Auth: Accept access token as passwd with fail rate limit #782 #808 #3943

Signed-off-by: Michael Mayer <michael@photoprism.app>
2025-12-12 00:34:13 +01:00 · 2024-01-14 18:28:17 +01:00
parent 9586a9ec69
commit fed1d8ad95
71 changed files with 930 additions and 507 deletions
--- a/internal/api/session_delete.go
+++ b/internal/api/session_delete.go
@@ -10,8 +10,10 @@ import (
 	"github.com/photoprism/photoprism/internal/event"
 	"github.com/photoprism/photoprism/internal/get"
 	"github.com/photoprism/photoprism/internal/i18n"
+	"github.com/photoprism/photoprism/internal/server/limiter"
 	"github.com/photoprism/photoprism/internal/session"
 	"github.com/photoprism/photoprism/pkg/clean"
+	"github.com/photoprism/photoprism/pkg/header"
 	"github.com/photoprism/photoprism/pkg/rnd"
 )

@@ -19,8 +21,12 @@ import (
 //
 // DELETE /api/v1/session
 // DELETE /api/v1/session/:id
+// DELETE /api/v1/sessions/:id
 func DeleteSession(router *gin.RouterGroup) {
 	deleteSessionHandler := func(c *gin.Context) {
+		// Disable caching of responses.
+		c.Header(header.CacheControl, header.CacheControlNoStore)
+
 		// Abort if running in public mode.
 		if get.Config().Public() {
 			// Return JSON response for confirmation.
@@ -30,13 +36,23 @@ func DeleteSession(router *gin.RouterGroup) {

 		id := clean.ID(c.Param("id"))

-		// Get client IP address for logs and rate limiting checks.
-		clientIP := ClientIP(c)
+		// Get client IP and auth token from request headers.
+		clientIp := ClientIP(c)
+		authToken := AuthToken(c)
+
+		// Fail if authentication error rate limit is exceeded.
+		if clientIp != "" && limiter.Auth.Reject(clientIp) {
+			limiter.AbortJSON(c)
+			return
+		}

 		// Find session based on auth token.
-		sess, err := entity.FindSession(rnd.SessionID(AuthToken(c)))
+		sess, err := entity.FindSession(rnd.SessionID(authToken))

 		if err != nil || sess == nil {
+			if clientIp != "" {
+				limiter.Auth.Reserve(clientIp)
+			}
 			Abort(c, http.StatusUnauthorized, i18n.ErrUnauthorized)
 			return
 		} else if sess.Abort(c) {
@@ -45,29 +61,29 @@ func DeleteSession(router *gin.RouterGroup) {

 		// Only admins may delete other sessions by ref id.
 		if rnd.IsRefID(id) {
-			if !acl.Resources.AllowAll(acl.ResourceUsers, sess.User().AclRole(), acl.Permissions{acl.AccessAll, acl.ActionManage}) {
-				event.AuditErr([]string{clientIP, "session %s", "delete session %s as %s", "denied"}, sess.RefID, id, sess.User().AclRole())
+			if !acl.Resources.AllowAll(acl.ResourceSessions, sess.User().AclRole(), acl.Permissions{acl.AccessAll, acl.ActionManage}) {
+				event.AuditErr([]string{clientIp, "session %s", "delete %s as %s", "denied"}, sess.RefID, acl.ResourceSessions.String(), sess.User().AclRole())
 				Abort(c, http.StatusForbidden, i18n.ErrForbidden)
 				return
 			}

-			event.AuditInfo([]string{clientIP, "session %s", "delete session %s as %s", "granted"}, sess.RefID, id, sess.User().AclRole())
+			event.AuditInfo([]string{clientIp, "session %s", "delete %s as %s", "granted"}, sess.RefID, acl.ResourceSessions.String(), sess.User().AclRole())

 			if sess = entity.FindSessionByRefID(id); sess == nil {
 				Abort(c, http.StatusNotFound, i18n.ErrNotFound)
 				return
 			}
 		} else if id != "" && sess.ID != id {
-			event.AuditWarn([]string{clientIP, "session %s", "delete session as %s", "ids do not match"}, sess.RefID, sess.User().AclRole())
+			event.AuditWarn([]string{clientIp, "session %s", "delete %s as %s", "ids do not match"}, sess.RefID, acl.ResourceSessions.String(), sess.User().AclRole())
 			Abort(c, http.StatusForbidden, i18n.ErrForbidden)
 			return
 		}

 		// Delete session cache and database record.
 		if err = sess.Delete(); err != nil {
-			event.AuditErr([]string{clientIP, "session %s", "delete session as %s", "%s"}, sess.RefID, sess.User().AclRole(), err)
+			event.AuditErr([]string{clientIp, "session %s", "delete session as %s", "%s"}, sess.RefID, sess.User().AclRole(), err)
 		} else {
-			event.AuditDebug([]string{clientIP, "session %s", "deleted"}, sess.RefID)
+			event.AuditDebug([]string{clientIp, "session %s", "deleted"}, sess.RefID)
 		}

 		// Return JSON response for confirmation.
@@ -76,4 +92,5 @@ func DeleteSession(router *gin.RouterGroup) {

 	router.DELETE("/session", deleteSessionHandler)
 	router.DELETE("/session/:id", deleteSessionHandler)
+	router.DELETE("/sessions/:id", deleteSessionHandler)
 }