client/web: invert auth logic for synology and qnap
Add separate server methods for synology and qnap, and enforce authentication and authorization checks before calling into the actual serving handlers. This allows us to remove all of the auth logic from those handlers, since all requests will already be authenticated by that point. Also simplify the Synology token redirect handler by using fetch. Remove the SynologyUser from nodeData, since it was never used in the frontend anyway. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com>
This commit is contained in:
Will Norris
Will Norris
@@ -16,6 +16,23 @@ import (
|
||||
"net/url"
|
||||
)
|
||||
|
||||
// authorizeQNAP authenticates the logged-in QNAP user and verifies
|
||||
// that they are authorized to use the web client. It returns true if the
|
||||
// request was handled and no further processing is required.
|
||||
func authorizeQNAP(w http.ResponseWriter, r *http.Request) (handled bool) {
|
||||
_, resp, err := qnapAuthn(r)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
return true
|
||||
}
|
||||
if resp.IsAdmin == 0 {
|
||||
http.Error(w, "user is not an admin", http.StatusForbidden)
|
||||
return true
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
type qnapAuthResponse struct {
|
||||
AuthPassed int `xml:"authPassed"`
|
||||
IsAdmin int `xml:"isAdmin"`
|
||||
|
||||
Reference in New Issue
Block a user