jnd/beszel-ipv6
1
0
Fork 0
mirror of https://github.com/henrygd/beszel.git synced 2026-04-10 23:11:50 +02:00
Code Issues Packages Projects Releases 2 Wiki Activity

hub: return error if accessing /api/beszel/universal-token with a superuser account (#1870)

Browse Source
This commit is contained in:
henrygd
2026-04-01 22:16:47 -04:00
parent ba10da1b9f
commit 0fff699bf6
3 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
internal/hub/api.go
View File

@@ -180,6 +180,10 @@ func (info *UpdateInfo) getUpdate(e *core.RequestEvent) error {
// GetUniversalToken handles the universal token API endpoint (create, read, delete) // GetUniversalToken handles the universal token API endpoint (create, read, delete)
func (h *Hub) getUniversalToken(e *core.RequestEvent) error { func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
if e.Auth.IsSuperuser() {
return e.ForbiddenError("Superusers cannot use universal tokens", nil)
}
tokenMap := universalTokenMap.GetMap() tokenMap := universalTokenMap.GetMap()
userID := e.Auth.Id userID := e.Auth.Id
query := e.Request.URL.Query() query := e.Request.URL.Query()

19
internal/hub/api_test.go
View File

@@ -45,6 +45,12 @@ func TestApiRoutesAuthentication(t *testing.T) {
readOnlyUser, err := beszelTests.CreateUserWithRole(hub, "readonly@example.com", "password123", "readonly") readOnlyUser, err := beszelTests.CreateUserWithRole(hub, "readonly@example.com", "password123", "readonly")
require.NoError(t, err, "Failed to create readonly user") require.NoError(t, err, "Failed to create readonly user")
readOnlyUserToken, err := readOnlyUser.NewAuthToken() readOnlyUserToken, err := readOnlyUser.NewAuthToken()
require.NoError(t, err, "Failed to create readonly user auth token")
superuser, err := beszelTests.CreateSuperuser(hub, "superuser@example.com", "password123")
require.NoError(t, err, "Failed to create superuser")
superuserToken, err := superuser.NewAuthToken()
require.NoError(t, err, "Failed to create superuser auth token")
// Create test system // Create test system
system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{ system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
@@ -197,6 +203,19 @@ func TestApiRoutesAuthentication(t *testing.T) {
ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"}, ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
TestAppFactory: testAppFactory, TestAppFactory: testAppFactory,
}, },
{
Name: "GET /universal-token - superuser should fail",
Method: http.MethodGet,
URL: "/api/beszel/universal-token",
Headers: map[string]string{
"Authorization": superuserToken,
},
ExpectedStatus: 403,
ExpectedContent: []string{"Superusers cannot use universal tokens"},
TestAppFactory: func(t testing.TB) *pbTests.TestApp {
return hub.TestApp
},
},
{ {
Name: "GET /universal-token - with readonly auth should fail", Name: "GET /universal-token - with readonly auth should fail",
Method: http.MethodGet, Method: http.MethodGet,

10
internal/tests/hub.go
View File

@@ -77,6 +77,16 @@ func CreateUser(app core.App, email string, password string) (*core.Record, erro
return user, app.Save(user) return user, app.Save(user)
} }
// Helper function to create a test superuser for config tests
func CreateSuperuser(app core.App, email string, password string) (*core.Record, error) {
superusersCollection, _ := app.FindCachedCollectionByNameOrId(core.CollectionNameSuperusers)
superuser := core.NewRecord(superusersCollection)
superuser.Set("email", email)
superuser.Set("password", password)
return superuser, app.Save(superuser)
}
func CreateUserWithRole(app core.App, email string, password string, roleName string) (*core.Record, error) { func CreateUserWithRole(app core.App, email string, password string, roleName string) (*core.Record, error) {
user, err := CreateUser(app, email, password) user, err := CreateUser(app, email, password)
if err != nil { if err != nil {