mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2025-02-23 06:35:13 +01:00
Code Issues Projects Releases Packages Wiki Activity

If AnyoneCanInvoice and the storeId is passed as a parameter to the Bitpay API, then allow request

Browse source
This commit is contained in:
nicolas.dorier 2019-03-25 12:18:39 +09:00
parent 4d7e9d3f8a
commit ee733fee28
1 changed files with 14 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
BTCPayServer/Security/BitpayAuthentication.cs
View file

@ -57,18 +57,27 @@ namespace BTCPayServer.Security
List<Claim> claims = new List<Claim>(); List<Claim> claims = new List<Claim>();
var bitpayAuth = Context.Request.HttpContext.GetBitpayAuth(); var bitpayAuth = Context.Request.HttpContext.GetBitpayAuth();
string storeId = null; string storeId = null;
bool hasCredentials = false;
bool? success = null; bool? success = null;
if (!string.IsNullOrEmpty(bitpayAuth.Signature) && !string.IsNullOrEmpty(bitpayAuth.Id)) if (!string.IsNullOrEmpty(bitpayAuth.Signature) && !string.IsNullOrEmpty(bitpayAuth.Id))
{ {
var result = await CheckBitId(Context.Request.HttpContext, bitpayAuth.Signature, bitpayAuth.Id, claims); var result = await CheckBitId(Context.Request.HttpContext, bitpayAuth.Signature, bitpayAuth.Id, claims);
storeId = result.StoreId; storeId = result.StoreId;
success = result.SuccessAuth; success = result.SuccessAuth;
hasCredentials = true;
} }
else if (!string.IsNullOrEmpty(bitpayAuth.Authorization)) else if (!string.IsNullOrEmpty(bitpayAuth.Authorization))
{ {
storeId = await CheckLegacyAPIKey(Context.Request.HttpContext, bitpayAuth.Authorization); storeId = await CheckLegacyAPIKey(Context.Request.HttpContext, bitpayAuth.Authorization);
success = storeId != null; success = storeId != null;
hasCredentials = true;
}
else
{
if (Context.Request.HttpContext.Request.Query.TryGetValue("storeId", out var storeIdStringValues))
{
storeId = storeIdStringValues.FirstOrDefault();
}
} }
if (success is true) if (success is true)
@ -77,6 +86,10 @@ namespace BTCPayServer.Security
{ {
claims.Add(new Claim(Policies.CanCreateInvoice.Key, storeId)); claims.Add(new Claim(Policies.CanCreateInvoice.Key, storeId));
var store = await _StoreRepository.FindStore(storeId); var store = await _StoreRepository.FindStore(storeId);
if (!hasCredentials && !store.GetStoreBlob().AnyoneCanInvoice)
{
return AuthenticateResult.Fail("Invalid credentials");
}
store.AdditionalClaims.AddRange(claims); store.AdditionalClaims.AddRange(claims);
Context.Request.HttpContext.SetStoreData(store); Context.Request.HttpContext.SetStoreData(store);
} }
@ -86,7 +99,6 @@ namespace BTCPayServer.Security
{ {
return AuthenticateResult.Fail("Invalid credentials"); return AuthenticateResult.Fail("Invalid credentials");
} }
// else if (success is null)
} }
return AuthenticateResult.NoResult(); return AuthenticateResult.NoResult();
} }