From c86d650e5a069e1706319609bc6cf7b0025d6759 Mon Sep 17 00:00:00 2001
From: padreug
Date: Thu, 26 Jun 2025 13:18:17 +0200
Subject: [PATCH] Refactor API authentication: Replace 'require_invoice_key' with 'require_admin_key' for dashboard endpoints to restrict access to admin users only. Update related frontend API calls to use 'adminkey' instead of 'inkey' for consistency.
---
 static/js/index.js | 6 +++---
 views_api.py | 18 +++++++++++-------
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/static/js/index.js b/static/js/index.js
index f59b1bb..192256a 100644
--- a/static/js/index.js
+++ b/static/js/index.js
@@ -121,7 +121,7 @@ window.app = Vue.createApp({
 const { data } = await LNbits.api.request(
 'GET',
 '/satmachineclient/api/v1/dashboard/summary',
- this.g.user.wallets[0].inkey
+ this.g.user.wallets[0].adminkey
 )
 this.dashboardData = data
 } catch (error) {
@@ -135,7 +135,7 @@ window.app = Vue.createApp({
 const { data } = await LNbits.api.request(
 'GET',
 '/satmachineclient/api/v1/dashboard/transactions?limit=50',
- this.g.user.wallets[0].inkey
+ this.g.user.wallets[0].adminkey
 )
 // Debug: Log the first transaction to see date format
@@ -232,7 +232,7 @@ window.app = Vue.createApp({
 const {data} = await LNbits.api.request(
 'GET',
 `/satmachineclient/api/v1/dashboard/analytics?time_range=${this.chartTimeRange}`,
- this.g.user.wallets[0].inkey
+ this.g.user.wallets[0].adminkey
 )
 // Debug: Log analytics data
diff --git a/views_api.py b/views_api.py
index 4b46774..43b6b2f 100644
--- a/views_api.py
+++ b/views_api.py
@@ -6,7 +6,7 @@ from datetime import datetime, timedelta
 from fastapi import APIRouter, Depends, Query
 from lnbits.core.models import WalletTypeInfo
-from lnbits.decorators import require_invoice_key
+from lnbits.decorators import require_admin_key
 from starlette.exceptions import HTTPException
 from .crud import (
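Review bot: All three calls in this file now hand `this.g.user.wallets[0].adminkey` to read-only GET routes (summary, transactions, analytics), and the views_api.py hunks that follow put `require_admin_key` on the read-only export route as well, which is more privilege than a read needs. As far as I know, LNbits' `require_admin_key` only checks that the presented `X-Api-Key` is a wallet's admin key — the key that also authorizes outgoing payments — and not that the user is an LNbits administrator, so the change does not restrict these routes to "admin users" as the subject states; every logged-in user still reaches their own dashboard through `wallet.wallet.user`, just with a spend-capable key attached to every request. The least-privilege split would keep `inkey` here and `require_invoice_key` on the four read-only routes, and require the admin key only for the settings PUT. Whichever tier is chosen, the subject and the new docstring should describe it as a key-tier requirement rather than an admin-role restriction.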
@@ -32,7 +32,7 @@ satmachineclient_api_router = APIRouter()
 @satmachineclient_api_router.get("/api/v1/dashboard/summary")
 async def api_get_dashboard_summary(
- wallet: WalletTypeInfo = Depends(require_invoice_key),
+ wallet: WalletTypeInfo = Depends(require_admin_key),
 ) -> ClientDashboardSummary:
 """Get client dashboard summary metrics"""
 summary = await get_client_dashboard_summary(wallet.wallet.user)
@@ -46,7 +46,7 @@ async def api_get_dashboard_summary(
 @satmachineclient_api_router.get("/api/v1/dashboard/transactions")
 async def api_get_client_transactions(
- wallet: WalletTypeInfo = Depends(require_invoice_key),
+ wallet: WalletTypeInfo = Depends(require_admin_key),
 limit: int = Query(50, ge=1, le=1000),
 offset: int = Query(0, ge=0),
 transaction_type: Optional[str] = Query(None),
@@ -66,7 +66,7 @@ async def api_get_client_transactions(
 @satmachineclient_api_router.get("/api/v1/dashboard/analytics")
 async def api_get_client_analytics(
- wallet: WalletTypeInfo = Depends(require_invoice_key),
+ wallet: WalletTypeInfo = Depends(require_admin_key),
 time_range: str = Query("30d", regex="^(7d|30d|90d|1y|all)$"),
 ) -> ClientAnalytics:
 """Get client performance analytics and cost basis data"""
@@ -95,9 +95,13 @@ async def api_get_client_analytics(
 @satmachineclient_api_router.put("/api/v1/dashboard/settings")
 async def api_update_client_settings(
 settings: UpdateClientSettings,
- wallet: WalletTypeInfo = Depends(require_invoice_key),
+ wallet: WalletTypeInfo = Depends(require_admin_key),
 ) -> dict:
- """Update client DCA settings (mode, limits, status)"""
+ """Update client DCA settings (mode, limits, status)
+
+ Security: Users can only modify their own DCA settings.
+ Validated by user_id lookup from wallet.wallet.user.
+ """
 client = await get_client_by_user_id(wallet.wallet.user)
 if not client:
 raise HTTPException(
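Review bot: The new docstring on `api_update_client_settings` in the last hunk documents the per-user scoping but not the key requirement the same hunk introduces, and "Validated by user_id lookup" describes the mechanism loosely. I would reword it to state that the wallet admin key is required, that the client record is resolved from the authenticated wallet's owner (`wallet.wallet.user`) via `get_client_by_user_id`, and that a missing record is rejected with the HTTPException raised just below, so a caller can only update the settings of their own client. The body of `api_update_client_settings` continues outside the hunk. The one-line docstrings on the read-only routes in the other hunks of this file (summary, transactions, analytics) say nothing about the key tier either and should be updated in the same way.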
@@ -117,7 +121,7 @@ async def api_update_client_settings(
 @satmachineclient_api_router.get("/api/v1/dashboard/export/transactions")
 async def api_export_transactions(
- wallet: WalletTypeInfo = Depends(require_invoice_key),
+ wallet: WalletTypeInfo = Depends(require_admin_key),
 format: str = Query("csv", regex="^(csv|json)$"),
 start_date: Optional[datetime] = Query(None),
 end_date: Optional[datetime] = Query(None),