Describe the bug
Currently its required to have the "page-all" right to receive a JWT.
Default access right for service authorization is "page-all"
https://github.com/jaredhendrickson13/pfsense-api/blob/a2d0d3cf7c7d921a1896f0a8be741f241dab5607/pfSense-pkg-API/files/etc/inc/api/framework/APIModel.inc#L41
Token create does not override authorization
https://github.com/jaredhendrickson13/pfsense-api/blob/a2d0d3cf7c7d921a1896f0a8be741f241dab5607/pfSense-pkg-API/files/etc/inc/api/models/APIAccessTokenCreate.inc#L21
Add a privileges field to the constructor of APIAccessTokenCreate (APIAccessTokenCreate.inc):
$this->privileges = [];
This allows every valid user to create a JWT, independent of other rights. In my view that is correct: APIAccessTokenCreate does only authentication; authorisation is done by each service itself.
To Reproduce
Create a non-admin user, e.g. one with access only to the certificate manager.
curl -s -u "${PFSENSE_USERNAME}:${PFSENSE_PASSWORD}" -X POST "${PFSENSE_URL}/api/v1/access_token"
{"status":"forbidden","code":403,"return":4,"message":"Authorization failed","data":[]}
Expected behavior
Tokens can also be obtained by non-admin users.
Screenshots or Response
n/a
pfSense Version & Package Version:
- pfSense Version: pfSense 2.7.0
- Package Version: v1.6.0
Affected Endpoints:
- URL: /api/v1/access_token
Additional context
I thought an E2E test for this scenario would be good, but currently I struggle with building one.
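An added illustration, not part of this issue and not pfsense-api code, of the split the report argues for: token issuance only authenticates (empty privilege list), while every other endpoint keeps its own privilege check, with "page-all" still required by default. The helper names, the certificate privilege string and the non-token endpoint paths are assumptions.

```python
from typing import Dict, List

# Assumption: pfSense's "page-all" (WebCfg - All pages) satisfies any page check.
ALL_PAGES = "page-all"


def is_authorized(required: List[str], user_privs: List[str]) -> bool:
    """Allow when nothing is required, when the user holds page-all,
    or when the user holds at least one of the required privileges."""
    if not required:
        return True
    if ALL_PAGES in user_privs:
        return True
    return any(priv in user_privs for priv in required)


class Endpoint:
    # Framework default from the report: require page-all unless overridden.
    privileges: List[str] = [ALL_PAGES]

    def __init__(self, path: str) -> None:
        self.path = path

    def handle(self, user_privs: List[str]) -> Dict[str, object]:
        if not is_authorized(self.privileges, user_privs):
            return {"status": "forbidden", "code": 403,
                    "message": "Authorization failed", "data": []}
        return {"status": "ok", "code": 200, "data": {"path": self.path}}


class AccessTokenCreate(Endpoint):
    # Proposed change: issuing a JWT needs valid credentials, no page right.
    privileges: List[str] = []


class CertificateList(Endpoint):
    # Constructed privilege name for a "cert manager only" user.
    privileges: List[str] = ["page-system-certmanager"]


def simulate(user_privs: List[str]) -> Dict[str, int]:
    """Return the HTTP code each endpoint yields for a user with user_privs."""
    token = AccessTokenCreate("/api/v1/access_token").handle(user_privs)
    cert = CertificateList("/api/v1/system/certificate").handle(user_privs)  # assumed path
    fw = Endpoint("/api/v1/firewall/rule").handle(user_privs)  # assumed path, default privs
    return {"token": token["code"], "cert": cert["code"], "firewall": fw["code"]}


if __name__ == "__main__":
    print(simulate(["page-system-certmanager"]))  # token 200, cert 200, firewall 403
```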