authorLeonardo Bishop <me@leonardobishop.com>2025-02-19 15:19:46 +0000
committerLeonardo Bishop <me@leonardobishop.com>2025-02-19 15:19:46 +0000
commit141c08bc5fe1432be8372cdae7c7544b9f862c35 (patch)
tree2ac26da7fcfa298f7c32101cca923b9c9ed2f37f
parent7eee9e83517338c784d428596bbc32ca149a002a (diff)
Add permissioned setupHEADmaster
-rw-r--r--api/handlers/peer.go8
-rw-r--r--pkg/config/service.go8
-rw-r--r--web/index.html8
3 files changed, 24 insertions, 0 deletions
diff --git a/api/handlers/peer.go b/api/handlers/peer.go
index 51fa047..af6e42a 100644
--- a/api/handlers/peer.go
+++ b/api/handlers/peer.go
@@ -1,6 +1,7 @@
package handlers
import (
+ "crypto/subtle"
"fmt"
"log/slog"
"net/http"
@@ -36,6 +37,13 @@ func NewPeer(storeService store.Service, wireguardService wireguard.Service, con
return func(w http.ResponseWriter, r *http.Request) {
params := mux.Vars(r)
port := params["port"]
+ key := r.URL.Query().Get("key")
+
+ if configService.Config().Permissions.Enabled {
+ if subtle.ConstantTimeCompare([]byte(key), []byte(configService.Config().Permissions.SecretKey)) != 1 {
+ http.Error(w, "bad key", http.StatusForbidden)
+ }
+ }
peer, err := wireguardService.NewPeer()
if err != nil {
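Review bot: The forbidden response does not stop the handler — there is no `return` after `http.Error(w, "bad key", http.StatusForbidden)`, so when Permissions.Enabled is set a wrong or missing key still falls through to `wireguardService.NewPeer()` and the peer is created anyway (the later write to w will also log a superfluous WriteHeader warning). Add `return` on the line directly after the `http.Error` call so the 403 is the only outcome of a failed comparison. Worth noting as well that the secret travels in the query string, so it will end up in access logs, proxies and shell history; carrying it in a request header would keep it out of those, though that is a design choice beyond this fix. NewPeer's body continues outside the hunk.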
diff --git a/pkg/config/service.go b/pkg/config/service.go
index 3c9a27e..90d0d11 100644
--- a/pkg/config/service.go
+++ b/pkg/config/service.go
@@ -22,6 +22,10 @@ type Config struct {
Port string `yaml:"port" validate:"required"`
InterfaceName string `yaml:"interfaceName" validate:"required"`
} `yaml:"wireGuard"`
+ Permissions struct {
+ Enabled bool `yaml:"enabled"`
+ SecretKey string `yaml:"secretKey"`
+ }
ExpireAfter int `yaml:"expireAfter"`
}
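Review bot: The new `Permissions` field is the only nested struct in Config without a yaml tag, while the sibling block above it closes with `} \`yaml:"wireGuard"\``; closing it with `} \`yaml:"permissions"\`` makes the key name explicit instead of relying on the decoder's default field-name lowercasing. A short comment on `Enabled` saying that it defaults to false (plain open setup) would also help readers of the config, since the zero value is what keeps existing config files working. The Config definition begins outside the hunk.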
@@ -95,5 +99,9 @@ func (s *service) validateConfig(c *Config) error {
}
}
+ if c.Permissions.Enabled && len(c.Permissions.SecretKey) == 0 {
+ return fmt.Errorf("requested permissioned setup but no secret key was given")
+ }
+
return nil
}
diff --git a/web/index.html b/web/index.html
index cdb46ed..4cc5a7f 100644
--- a/web/index.html
+++ b/web/index.html
@@ -52,6 +52,14 @@ curl -sSL http://{{.Host}}/8080 | sh
<dt>Inactivity time: {{.ExpireAfter}} seconds</dt>
<dd>Tunnels will expire after this amount of time. (You will need to re-create a new one.)</dd>
+
+ <dt>Permissioned: {{.Permissioned}}</dt>
+ <dd>If true, a secret key will also need to be passed to create a tunnel.</dd>
+ <dd>
+ <pre>
+curl -sSL http://{{.Host}}/[PORT YOU WANT TO FORWARD]?key=[SECRET KEY] | sh
+ </pre>
+ </dd>
</dl>
</body>