update beta ProxMenux 1.2.1.1-beta

2026-05-15 05:25:00 +00:00 · 2026-05-09 18:59:59 +02:00
parent 5ed1fc44fd
commit 2f919de9e3
125 changed files with 16506 additions and 2877 deletions
@@ -6,7 +6,7 @@ Automatically checks auth status and validates tokens

 from flask import request, jsonify
 from functools import wraps
-from auth_manager import load_auth_config, verify_token
+from auth_manager import load_auth_config, verify_token, verify_token_full


 def require_auth(f):
@@ -66,6 +66,39 @@ def require_auth(f):
    return decorated_function


+def require_admin_scope(f):
+    """Like `require_auth` but ALSO requires the token's `scope == full_admin`.
+
+    Use on mutating routes that should be off-limits to read-only API
+    tokens (e.g. script execution, SSL disable, auth setup). Tokens
+    generated by the session login flow inherit `full_admin` implicitly;
+    long-lived API tokens default to `read_only` unless the caller
+    opted in. Audit Tier 6 — Tokens API JWT 365 días sin scope.
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        config = load_auth_config()
+        if not config.get("enabled", False) or config.get("declined", False):
+            return f(*args, **kwargs)
+        auth_header = request.headers.get('Authorization')
+        if not auth_header:
+            return jsonify({"error": "Authentication required",
+                            "message": "No authorization header provided"}), 401
+        parts = auth_header.split()
+        if len(parts) != 2 or parts[0].lower() != 'bearer':
+            return jsonify({"error": "Invalid authorization header",
+                            "message": "Authorization header must be in format: Bearer <token>"}), 401
+        username, scope = verify_token_full(parts[1])
+        if not username:
+            return jsonify({"error": "Invalid or expired token",
+                            "message": "Please log in again"}), 401
+        if scope != 'full_admin':
+            return jsonify({"error": "Insufficient scope",
+                            "message": f"This action requires a full_admin token (your token: {scope})"}), 403
+        return f(*args, **kwargs)
+    return decorated_function
+
+
 def optional_auth(f):
    """
    Decorator for routes that can optionally use auth