Use POST for token generation

2018-12-14 15:03:10 -06:00 · 2018-12-14 15:03:10 -06:00 · 60681e4385
parent 260bfdc071
commit 60681e4385
3 changed files with 18 additions and 19 deletions
--- a/documentation/api/v1/auth_api_doc.rb
+++ b/documentation/api/v1/auth_api_doc.rb
@ -16,25 +16,20 @@ module AuthApiDoc

  swagger_path '/api/v1/auth/generate-token' do
    # Swagger documentation for /api/v1/auth/generate-token GET
-    operation :get do
+    operation :post do

      key :description, 'Return a valid Authorization Bearer token.'
      key :tags, [ 'auth' ]

      parameter do
-        key :name, :username
-        key :in, :query
-        key :description, 'The username for the user you want to authenticate.'
+        key :in, :body
+        key :name, :body
+        key :description, 'Login credentials for the user who will be generating a token.'
        key :required, true
-        key :type, :string
-      end
-
-      parameter do
-        key :name, :password
-        key :in, :query
-        key :description, 'The password for the user you want to authenticate.'
-        key :required, true
-        key :type, :string
+        schema do
+          property :username, type: :string, required: true
+          property :password, type: :string, required: true
+        end
      end

      response 200 do
--- a/lib/msf/core/web_services/authentication/strategies/user_password.rb
+++ b/lib/msf/core/web_services/authentication/strategies/user_password.rb
@ -16,15 +16,19 @@ module Authentication
      # Check if request contains valid data and should be authenticated.
      # @return [Boolean] true if strategy should be run for the request; otherwise, false.
      def valid?
-        params['username'] && params['password']
+        body = JSON.parse(request.body.read, symbolize_names: true)
+        request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
+        body[:username] && body[:password]
      end

      # Authenticate the request.
      def authenticate!
+        body = JSON.parse(request.body.read, symbolize_names: true)
+        request.body.rewind # Reset the StringIO buffer so any further consumers can read the body
        db_manager = env['msf.db_manager']
-        user = db_manager.users(username: params['username']).first
+        user = db_manager.users(username: body[:username]).first

-        if user.nil? || !db_manager.authenticate_user(id: user.id, password: params['password'])
+        if user.nil? || !db_manager.authenticate_user(id: user.id, password: body[:password])
          fail("Invalid username or password.")
        else
          success!(user)
--- a/lib/msf/core/web_services/servlet/auth_servlet.rb
+++ b/lib/msf/core/web_services/servlet/auth_servlet.rb
@ -31,7 +31,7 @@ module AuthServlet
    app.post AuthServlet.api_login_path, &post_login

    app.get AuthServlet.api_logout_path, &get_logout
-    app.get AuthServlet.api_generate_token_path, &get_generate_token
+    app.post AuthServlet.api_generate_token_path, &post_generate_token
    app.post "#{AuthServlet.api_unauthenticated_path}/?:scope?", &post_unauthenticated
  end

@ -75,7 +75,7 @@ module AuthServlet
  end

  # Generate a new API token for the current user
-  def self.get_generate_token
+  def self.post_generate_token
    lambda {
      # change action to drop the scope param since this is used
      # by XMLHttpRequest (XHR) and we don't want a redirect