mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2025-02-22 06:21:44 +01:00
Code Issues Projects Releases Packages Wiki Activity

If AnyoneCanInvoice and the storeId is passed as a parameter to the Bitpay API, then allow request

Browse source
This commit is contained in:
nicolas.dorier 2019-03-25 12:18:39 +09:00
parent 4d7e9d3f8a
commit ee733fee28
1 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
BTCPayServer/Security/BitpayAuthentication.cs
View file

@ -57,18 +57,27 @@ namespace BTCPayServer.Security
List<Claim> claims = new List<Claim>();
var bitpayAuth = Context.Request.HttpContext.GetBitpayAuth();
string storeId = null;
bool hasCredentials = false;
bool? success = null;
if (!string.IsNullOrEmpty(bitpayAuth.Signature) && !string.IsNullOrEmpty(bitpayAuth.Id))
{
var result = await CheckBitId(Context.Request.HttpContext, bitpayAuth.Signature, bitpayAuth.Id, claims);
storeId = result.StoreId;
success = result.SuccessAuth;
hasCredentials = true;
}
else if (!string.IsNullOrEmpty(bitpayAuth.Authorization))
{
storeId = await CheckLegacyAPIKey(Context.Request.HttpContext, bitpayAuth.Authorization);
success = storeId != null;
hasCredentials = true;
}
else
{
if (Context.Request.HttpContext.Request.Query.TryGetValue("storeId", out var storeIdStringValues))
{
storeId = storeIdStringValues.FirstOrDefault();
}
}
if (success is true)
@ -77,6 +86,10 @@ namespace BTCPayServer.Security
{
claims.Add(new Claim(Policies.CanCreateInvoice.Key, storeId));
var store = await _StoreRepository.FindStore(storeId);
if (!hasCredentials && !store.GetStoreBlob().AnyoneCanInvoice)
{
return AuthenticateResult.Fail("Invalid credentials");
}
store.AdditionalClaims.AddRange(claims);
Context.Request.HttpContext.SetStoreData(store);
}
@ -86,7 +99,6 @@ namespace BTCPayServer.Security
{
return AuthenticateResult.Fail("Invalid credentials");
}
// else if (success is null)
}
return AuthenticateResult.NoResult();
}