Use POST for token generation

GSoC/Meterpreter_Web_Console
James Barnett 2018-12-14 15:03:10 -06:00
parent 260bfdc071
commit 60681e4385
GPG Key ID: 647983861A4EC5EA
3 changed files with 18 additions and 19 deletions


@ -16,25 +16,20 @@ module AuthApiDoc
swagger_path '/api/v1/auth/generate-token' do swagger_path '/api/v1/auth/generate-token' do
# Swagger documentation for /api/v1/auth/generate-token GET # Swagger documentation for /api/v1/auth/generate-token GET
operation :get do operation :post do
key :description, 'Return a valid Authorization Bearer token.' key :description, 'Return a valid Authorization Bearer token.'
key :tags, [ 'auth' ] key :tags, [ 'auth' ]
parameter do parameter do
key :name, :username key :in, :body
key :in, :query key :name, :body
key :description, 'The username for the user you want to authenticate.' key :description, 'Login credentials for the user who will be generating a token.'
key :required, true key :required, true
key :type, :string schema do
end property :username, type: :string, required: true
property :password, type: :string, required: true
parameter do end
key :name, :password
key :in, :query
key :description, 'The password for the user you want to authenticate.'
key :required, true
key :type, :string
end end
response 200 do response 200 do
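Review bot: The comment above the operation still reads `# Swagger documentation for /api/v1/auth/generate-token GET` on the new side while the operation beneath it is now `:post`; update it to `# Swagger documentation for /api/v1/auth/generate-token POST`. Separately, the new body schema marks each property with an inline `required: true`; Swagger 2.0 expresses required properties as an array on the schema object, so `key :required, [:username, :password]` inside the `schema` block is the form validators and generated clients recognise — worth confirming how swagger-blocks serialises the inline `required:` key before relying on it.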


@ -16,15 +16,19 @@ module Authentication
# Check if request contains valid data and should be authenticated. # Check if request contains valid data and should be authenticated.
# @return [Boolean] true if strategy should be run for the request; otherwise, false. # @return [Boolean] true if strategy should be run for the request; otherwise, false.
def valid? def valid?
params['username'] && params['password'] body = JSON.parse(request.body.read, symbolize_names: true)
request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
body[:username] && body[:password]
end end
# Authenticate the request. # Authenticate the request.
def authenticate! def authenticate!
body = JSON.parse(request.body.read, symbolize_names: true)
request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
db_manager = env['msf.db_manager'] db_manager = env['msf.db_manager']
user = db_manager.users(username: params['username']).first user = db_manager.users(username: body[:username]).first
if user.nil? || !db_manager.authenticate_user(id: user.id, password: params['password']) if user.nil? || !db_manager.authenticate_user(id: user.id, password: body[:password])
fail("Invalid username or password.") fail("Invalid username or password.")
else else
success!(user) success!(user)
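Review bot: `valid?` now hands the raw body straight to `JSON.parse` with no rescue, so an empty body, malformed JSON, or a non-object document (`"x"`, `[]`, `null`) raises (`JSON::ParserError`, or a `TypeError`/`NoMethodError` from indexing a non-Hash) instead of returning false — a bad login request becomes a server error rather than a declined strategy, and the same parse and rewind pair is repeated verbatim at the top of `authenticate!`, whose body continues past the hunk. A single private helper that rewinds, parses, rescues `JSON::ParserError` to nil and rewinds again in `ensure` lets `valid?` become `body.is_a?(Hash) && body[:username] && body[:password]`, and the two parse/rewind lines in `authenticate!` collapse to `body = parsed_body`. The hunk does not show a `require 'json'`; if the file does not already load it, add one.
```ruby
def valid?
  body = parsed_body
  body.is_a?(Hash) && body[:username] && body[:password]
end

# … unchanged: authenticate!, with its two parse/rewind lines replaced by `body = parsed_body` …

private

# Parse the JSON request body once; nil when it is empty or not valid JSON.
def parsed_body
  request.body.rewind # start from the beginning even if an earlier consumer already read it
  JSON.parse(request.body.read, symbolize_names: true)
rescue JSON::ParserError
  nil
ensure
  request.body.rewind # leave the body readable for any later consumer
end
```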


@ -31,7 +31,7 @@ module AuthServlet
app.post AuthServlet.api_login_path, &post_login app.post AuthServlet.api_login_path, &post_login
app.get AuthServlet.api_logout_path, &get_logout app.get AuthServlet.api_logout_path, &get_logout
app.get AuthServlet.api_generate_token_path, &get_generate_token app.post AuthServlet.api_generate_token_path, &post_generate_token
app.post "#{AuthServlet.api_unauthenticated_path}/?:scope?", &post_unauthenticated app.post "#{AuthServlet.api_unauthenticated_path}/?:scope?", &post_unauthenticated
end end
@ -75,7 +75,7 @@ module AuthServlet
end end
# Generate a new API token for the current user # Generate a new API token for the current user
def self.get_generate_token def self.post_generate_token
lambda { lambda {
# change action to drop the scope param since this is used # change action to drop the scope param since this is used
# by XMLHttpRequest (XHR) and we don't want a redirect # by XMLHttpRequest (XHR) and we don't want a redirect
@ -103,4 +103,4 @@ module AuthServlet
} }
end end
end end