From e3999c4906348dadcc85eec1df9a48e776deccd5 Mon Sep 17 00:00:00 2001
From: "Kali Kaneko (leap communications)"
Date: Thu, 23 Feb 2017 00:35:33 +0100
Subject: [feature] require authentication token for api

implements a global auth token for the app. this token is written to .config/leap/authtoken, and passed to the anchor part of the landing URI when opening the index resource by the browser.

- Resolves: #8765
---
 src/leap/bitmask/core/web/api.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src/leap/bitmask/core/web/api.py')

diff --git a/src/leap/bitmask/core/web/api.py b/src/leap/bitmask/core/web/api.py
index d31afa50..01c65bae 100644
--- a/src/leap/bitmask/core/web/api.py
+++ b/src/leap/bitmask/core/web/api.py
@@ -11,11 +11,20 @@ class Api(Resource):
 
     isLeaf = True
 
-    def __init__(self, dispatcher):
+    def __init__(self, dispatcher, global_tokens):
         Resource.__init__(self)
         self.dispatcher = dispatcher
+        self.global_tokens = global_tokens
 
     def render_POST(self, request):
+        token = request.getHeader('x-bitmask-auth')
+        if not token:
+            request.setResponseCode(401)
+            return 'unauthorized: no app token'
+        elif token.strip() not in self.global_tokens:
+            request.setResponseCode(401)
+            return 'unauthorized: bad app token'
+
         command = request.uri.split('/')[2:]
         params = request.content.getvalue()
         if params:
-- 
cgit v1.2.3
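Review bot: The membership test `token.strip() not in self.global_tokens` in render_POST checks the presented secret with ordinary string equality, which stops at the first differing byte and therefore leaks timing information about the stored token; a constant-time comparison is the usual fix, e.g. `elif not any(hmac.compare_digest(token.strip(), t) for t in self.global_tokens):` with `import hmac` added at the top of the file. The two 401 branches could also share one code path so the response body does not tell a missing token apart from a wrong one, though that is a matter of taste. The new `global_tokens` parameter is undocumented; a docstring on __init__ such as `"""Collection of app auth tokens accepted in the x-bitmask-auth header."""` would help, and its expected container type should be stated since `in` on a list is linear in the number of tokens. render_POST's body continues outside the hunk.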