3 tahun lalu · 0b32bf72f7
--- a/apps/emqx_dashboard/src/emqx_dashboard.appup.src
+++ b/apps/emqx_dashboard/src/emqx_dashboard.appup.src
@@ -1,7 +1,13 @@
 
				 %% -*- mode: erlang -*-
			
 
				 %% Unless you know what you are doing, DO NOT edit manually!!
			
 
				 {VSN,
			
 
				-  [{"5.0.0",[{load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]}]},
			
 
				+  [{"5.0.0", [
			
 
				+    {load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]},
			
 
				+    {load_module,emqx_dashboard_token,brutal_purge,soft_purge,[]}
			
 
				+   ]},
			
 
				    {<<".*">>,[]}],
			
 
				-  [{"5.0.0",[{load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]}]},
			
 
				+  [{"5.0.0", [
			
 
				+    {load_module,emqx_dashboard_api,brutal_purge,soft_purge,[]},
			
 
				+    {load_module,emqx_dashboard_token,brutal_purge,soft_purge,[]}
			
 
				+   ]},
			
 
				    {<<".*">>,[]}]}.
			
--- a/apps/emqx_dashboard/src/emqx_dashboard_api.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_api.erl
@@ -272,22 +272,59 @@ user(put, #{bindings := #{username := Username}, body := Params}) ->
 
				         {error, Reason} ->
			
 
				             {404, ?USER_NOT_FOUND, Reason}
			
 
				     end;
			
 
				-user(delete, #{bindings := #{username := Username}}) ->
			
 
				+user(delete, #{bindings := #{username := Username}, headers := Headers}) ->
			
 
				     case Username == emqx_dashboard_admin:default_username() of
			
 
				         true ->
			
 
				             ?SLOG(info, #{msg => "Dashboard delete admin user failed", username => Username}),
			
 
				             Message = list_to_binary(io_lib:format("Cannot delete user ~p", [Username])),
			
 
				             {400, ?NOT_ALLOWED, Message};
			
 
				         false ->
			
 
				-            case emqx_dashboard_admin:remove_user(Username) of
			
 
				-                {error, Reason} ->
			
 
				-                    {404, ?USER_NOT_FOUND, Reason};
			
 
				-                {ok, _} ->
			
 
				-                    ?SLOG(info, #{msg => "Dashboard delete admin user", username => Username}),
			
 
				-                    {204}
			
 
				+            case is_self_auth(Username, Headers) of
			
 
				+                true ->
			
 
				+                    {400, ?NOT_ALLOWED, <<"Cannot delete self">>};
			
 
				+                false ->
			
 
				+                    case emqx_dashboard_admin:remove_user(Username) of
			
 
				+                        {error, Reason} ->
			
 
				+                            {404, ?USER_NOT_FOUND, Reason};
			
 
				+                        {ok, _} ->
			
 
				+                            ?SLOG(info, #{
			
 
				+                                msg => "Dashboard delete admin user", username => Username
			
 
				+                            }),
			
 
				+                            {204}
			
 
				+                    end
			
 
				             end
			
 
				     end.
			
 
				 
			
 
				+is_self_auth(Username, #{<<"authorization">> := Token}) ->
			
 
				+    is_self_auth(Username, Token);
			
 
				+is_self_auth(Username, #{<<"Authorization">> := Token}) ->
			
 
				+    is_self_auth(Username, Token);
			
 
				+is_self_auth(Username, <<"basic ", Token/binary>>) ->
			
 
				+    is_self_auth_basic(Username, Token);
			
 
				+is_self_auth(Username, <<"Basic ", Token/binary>>) ->
			
 
				+    is_self_auth_basic(Username, Token);
			
 
				+is_self_auth(Username, <<"bearer ", Token/binary>>) ->
			
 
				+    is_self_auth_token(Username, Token);
			
 
				+is_self_auth(Username, <<"Bearer ", Token/binary>>) ->
			
 
				+    is_self_auth_token(Username, Token).
			
 
				+
			
 
				+is_self_auth_basic(Username, Token) ->
			
 
				+    UP = base64:decode(Token),
			
 
				+    case binary:match(UP, Username) of
			
 
				+        {0, N} ->
			
 
				+            binary:part(UP, {N, 1}) == <<":">>;
			
 
				+        _ ->
			
 
				+            false
			
 
				+    end.
			
 
				+
			
 
				+is_self_auth_token(Username, Token) ->
			
 
				+    case emqx_dashboard_token:owner(Token) of
			
 
				+        {ok, Owner} ->
			
 
				+            Owner == Username;
			
 
				+        {error, _NotFound} ->
			
 
				+            false
			
 
				+    end.
			
 
				+
			
 
				 change_pwd(put, #{bindings := #{username := Username}, body := Params}) ->
			
 
				     LogMeta = #{msg => "Dashboard change password", username => Username},
			
 
				     OldPwd = maps:get(<<"old_pwd">>, Params),
			
--- a/apps/emqx_dashboard/src/emqx_dashboard_token.erl
+++ b/apps/emqx_dashboard/src/emqx_dashboard_token.erl
@@ -22,6 +22,7 @@
 
				     sign/2,
			
 
				     verify/1,
			
 
				     lookup/1,
			
 
				+    owner/1,
			
 
				     destroy/1,
			
 
				     destroy_by_username/1
			
 
				 ]).
			
@@ -161,6 +162,14 @@ lookup_by_username(Username) ->
 
				     {atomic, List} = mria:ro_transaction(?DASHBOARD_SHARD, Fun),
			
 
				     List.
			
 
				 
			
 
				+-spec owner(Token :: binary()) -> {ok, Username :: binary} | {error, not_found}.
			
 
				+owner(Token) ->
			
 
				+    Fun = fun() -> mnesia:read(?TAB, Token) end,
			
 
				+    case mria:ro_transaction(?DASHBOARD_SHARD, Fun) of
			
 
				+        {atomic, [#?ADMIN_JWT{username = Username}]} -> {ok, Username};
			
 
				+        {atomic, []} -> {error, not_found}
			
 
				+    end.
			
 
				+
			
 
				 jwk(Username, Password, Salt) ->
			
 
				     Key = crypto:hash(md5, <<Salt/binary, Username/binary, Password/binary>>),
			
 
				     #{