From f0fb7c4db3ec5a2a06ae26e9a31b97356a1b418e Mon Sep 17 00:00:00 2001
From: Christopher Jeffrey <chjjeffrey@gmail.com>
Date: Wed, 16 Nov 2016 09:41:17 -0800
Subject: [PATCH] http: do not allow dumping of master key without admin
 privileges.

---
 lib/http/server.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/http/server.js b/lib/http/server.js
index b02d642c..9460f211 100644
--- a/lib/http/server.js
+++ b/lib/http/server.js
@@ -160,14 +160,18 @@ HTTPServer.prototype._init = function _init() {
   this.use(function(req, res, send, next) {
     var hash;
 
-    if (this.options.noAuth)
+    if (this.options.noAuth) {
+      req.admin = true;
       return next();
+    }
 
     hash = hash256(req.password);
 
     // Regular API key gives access to everything.
-    if (crypto.ccmp(hash, this.apiHash))
+    if (crypto.ccmp(hash, this.apiHash)) {
+      req.admin = true;
       return next();
+    }
 
     // If they're hitting the wallet services,
     // they can use the less powerful API key.
@@ -762,6 +766,9 @@ HTTPServer.prototype._init = function _init() {
 
   // Get wallet master key
   this.get('/wallet/:id/master', function(req, res, send, next) {
+    if (!req.admin)
+      return send(403, { error: 'Admin access required.' });
+
     send(200, req.wallet.master.toJSON(true));
   });