Fixed, styling, added use of nonce (#1067)

buerokratt · Dec 13, 2024 · c717ea3 · c717ea3
1 parent 56ee7e3
commit c717ea3
Show file tree

Hide file tree

Showing 8 changed files with 82 additions and 16 deletions.
diff --git a/DSL/DMapper/hbs/delete_conversations_cron.handlebars b/DSL/DMapper/hbs/delete_conversations_cron.handlebars
@@ -1,6 +1,5 @@
 {
     "trigger": "{{ cronExpression }}",
-    "type": "http",
-    "method": "{{ method }}",
-    "url": "{{{ url }}}"
+    "type": "exec",
+    "command": "{{{ command }}}"
 }
diff --git a/DSL/Resql/get-new-nonce.sql b/DSL/Resql/get-new-nonce.sql
@@ -0,0 +1 @@
+INSERT INTO request_nonces (valid_until) VALUES ( now() + interval '1 day') RETURNING nonce;
diff --git a/DSL/Resql/use-nonce.sql b/DSL/Resql/use-nonce.sql
@@ -0,0 +1 @@
+update request_nonces set used_at = now() where nonce = :updated_nonce and used_at is null returning nonce;
diff --git a/DSL/Ruuter.private/DSL/GET/.guard b/DSL/Ruuter.private/DSL/GET/.guard
@@ -1,17 +1,48 @@
-check_for_cookie:
+process_request:
   switch:
-    - condition: ${incoming.params.skipAuth ===  "true"}
-      next: guard_success
+    - condition: ${ incoming.headers['x-ruuter-nonce'] != null }
+      next: verify_header_nonce
+    - condition: ${ incoming.params['ruuter-nonce'] != null }
+      next: verify_param_nonce
     - condition: ${incoming.headers == null || incoming.headers.cookie == null}
       next: guard_fail
   next: authenticate
 
+verify_header_nonce:
+  call: http.post
+  args:
+    url: "[#TRAINING_RESQL]/use-nonce"
+    body:
+      updated_nonce: ${incoming.headers['x-ruuter-nonce']}
+  result: nonce_response
+  next: check_inline
+
+verify_param_nonce:
+  call: http.post
+  args:
+    url: "[#TRAINING_RESQL]/use-nonce"
+    body:
+      updated_nonce: ${incoming.params['ruuter-nonce']}
+  result: nonce_response
+  next: check_inline
+
+check_inline:
+  inline: extAuth
+  result: extauth
+
+check_nonce:
+  switch:
+    - condition: ${ !extauth || (nonce_response.response.body[0] == null) }
+      next: guard_fail
+  next: guard_success
+
 authenticate:
   template: check-user-authority
   requestType: templates
   headers:
     cookie: ${incoming.headers.cookie}
   result: authority_result
+  next: check_authority_result
 
 check_authority_result:
   switch:
@@ -26,5 +57,5 @@ guard_success:
 
 guard_fail:
   return: "unauthorized"
-  status: 200
-  next: end
+  status: 403
+  next: end
diff --git a/DSL/Ruuter.private/DSL/POST/.guard b/DSL/Ruuter.private/DSL/POST/.guard
@@ -1,15 +1,48 @@
-check_for_cookie:
+process_request:
   switch:
+    - condition: ${ incoming.headers['x-ruuter-nonce'] != null }
+      next: verify_header_nonce
+    - condition: ${ incoming.params['ruuter-nonce'] != null }
+      next: verify_param_nonce
     - condition: ${incoming.headers == null || incoming.headers.cookie == null}
-      next: guard_fail
+      next: guard_fail  
   next: authenticate
 
+verify_header_nonce:
+  call: http.post
+  args:
+    url: "[#TRAINING_RESQL]/use-nonce"
+    body:
+      updated_nonce: ${incoming.headers['x-ruuter-nonce']}
+  result: nonce_response
+  next: check_inline
+
+verify_param_nonce:
+  call: http.post
+  args:
+    url: "[#TRAINING_RESQL]/use-nonce"
+    body:
+      updated_nonce: ${incoming.params['ruuter-nonce']}
+  result: nonce_response
+  next: check_inline
+
+check_inline:
+  inline: extAuth
+  result: extauth
+
+check_nonce:
+  switch:
+    - condition: ${ !extauth || (nonce_response.response.body[0] == null) }
+      next: guard_fail
+  next: guard_success
+
 authenticate:
   template: check-user-authority
   requestType: templates
   headers:
     cookie: ${incoming.headers.cookie}
   result: authority_result
+  next: check_authority_result
 
 check_authority_result:
   switch:
@@ -24,5 +57,5 @@ guard_success:
 
 guard_fail:
   return: "unauthorized"
-  status: 200
-  next: end
+  status: 403
+  next: end
diff --git a/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml b/DSL/Ruuter.private/DSL/POST/internal/sync/delete-conversations-cron.yml
@@ -58,8 +58,7 @@ createAuthCronJson:
       type: "json"
     body:
       cronExpression: ${expression}
-      method: "GET"
-      url: "[#CHATBOT_RUUTER_PRIVATE_INTERNAL]/cron-tasks/delete-conversations?isAuth=true&skipAuth=true"
+      command: "./scripts/remove-auth-conversations.sh"
   result: authCronJson
 
 createAnonCronJson:
@@ -70,8 +69,7 @@ createAnonCronJson:
       type: "json"
     body:
       cronExpression: ${expression}
-      method: "GET"
-      url: "[#CHATBOT_RUUTER_PRIVATE_INTERNAL]/cron-tasks/delete-conversations?isAuth=false&skipAuth=true"
+      command: "./scripts/remove-anonym-conversations.sh"
   result: anonCronJson
 
 checkAuthConditions:

diff --git a/GUI/src/pages/Settings/DeleteConversations/index.tsx b/GUI/src/pages/Settings/DeleteConversations/index.tsx
@@ -162,6 +162,7 @@ const DeleteConversations: FC = () => {
             <Card
                 isHeaderLight={true}
                 isBodyDivided={true}
+                isScrollable={true}
                 footer={
                     <Track justify="end">
                         <Button onClick={handleFormSubmit}>{t('global.save')}</Button>

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -48,9 +48,11 @@ services:
       - application.logging.printStackTrace=true
       - application.internalRequests.disabled=true
       - server.port=8088
+      - application.externalAuthAllowed=/cron-tasks/delete-conversations
     volumes:
       - ./DSL/Ruuter.private/DSL:/DSL
       - ./constants.ini:/app/constants.ini
+      - jwt-integration.signature.key-store-password=defaultpassword
     ports:
       - 8088:8088
     networks:
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		INSERT INTO request_nonces (valid_until) VALUES ( now() + interval '1 day') RETURNING nonce;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		update request_nonces set used_at = now() where nonce = :updated_nonce and used_at is null returning nonce;