enricobuehler
b2e5878711
android / android (push) Failing after 21s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 0s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 1s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 1s
ci / rust (push) Failing after 2m27s
ci / web (push) Failing after 10s
ci / docs-site (push) Failing after 0s
ci / bench (push) Failing after 1s
deb / build-publish (push) Failing after 0s
decky / build-publish (push) Failing after 1s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 0s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
docker / deploy-docs (push) Has been skipped
flatpak / build-publish (push) Failing after 0s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 0s
apple / swift (push) Successful in 53s
The mgmt API already always serves HTTPS (the host identity cert), but on a loopback bind with no token it ran unauthenticated — any local process could drive it. Make auth required ALWAYS: - new mgmt_token::load_or_generate(): token precedence is --mgmt-token > env PUNKTFUNK_MGMT_TOKEN > persisted ~/.config/punktfunk/mgmt-token > freshly generated 32-byte hex, persisted 0600 in KEY=VALUE form (so the bundled web console can source it directly as a systemd EnvironmentFile — one source of truth). config_dir() made pub(crate). - parse_serve() resolves the token via load_or_generate() when unset, so a bare `serve` Just Works with auth on and no operator step. - mgmt::run() drops the loopback no-token exemption and requires a token; require_auth()'s unauthenticated fallback now returns 401. The paired-cert (mTLS) branch is unchanged — Apple client + library auth unaffected. - web /api proxy: 503 (legible) instead of forwarding an empty bearer. - tests: test_app/test_app_native default a token, send() auto-attaches the bearer; blank-token test asserts the new "no token" refusal. 80 pass. - docs: mgmt module doc + host.env.example reflect always-on auth + auto-gen. Compiles, clippy/fmt clean, openapi no drift. Part B (bundle the web console into apt, auto-wired to this token) follows. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
29 lines
1.5 KiB
TypeScript
29 lines
1.5 KiB
TypeScript
// /api/** → the management API. By the time we get here the gate (middleware/auth.ts) has
|
|
// confirmed an authenticated session. We inject the management bearer token server-side
|
|
// (the browser never sees it) and drop the browser's own cookies/auth from the upstream
|
|
// request, then proxy. The management API itself binds loopback only — this proxy is the
|
|
// ONLY path to it from the LAN, and it's authenticated.
|
|
import { defineEventHandler, getRequestURL, proxyRequest, setResponseStatus } from 'h3'
|
|
import { mgmtToken, mgmtUrl } from '../../util/auth'
|
|
|
|
export default defineEventHandler((event) => {
|
|
const { pathname, search } = getRequestURL(event)
|
|
const target = `${mgmtUrl()}${pathname}${search}`
|
|
const token = mgmtToken()
|
|
// The mgmt API now requires a token always. Without one configured, forwarding an empty bearer
|
|
// would just bounce as 401 — fail fast and legibly instead (the packaged service sources the
|
|
// host's ~/.config/punktfunk/mgmt-token, so this only fires on a misconfigured/early-start deploy).
|
|
if (!token) {
|
|
setResponseStatus(event, 503)
|
|
return { error: 'management token not configured (PUNKTFUNK_MGMT_TOKEN / ~/.config/punktfunk/mgmt-token)' }
|
|
}
|
|
return proxyRequest(event, target, {
|
|
headers: {
|
|
// Overwrite, not append: the host-held token replaces anything the browser sent.
|
|
authorization: `Bearer ${token}`,
|
|
// Don't forward the session cookie to the management API.
|
|
cookie: '',
|
|
},
|
|
})
|
|
})
|