diff --git a/common/constants.go b/common/constants.go
index 4196f2441..127f4d8fa 100644
--- a/common/constants.go
+++ b/common/constants.go
@@ -2,6 +2,6 @@ package common
 const (
 SERVICENAME = "casaos"
- VERSION = "0.4.4"
+ VERSION = "0.4.4.1"
 BODY = " "
 )
diff --git a/route/v2.go b/route/v2.go
index 6348368cc..c141aa83a 100644
--- a/route/v2.go
+++ b/route/v2.go
@@ -148,6 +148,21 @@ func InitV2DocRouter(docHTML string, docYAML string) http.Handler {
 func InitFile() http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ token := r.URL.Query().Get("token")
+ if len(token) == 0 {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte(`{"message": "token not found"}`))
+ return
+ }
+
+ valid, _, errs := jwt.Validate(token, func() (*ecdsa.PublicKey, error) { return external.GetPublicKey(config.CommonInfo.RuntimePath) })
+ if errs != nil || !valid {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte(`{"message": "validation failure"}`))
+ return
+ }
 filePath := r.URL.Query().Get("path")
 fileName := path.Base(filePath)
 w.Header().Add("Content-Disposition", "attachment; filename*=utf-8''"+url.PathEscape(fileName))
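Review bot: The same fifteen-line token check is pasted into both InitFile and InitDir (the second copy is in the `@@ -158,6 +173,21 @@` hunk), so any later change to how these download routes authenticate has to be made twice and can drift; moving it into one helper keeps the two handlers in step. Two properties of the check are worth settling at the same time: the token is read only from `r.URL.Query().Get("token")`, which places a bearer credential in URLs that access logs, proxies and browser history record, and the claims returned by `jwt.Validate` are discarded with `_`, so nothing visible here ties the token to a particular user or scope. A failure to load the public key is also reported as 401 "validation failure", which hides a server-side fault from whoever reads the response or the logs. The `path` and `files` parameters are still taken straight from the query after the check, and whether they are constrained is decided outside these hunks; both handler bodies continue past the hunk ends.

```go
// authorizeDownload answers 401 and returns false unless the "token" query
// parameter carries a JWT that validates against the runtime public key.
func authorizeDownload(w http.ResponseWriter, r *http.Request) bool {
	token := r.URL.Query().Get("token")
	if token == "" {
		writeUnauthorized(w, "token not found")
		return false
	}
	valid, _, err := jwt.Validate(token, func() (*ecdsa.PublicKey, error) {
		return external.GetPublicKey(config.CommonInfo.RuntimePath)
	})
	if err != nil || !valid {
		writeUnauthorized(w, "validation failure")
		return false
	}
	return true
}

// writeUnauthorized sends a fixed JSON error body; msg must be a constant
// string because it is not JSON-escaped.
func writeUnauthorized(w http.ResponseWriter, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusUnauthorized)
	_, _ = w.Write([]byte(`{"message": "` + msg + `"}`))
}

func InitFile() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorizeDownload(w, r) {
			return
		}
		// … unchanged: path lookup and Content-Disposition header …
```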
@@ -158,6 +173,21 @@ func InitFile() http.Handler {
 func InitDir() http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ token := r.URL.Query().Get("token")
+ if len(token) == 0 {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte(`{"message": "token not found"}`))
+ return
+ }
+
+ valid, _, errs := jwt.Validate(token, func() (*ecdsa.PublicKey, error) { return external.GetPublicKey(config.CommonInfo.RuntimePath) })
+ if errs != nil || !valid {
+ w.Header().Set("Content-Type", "application/json")
+ w.WriteHeader(http.StatusUnauthorized)
+ w.Write([]byte(`{"message": "validation failure"}`))
+ return
+ }
 t := r.URL.Query().Get("format")
 files := r.URL.Query().Get("files")