From 43c1a5e1c8efeba08e5e66e1adc70f74741b4906 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travpc@gmail.com>
Date: Wed, 4 Sep 2019 18:18:25 -0600
Subject: [PATCH] Expose shared secret auth to all APIs

---
 api/auth.go              | 19 +++++++++++++++----
 api/custom/purge.go      |  2 +-
 api/custom/quarantine.go |  2 +-
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/api/auth.go b/api/auth.go
index 56b76a33..ef3c7bb6 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -12,6 +12,7 @@ import (
 type UserInfo struct {
 	UserId      string
 	AccessToken string
+	IsShared    bool
 }
 
 func AccessTokenRequiredRoute(next func(r *http.Request, log *logrus.Entry, user UserInfo) interface{}) func(*http.Request, *logrus.Entry) interface{} {
@@ -21,6 +22,11 @@ func AccessTokenRequiredRoute(next func(r *http.Request, log *logrus.Entry, user
 			log.Error("Error: no token provided (required)")
 			return InternalServerError("Error no token provided (required)")
 		}
+		if config.Get().SharedSecret.Enabled && accessToken == config.Get().SharedSecret.Token {
+			log = log.WithFields(logrus.Fields{"isRepoAdmin": true})
+			log.Info("User authed using shared secret")
+			return next(r, log, UserInfo{UserId: "@sharedsecret", AccessToken: accessToken, IsShared: true})
+		}
 		appserviceUserId := util.GetAppserviceUserIdFromRequest(r)
 		userId, err := matrix.GetUserIdFromToken(r.Context(), r.Host, accessToken, appserviceUserId, r.RemoteAddr)
 		if err != nil || userId == "" {
@@ -34,7 +40,7 @@ func AccessTokenRequiredRoute(next func(r *http.Request, log *logrus.Entry, user
 		}
 
 		log = log.WithFields(logrus.Fields{"authUserId": userId})
-		return next(r, log, UserInfo{userId, accessToken})
+		return next(r, log, UserInfo{userId, accessToken, false})
 	}
 }
 
@@ -42,7 +48,12 @@ func AccessTokenOptionalRoute(next func(r *http.Request, log *logrus.Entry, user
 	return func(r *http.Request, log *logrus.Entry) interface{} {
 		accessToken := util.GetAccessTokenFromRequest(r)
 		if accessToken == "" {
-			return next(r, log, UserInfo{"", ""})
+			return next(r, log, UserInfo{"", "", false})
+		}
+		if config.Get().SharedSecret.Enabled && accessToken == config.Get().SharedSecret.Token {
+			log = log.WithFields(logrus.Fields{"isRepoAdmin": true})
+			log.Info("User authed using shared secret")
+			return next(r, log, UserInfo{UserId: "@sharedsecret", AccessToken: accessToken, IsShared: true})
 		}
 		appserviceUserId := util.GetAppserviceUserIdFromRequest(r)
 		userId, err := matrix.GetUserIdFromToken(r.Context(), r.Host, accessToken, appserviceUserId, r.RemoteAddr)
@@ -57,7 +68,7 @@ func AccessTokenOptionalRoute(next func(r *http.Request, log *logrus.Entry, user
 		}
 
 		log = log.WithFields(logrus.Fields{"authUserId": userId})
-		return next(r, log, UserInfo{userId, accessToken})
+		return next(r, log, UserInfo{userId, accessToken, false})
 	}
 }
 
@@ -82,7 +93,7 @@ func RepoAdminRoute(next func(r *http.Request, log *logrus.Entry, user UserInfo)
 			if accessToken == config.Get().SharedSecret.Token {
 				log = log.WithFields(logrus.Fields{"isRepoAdmin": true})
 				log.Info("User authed using shared secret")
-				return next(r, log, UserInfo{UserId: "@sharedsecret", AccessToken: accessToken})
+				return next(r, log, UserInfo{UserId: "@sharedsecret", AccessToken: accessToken, IsShared: true})
 			}
 		}
 
diff --git a/api/custom/purge.go b/api/custom/purge.go
index 5bb507d8..f3dcec69 100644
--- a/api/custom/purge.go
+++ b/api/custom/purge.go
@@ -121,7 +121,7 @@ func PurgeQurantined(r *http.Request, log *logrus.Entry, user api.UserInfo) inte
 }
 
 func getPurgeRequestInfo(r *http.Request, log *logrus.Entry, user api.UserInfo) (bool, bool) {
-	isGlobalAdmin := util.IsGlobalAdmin(user.UserId)
+	isGlobalAdmin := util.IsGlobalAdmin(user.UserId) || user.IsShared
 	isLocalAdmin, err := matrix.IsUserAdmin(r.Context(), r.Host, user.AccessToken, r.RemoteAddr)
 	if err != nil {
 		log.Error("Error verifying local admin: " + err.Error())
diff --git a/api/custom/quarantine.go b/api/custom/quarantine.go
index f28a5c01..d8d828ad 100644
--- a/api/custom/quarantine.go
+++ b/api/custom/quarantine.go
@@ -151,7 +151,7 @@ func setMediaQuarantined(media *types.Media, isQuarantined bool, allowOtherHosts
 }
 
 func getQuarantineRequestInfo(r *http.Request, log *logrus.Entry, user api.UserInfo) (bool, bool, bool) {
-	isGlobalAdmin := util.IsGlobalAdmin(user.UserId)
+	isGlobalAdmin := util.IsGlobalAdmin(user.UserId) || user.IsShared
 	canQuarantine := isGlobalAdmin
 	allowOtherHosts := isGlobalAdmin
 	isLocalAdmin := false
-- 
GitLab