From dd3d87bd97e41c77eea270812d338139fd87b9fc Mon Sep 17 00:00:00 2001 From: Benjamin Morrison Date: Thu, 21 Oct 2021 21:31:17 -0400 Subject: delete a user, new config option for admin pass. pass is bcrypt hashed on startup and not stored in plaintext. --- svc/handlers.go | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'svc/handlers.go') diff --git a/svc/handlers.go b/svc/handlers.go index cb07349..5dbb10d 100644 --- a/svc/handlers.go +++ b/svc/handlers.go @@ -20,15 +20,18 @@ along with Getwtxt. If not, see . package svc // import "git.sr.ht/~gbmor/getwtxt/svc" import ( + "errors" "fmt" "hash/fnv" "net/http" + "net/url" "strconv" "strings" "time" "git.sr.ht/~gbmor/getwtxt/registry" "github.com/gorilla/mux" + "golang.org/x/crypto/bcrypt" ) // Takes the modtime of one of the static files, derives @@ -242,3 +245,38 @@ func apiTagsHandler(w http.ResponseWriter, r *http.Request) { } log200(r) } + +func handleUserDelete(w http.ResponseWriter, r *http.Request) { + pass := r.Header.Get("X-Auth") + if pass == "" { + errHTTP(w, r, errors.New("unauthorized"), http.StatusUnauthorized) + return + } + confObj.Mu.RLock() + adminHash := []byte(confObj.AdminPassHash) + confObj.Mu.RUnlock() + + if err := bcrypt.CompareHashAndPassword(adminHash, []byte(pass)); err != nil { + errHTTP(w, r, errors.New("unauthorized"), http.StatusUnauthorized) + return + } + + r.ParseForm() + userURL := strings.TrimSpace(r.Form.Get("url")) + if userURL == "" { + errHTTP(w, r, errors.New("bad request"), http.StatusBadRequest) + return + } + if _, err := url.Parse(userURL); err != nil { + errHTTP(w, r, errors.New("bad request"), http.StatusBadRequest) + return + } + + if err := delUser(userURL); err != nil { + return + } + + w.WriteHeader(200) + w.Write([]byte("200 OK\n")) + log200(r) +} -- cgit 1.4.1-2-gfad0