2020-05-03 15:57:05 +02:00
|
|
|
from http import HTTPStatus
|
2023-12-12 12:38:19 +02:00
|
|
|
from typing import Annotated, Literal, Optional, Type, Union
|
2022-07-20 09:36:13 +02:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
from fastapi import Cookie, Depends, Query, Request, Security
|
2023-05-09 10:18:53 +02:00
|
|
|
from fastapi.exceptions import HTTPException
|
2021-08-29 19:38:42 +02:00
|
|
|
from fastapi.openapi.models import APIKey, APIKeyIn
|
2023-12-12 12:38:19 +02:00
|
|
|
from fastapi.security import APIKeyHeader, APIKeyQuery, OAuth2PasswordBearer
|
2021-08-29 19:38:42 +02:00
|
|
|
from fastapi.security.base import SecurityBase
|
2023-12-12 12:38:19 +02:00
|
|
|
from jose import ExpiredSignatureError, JWTError, jwt
|
|
|
|
|
from loguru import logger
|
2021-10-18 16:06:06 +01:00
|
|
|
from pydantic.types import UUID4
|
2021-08-29 19:38:42 +02:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
from lnbits.core.crud import (
|
|
|
|
|
get_account,
|
|
|
|
|
get_account_by_email,
|
|
|
|
|
get_account_by_username,
|
|
|
|
|
get_user,
|
|
|
|
|
get_wallet_for_key,
|
|
|
|
|
)
|
2023-08-23 12:41:22 +02:00
|
|
|
from lnbits.core.models import User, WalletType, WalletTypeInfo
|
2023-05-09 10:18:53 +02:00
|
|
|
from lnbits.db import Filter, Filters, TFilterModel
|
2023-12-12 12:38:19 +02:00
|
|
|
from lnbits.settings import AuthMethods, settings
|
|
|
|
|
|
|
|
|
|
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="api/v1/auth", auto_error=False)
|
2020-03-04 23:11:15 +01:00
|
|
|
|
|
|
|
|
|
2023-02-02 12:58:23 +00:00
|
|
|
# TODO: fix type ignores
|
2021-08-29 19:38:42 +02:00
|
|
|
class KeyChecker(SecurityBase):
|
2021-10-17 18:33:29 +01:00
|
|
|
def __init__(
|
2023-02-02 12:58:23 +00:00
|
|
|
self,
|
|
|
|
|
scheme_name: Optional[str] = None,
|
|
|
|
|
auto_error: bool = True,
|
|
|
|
|
api_key: Optional[str] = None,
|
2021-10-17 18:33:29 +01:00
|
|
|
):
|
2021-08-29 19:38:42 +02:00
|
|
|
self.scheme_name = scheme_name or self.__class__.__name__
|
|
|
|
|
self.auto_error = auto_error
|
2023-08-23 12:41:22 +02:00
|
|
|
self._key_type = WalletType.invoice
|
2021-08-29 19:38:42 +02:00
|
|
|
self._api_key = api_key
|
|
|
|
|
if api_key:
|
2022-07-20 09:36:13 +02:00
|
|
|
key = APIKey(
|
2023-02-02 12:58:23 +00:00
|
|
|
**{"in": APIKeyIn.query}, # type: ignore
|
2021-10-17 18:33:29 +01:00
|
|
|
name="X-API-KEY",
|
|
|
|
|
description="Wallet API Key - QUERY",
|
2021-08-29 19:38:42 +02:00
|
|
|
)
|
|
|
|
|
else:
|
2022-07-20 09:36:13 +02:00
|
|
|
key = APIKey(
|
2023-02-02 12:58:23 +00:00
|
|
|
**{"in": APIKeyIn.header}, # type: ignore
|
2021-10-17 18:33:29 +01:00
|
|
|
name="X-API-KEY",
|
|
|
|
|
description="Wallet API Key - HEADER",
|
2021-08-29 19:38:42 +02:00
|
|
|
)
|
2023-08-23 12:41:22 +02:00
|
|
|
self.wallet = None
|
2022-07-20 09:36:13 +02:00
|
|
|
self.model: APIKey = key
|
2021-08-29 19:38:42 +02:00
|
|
|
|
2022-07-20 09:36:13 +02:00
|
|
|
async def __call__(self, request: Request):
|
2021-08-29 19:38:42 +02:00
|
|
|
try:
|
2021-10-17 18:33:29 +01:00
|
|
|
key_value = (
|
|
|
|
|
self._api_key
|
|
|
|
|
if self._api_key
|
|
|
|
|
else request.headers.get("X-API-KEY") or request.query_params["api-key"]
|
|
|
|
|
)
|
2023-08-24 11:26:09 +02:00
|
|
|
# FIXME: Find another way to validate the key. A fetch from DB should be
|
|
|
|
|
# avoided here. Also, we should not return the wallet here - thats
|
|
|
|
|
# silly. Possibly store it in a Redis DB
|
|
|
|
|
wallet = await get_wallet_for_key(key_value, self._key_type)
|
2023-09-11 14:06:31 +01:00
|
|
|
if not wallet or wallet.deleted:
|
2021-10-17 18:33:29 +01:00
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.UNAUTHORIZED,
|
2023-09-11 14:06:31 +01:00
|
|
|
detail="Invalid key or wallet.",
|
2021-10-17 18:33:29 +01:00
|
|
|
)
|
2023-09-11 14:06:31 +01:00
|
|
|
self.wallet = wallet # type: ignore
|
2021-08-29 19:38:42 +02:00
|
|
|
except KeyError:
|
2021-10-17 18:33:29 +01:00
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.BAD_REQUEST, detail="`X-API-KEY` header missing."
|
|
|
|
|
)
|
|
|
|
|
|
2021-08-29 19:38:42 +02:00
|
|
|
|
|
|
|
|
class WalletInvoiceKeyChecker(KeyChecker):
|
|
|
|
|
"""
|
|
|
|
|
WalletInvoiceKeyChecker will ensure that the provided invoice
|
2021-10-15 16:21:05 +01:00
|
|
|
wallet key is correct and populate g().wallet with the wallet
|
2021-08-29 19:38:42 +02:00
|
|
|
for the key in `X-API-key`.
|
|
|
|
|
|
|
|
|
|
The checker will raise an HTTPException when the key is wrong in some ways.
|
|
|
|
|
"""
|
2021-10-17 18:33:29 +01:00
|
|
|
|
|
|
|
|
def __init__(
|
2023-02-02 12:58:23 +00:00
|
|
|
self,
|
|
|
|
|
scheme_name: Optional[str] = None,
|
|
|
|
|
auto_error: bool = True,
|
|
|
|
|
api_key: Optional[str] = None,
|
2021-10-17 18:33:29 +01:00
|
|
|
):
|
2021-08-29 19:38:42 +02:00
|
|
|
super().__init__(scheme_name, auto_error, api_key)
|
2023-08-23 12:41:22 +02:00
|
|
|
self._key_type = WalletType.invoice
|
2021-08-29 19:38:42 +02:00
|
|
|
|
2021-10-17 18:33:29 +01:00
|
|
|
|
2021-08-29 19:38:42 +02:00
|
|
|
class WalletAdminKeyChecker(KeyChecker):
|
|
|
|
|
"""
|
|
|
|
|
WalletAdminKeyChecker will ensure that the provided admin
|
2021-10-15 16:21:05 +01:00
|
|
|
wallet key is correct and populate g().wallet with the wallet
|
2021-08-29 19:38:42 +02:00
|
|
|
for the key in `X-API-key`.
|
|
|
|
|
|
|
|
|
|
The checker will raise an HTTPException when the key is wrong in some ways.
|
|
|
|
|
"""
|
2021-10-17 18:33:29 +01:00
|
|
|
|
|
|
|
|
def __init__(
|
2023-02-02 12:58:23 +00:00
|
|
|
self,
|
|
|
|
|
scheme_name: Optional[str] = None,
|
|
|
|
|
auto_error: bool = True,
|
|
|
|
|
api_key: Optional[str] = None,
|
2021-10-17 18:33:29 +01:00
|
|
|
):
|
2021-08-29 19:38:42 +02:00
|
|
|
super().__init__(scheme_name, auto_error, api_key)
|
2023-08-23 12:41:22 +02:00
|
|
|
self._key_type = WalletType.admin
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2021-10-17 18:33:29 +01:00
|
|
|
|
|
|
|
|
api_key_header = APIKeyHeader(
|
|
|
|
|
name="X-API-KEY",
|
|
|
|
|
auto_error=False,
|
|
|
|
|
description="Admin or Invoice key for wallet API's",
|
|
|
|
|
)
|
|
|
|
|
api_key_query = APIKeyQuery(
|
|
|
|
|
name="api-key",
|
|
|
|
|
auto_error=False,
|
|
|
|
|
description="Admin or Invoice key for wallet API's",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
async def get_key_type(
|
|
|
|
|
r: Request,
|
2023-01-02 11:56:28 +01:00
|
|
|
api_key_header: str = Security(api_key_header),
|
|
|
|
|
api_key_query: str = Security(api_key_query),
|
2021-10-17 18:33:29 +01:00
|
|
|
) -> WalletTypeInfo:
|
2022-08-16 17:01:05 +02:00
|
|
|
token = api_key_header or api_key_query
|
2021-10-15 17:05:38 +01:00
|
|
|
|
2022-08-16 17:01:05 +02:00
|
|
|
if not token:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.UNAUTHORIZED,
|
|
|
|
|
detail="Invoice (or Admin) key required.",
|
|
|
|
|
)
|
2021-10-17 18:33:29 +01:00
|
|
|
|
2023-08-23 12:41:22 +02:00
|
|
|
for wallet_type, WalletChecker in zip(
|
|
|
|
|
[WalletType.admin, WalletType.invoice],
|
|
|
|
|
[WalletAdminKeyChecker, WalletInvoiceKeyChecker],
|
2022-09-12 18:49:57 +03:00
|
|
|
):
|
|
|
|
|
try:
|
|
|
|
|
checker = WalletChecker(api_key=token)
|
|
|
|
|
await checker.__call__(r)
|
2023-08-23 12:41:22 +02:00
|
|
|
if checker.wallet is None:
|
2022-09-12 18:49:57 +03:00
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.NOT_FOUND, detail="Wallet does not exist."
|
|
|
|
|
)
|
2023-08-23 12:41:22 +02:00
|
|
|
wallet = WalletTypeInfo(wallet_type, checker.wallet)
|
2022-09-12 18:49:57 +03:00
|
|
|
if (
|
2022-12-07 11:02:23 +01:00
|
|
|
wallet.wallet.user != settings.super_user
|
|
|
|
|
and wallet.wallet.user not in settings.lnbits_admin_users
|
2022-10-03 16:46:46 +02:00
|
|
|
) and (
|
|
|
|
|
settings.lnbits_admin_extensions
|
2023-08-23 12:41:22 +02:00
|
|
|
and r["path"].split("/")[1] in settings.lnbits_admin_extensions
|
2022-10-03 16:46:46 +02:00
|
|
|
):
|
2022-09-12 18:49:57 +03:00
|
|
|
raise HTTPException(
|
2022-09-20 15:34:03 +03:00
|
|
|
status_code=HTTPStatus.FORBIDDEN,
|
|
|
|
|
detail="User not authorized for this extension.",
|
2022-09-12 18:49:57 +03:00
|
|
|
)
|
|
|
|
|
return wallet
|
2023-08-23 12:41:22 +02:00
|
|
|
except HTTPException as exc:
|
|
|
|
|
if exc.status_code == HTTPStatus.BAD_REQUEST:
|
2022-09-12 18:49:57 +03:00
|
|
|
raise
|
2023-08-23 12:41:22 +02:00
|
|
|
elif exc.status_code == HTTPStatus.UNAUTHORIZED:
|
2023-08-24 11:26:09 +02:00
|
|
|
# we pass this in case it is not an invoice key, nor an admin key,
|
|
|
|
|
# and then return NOT_FOUND at the end of this block
|
2022-09-12 18:49:57 +03:00
|
|
|
pass
|
2022-09-20 15:34:03 +03:00
|
|
|
else:
|
|
|
|
|
raise
|
2023-08-16 12:17:54 +02:00
|
|
|
except Exception:
|
2021-09-28 21:13:04 +02:00
|
|
|
raise
|
2022-09-12 18:49:57 +03:00
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.NOT_FOUND, detail="Wallet does not exist."
|
|
|
|
|
)
|
2021-10-17 18:33:29 +01:00
|
|
|
|
|
|
|
|
|
2021-10-18 16:06:06 +01:00
|
|
|
async def require_admin_key(
|
|
|
|
|
r: Request,
|
2023-01-02 11:56:28 +01:00
|
|
|
api_key_header: str = Security(api_key_header),
|
|
|
|
|
api_key_query: str = Security(api_key_query),
|
2021-10-18 16:06:06 +01:00
|
|
|
):
|
2022-08-16 17:01:05 +02:00
|
|
|
token = api_key_header or api_key_query
|
|
|
|
|
|
|
|
|
|
if not token:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=HTTPStatus.UNAUTHORIZED,
|
|
|
|
|
detail="Admin key required.",
|
|
|
|
|
)
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2021-10-18 16:06:06 +01:00
|
|
|
wallet = await get_key_type(r, token)
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2021-10-18 16:06:06 +01:00
|
|
|
if wallet.wallet_type != 0:
|
|
|
|
|
# If wallet type is not admin then return the unauthorized status
|
|
|
|
|
# This also covers when the user passes an invalid key type
|
|
|
|
|
raise HTTPException(
|
2023-08-23 12:41:22 +02:00
|
|
|
status_code=HTTPStatus.UNAUTHORIZED, detail="Admin key required."
|
2021-10-18 16:06:06 +01:00
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
|
return wallet
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2022-01-30 19:43:30 +00:00
|
|
|
|
2021-12-28 15:22:45 +00:00
|
|
|
async def require_invoice_key(
|
|
|
|
|
r: Request,
|
2023-01-02 11:56:28 +01:00
|
|
|
api_key_header: str = Security(api_key_header),
|
|
|
|
|
api_key_query: str = Security(api_key_query),
|
2021-12-28 15:22:45 +00:00
|
|
|
):
|
2022-08-13 14:47:29 +02:00
|
|
|
token = api_key_header or api_key_query
|
|
|
|
|
|
2022-08-16 17:01:05 +02:00
|
|
|
if not token:
|
2022-08-13 14:47:29 +02:00
|
|
|
raise HTTPException(
|
2022-08-16 17:01:05 +02:00
|
|
|
status_code=HTTPStatus.UNAUTHORIZED,
|
2022-08-13 14:47:29 +02:00
|
|
|
detail="Invoice (or Admin) key required.",
|
|
|
|
|
)
|
2021-12-28 15:22:45 +00:00
|
|
|
|
|
|
|
|
wallet = await get_key_type(r, token)
|
|
|
|
|
|
2023-08-23 12:41:22 +02:00
|
|
|
if (
|
|
|
|
|
wallet.wallet_type != WalletType.admin
|
|
|
|
|
and wallet.wallet_type != WalletType.invoice
|
|
|
|
|
):
|
2021-12-28 15:22:45 +00:00
|
|
|
raise HTTPException(
|
2023-08-23 12:41:22 +02:00
|
|
|
status_code=HTTPStatus.UNAUTHORIZED,
|
2022-01-30 19:43:30 +00:00
|
|
|
detail="Invoice (or Admin) key required.",
|
2021-12-28 15:22:45 +00:00
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
|
return wallet
|
|
|
|
|
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
async def check_access_token(
|
|
|
|
|
header_access_token: Annotated[Union[str, None], Depends(oauth2_scheme)],
|
|
|
|
|
cookie_access_token: Annotated[Union[str, None], Cookie()] = None,
|
|
|
|
|
) -> Optional[str]:
|
|
|
|
|
return header_access_token or cookie_access_token
|
2022-10-03 16:46:46 +02:00
|
|
|
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
async def check_user_exists(
|
|
|
|
|
r: Request,
|
|
|
|
|
access_token: Annotated[Optional[str], Depends(check_access_token)],
|
|
|
|
|
usr: Optional[UUID4] = None,
|
|
|
|
|
) -> User:
|
|
|
|
|
if access_token:
|
|
|
|
|
account = await _get_account_from_token(access_token)
|
|
|
|
|
elif usr and settings.is_auth_method_allowed(AuthMethods.user_id_only):
|
|
|
|
|
account = await get_account(usr.hex)
|
|
|
|
|
else:
|
|
|
|
|
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Missing user ID or access token.")
|
|
|
|
|
|
|
|
|
|
if not account or not settings.is_user_allowed(account.id):
|
|
|
|
|
raise HTTPException(HTTPStatus.UNAUTHORIZED, "User not allowed.")
|
2020-03-04 23:11:15 +01:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
user = await get_user(account.id)
|
|
|
|
|
assert user, "User not found for account."
|
2022-10-03 16:46:46 +02:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
if not user.admin and r["path"].split("/")[1] in settings.lnbits_admin_extensions:
|
|
|
|
|
raise HTTPException(HTTPStatus.FORBIDDEN, "User not authorized for extension.")
|
2022-10-03 16:46:46 +02:00
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
return user
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
async def check_admin(user: Annotated[User, Depends(check_user_exists)]) -> User:
|
2023-01-21 15:07:40 +00:00
|
|
|
if user.id != settings.super_user and user.id not in settings.lnbits_admin_users:
|
2022-10-03 16:46:46 +02:00
|
|
|
raise HTTPException(
|
2023-12-12 12:38:19 +02:00
|
|
|
HTTPStatus.UNAUTHORIZED, "User not authorized. No admin privileges."
|
2022-10-03 16:46:46 +02:00
|
|
|
)
|
2022-12-06 16:08:21 +00:00
|
|
|
|
2022-12-07 11:02:23 +01:00
|
|
|
return user
|
2022-12-12 09:43:20 +01:00
|
|
|
|
|
|
|
|
|
2023-12-12 12:38:19 +02:00
|
|
|
async def check_super_user(user: Annotated[User, Depends(check_user_exists)]) -> User:
|
2022-12-12 09:43:20 +01:00
|
|
|
if user.id != settings.super_user:
|
|
|
|
|
raise HTTPException(
|
2023-12-12 12:38:19 +02:00
|
|
|
HTTPStatus.UNAUTHORIZED, "User not authorized. No super user privileges."
|
2022-12-12 09:43:20 +01:00
|
|
|
)
|
|
|
|
|
return user
|
2023-04-03 14:55:49 +02:00
|
|
|
|
|
|
|
|
|
2023-05-09 10:18:53 +02:00
|
|
|
def parse_filters(model: Type[TFilterModel]):
|
2023-04-03 14:55:49 +02:00
|
|
|
"""
|
|
|
|
|
Parses the query params as filters.
|
|
|
|
|
:param model: model used for validation of filter values
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def dependency(
|
2023-05-09 10:18:53 +02:00
|
|
|
request: Request,
|
|
|
|
|
limit: Optional[int] = None,
|
|
|
|
|
offset: Optional[int] = None,
|
|
|
|
|
sortby: Optional[str] = None,
|
|
|
|
|
direction: Optional[Literal["asc", "desc"]] = None,
|
|
|
|
|
search: Optional[str] = Query(None, description="Text based search"),
|
2023-04-03 14:55:49 +02:00
|
|
|
):
|
|
|
|
|
params = request.query_params
|
|
|
|
|
filters = []
|
|
|
|
|
for key in params.keys():
|
|
|
|
|
try:
|
|
|
|
|
filters.append(Filter.parse_query(key, params.getlist(key), model))
|
|
|
|
|
except ValueError:
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
return Filters(
|
|
|
|
|
filters=filters,
|
|
|
|
|
limit=limit,
|
|
|
|
|
offset=offset,
|
2023-05-09 10:18:53 +02:00
|
|
|
sortby=sortby,
|
|
|
|
|
direction=direction,
|
|
|
|
|
search=search,
|
|
|
|
|
model=model,
|
2023-04-03 14:55:49 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
return dependency
|
2023-12-12 12:38:19 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
async def _get_account_from_token(access_token):
|
|
|
|
|
try:
|
|
|
|
|
payload = jwt.decode(access_token, settings.auth_secret_key, "HS256")
|
|
|
|
|
if "sub" in payload and payload.get("sub"):
|
|
|
|
|
return await get_account_by_username(str(payload.get("sub")))
|
|
|
|
|
if "usr" in payload and payload.get("usr"):
|
|
|
|
|
return await get_account(str(payload.get("usr")))
|
|
|
|
|
if "email" in payload and payload.get("email"):
|
|
|
|
|
return await get_account_by_email(str(payload.get("email")))
|
|
|
|
|
|
|
|
|
|
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Data missing for access token.")
|
|
|
|
|
except ExpiredSignatureError:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
HTTPStatus.UNAUTHORIZED, "Session expired.", {"token-expired": "true"}
|
|
|
|
|
)
|
|
|
|
|
except JWTError as e:
|
|
|
|
|
logger.debug(e)
|
|
|
|
|
raise HTTPException(HTTPStatus.UNAUTHORIZED, "Invalid access token.")
|
