (models.User, bool) {
 	o.RLock()
@@ -236,7 +245,7 @@ func (o *Auth) Middleware(next echo.HandlerFunc) echo.HandlerFunc {
 		return next(c)
 	}
 
-	// It's a cookie based session.
+	// Is it a cookie based session?
 	sess, user, err := o.validateSession(c)
 	if err != nil {
 		c.Set(UserKey, echo.NewHTTPError(http.StatusForbidden, "invalid session"))
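Review bot: `CacheAPIUser` in the second internal/auth/auth.go hunk writes to `o.apiUsers` without checking that the map exists; the only allocation visible in this diff is `o.apiUsers = map[string]models.User{}` inside `CacheAPIUsers`, so unless `New` initialises the map (not visible here) a caller that registers a single user before a full sync panics on a nil-map write. A guard under the lock, `if o.apiUsers == nil { o.apiUsers = map[string]models.User{} }`, makes the method safe in either call order. The method also silently replaces whatever entry is already stored under `u.Username`, including its role, which callers of `GetAPIToken` presumably act on; the doc comment should state this and that a later full sync discards the entry, e.g. `// CacheAPIUser adds or replaces a single API user in the cache, keyed by username, without touching other entries. Entries added here are dropped by the next CacheAPIUsers call.`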