
not allow remote get access tokens
authorYongfeng LI <wliyongfeng@gmail.com>
Mon, 15 Jan 2018 07:03:57 +0000 (15:03 +0800)
committerYongfeng LI <wliyongfeng@gmail.com>
Mon, 15 Jan 2018 07:03:57 +0000 (15:03 +0800)
net/http/authn/authn.go

index 77790d6..923466c 100644 (file)
@@ -61,6 +61,11 @@ func (a *API) Authenticate(req *http.Request) (*http.Request, error) {
        if local {
                ctx = newContextWithLocalhost(ctx)
        }
+
+       if !local && strings.HasPrefix(req.URL.Path, "/list-access-tokens") {
+               return req.WithContext(ctx), errors.New("only local can get access token list")
+       }
+
        // Temporary workaround. Dashboard is always ok.
        // See loopbackOn comment above.
        if strings.HasPrefix(req.URL.Path, "/dashboard/") || req.URL.Path == "/dashboard" {
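Review bot: The new guard `strings.HasPrefix(req.URL.Path, "/list-access-tokens")` matches the raw request path by prefix, so it protects the endpoint only if the router reads the path exactly as this check does; a non-canonical form that the mux normalizes later would not match here, and the prefix also rejects unrelated paths that merely begin with the same string. An exact comparison on a cleaned path, e.g. `if !local && path.Clean(req.URL.Path) == "/list-access-tokens" {`, or enforcing the local-only rule inside the handler itself, would close that gap. Only the listing route is restricted; if the API also exposes routes that create or delete tokens (not visible here), they probably need the same rule. How `local` is derived is outside the hunk, so confirm it: if it comes from the peer address, a reverse proxy on the same host would make every request look local. Authenticate's body starts and ends outside the hunk.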