Fix and test the github admin route (#1886)

Fix regressions in the github admin and token acceptor endpoints, introduced in #1813.
Paul Melnikow
2018-08-11 19:48:43 -04:00
committed by GitHub
parent cd6c38a616
commit 39d393028d
4 changed files with 84 additions and 8 deletions


@@ -1,8 +1,7 @@
'use strict'
const crypto = require('crypto')
const { serializeDebugInfo } = require('../../../lib/github-auth')
const serverSecrets = require('../../../lib/server-secrets')
const secretIsValid = require('../../../lib/sys/secret-is-valid')
function setRoutes(server) {
// Allow the admin to obtain the tokens for operational and debugging
@@ -16,9 +15,9 @@ function setRoutes(server) {
// password.
//
// e.g.
// curl -u ':very-very-secret' 'https://example.com/$github-auth/tokens'
// curl --insecure -u ':very-very-secret' 'https://s0.shields-server.com/$github-auth/tokens'
server.ajax.on('github-auth/tokens', (json, end, ask) => {
if (!crypto.timingSafeEqual(ask.password, serverSecrets.shieldsSecret)) {
if (!secretIsValid(ask.password)) {
// An unknown entity tries to connect. Let the connection linger for a minute.
return setTimeout(function() {
end('Invalid secret.')
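Review bot: The updated example in the comment above the `github-auth/tokens` handler now passes `--insecure` to curl, which turns off certificate verification while the admin secret travels in the Basic auth header, so anyone who copies it sends the secret to a server whose identity was never checked. I would keep verification on in the documented command, `// curl -u ':very-very-secret' 'https://s0.shields-server.com/$github-auth/tokens'`, and if that host's certificate does not validate, say so in a separate comment instead of putting the flag in the example. The handler now relies on `secretIsValid(ask.password)`, whose body is not visible here; presumably it keeps a constant-time comparison and returns false when the password is missing or the server secret is unset, which is worth confirming with a test. The handler body continues past the end of this hunk.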