lnbits-exts/satmachineclient
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 2

Refactor API authentication: Replace 'require_invoice_key' with 'require_admin_key' for dashboard endpoints to restrict access to admin users only. Update related frontend API calls to use 'adminkey' instead of 'inkey' for consistency.

Browse source
This commit is contained in:
padreug 2025-06-26 13:18:17 +02:00
parent 74b7d0f9a3
commit c86d650e5a
2 changed files with 14 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

6
static/js/index.js
View file

@ -121,7 +121,7 @@ window.app = Vue.createApp({
const { data } = await LNbits.api.request( const { data } = await LNbits.api.request(
'GET', 'GET',
'/satmachineclient/api/v1/dashboard/summary', '/satmachineclient/api/v1/dashboard/summary',
this.g.user.wallets[0].inkey this.g.user.wallets[0].adminkey
) )
this.dashboardData = data this.dashboardData = data
} catch (error) { } catch (error) {
@ -135,7 +135,7 @@ window.app = Vue.createApp({
const { data } = await LNbits.api.request( const { data } = await LNbits.api.request(
'GET', 'GET',
'/satmachineclient/api/v1/dashboard/transactions?limit=50', '/satmachineclient/api/v1/dashboard/transactions?limit=50',
this.g.user.wallets[0].inkey this.g.user.wallets[0].adminkey
) )
// Debug: Log the first transaction to see date format // Debug: Log the first transaction to see date format
@ -232,7 +232,7 @@ window.app = Vue.createApp({
const {data} = await LNbits.api.request( const {data} = await LNbits.api.request(
'GET', 'GET',
`/satmachineclient/api/v1/dashboard/analytics?time_range=${this.chartTimeRange}`, `/satmachineclient/api/v1/dashboard/analytics?time_range=${this.chartTimeRange}`,
this.g.user.wallets[0].inkey this.g.user.wallets[0].adminkey
) )
// Debug: Log analytics data // Debug: Log analytics data

18
views_api.py
View file

@ -6,7 +6,7 @@ from datetime import datetime, timedelta
from fastapi import APIRouter, Depends, Query from fastapi import APIRouter, Depends, Query
from lnbits.core.models import WalletTypeInfo from lnbits.core.models import WalletTypeInfo
from lnbits.decorators import require_invoice_key from lnbits.decorators import require_admin_key
from starlette.exceptions import HTTPException from starlette.exceptions import HTTPException
from .crud import ( from .crud import (
@ -32,7 +32,7 @@ satmachineclient_api_router = APIRouter()
@satmachineclient_api_router.get("/api/v1/dashboard/summary") @satmachineclient_api_router.get("/api/v1/dashboard/summary")
async def api_get_dashboard_summary( async def api_get_dashboard_summary(
wallet: WalletTypeInfo = Depends(require_invoice_key), wallet: WalletTypeInfo = Depends(require_admin_key),
) -> ClientDashboardSummary: ) -> ClientDashboardSummary:
"""Get client dashboard summary metrics""" """Get client dashboard summary metrics"""
summary = await get_client_dashboard_summary(wallet.wallet.user) summary = await get_client_dashboard_summary(wallet.wallet.user)
@ -46,7 +46,7 @@ async def api_get_dashboard_summary(
@satmachineclient_api_router.get("/api/v1/dashboard/transactions") @satmachineclient_api_router.get("/api/v1/dashboard/transactions")
async def api_get_client_transactions( async def api_get_client_transactions(
wallet: WalletTypeInfo = Depends(require_invoice_key), wallet: WalletTypeInfo = Depends(require_admin_key),
limit: int = Query(50, ge=1, le=1000), limit: int = Query(50, ge=1, le=1000),
offset: int = Query(0, ge=0), offset: int = Query(0, ge=0),
transaction_type: Optional[str] = Query(None), transaction_type: Optional[str] = Query(None),
@ -66,7 +66,7 @@ async def api_get_client_transactions(
@satmachineclient_api_router.get("/api/v1/dashboard/analytics") @satmachineclient_api_router.get("/api/v1/dashboard/analytics")
async def api_get_client_analytics( async def api_get_client_analytics(
wallet: WalletTypeInfo = Depends(require_invoice_key), wallet: WalletTypeInfo = Depends(require_admin_key),
time_range: str = Query("30d", regex="^(7d|30d|90d|1y|all)$"), time_range: str = Query("30d", regex="^(7d|30d|90d|1y|all)$"),
) -> ClientAnalytics: ) -> ClientAnalytics:
"""Get client performance analytics and cost basis data""" """Get client performance analytics and cost basis data"""
@ -95,9 +95,13 @@ async def api_get_client_analytics(
@satmachineclient_api_router.put("/api/v1/dashboard/settings") @satmachineclient_api_router.put("/api/v1/dashboard/settings")
async def api_update_client_settings( async def api_update_client_settings(
settings: UpdateClientSettings, settings: UpdateClientSettings,
wallet: WalletTypeInfo = Depends(require_invoice_key), wallet: WalletTypeInfo = Depends(require_admin_key),
) -> dict: ) -> dict:
"""Update client DCA settings (mode, limits, status)""" """Update client DCA settings (mode, limits, status)
Security: Users can only modify their own DCA settings.
Validated by user_id lookup from wallet.wallet.user.
"""
client = await get_client_by_user_id(wallet.wallet.user) client = await get_client_by_user_id(wallet.wallet.user)
if not client: if not client:
raise HTTPException( raise HTTPException(
@ -117,7 +121,7 @@ async def api_update_client_settings(
@satmachineclient_api_router.get("/api/v1/dashboard/export/transactions") @satmachineclient_api_router.get("/api/v1/dashboard/export/transactions")
async def api_export_transactions( async def api_export_transactions(
wallet: WalletTypeInfo = Depends(require_invoice_key), wallet: WalletTypeInfo = Depends(require_admin_key),
format: str = Query("csv", regex="^(csv|json)$"), format: str = Query("csv", regex="^(csv|json)$"),
start_date: Optional[datetime] = Query(None), start_date: Optional[datetime] = Query(None),
end_date: Optional[datetime] = Query(None), end_date: Optional[datetime] = Query(None),