locked down more routes

api/api.go

@@ -66,7 +66,14 @@ func Setup(jwtKey, rollbarToken, mqConnectionURL, dbPass, dbURL, ethKey, ethPass
 	statsProtected := r.Group("/api/v1/statistics")
 	statsProtected.Use(authMiddleware.MiddlewareFunc())
 	statsProtected.Use(middleware.APIRestrictionMiddleware(db))
-	statsProtected.GET("/stats", func(c *gin.Context) {
+	statsProtected.GET("/stats", func(c *gin.Context) { // admin locked
+		ethAddress := GetAuthenticatedUserFromContext(c)
+		if ethAddress != AdminAddress {
+			c.JSON(http.StatusForbidden, gin.H{
+				"error": "unauthorized access",
+			})
+			return
+		}
 		c.JSON(http.StatusOK, stats.Report())
 	})
 	return r
@@ -91,11 +98,11 @@ func setupRoutes(g *gin.Engine, authWare *jwt.GinJWTMiddleware, db *gorm.DB) {
 	ipfsProtected := g.Group("/api/v1/ipfs")
 	ipfsProtected.Use(authWare.MiddlewareFunc())
 	ipfsProtected.Use(middleware.APIRestrictionMiddleware(db))
-	ipfsProtected.POST("/pubsub/publish/:topic", IpfsPubSubPublish)
+	ipfsProtected.POST("/pubsub/publish/:topic", IpfsPubSubPublish) // admin locked
 	ipfsProtected.POST("/pin/:hash", PinHashLocally)
 	ipfsProtected.POST("/add-file", AddFileLocally)
-	ipfsProtected.GET("/pubsub/consume/:topic", IpfsPubSubConsume)
-	ipfsProtected.GET("/pins", GetLocalPins)
+	ipfsProtected.GET("/pubsub/consume/:topic", IpfsPubSubConsume) // admin locked
+	ipfsProtected.GET("/pins", GetLocalPins)                       // admin locked
 	ipfsProtected.GET("/object-stat/:key", GetObjectStatForIpfs)
 	ipfsProtected.GET("/object/size/:key", GetFileSizeInBytesForObject)
 	ipfsProtected.GET("/check-for-pin/:hash", CheckLocalNodeForPin)
@@ -105,19 +112,19 @@ func setupRoutes(g *gin.Engine, authWare *jwt.GinJWTMiddleware, db *gorm.DB) {
 	clusterProtected.Use(authWare.MiddlewareFunc())
 	clusterProtected.Use(middleware.APIRestrictionMiddleware(db))
 	clusterProtected.POST("/pin/:hash", PinHashToCluster)
-	clusterProtected.POST("/sync-errors-local", SyncClusterErrorsLocally)
-	clusterProtected.GET("/status-local-pin/:hash", GetLocalStatusForClusterPin)
-	clusterProtected.GET("/status-global-pin/:hash", GetGlobalStatusForClusterPin)
-	clusterProtected.GET("/status-local", FetchLocalClusterStatus)
+	clusterProtected.POST("/sync-errors-local", SyncClusterErrorsLocally)          // admin locked
+	clusterProtected.GET("/status-local-pin/:hash", GetLocalStatusForClusterPin)   // admin locked
+	clusterProtected.GET("/status-global-pin/:hash", GetGlobalStatusForClusterPin) // admin locked
+	clusterProtected.GET("/status-local", FetchLocalClusterStatus)                 // admin locked
 	//clusterProtected.DELETE("/remove-pin/:hash", RemovePinFromCluster)
 
 	databaseProtected := g.Group("/api/v1/database")
 	databaseProtected.Use(authWare.MiddlewareFunc())
 	databaseProtected.Use(middleware.APIRestrictionMiddleware(db))
-	databaseProtected.DELETE("/garbage-collect/test", RunTestGarbageCollection)
-	databaseProtected.DELETE("/garbage-collect/run", RunDatabaseGarbageCollection)
-	databaseProtected.GET("/uploads", GetUploadsFromDatabase)
-	databaseProtected.GET("/uploads/:address", GetUploadsForAddress)
+	databaseProtected.DELETE("/garbage-collect/test", RunTestGarbageCollection)    // admin locked
+	databaseProtected.DELETE("/garbage-collect/run", RunDatabaseGarbageCollection) // admin locked
+	databaseProtected.GET("/uploads", GetUploadsFromDatabase)                      // admin locked
+	databaseProtected.GET("/uploads/:address", GetUploadsForAddress)               // partial admin locked
 
 	frontendProtected := g.Group("/api/v1/frontend/")
 	frontendProtected.Use(authWare.MiddlewareFunc())
@@ -128,7 +135,7 @@ func setupRoutes(g *gin.Engine, authWare *jwt.GinJWTMiddleware, db *gorm.DB) {
 	paymentsAPIProtected := g.Group("/api/v1/payments-api")
 	paymentsAPIProtected.Use(authWare.MiddlewareFunc())
 	paymentsAPIProtected.Use(middleware.APIRestrictionMiddleware(db))
-	paymentsAPIProtected.POST("/register", RegisterPayment) // this route requires admin access
+	paymentsAPIProtected.POST("/register", RegisterPayment) // admin locked
 	// PROTECTED ROUTES -- END
 
 }

api/routes_rtfs.go

@@ -179,6 +179,13 @@ func AddFileLocally(c *gin.Context) {
 
 // IpfsPubSubPublish is used to publish a pubsub msg
 func IpfsPubSubPublish(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	topic := c.Param("topic")
 	message, present := c.GetPostForm("message")
 	if !present {
@@ -204,6 +211,13 @@ func IpfsPubSubPublish(c *gin.Context) {
 
 // IpfsPubSubConsume is used to consume pubsub messages
 func IpfsPubSubConsume(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	contextCopy := c.Copy()
 	topic := contextCopy.Param("topic")
 
@@ -260,6 +274,13 @@ func RemovePinFromLocalHost(c *gin.Context) {
 
 // GetLocalPins is used to get the pins tracked by the local ipfs node
 func GetLocalPins(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	// initialize a connection toe the local ipfs node
 	manager, err := rtfs.Initialize("")
 	if err != nil {

api/routes_rtfs_cluster.go

@@ -73,6 +73,13 @@ func PinHashToCluster(c *gin.Context) {
 // SyncClusterErrorsLocally is used to parse through the local cluster state
 // and sync any errors that are detected.
 func SyncClusterErrorsLocally(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	// initialize a conection to the cluster
 	manager := rtfs_cluster.Initialize()
 	// parse the local cluster status, and sync any errors, retunring the cids that were in an error state
@@ -107,6 +114,13 @@ func RemovePinFromCluster(c *gin.Context) {
 
 // GetLocalStatusForClusterPin is used to get teh localnode's cluster status for a particular pin
 func GetLocalStatusForClusterPin(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	hash := c.Param("hash")
 	// initialize a connection to the cluster
 	manager := rtfs_cluster.Initialize()
@@ -137,6 +151,13 @@ func GetGlobalStatusForClusterPin(c *gin.Context) {
 // cluster state, and not the rest of the cluster
 // TODO: cleanup
 func FetchLocalClusterStatus(c *gin.Context) {
+	ethAddress := GetAuthenticatedUserFromContext(c)
+	if ethAddress != AdminAddress {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "unauthorized access",
+		})
+		return
+	}
 	// this will hold all the retrieved content hashes
 	var cids []*gocid.Cid
 	// this will hold all the statuses of the content hashes