add simple auth for new admin routes and basic auth token management

+81 -1
+11
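--- a/bgs/admin.go
+++ b/bgs/admin.go
@@ -0,0 +1,11 @@
+package bgs
+
+import "github.com/labstack/echo/v4"
+
+func (bgs *BGS) handleAdminDeleteRecord(e echo.Context) error {
+	panic("TODO")
+}
+
+func (bgs *BGS) handleAdminBlockRepoStream(e echo.Context) error {
+	panic("TODO")
+}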
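Review bot: `handleAdminDeleteRecord` is wired to `POST /admin/deleteRecord` in bgs/bgs.go while its body is still `panic("TODO")`, so the first authenticated request to the route panics inside the handler goroutine unless a recover middleware is installed somewhere this commit does not show. A stub should fail as a defined HTTP error instead, e.g. `return echo.NewHTTPError(http.StatusNotImplemented, "deleteRecord not implemented")` (needs `net/http` in the import block). `handleAdminBlockRepoStream` is not registered on any route in this commit, so it can be left out until it has a body; if it stays, give it the same non-panicking stub.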
+60 -1
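--- a/bgs/bgs.go
+++ b/bgs/bgs.go
@@ -60,6 +60,7 @@
 
 func NewBGS(db *gorm.DB, ix *indexer.Indexer, repoman *repomgr.RepoManager, evtman *events.EventManager, didr plc.DidResolver, blobs blobs.BlobStore, ssl bool) (*BGS, error) {
 	db.AutoMigrate(User{})
+	db.AutoMigrate(AuthToken{})
 	db.AutoMigrate(models.PDS{})
 
 	bgs := &BGS{
@@ -181,7 +182,6 @@
 	// TODO: this API is temporary until we formalize what we want here
 
 	e.GET("/xrpc/com.atproto.sync.subscribeRepos", bgs.EventsHandler)
-
 	e.GET("/xrpc/com.atproto.sync.getCheckout", bgs.HandleComAtprotoSyncGetCheckout)
 	e.GET("/xrpc/com.atproto.sync.getCommitPath", bgs.HandleComAtprotoSyncGetCommitPath)
 	e.GET("/xrpc/com.atproto.sync.getHead", bgs.HandleComAtprotoSyncGetHead)
@@ -191,6 +191,9 @@
 	e.GET("/xrpc/com.atproto.sync.requestCrawl", bgs.HandleComAtprotoSyncRequestCrawl)
 	e.GET("/xrpc/com.atproto.sync.notifyOfUpdate", bgs.HandleComAtprotoSyncNotifyOfUpdate)
 	e.GET("/xrpc/_health", bgs.HandleHealthCheck)
+
+	admin := e.Group("/admin", bgs.checkAdminAuth)
+	admin.POST("/deleteRecord", bgs.handleAdminDeleteRecord)
 
 	return e.Start(listen)
 }
@@ -206,6 +209,62 @@
 		return c.JSON(500, HealthStatus{Status: "error", Message: "can't connect to database"})
 	} else {
 		return c.JSON(200, HealthStatus{Status: "ok"})
+	}
+}
+
+type AuthToken struct {
+	gorm.Model
+	Token string `gorm:"index"`
+}
+
+func (bgs *BGS) lookupAdminToken(tok string) (bool, error) {
+	var at AuthToken
+	if err := bgs.db.Find(&at, "token = ?", tok).Error; err != nil {
+		return false, err
+	}
+
+	if at.ID == 0 {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func (bgs *BGS) CreateAdminToken(tok string) error {
+	exists, err := bgs.lookupAdminToken(tok)
+	if err != nil {
+		return err
+	}
+
+	if exists {
+		return nil
+	}
+
+	return bgs.db.Create(&AuthToken{
+		Token: tok,
+	}).Error
+}
+
+func (bgs *BGS) checkAdminAuth(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(e echo.Context) error {
+		authheader := e.Request().Header.Get("Authorization")
+		pref := "Bearer "
+		if !strings.HasPrefix(authheader, pref) {
+			return echo.ErrForbidden
+		}
+
+		token := authheader[len(pref):]
+
+		exists, err := bgs.lookupAdminToken(token)
+		if err != nil {
+			return err
+		}
+
+		if !exists {
+			return echo.ErrForbidden
+		}
+
+		return next(e)
 	}
 }
 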
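Review bot: `CreateAdminToken` stores the bearer token in clear text in the `AuthToken` table and `lookupAdminToken` matches on that column, so any read of the database or of a backup yields a working admin credential. Storing a digest and looking up by digest keeps the secret out of the table at no cost to the check; a plain SHA-256 is adequate when the key is a random high-entropy value, but if `admin-key` may be operator-chosen a password hash would be the better fit. While there, `checkAdminAuth` answers a missing or unknown bearer token with `echo.ErrForbidden`, whereas `echo.ErrUnauthorized` is the conventional status for absent or invalid credentials. The change below needs `crypto/sha256` and `encoding/hex` in the import block, which is outside the hunk; the two helpers and the middleware themselves are fully inside it.
```go
// hashToken returns the hex SHA-256 digest of tok; only the digest is stored and compared.
func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

func (bgs *BGS) lookupAdminToken(tok string) (bool, error) {
	var at AuthToken
	if err := bgs.db.Find(&at, "token = ?", hashToken(tok)).Error; err != nil {
	// … unchanged: error return, ID check …

func (bgs *BGS) CreateAdminToken(tok string) error {
	// … unchanged: existence check …
	return bgs.db.Create(&AuthToken{
		Token: hashToken(tok),
	}).Error
}
```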
+10
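--- a/cmd/bigsky/main.go
+++ b/cmd/bigsky/main.go
@@ -103,6 +103,10 @@
 		&cli.StringFlag{
 			Name: "disk-blob-store",
 		},
+		&cli.StringFlag{
+			Name:    "admin-key",
+			EnvVars: []string{"BGS_ADMIN_KEY"},
+		},
 	}
 
 	app.Action = func(cctx *cli.Context) error {
@@ -199,6 +203,12 @@
 		bgs, err := bgs.NewBGS(db, ix, repoman, evtman, cachedidr, blobstore, !cctx.Bool("crawl-insecure-ws"))
 		if err != nil {
 			return err
+		}
+
+		if tok := cctx.String("admin-key"); tok != "" {
+			if err := bgs.CreateAdminToken(tok); err != nil {
+				return fmt.Errorf("failed to set up admin token: %w", err)
+			}
 		}
 
 		// set up pprof endpoint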
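Review bot: The new `admin-key` flag has no `Usage` text and the value is never checked for length before `CreateAdminToken`, so `--help` does not say what the value grants and a one-character key becomes a valid admin bearer credential. Add `Usage: "bearer token accepted by the /admin routes; prefer setting it via BGS_ADMIN_KEY so it stays out of process listings and shell history",` to the flag, and guard the second hunk with something like `if len(tok) < 32 { return fmt.Errorf("admin-key must be at least 32 characters") }` (the threshold is an example to tune). The error wrapping assumes `fmt` is already imported in this file, which the hunk does not show.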