restrict to admin users

vatesfr · Apr 27, 2022 · 5803ce1 · 5803ce1
1 parent 874c534
commit 5803ce1
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 12 deletions.
diff --git a/@xen-orchestra/mixins/HttpProxy.js b/@xen-orchestra/mixins/HttpProxy.js
@@ -45,20 +45,31 @@ module.exports = class HttpProxy {
   async #handleAuthentication(req, res, next) {
     const auth = parseBasicAuth(req.headers['proxy-authorization'])
 
-    const app = this.#app
-    if (
-      auth === undefined ||
-      !(await (app.authenticateUser !== undefined
-        ? app.authenticateUser(auth) // xo-server
-        : app.authentication.findProfile(auth))) // xo-proxy
-    ) {
-      // https://datatracker.ietf.org/doc/html/rfc7235#section-3.2
-      res.statusCode = '407'
-      res.setHeader('proxy-authenticate', 'Basic realm="proxy"')
-      return res.end('Proxy Authentication Required')
+    let authenticated = false
+
+    if (auth !== undefined) {
+      const app = this.#app
+
+      if (app.authenticateUser !== undefined) {
+        // xo-server
+        try {
+          const { user } = await app.authenticateUser(auth)
+          authenticated = user.permission === 'admin'
+        } catch (error) {}
+      } else {
+        // xo-proxy
+        authenticated = (await app.authentication.findProfile(auth)) !== undefined
+      }
+    }
+
+    if (authenticated) {
+      return next()
     }
 
-    return next()
+    // https://datatracker.ietf.org/doc/html/rfc7235#section-3.2
+    res.statusCode = '407'
+    res.setHeader('proxy-authenticate', 'Basic realm="proxy"')
+    return res.end('Proxy Authentication Required')
   }
 
   async #handleConnect(req, clientSocket, head) {

diff --git a/@xen-orchestra/mixins/docs/HttpProxy.md b/@xen-orchestra/mixins/docs/HttpProxy.md
@@ -35,6 +35,8 @@ https://J0BgKritQgPxoyZrBJ5ViafQfLk06YoyFwC3fmfO5wU@xo-proxy.company.lan
 
 ### `xo-server`
 
+> Only available for admin users.
+
 You can use your credentials:
 
 ```