First

1 files changed, 60 insertions, 0 deletions

diff --git a/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex b/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex
new file mode 100644
index 0000000..2e4702f
--- /dev/null
+++ b/lib/pleroma/web/plugs/admin_secret_authentication_plug.ex
@@ -0,0 +1,60 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2022 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Plugs.AdminSecretAuthenticationPlug do
+  import Plug.Conn
+
+  alias Pleroma.Helpers.AuthHelper
+  alias Pleroma.User
+  alias Pleroma.Web.Plugs.RateLimiter
+
+  def init(options) do
+    options
+  end
+
+  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn
+
+  def call(conn, _) do
+    if secret_token() do
+      authenticate(conn)
+    else
+      conn
+    end
+  end
+
+  defp authenticate(%{params: %{"admin_token" => admin_token}} = conn) do
+    if admin_token == secret_token() do
+      assign_admin_user(conn)
+    else
+      handle_bad_token(conn)
+    end
+  end
+
+  defp authenticate(conn) do
+    token = secret_token()
+
+    case get_req_header(conn, "x-admin-token") do
+      blank when blank in [[], [""]] -> conn
+      [^token] -> assign_admin_user(conn)
+      _ -> handle_bad_token(conn)
+    end
+  end
+
+  defp secret_token do
+    case Pleroma.Config.get(:admin_token) do
+      blank when blank in [nil, ""] -> nil
+      token -> token
+    end
+  end
+
+  defp assign_admin_user(conn) do
+    conn
+    |> assign(:user, %User{is_admin: true})
+    |> AuthHelper.skip_oauth()
+  end
+
+  defp handle_bad_token(conn) do
+    RateLimiter.call(conn, name: :authentication)
+  end
+end