From dce6bcde56a38e48adf1ed5d4fb404a0a524f95e Mon Sep 17 00:00:00 2001
From: Travis Ralston
Date: Fri, 15 Mar 2019 20:02:21 -0600
Subject: [PATCH] Require ?v=1.1 on Scalar /register and /account

For upstream compatibility and security.
---
src/api/scalar/ScalarService.ts | 12 ++++++++++--
src/scalar/ScalarClient.ts | 2 ++
src/utils/common-constants.ts | 1 +
.../services/scalar/scalar-server-api.service.ts | 7 +++++--
4 files changed, 18 insertions(+), 4 deletions(-)
create mode 100644 src/utils/common-constants.ts

diff --git a/src/api/scalar/ScalarService.ts b/src/api/scalar/ScalarService.ts
index 5774626..4fc430b 100644
--- a/src/api/scalar/ScalarService.ts
+++ b/src/api/scalar/ScalarService.ts
@@ -49,7 +49,11 @@ export class ScalarService {
 @POST
 @Path("register")
- public async register(request: RegisterRequest): Promise {
+ public async register(request: RegisterRequest, @QueryParam("v") apiVersion: string): Promise {
+ if (apiVersion !== "1.1") {
+ throw new ApiError(401, "Invalid API version.");
+ }
+
 const mxClient = new MatrixOpenIdClient(request);
 const mxUserId = await mxClient.getUserId();
@@ -95,7 +99,11 @@ export class ScalarService {
 @GET
 @Path("account")
- public async getAccount(@QueryParam("scalar_token") scalarToken: string): Promise {
+ public async getAccount(@QueryParam("scalar_token") scalarToken: string, @QueryParam("v") apiVersion: string): Promise {
+ if (apiVersion !== "1.1") {
+ throw new ApiError(401, "Invalid API version.");
+ }
+
 const userId = await ScalarService.getTokenOwner(scalarToken);
 return {user_id: userId};
 }
diff --git a/src/scalar/ScalarClient.ts b/src/scalar/ScalarClient.ts
index c042a8c..47ed0b2 100644
--- a/src/scalar/ScalarClient.ts
+++ b/src/scalar/ScalarClient.ts
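Review bot: The accepted version is hard-coded as the literal `"1.1"` in the check added at the top of `register`, while this same commit introduces `SCALAR_API_VERSION` in `src/utils/common-constants.ts` for the client side; the server gate should compare against that constant so a future bump cannot leave the bundled web client and the API out of step. Change the condition to `if (apiVersion !== SCALAR_API_VERSION) {` and add `import { SCALAR_API_VERSION } from "../../utils/common-constants";` to the file's imports (relative path inferred from the file locations in the diffstat — confirm). A one-line comment above the check, `// Reject callers that do not opt into the current Scalar API version; 401 presumably mirrors upstream Scalar — verify`, would record why a malformed query parameter gets 401 rather than 400. The body of `register` continues past the end of the hunk.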
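Review bot: The version check added to `getAccount` is a byte-for-byte copy of the one added to `register` a few lines earlier, including the literal `"1.1"`, the status code and the error text, so the two endpoints can silently diverge the next time any of those changes; a private helper on the class keeps the policy in one place. Both methods would then open with `ScalarService.requireApiVersion(apiVersion);` as their first statement. The ordering is right as written — the gate runs before `getTokenOwner`, so a request with a wrong or missing `v` never reaches token lookup — and the helper preserves that. `ApiError` is whatever the file already imports; the literal can be swapped for the shared constant once it is imported.
```typescript
    /**
     * Rejects any request that does not carry the Scalar API version this
     * server implements. Shared by /register and /account so the two
     * endpoints cannot drift apart.
     * @throws ApiError 401 when `apiVersion` is missing or does not match.
     */
    private static requireApiVersion(apiVersion: string): void {
        if (apiVersion !== "1.1") {
            throw new ApiError(401, "Invalid API version.");
        }
    }

    // … unchanged: getAccount decorators and signature …
        ScalarService.requireApiVersion(apiVersion);
        const userId = await ScalarService.getTokenOwner(scalarToken);
```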
@@ -3,6 +3,7 @@ import { ScalarRegisterResponse } from "../models/ScalarResponses";
 import * as request from "request";
 import { LogService } from "matrix-js-snippets";
 import Upstream from "../db/models/Upstream";
+import { SCALAR_API_VERSION } from "../utils/common-constants";
 export class ScalarClient {
 constructor(private upstream: Upstream) {
@@ -14,6 +15,7 @@ export class ScalarClient {
 request({
 method: "POST",
 url: this.upstream.scalarUrl + "/register",
+ qs: {v: SCALAR_API_VERSION},
 json: openId,
 }, (err, res, _body) => {
 if (err) {
diff --git a/src/utils/common-constants.ts b/src/utils/common-constants.ts
new file mode 100644
index 0000000..fe62678
--- /dev/null
+++ b/src/utils/common-constants.ts
@@ -0,0 +1 @@
+export const SCALAR_API_VERSION = "1.1";
\ No newline at end of file
diff --git a/web/app/shared/services/scalar/scalar-server-api.service.ts b/web/app/shared/services/scalar/scalar-server-api.service.ts
index cc90dde..79a27a0 100644
--- a/web/app/shared/services/scalar/scalar-server-api.service.ts
+++ b/web/app/shared/services/scalar/scalar-server-api.service.ts
@@ -6,6 +6,7 @@ import { FE_ScalarRegisterResponse } from "../../models/scalar-server-responses";
 import { AuthedApi } from "../authed-api";
+import { SCALAR_API_VERSION } from "../../../../../src/utils/common-constants";
 @Injectable()
 export class ScalarServerApiService extends AuthedApi {
@@ -14,10 +15,12 @@ export class ScalarServerApiService extends AuthedApi {
 }
 public getAccount(): Promise {
- return this.authedGet("/api/v1/scalar/account").map(res => res.json()).toPromise();
+ return this.authedGet("/api/v1/scalar/account", {v: SCALAR_API_VERSION}).map(res => res.json()).toPromise();
 }
 public register(openId: FE_ScalarOpenIdRequestBody): Promise {
- return this.http.post("/api/v1/scalar/register", openId).map(res => res.json()).toPromise();
+ return this.http.post("/api/v1/scalar/register", openId, {
+ params: {v: SCALAR_API_VERSION},
+ }).map(res => res.json()).toPromise();
 }
 }
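Review bot: The new `qs: {v: SCALAR_API_VERSION}` only changes what is sent to the upstream `/register`; the callback that follows, `(err, res, _body) => { if (err) {`, continues outside the hunk and nothing visible here inspects `res.statusCode`. The server side of this same commit answers a wrong or missing `v` with a 401, so an upstream that behaves the same way will deliver its rejection as a completed response with a non-2xx status, which a callback that only checks `err` would treat as a successful registration. Worth confirming the rest of the callback guards on the status, for example `if (err || res.statusCode !== 200) {`, and surfaces the body in the error log.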
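Review bot: The new `src/utils/common-constants.ts` ends without a trailing newline (`\ No newline at end of file`) and carries no documentation for a value that the server gate and the web client now both depend on. A TSDoc comment above the export, `/** Scalar API version sent as ?v= on /register and /account; the server answers any other value with 401. */`, records the contract, and a terminating newline keeps the next diff to this file clean.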
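Review bot: The web client now reaches into the server source tree with `import { SCALAR_API_VERSION } from "../../../../../src/utils/common-constants";`, a five-level relative path that couples the front-end bundle to the backend's directory layout. If the two trees are built or packaged separately this breaks as soon as either side moves, and it opens the door to other server-only modules being pulled into the browser bundle the same way; a path alias or a small shared package for cross-tree constants is the safer home. If the web build already supports aliases, something of the form `import { SCALAR_API_VERSION } from "@shared/common-constants";` is the shape to prefer — what the build configuration allows cannot be told from this diff.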
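Review bot: `getAccount` now hands `{v: SCALAR_API_VERSION}` to `this.authedGet` as a second positional argument, while `register` passes it as `params` in the `http.post` options; `AuthedApi` is not in this diff, so whether `authedGet` forwards that object as query parameters cannot be confirmed here and should be checked, because the server side of this commit answers every account lookup without `?v=1.1` with a 401. Using one form in both methods, or documenting the argument on `authedGet` (outside this diff), removes the ambiguity. The enclosing class `ScalarServerApiService` starts before this hunk.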