mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2025-02-20 13:34:37 +01:00
Code Issues Projects Releases Packages Wiki Activity

clean and remove hack

Browse source
This commit is contained in:
Kukks 2020-08-28 09:15:08 +02:00
parent 0e07fcc706
commit 6a8dbf49da
2 changed files with 61 additions and 62 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
BTCPayServer.Client/BTCPayServerClient.cs
View file

@ -103,7 +103,7 @@ namespace BTCPayServer.Client
return request;
}
private static void AppendPayloadToQuery(UriBuilder uri, KeyValuePair<string, object> keyValuePair)
public static void AppendPayloadToQuery(UriBuilder uri, KeyValuePair<string, object> keyValuePair)
{
if (uri.Query.Length > 1)
uri.Query += "&";
@ -126,7 +126,7 @@ namespace BTCPayServer.Client
uri.Query = uri.Query.Trim('&');
}
private static void AppendPayloadToQuery(UriBuilder uri, Dictionary<string, object> payload)
public static void AppendPayloadToQuery(UriBuilder uri, Dictionary<string, object> payload)
{
if (uri.Query.Length > 1)
uri.Query += "&";

119
BTCPayServer/Controllers/ManageController.APIKeys.cs
View file

@ -104,69 +104,73 @@ namespace BTCPayServer.Controllers
{
UserId = new[] {_userManager.GetUserId(User)}
});
if (keys.Any())
foreach (var key in keys)
{
foreach (var key in keys)
var blob = key.GetBlob();
if (blob.ApplicationIdentifier != applicationIdentifier ||
blob.ApplicationAuthority != redirect.Authority)
{
var blob = key.GetBlob();
if (blob.ApplicationIdentifier != applicationIdentifier ||
blob.ApplicationAuthority != redirect.Authority)
continue;
}
//matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough
var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions)
.GroupBy(permission => permission.Policy);
var fail = false;
foreach (var permission in requestPermissions.GroupBy(permission => permission.Policy))
{
var presentPermission =
alreadyPresentPermissions.SingleOrDefault(grouping => permission.Key == grouping.Key);
if (strict && presentPermission == null)
{
continue;
fail = true;
break;
}
//matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough
var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions).GroupBy(permission => permission.Policy);
var fail = false;
foreach (var permission in requestPermissions.GroupBy(permission => permission.Policy))
if (Policies.IsStorePolicy(permission.Key))
{
var presentPermission =
alreadyPresentPermissions.SingleOrDefault(grouping => permission.Key == grouping.Key);
if (strict && presentPermission == null)
if (!selectiveStores &&
permission.Any(permission1 => !string.IsNullOrEmpty(permission1.Scope)))
{
TempData.SetStatusMessageModel(new StatusMessageModel()
{
Severity = StatusMessageModel.StatusSeverity.Error,
Message =
"Cannot request specific store permission when selectiveStores is not enable"
});
return RedirectToAction("APIKeys");
}
else if (!selectiveStores && presentPermission.Any(permission1 =>
!string.IsNullOrEmpty(permission1.Scope)))
{
fail = true;
break;
}
if(Policies.IsStorePolicy(permission.Key))
{
if (!selectiveStores && permission.Any(permission1 => !string.IsNullOrEmpty(permission1.Scope)))
{
TempData.SetStatusMessageModel(new StatusMessageModel()
{
Severity = StatusMessageModel.StatusSeverity.Error,
Message = "Cannot request specific store permission when selectiveStores is not enable"
});
return RedirectToAction("APIKeys");
}else if (!selectiveStores && presentPermission.Any(permission1 =>
!string.IsNullOrEmpty(permission1.Scope)))
{
fail = true;
break;
}
}
}
if (fail)
{
continue;
}
//we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app.
return View("Confirm",
new ConfirmModel()
{
Title = $"Are you sure about exposing your API Key to {applicationName??applicationIdentifier}?",
Description = $"You've previously generated this API Key ({key.Id}) specifically for {applicationName??applicationIdentifier} with the url {redirect}. ",
ActionUrl = GetRedirectToApplicationUrl(redirect, key),
ButtonClass = "btn-secondary",
Action = "Confirm"
});
}
if (fail)
{
continue;
}
//we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app.
return View("Confirm",
new ConfirmModel()
{
Title =
$"Are you sure about exposing your API Key to {applicationName ?? applicationIdentifier}?",
Description =
$"You've previously generated this API Key ({key.Id}) specifically for {applicationName ?? applicationIdentifier} with the url {redirect}. ",
ActionUrl = GetRedirectToApplicationUrl(redirect, key),
ButtonClass = "btn-secondary",
Action = "Confirm"
});
}
}
var vm = await SetViewModelValues(new AuthorizeApiKeysViewModel()
{
RedirectUrl = redirect,
@ -256,8 +260,8 @@ namespace BTCPayServer.Controllers
case "no":
return RedirectToAction("APIKeys");
case "yes":
var key = await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl.Authority));
var key = await CreateKey(viewModel, (viewModel.ApplicationIdentifier, viewModel.RedirectUrl?.Authority));
if (viewModel.RedirectUrl != null)
{
return Redirect(GetRedirectToApplicationUrl(viewModel.RedirectUrl, key));
@ -278,15 +282,10 @@ namespace BTCPayServer.Controllers
{
var uri = new UriBuilder(redirect);
var permissions = key.GetBlob().Permissions;
uri.AppendPayloadToQuery(new Dictionary<string, object>()
{
{"key", key.Id}, {"permissions",permissions}, {"user", key.UserId}
});
//uri builder has bug around string[] params
return uri.Uri.ToStringInvariant().Replace("permissions=System.String%5B%5D",
string.Join("&", permissions.Select(s1 => $"permissions={s1}")), StringComparison.InvariantCulture);
BTCPayServerClient.AppendPayloadToQuery(uri,
new Dictionary<string, object>() {{"key", key.Id}, {"permissions", permissions}, {"user", key.UserId}});
return uri.Uri.AbsoluteUri;
}
[HttpPost]
public async Task<IActionResult> AddApiKey(AddApiKeyViewModel viewModel)