Merge pull request #5942 from jaredhilton/develop

Fix 3651, update to /api.../info endpoints to be secure and backwards compatible for mobile clients.
9 years ago · e5f545b0a2
parent f5e3fe6579 6d8c9ad5b2
commit e5f545b0a2
6 changed files with 51 additions and 10 deletions
--- a/packages/rocketchat-api/package.js
+++ b/packages/rocketchat-api/package.js
@ -20,7 +20,12 @@ Package.onUse(function(api) {
 	api.addFiles('server/v1/helpers/getPaginationItems.js', 'server');
 	api.addFiles('server/v1/helpers/getUserFromParams.js', 'server');
 	api.addFiles('server/v1/helpers/parseJsonQuery.js', 'server');
+	api.addFiles('server/v1/helpers/getLoggedInUser.js', 'server');

+	//Register default helpers
+	api.addFiles('server/default/helpers/getLoggedInUser.js', 'server');
+
+	//Add default routes
 	api.addFiles('server/default/info.js', 'server');
 	api.addFiles('server/default/metrics.js', 'server');

--- a/packages/rocketchat-api/server/default/helpers/getLoggedInUser.js
+++ b/packages/rocketchat-api/server/default/helpers/getLoggedInUser.js
@ -0,0 +1,12 @@
+RocketChat.API.default.helperMethods.set('getLoggedInUser', function _getLoggedInUser() {
+	let user;
+
+	if (this.request.headers['x-auth-token'] && this.request.headers['x-user-id']) {
+		user = RocketChat.models.Users.findOne({
+			'_id': this.request.headers['x-user-id'],
+			'services.resume.loginTokens.hashedToken': Accounts._hashLoginToken(this.request.headers['x-auth-token'])
+		});
+	}
+
+	return user;
+});
--- a/packages/rocketchat-api/server/default/info.js
+++ b/packages/rocketchat-api/server/default/info.js
@ -1,5 +1,15 @@
 RocketChat.API.default.addRoute('info', { authRequired: false }, {
 	get: function() {
-		return RocketChat.Info;
+		const user = this.getLoggedInUser();
+
+		if (user && RocketChat.authz.hasRole(user._id, 'admin')) {
+			return RocketChat.API.v1.success({
+				info: RocketChat.Info
+			});
+		}
+
+		return RocketChat.API.v1.success({
+			version: RocketChat.Info.version
+		});
 	}
 });
--- a/packages/rocketchat-api/server/v1/helpers/getLoggedInUser.js
+++ b/packages/rocketchat-api/server/v1/helpers/getLoggedInUser.js
@ -0,0 +1,12 @@
+RocketChat.API.v1.helperMethods.set('getLoggedInUser', function _getLoggedInUser() {
+	let user;
+
+	if (this.request.headers['x-auth-token'] && this.request.headers['x-user-id']) {
+		user = RocketChat.models.Users.findOne({
+			'_id': this.request.headers['x-user-id'],
+			'services.resume.loginTokens.hashedToken': Accounts._hashLoginToken(this.request.headers['x-auth-token'])
+		});
+	}
+
+	return user;
+});
--- a/packages/rocketchat-api/server/v1/misc.js
+++ b/packages/rocketchat-api/server/v1/misc.js
@ -1,7 +1,17 @@
 RocketChat.API.v1.addRoute('info', { authRequired: false }, {
 	get: function() {
+		const user = this.getLoggedInUser();
+
+		if (user && RocketChat.authz.hasRole(user._id, 'admin')) {
+			return RocketChat.API.v1.success({
+				info: RocketChat.Info
+			});
+		}
+
 		return RocketChat.API.v1.success({
-			info: RocketChat.Info
+			info: {
+				'version': RocketChat.Info.version
+			}
 		});
 	}
 });
--- a/tests/end-to-end/api/00-miscellaneous.js
+++ b/tests/end-to-end/api/00-miscellaneous.js
@ -29,14 +29,6 @@ describe('miscellaneous', function() {
 				.expect(200)
 				.expect((res) => {
 					expect(res.body).to.have.property('version');
-					expect(res.body).to.have.deep.property('build.date');
-					expect(res.body).to.have.deep.property('build.nodeVersion');
-					expect(res.body).to.have.deep.property('build.arch');
-					expect(res.body).to.have.deep.property('build.platform');
-					expect(res.body).to.have.deep.property('build.osRelease');
-					expect(res.body).to.have.deep.property('build.totalMemory');
-					expect(res.body).to.have.deep.property('build.freeMemory');
-					expect(res.body).to.have.deep.property('build.cpus');
 				})
 				.end(done);
 		});