davide/purple-explorer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add new settings to disable individual public apis

Browse Source 
-All coind + extended public api calls can now be enabled/disabled individually via settings.json; Disabled apis still work internally when disabled; The only noteworthy exception is the extended /ext/getlasttxs endpoint which is the only extended api consumed by the explorer itself, although it works to prevent outside access by default, it is controlled by http headers which can be manipulated and it's extremely likely that a savvy user could enable usage of /ext/getlasttxs for their own needs even if the site has specifically disabled that public api. More thought may be needed to properly resolve that problem, but it may also not be a big deal since it's data that is available to the explorer and in no way hidden or secret
-Disabled apis do not show up on the /info page and will return a "This method is disabled" msg if the endpoint is called
-Applied some code formatting to the /lib/nodeapi.js file
This commit is contained in:
joeuhren
2020-12-28 15:12:56 -07:00
parent ac237ad8e9
commit 374ab2d7aa
5 changed files with 505 additions and 397 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/nodeapi.js
+76 -78
View File
@@ -2,27 +2,28 @@ var onode = require('./node');
var express = require('express');
var settings = require('./settings');
module.exports = function(){
function express_app(){
module.exports = function() {
function express_app() {
var app = express();
app.get('*', hasAccess, function(req, res){
var method = req.path.substring(1,req.path.length);
if('undefined' != typeof requires_passphrase[method]){
if(wallet_passphrase) client.walletPassphrase(wallet_passphrase, 10);
else res.send('A wallet passphrase is needed and has not been set.');
app.get('*', hasAccess, function(req, res) {
var method = req.path.substring(1, req.path.length);
if ('undefined' != typeof requires_passphrase[method]) {
if (wallet_passphrase)
client.walletPassphrase(wallet_passphrase, 10);
else
res.send('A wallet passphrase is needed and has not been set.');
}
var query_parameters = req.query;
var params = [];
for(var parameter in query_parameters){
if(query_parameters.hasOwnProperty(parameter)){
for (var parameter in query_parameters) {
if (query_parameters.hasOwnProperty(parameter)) {
var param = query_parameters[parameter];
if(!isNaN(param)){
if (!isNaN(param))
param = parseFloat(param);
}
params.push(param);
}
}
@@ -64,38 +65,46 @@ module.exports = function(){
break;
}
client.cmd(command, function(err, response){
if(err){console.log(err); res.send("There was an error. Check your console.");}
else{
if(typeof response === 'object'){
client.cmd(command, function(err, response) {
if (err) {
console.log(err);
res.send("There was an error. Check your console.");
} else {
if (typeof response === 'object')
res.json(response);
}
else{
else {
res.setHeader('content-type', 'text/plain');
res.end(response.toString());
}
}
});
});
function hasAccess(req, res, next){
if(accesslist.type == 'all'){
return next();
}
var method = req.path.substring(1,req.path.length);
if('undefined' == typeof accesslist[method]){
if(accesslist.type == 'only') res.end('This method is restricted.');
else return next();
}
else{
if(accesslist[method] == true){
function hasAccess(req, res, next) {
var method = req.path.substring(1, req.path.length);
var method_enabled = settings.public_api.rpc[method];
// only show disabled msg for outside calls. internal calls should always go through
if (method_enabled == null || !method_enabled && req.headers.host.indexOf('127.0.0.1') == -1)
res.end('This method is disabled');
else {
if (accesslist.type == 'all')
return next();
if ('undefined' == typeof accesslist[method]) {
if (accesslist.type == 'only')
res.end('This method is restricted');
else
return next();
} else {
if (accesslist[method] == true)
return next();
else
res.end('This method is restricted');
}
else res.end('This method is restricted.');
}
}
}
function prepareRpcCommand(cmd, addParams) {
var method_name = '';
var params = addParams || [];
@@ -116,9 +125,9 @@ module.exports = function(){
return { method: method_name, parameters: params };
}
function specialApiCase(method_name, query_parameters){
function specialApiCase(method_name, query_parameters) {
var params = [];
switch (method_name) {
case 'getnetworkhashps':
case 'getmininginfo':
@@ -185,9 +194,8 @@ module.exports = function(){
params.push(query_parameters[parameter]);
if (parameter == 'signature') {
var param = decodeURIComponent(query_parameters[parameter]);
while (param.indexOf(" ") > -1) {
while (param.indexOf(" ") > -1)
param = param.replace(" ", "+");
}
params.push(param);
}
}
@@ -200,28 +208,25 @@ module.exports = function(){
var after_account = false;
var before_min_conf = true;
var address_info = {};
for(var parameter in query_parameters){
if(query_parameters.hasOwnProperty(parameter)){
if(parameter == 'minconf'){
for (var parameter in query_parameters) {
if (query_parameters.hasOwnProperty(parameter)) {
if (parameter == 'minconf') {
before_min_conf = false;
params.push(address_info);
}
var param = query_parameters[parameter];
if(!isNaN(param)){
if (!isNaN(param))
param = parseFloat(param);
}
if(after_account && before_min_conf){
if (after_account && before_min_conf)
address_info[parameter] = param;
}
else {
else
params.push(param);
}
if(parameter == 'account') after_account = true;
if (parameter == 'account')
after_account = true;
}
}
if(before_min_conf){
if (before_min_conf)
params.push(address_info);
}
break;
}
@@ -249,56 +254,49 @@ module.exports = function(){
'signrawtransaction': true
};
function setAccess(type, access_list){
function setAccess(type, access_list) {
//Reset//
accesslist = {};
accesslist.type = type;
if(type == "only"){
var i=0;
for(; i<access_list.length; i++){
if (type == "only") {
for (i = 0; i < access_list.length; i++)
accesslist[access_list[i]] = true;
}
}
if(type == "restrict"){
var i=0;
for(; i<access_list.length; i++){
if (type == "restrict") {
for (i = 0; i < access_list.length; i++)
accesslist[access_list[i]] = false;
}
}
//Default is for security reasons. Prevents accidental theft of coins/attack
if(type == 'default-safe'){
accesslist.type = 'restrict';
if (type == 'default-safe') {
var restrict_list = ['dumpprivkey', 'walletpassphrasechange', 'stop'];
var i=0;
for(;i<restrict_list.length;i++){
accesslist[restrict_list[i]] = false;
}
}
if(type == 'read-only'){
accesslist.type = 'restrict';
var restrict_list = ['addmultisigaddress', 'addnode', 'backupwallet', 'createmultisig', 'createrawtransaction', 'encryptwallet', 'importprivkey', 'keypoolrefill', 'lockunspent', 'move', 'sendfrom', 'sendmany', 'sendrawtransaction', 'sendtoaddress', 'setaccount', 'setgenerate', 'settxfee', 'signmessage', 'signrawtransaction', 'stop', 'submitblock', 'walletlock', 'walletpassphrasechange'];
var i=0;
for(;i<restrict_list.length;i++){
for (i = 0; i < restrict_list.length; i++)
accesslist[restrict_list[i]] = false;
}
if (type == 'read-only') {
var restrict_list = ['addmultisigaddress', 'addnode', 'backupwallet', 'createmultisig', 'createrawtransaction', 'encryptwallet', 'importprivkey', 'keypoolrefill', 'lockunspent', 'move', 'sendfrom', 'sendmany', 'sendrawtransaction', 'sendtoaddress', 'setaccount', 'setgenerate', 'settxfee', 'signmessage', 'signrawtransaction', 'stop', 'submitblock', 'walletlock', 'walletpassphrasechange'];
accesslist.type = 'restrict';
for (i=0; i < restrict_list.length; i++)
accesslist[restrict_list[i]] = false;
}
}
};
function setWalletDetails(details){
if('undefined' == typeof details.rpc){
function setWalletDetails(details) {
if ('undefined' == typeof details.rpc)
client = new onode.Client(details);
}
else{
else
client = details;
}
};
function setWalletPassphrase(passphrase){
function setWalletPassphrase(passphrase) {
wallet_passphrase = passphrase;
};
@@ -308,4 +306,4 @@ module.exports = function(){
setWalletDetails: setWalletDetails,
setWalletPassphrase: setWalletPassphrase
}
}();
}();