RanchiMall/fcoin
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

http: do not allow dumping of master key without admin privileges.

Browse Source
This commit is contained in:
Christopher Jeffrey 2016-11-16 09:41:17 -08:00
parent 18e742a092
commit f0fb7c4db3
No known key found for this signature in database
GPG Key ID: 8962AB9DE6666BBD
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
lib/http/server.js
View File

@ -160,14 +160,18 @@ HTTPServer.prototype._init = function _init() {
this.use(function(req, res, send, next) {
var hash;
if (this.options.noAuth)
if (this.options.noAuth) {
req.admin = true;
return next();
}
hash = hash256(req.password);
// Regular API key gives access to everything.
if (crypto.ccmp(hash, this.apiHash))
if (crypto.ccmp(hash, this.apiHash)) {
req.admin = true;
return next();
}
// If they're hitting the wallet services,
// they can use the less powerful API key.
@ -762,6 +766,9 @@ HTTPServer.prototype._init = function _init() {
// Get wallet master key
this.get('/wallet/:id/master', function(req, res, send, next) {
if (!req.admin)
return send(403, { error: 'Admin access required.' });
send(200, req.wallet.master.toJSON(true));
});