Added API key authentication

11 years ago · 57fdbe6e08
parent 689f27bee6
commit 57fdbe6e08
11 changed files with 114 additions and 15 deletions
--- a/NzbDrone.Api/Authentication/EnableBasicAuthInNancy.cs
+++ b/NzbDrone.Api/Authentication/EnableBasicAuthInNancy.cs
@ -27,7 +27,10 @@ namespace NzbDrone.Api.Authentication
        private Response RequiresAuthentication(NancyContext context)
        {
            Response response = null;
-            if (context.CurrentUser == null && _authenticationService.Enabled)
+
+            if (!context.Request.Path.StartsWith("/api/") &&
+                context.CurrentUser == null &&
+                _authenticationService.Enabled)
            {
                response = new Response { StatusCode = HttpStatusCode.Unauthorized };
            }
--- a/NzbDrone.Api/Authentication/EnableStatelessAuthInNancy.cs
+++ b/NzbDrone.Api/Authentication/EnableStatelessAuthInNancy.cs
@ -0,0 +1,50 @@
+using System.Linq;
+using Nancy;
+using Nancy.Bootstrapper;
+using NzbDrone.Common.EnvironmentInfo;
+using NzbDrone.Core.Configuration;
+
+namespace NzbDrone.Api.Authentication
+{
+    public interface IEnableStatelessAuthInNancy
+    {
+        void Register(IPipelines pipelines);
+    }
+
+    public class EnableStatelessAuthInNancy : IEnableStatelessAuthInNancy
+    {
+        private readonly IConfigFileProvider _configFileProvider;
+
+        public EnableStatelessAuthInNancy(IConfigFileProvider configFileProvider)
+        {
+            _configFileProvider = configFileProvider;
+        }
+
+        public void Register(IPipelines pipelines)
+        {
+            pipelines.BeforeRequest.AddItemToEndOfPipeline(ValidateApiKey);
+        }
+
+        public Response ValidateApiKey(NancyContext context)
+        {
+            Response response = null;
+            var apiKey = context.Request.Headers["ApiKey"].FirstOrDefault();
+
+            if (!RuntimeInfo.IsProduction &&
+                (context.Request.UserHostAddress.Equals("localhost") ||
+                context.Request.UserHostAddress.Equals("127.0.0.1") ||
+                context.Request.UserHostAddress.Equals("::1")))
+            {
+                return response;
+            }
+            
+            if (context.Request.Path.StartsWith("/api/") && 
+                (apiKey == null || !apiKey.Equals(_configFileProvider.ApiKey)))
+            {
+                response = new Response { StatusCode = HttpStatusCode.Unauthorized };
+            }
+
+            return response;
+        }
+    }
+}
--- a/NzbDrone.Api/Frontend/Mappers/IndexHtmlMapper.cs
+++ b/NzbDrone.Api/Frontend/Mappers/IndexHtmlMapper.cs
@ -1,20 +1,28 @@
+using System;
 using System.IO;
 using Nancy;
+using Nancy.Responses;
 using NLog;
 using NzbDrone.Common;
 using NzbDrone.Common.EnvironmentInfo;
+using NzbDrone.Core.Configuration;

 namespace NzbDrone.Api.Frontend.Mappers
 {
    public class IndexHtmlMapper : StaticResourceMapperBase
    {
        private readonly IDiskProvider _diskProvider;
+        private readonly IConfigFileProvider _configFileProvider;
        private readonly string _indexPath;

-        public IndexHtmlMapper(IAppFolderInfo appFolderInfo, IDiskProvider diskProvider, Logger logger)
+        public IndexHtmlMapper(IAppFolderInfo appFolderInfo,
+                               IDiskProvider diskProvider,
+                               IConfigFileProvider configFileProvider,
+                               Logger logger)
            : base(diskProvider, logger)
        {
            _diskProvider = diskProvider;
+            _configFileProvider = configFileProvider;
            _indexPath = Path.Combine(appFolderInfo.StartUpFolder, "UI", "index.html");
        }

@ -30,7 +38,21 @@ namespace NzbDrone.Api.Frontend.Mappers

        public override Response GetResponse(string resourceUrl)
        {
+            string content;
            var response = base.GetResponse(resourceUrl);
+            var stream = new MemoryStream();
+            
+            response.Contents.Invoke(stream);
+            stream.Position = 0;
+
+            using (var reader = new StreamReader(stream))
+            {
+                content = reader.ReadToEnd();
+            }
+
+            content = content.Replace("API_KEY", _configFileProvider.ApiKey);
+
+            response = new StreamResponse(() => StringToStream(content), response.ContentType);
            response.Headers["X-UA-Compatible"] = "IE=edge";

            return response;
@ -51,6 +73,5 @@ namespace NzbDrone.Api.Frontend.Mappers

            return text;
        }
-
    }
 }
--- a/NzbDrone.Api/Frontend/Mappers/StaticResourceMapperBase.cs
+++ b/NzbDrone.Api/Frontend/Mappers/StaticResourceMapperBase.cs
@ -24,13 +24,10 @@ namespace NzbDrone.Api.Frontend.Mappers
            {
                _caseSensitive = true;
            }
-
-
        }

        protected abstract string Map(string resourceUrl);

-
        public abstract bool CanHandle(string resourceUrl);

        public virtual Response GetResponse(string resourceUrl)
--- a/NzbDrone.Api/NancyBootstrapper.cs
+++ b/NzbDrone.Api/NancyBootstrapper.cs
@ -31,6 +31,7 @@ namespace NzbDrone.Api

            container.Resolve<DatabaseTarget>().Register();
            container.Resolve<IEnableBasicAuthInNancy>().Register(pipelines);
+            container.Resolve<IEnableStatelessAuthInNancy>().Register(pipelines);
            container.Resolve<IEventAggregator>().PublishEvent(new ApplicationStartedEvent());

            ApplicationPipelines.OnError.AddItemToEndOfPipeline(container.Resolve<NzbDroneErrorPipeline>().HandleException);
--- a/NzbDrone.Api/NzbDrone.Api.csproj
+++ b/NzbDrone.Api/NzbDrone.Api.csproj
@ -74,6 +74,7 @@
      <Link>Properties\SharedAssemblyInfo.cs</Link>
    </Compile>
    <Compile Include="Authentication\AuthenticationService.cs" />
+    <Compile Include="Authentication\EnableStatelessAuthInNancy.cs" />
    <Compile Include="Authentication\EnableBasicAuthInNancy.cs" />
    <Compile Include="Authentication\NzbDroneUser.cs" />
    <Compile Include="Calendar\CalendarModule.cs" />
--- a/NzbDrone.Core/Configuration/ConfigFileProvider.cs
+++ b/NzbDrone.Core/Configuration/ConfigFileProvider.cs
@ -26,6 +26,7 @@ namespace NzbDrone.Core.Configuration
        string Password { get; }
        string LogLevel { get; }
        string Branch { get; }
+        string ApiKey { get; }
        bool Torrent { get; }
    }

@ -95,6 +96,14 @@ namespace NzbDrone.Core.Configuration
            get { return GetValueBoolean("LaunchBrowser", true); }
        }

+        public string ApiKey
+        {
+            get
+            {
+                return GetValue("ApiKey", Guid.NewGuid().ToString().Replace("-", ""));
+            }
+        }
+
        public bool Torrent
        {
            get { return GetValueBoolean("Torrent", false, persist: false); }
--- a/UI/Mixins/backbone.ajax.js
+++ b/UI/Mixins/backbone.ajax.js
@ -20,9 +20,15 @@ define(function () {

                delete xhr.data;
            }
+            if (xhr) {
+                if (!xhr.headers) {
+                    xhr.headers = {};
+                }
+
+                xhr.headers["ApiKey"] = window.NzbDrone.ApiKey;
+            }

            return original.apply(this, arguments);
        };
    };
-
 });
--- a/UI/ServerStatus.js
+++ b/UI/ServerStatus.js
@ -1,10 +1,12 @@
-window.NzbDrone = {};
 window.NzbDrone.ApiRoot = '/api';

 var statusText = $.ajax({
    type : 'GET',
    url  : window.NzbDrone.ApiRoot + '/system/status',
-    async: false
+    async: false,
+    headers: {
+        ApiKey: window.NzbDrone.ApiKey
+    }
 }).responseText;

 window.NzbDrone.ServerStatus = JSON.parse(statusText);
--- a/UI/app.js
+++ b/UI/app.js
@ -33,12 +33,19 @@ require.config({
        $: {
            exports: '$',

-            init: function () {
+            deps   :
+                [
+                    'Mixins/jquery.ajax'
+                ],
+
+            init: function (AjaxMixin) {
                require(
                    [
                        'jQuery/ToTheTop',
                        'Instrumentation/ErrorHandler'
                    ]);
+
+                AjaxMixin.apply($);
            }

        },
@ -75,14 +82,10 @@ require.config({
        backbone: {
            deps   :
                [
-                    'Mixins/backbone.ajax',
                    'underscore',
                    '$'
                ],
-            exports: 'Backbone',
-            init   : function (AjaxMixin) {
-                AjaxMixin.apply(Backbone);
-            }
+            exports: 'Backbone'
        },


--- a/UI/index.html
+++ b/UI/index.html
@ -60,6 +60,12 @@
    </div>
 </footer>
 </body>
+
+<script type="text/javascript">
+    window.NzbDrone = {};
+    window.NzbDrone.ApiKey = 'API_KEY';
+</script>
+
 <script src="/polyfills.js"></script>
 <script src="/JsLibraries/jquery.js"></script>
 <script src="/JsLibraries/messenger.js"></script>