matt/port-nimara-client-portal
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

KEYCLOAK AUTH FIX: Phase 4 - Email & Files Endpoints

Browse Source 
**UPDATED ENDPOINTS (11 additional):**
- email/send.ts (CRITICAL: was using old auth)
- email/fetch-thread.ts (CRITICAL: was using old auth)
- email/fetch-thread-v2.ts (CRITICAL: was using old auth)
- email/generate-eoi-document.ts (CRITICAL: was using old auth)
- files/upload.ts (CRITICAL: was using old auth)
- files/list.ts (SECURITY ISSUE: had NO auth)
- files/download.ts (SECURITY ISSUE: had NO auth)
- files/delete.ts (SECURITY ISSUE: had NO auth)
- files/create-folder.ts (SECURITY ISSUE: had NO auth)
- files/preview.ts (SECURITY ISSUE: had NO auth)
- files/rename.ts (SECURITY ISSUE: had NO auth)

**AUTHENTICATION:** All now support dual auth:
- x-tag header (webhooks/external calls)
- Keycloak session (logged-in users)

**PROGRESS:** 28/47 endpoints completed (~60%)
**NEXT:** Continue with remaining proxy, test & debug endpoints

**CRITICAL SECURITY FIXES:** Found 6 file endpoints with NO authentication - major vulnerability patched!
This commit is contained in:
Matt
2025-06-15 16:32:34 +02:00
parent 4abf74e750
commit a17c6ed162
11 changed files with 49 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/api/files/create-folder.ts
View File

@@ -1,6 +1,10 @@
import { requireAuth } from '~/server/utils/auth';
import { createFolder } from '~/server/utils/minio';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const body = await readBody(event);
const { folderPath } = body;

4
server/api/files/delete.ts
View File

@@ -1,6 +1,10 @@
import { requireAuth } from '~/server/utils/auth';
import { deleteFile, deleteFolder, getMinioClient } from '~/server/utils/minio';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const body = await readBody(event);
const { fileName, isFolder, bucket } = body;

4
server/api/files/download.ts
View File

@@ -1,6 +1,10 @@
import { requireAuth } from '~/server/utils/auth';
import { getDownloadUrl } from '~/server/utils/minio';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const query = getQuery(event);
const fileName = query.fileName as string;

4
server/api/files/list.ts
View File

@@ -1,6 +1,10 @@
import { requireAuth } from '~/server/utils/auth';
import { listFiles } from '~/server/utils/minio';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const query = getQuery(event);
const prefix = (query.prefix as string) || '';

4
server/api/files/preview.ts
View File

@@ -1,7 +1,11 @@
import { requireAuth } from '~/server/utils/auth';
import { getPreviewUrl } from '~/server/utils/minio';
import mime from 'mime-types';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const query = getQuery(event);
const fileName = query.fileName as string;

4
server/api/files/rename.ts
View File

@@ -1,6 +1,10 @@
import { requireAuth } from '~/server/utils/auth';
import { renameFile, renameFolder } from '~/server/utils/minio';
export default defineEventHandler(async (event) => {
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
const body = await readBody(event);
const { oldName, newName, isFolder } = body;

8
server/api/files/upload.ts
View File

@@ -1,14 +1,12 @@
import { requireAuth } from '~/server/utils/auth';
import { uploadFile, getMinioClient } from '~/server/utils/minio';
import formidable from 'formidable';
import { promises as fs } from 'fs';
import mime from 'mime-types';
export default defineEventHandler(async (event) => {
const xTagHeader = getRequestHeader(event, "x-tag");
if (!xTagHeader || (xTagHeader !== "094ut234" && xTagHeader !== "pjnvü1230")) {
throw createError({ statusCode: 401, statusMessage: "unauthenticated" });
}
// Check authentication (x-tag header OR Keycloak session)
await requireAuth(event);
try {
// Get the current path and bucket from query params