focalboard/server/api/auth.go
Jesús Espino aa540e73ce
Permissions feature branch (#2578)
* wip

* Added data migration for populating categories

* wip

* Added data migration for populating categories

* Store WIP

* migration WIP

* category CRUD APIs complete

* category block API WIP

* block category update API done

* Fetched data into store

* Started displaying sidebar data

* sidebar WIP

* Dashboard - basic changes

* Sidebar dashboard btn and board switcher UI only

* Sidebar dashboard btn and board switcher UI only

* create category dialog WIP

* Create category webapp side done

* Integrated move card to other category

* board to block

* Disabled dashboard route for now as we'll implement it in phase 2

* WIP

* Added logic to open last board/view on per team level

* Add workspace to teams and boards migrations (#1986)

* Add workspace to teams and boards migrations

* Update json annotations on board models

* boards search dialog WIP

* Search dialog WIP

* Implemented opening board from search results

* Boards switcher styling

* Handled update category WS event

* Template support

* personal server support and styling fixes

* test fix WIP

* Fixed a bug causing boards to not be moved correctly between categories

* Fixed webapp tests

* fix

* Store changes (#2011)

* Permissions phase 1 - Websocket updates (#2014)

* Store changes

* Websockets changes

* Permissions phase 1 - Permissions service (#2015)

* Store changes

* Websockets changes

* Permissions service

* Api and app updates (#2016)

* Store changes

* Websockets changes

* Permissions service

* New API and App changes

* Delete and Patch boards and blocks endpoints

* Used correct variable

* Webapp changes WIP

* Open correct team URL

* Fixed get block API

* Used React context for workspace users

* WIP

* On load navigation sorted out

* WIP

* Nav fix

* categories WS broadcast

* Used real search API

* Fixed unfurl preview

* set active team in sidebar

* Implemented navigation on changing team in sidebar

* Misc fixes

* close rows inside transaction (#2045)

* update syntax for mysql (#2044)

* Updated mutator for new patchBlock API

* Updated patchBlock API to use new URL

* Listening to correct event in plugin mode

* Implemented WS messages for category operations:

* Fix duplicated build tags on Makefile

* Sidebar enhancements

* Add missing prefix to SQLite migration and fix flaky tests

* Sidebar boards menu enhancement

* Fix board page interactions (#2144)

* Fix patch board card properties error

* Fix board interactions

* Fix insert blocks interactions

* Fix app tests (#2104)

* Add json1 tag to vscode launch (#2157)

* Fix add, delete and update boards and add board patch generation (#2146)

* Fix update boards and add board patch generation

* Make add board and add template work, as well as deleting a board

* Update the state on board deletion

* Delete unused variable

* Fix bad parenthesis

* Fix board creation inside plugin, options were coming null due websocket message serialization

* update property type mutators to use boards API (#2168)

* Add permissions modal (#2196)

* Initial integration

* Permissions modal, websocket updates and API tests implemented

* Avoid updating/removing user if there is only one admin left

* Fix duplicates on board search

* Adds integration test

* Addressing PR review comments

Co-authored-by: Jesús Espino <jespinog@gmail.com>

* Merge

* I'm able to compile now

* Some fixes around tests execution

* Fixing migrations

* Fixing migrations order

* WIP

* Fixing some other compilation problems on tests

* Some typescript tests fixed

* Fixing javascript tests

* Fixing compilation

* Fixing some problems to create boards

* Load the templates on initial load

* Improvements over initial team templates import

* Adding new fields in the database

* Working on adding duplicate board api

* Removing RootID concept entirely

* Improving a bit the subscriptions

* Fixing store tests for notificationHints

* Fixing more tests

* fixing tests

* Fixing tests

* Fixing tests

* Fixing some small bugs related to templates

* Fixing registration link generation/regeneration

* Fixing cypress tests

* Adding store tests for duplicateBoard and duplicateBlock

* Addressing some TODO comments

* Making the export api simpler

* Add redirect component for old workspace urls

* Removing Dashboard code

* Delete only the built-in templates on update

* fixing tests

* Adding users autocompletion

* Updating snapshots

* Fixing bad merge

* fix panic when creating new card in notifysubscriptions (#2352)

* fix lint errors (#2353)

* fix lint errors

* fix panic when creating new card in notifysubscriptions (#2352)

* fix lint errors

* fix unit test

* Revert "fix unit test"

This reverts commit 0ad78aed65.

Co-authored-by: Doug Lauder <wiggin77@warpmail.net>

* fix sql syntax error for SearchUsersByTeam (#2357)

* Fix mentions delivery (#2358)

* fix sql syntax error for SearchUsersByTeam

* fix mentions delivery

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* update api for octoClient calls, pass correct variables to mutator (#2359)

* Fixing tests after merge

* Fix sidebar context menu UI issue (#2399)

* Fix notification diff for text blocks (#2386)

* fix notification diff for text blocks; fix various linter errors.

* fix URLs to cards

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* Permissions branch: Fix card links (#2391)

* fix notification diff for text blocks; fix various linter errors.

* fix URLs to cards

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* Fixing sqlite tests

* Fixing server tests

* Update migrations to create global templates. (#2397)

* fix duplicate templates

* revert migrate.go

* update UI for empty templates

* implement updating built-in templates as global (teamId = 0)

* handle error if board not found

* update unit test

* fix more tests

* Update blocks_test.go

Fix merge issue

* fix migration sql error (#2414)

* Fixing frontend tests

* Set target team ID when using a global template (#2419)

* Fix some server tests

* Fixing onboarding creation

* Permissions branch: Fix unit tests and CI errors (part 1) (#2425)

* Fixing some small memory leaks (#2400)

* Fixing some small memory leaks

* fixing tests

* passing the tags to all test targets

* Increasing the timeout of the tests

* Fix some type checkings

* Permissions branch: Fixes all the linter errors (#2429)

* fix linter errors

* Restructuring the router and splitting in more subcomponents (#2403)

* Restructuring the router and splitting in more subcomponents

* Removing console.log calls

* Removing unneeded selector

* Addressing PR comment

* Fix redirection to one team when you load directly the boards home path

* Using properly the lastTeamID to redirect the user if needed

* don't allow last admin change/deleted (#2416)

* don't allow last admin change/deleted

* update for i18-extract

* fixed en.json

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com>

* Splitting BoardPage component into simpler/smaller components (#2435)

* Splitting BoardPage component into simpler/smaller components

* Removing unneeded import

* Replace go migrate with morph permissions (#2424)

* merge origin/replace-go-migrate-with-morph

* run go mod tidy on mattermost-plugin and increase test timeout

* fix merge issue temporarily

* remove some debug changes

* fixing the linter

* Allow always team 0 (global) templates fetch (#2472)

* Fix problem with viewId 0 in the URL (#2473)

* Migrate from binddata to goembed (#2471)

* Adding join logic to the board switcher (#2434)

* Adding join logic to the board switcher

* Using already existing client function and removing the joinBoard one

* Adding support for autojoin based on url

* Fixing frontend tests

* fix webapp compile error, missing enableSharedBoards (#2501)

* Fixing duplication on postgres

* Adding back views to the sidebar (#2494)

* Fix #2507. Update Swagger comments (#2508)

* Fix the flash of the template selector on board/team switch (#2490)

* Fix the flash of the template selector on board/team switch

* More fixes specially around error handling

* Fixing the bot badge (#2487)

* simplifying a bit the team store sync between channels and focalboard (#2481)

* Fix menu tests (#2528)

* fix failing menu tests

* fix lint error

* Added keyboard shortcut for boards switcher (#2407)

* Added keyboard shortcut for boards switcher

* Fixed a type error

* Added some inline comments

* Fixed lint

* Fixed bug with scroll jumping when the card is opened: (#2477)

- avoid remounting of `ScrollingComponent` for each render of `Kanban` component
- property `autoFocus` set to false for `CalculationOptions` because it triggers `blur` even for the button in Jest tests and closes the menu
- snapshots for tests with `CalculationOptions` updated

* Adding the frontend support for permissions and applying it to a big part of the interface. (#2536)

* Initial work on permissions gates

* Applying permissions gates in more places

* Adding more checks to the interface

* Adding more permissions gates and keeping the store up to date

* fixing some tests

* Fixing some more tests

* Fixing another test

* Fixing all tests and adding some more

* Adding no-permission snapshot tests

* Addressing PR review comments

* Fixing invert behavior

* Permissions branch:  No sqlstore calls after app shutdown (#2530)

* fix webapp compile error, missing enableSharedBoards

* refactor app init wip

* - ensure all block change notifications are finished before shutting down app
- fix unit tests for mysql (insert_at only has 1 second resolution!)

* adjust logging

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* Fixed migrations to allow upgrading from previous version (#2535)

* Added mechanism to check if schema migration is needed

* WIP

* WIP

* WIP

* WIP

* Fixed migration

* Fixed for SQLite

* minor cleanup

* Deleted old schema migration table after running migrations

* Removed a debug log

* Fixed a bug where the code always tried to delete a table which may or may not exist

* Show properly the user avatar in the ShareBoard component (#2542)

* Fixing the last CI problems from the permissions-branch (#2541)

* Fix history ordering

* Giving some times to avoid possible race conditions

* Empty

* Reverting accidental change in the config.json

* Optimizing table view (#2540)

* Optimizing table view

* Reducing the amount of rendering for tables

* Some other performance improvements

* Improve the activeView updates

* Some extra simplifications

* Another small improvement

* Fixing tests

* Fixing linter errors

* Reducing a bit the amount of dependency with big objects in the store

* Small simplification

* Removing Commenter role from the user role selector (#2561)

* Shareboard cleanup (#2550)

* Initial work on permissions gates

* Applying permissions gates in more places

* Adding more checks to the interface

* Adding more permissions gates and keeping the store up to date

* fixing some tests

* Fixing some more tests

* Fixing another test

* Fixing all tests and adding some more

* Adding no-permission snapshot tests

* Addressing PR review comments

* cleanup some shareboard settings

* remove unused property, fix for user items being displayed for non admin

* revert change, allow users to show

Co-authored-by: Jesús Espino <jespinog@gmail.com>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* Fixing comments and cards with the new optimizations in the store (#2560)

* Fixing property creation (#2563)

* Fix user selection in table view (#2565)

* Fixing focus new row in table view (#2567)

* Permissions branch: Fix sqlite table lock (CI) (#2568)

* fix sqlite table lock

* remove test db on teardown

* revert .gitignore

* fix goimport on migration code

* fix typo

* more linter fixes

* clean up tmp db for sqlstore tests

Co-authored-by: Mattermod <mattermod@users.noreply.github.com>

* Fixing snapshots

* Migrating center panel to functional component (#2562)

* Migrating center panel to functional component

* Fixing some tests

* Fixing another test

* Fixing linter errors

* Fixing types errors

* Fixing linter error

* Fixing cypress tests

* Fixing the last cypress test

* Simplifying a bit the code

* Making property insertion more robust

* Updating checkbox test

Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com>
Co-authored-by: Miguel de la Cruz <miguel@mcrx.me>
Co-authored-by: Scott Bishel <scott.bishel@mattermost.com>
Co-authored-by: Chen-I Lim <46905241+chenilim@users.noreply.github.com>
Co-authored-by: Doug Lauder <wiggin77@warpmail.net>
Co-authored-by: Mattermod <mattermod@users.noreply.github.com>
Co-authored-by: Harshil Sharma <18575143+harshilsharma63@users.noreply.github.com>
Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
Co-authored-by: kamre <eremchenko@gmail.com>
2022-03-22 08:24:34 -06:00

504 lines
13 KiB
Go

package api

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"strings"

	"github.com/gorilla/mux"
	"github.com/mattermost/focalboard/server/model"
	"github.com/mattermost/focalboard/server/services/audit"
	"github.com/mattermost/focalboard/server/services/auth"
	"github.com/mattermost/focalboard/server/utils"

	"github.com/mattermost/mattermost-server/v6/shared/mlog"
)

const (
	MinimumPasswordLength = 8
)

type ParamError struct {
	msg string
}

func (pe ParamError) Error() string {
	return pe.msg
}

// LoginRequest is a login request
// swagger:model
type LoginRequest struct {
	// Type of login, currently must be set to "normal"
	// required: true
	Type string `json:"type"`

	// If specified, login using username
	// required: false
	Username string `json:"username"`

	// If specified, login using email
	// required: false
	Email string `json:"email"`

	// Password
	// required: true
	Password string `json:"password"`

	// MFA token
	// required: false
	// swagger:ignore
	MfaToken string `json:"mfa_token"`
}

// LoginResponse is a login response
// swagger:model
type LoginResponse struct {
	// Session token
	// required: true
	Token string `json:"token"`
}

func LoginResponseFromJSON(data io.Reader) (*LoginResponse, error) {
	var resp LoginResponse
	if err := json.NewDecoder(data).Decode(&resp); err != nil {
		return nil, err
	}
	return &resp, nil
}

// RegisterRequest is a user registration request
// swagger:model
type RegisterRequest struct {
	// User name
	// required: true
	Username string `json:"username"`

	// User's email
	// required: true
	Email string `json:"email"`

	// Password
	// required: true
	Password string `json:"password"`

	// Registration authorization token
	// required: true
	Token string `json:"token"`
}

func (rd *RegisterRequest) IsValid() error {
	if strings.TrimSpace(rd.Username) == "" {
		return ParamError{"username is required"}
	}
	if strings.TrimSpace(rd.Email) == "" {
		return ParamError{"email is required"}
	}
	if !auth.IsEmailValid(rd.Email) {
		return ParamError{"invalid email format"}
	}
	if rd.Password == "" {
		return ParamError{"password is required"}
	}
	return isValidPassword(rd.Password)
}

// ChangePasswordRequest is a user password change request
// swagger:model
type ChangePasswordRequest struct {
	// Old password
	// required: true
	OldPassword string `json:"oldPassword"`

	// New password
	// required: true
	NewPassword string `json:"newPassword"`
}

// IsValid validates a password change request.
func (rd *ChangePasswordRequest) IsValid() error {
	if rd.OldPassword == "" {
		return ParamError{"old password is required"}
	}
	if rd.NewPassword == "" {
		return ParamError{"new password is required"}
	}
	return isValidPassword(rd.NewPassword)
}

func isValidPassword(password string) error {
	if len(password) < MinimumPasswordLength {
		return ParamError{fmt.Sprintf("password must be at least %d characters", MinimumPasswordLength)}
	}
	return nil
}

func (a *API) handleLogin(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /api/v1/login login
	//
	// Login user
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: body
	//   in: body
	//   description: Login request
	//   required: true
	//   schema:
	//     "$ref": "#/definitions/LoginRequest"
	// responses:
	//   '200':
	//     description: success
	//     schema:
	//       "$ref": "#/definitions/LoginResponse"
	//   '401':
	//     description: invalid login
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	requestBody, err := ioutil.ReadAll(r.Body)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	var loginData LoginRequest
	err = json.Unmarshal(requestBody, &loginData)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	auditRec := a.makeAuditRecord(r, "login", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)
	auditRec.AddMeta("username", loginData.Username)
	auditRec.AddMeta("type", loginData.Type)

	if loginData.Type == "normal" {
		token, err := a.app.Login(loginData.Username, loginData.Email, loginData.Password, loginData.MfaToken)
		if err != nil {
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
			return
		}
		json, err := json.Marshal(LoginResponse{Token: token})
		if err != nil {
			a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
			return
		}

		jsonBytesResponse(w, http.StatusOK, json)
		auditRec.Success()
		return
	}

	a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "invalid login type", nil)
}

func (a *API) handleLogout(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /api/v1/logout logout
	//
	// Logout user
	//
	// ---
	// produces:
	// - application/json
	// security:
	// - BearerAuth: []
	// responses:
	//   '200':
	//     description: success
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	ctx := r.Context()

	session := ctx.Value(sessionContextKey).(*model.Session)

	auditRec := a.makeAuditRecord(r, "logout", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)
	auditRec.AddMeta("userID", session.UserID)

	if err := a.app.Logout(session.ID); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
		return
	}

	auditRec.AddMeta("sessionID", session.ID)

	jsonStringResponse(w, http.StatusOK, "{}")
	auditRec.Success()
}

func (a *API) handleRegister(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /api/v1/register register
	//
	// Register new user
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: body
	//   in: body
	//   description: Register request
	//   required: true
	//   schema:
	//     "$ref": "#/definitions/RegisterRequest"
	// responses:
	//   '200':
	//     description: success
	//   '401':
	//     description: invalid registration token
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	requestBody, err := ioutil.ReadAll(r.Body)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	var registerData RegisterRequest
	err = json.Unmarshal(requestBody, &registerData)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}
	registerData.Email = strings.TrimSpace(registerData.Email)
	registerData.Username = strings.TrimSpace(registerData.Username)

	// Validate token
	if len(registerData.Token) > 0 {
		team, err2 := a.app.GetRootTeam()
		if err2 != nil {
			a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
			return
		}

		if registerData.Token != team.SignupToken {
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid token", nil)
			return
		}
	} else {
		// No signup token, check if no active users
		userCount, err2 := a.app.GetRegisteredUserCount()
		if err2 != nil {
			a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
			return
		}
		if userCount > 0 {
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "no sign-up token and user(s) already exist", nil)
			return
		}
	}

	if err = registerData.IsValid(); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	auditRec := a.makeAuditRecord(r, "register", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)
	auditRec.AddMeta("username", registerData.Username)

	err = a.app.RegisterUser(registerData.Username, registerData.Email, registerData.Password)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	jsonStringResponse(w, http.StatusOK, "{}")
	auditRec.Success()
}

func (a *API) handleChangePassword(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /api/v1/users/{userID}/changepassword changePassword
	//
	// Change a user's password
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: userID
	//   in: path
	//   description: User ID
	//   required: true
	//   type: string
	// - name: body
	//   in: body
	//   description: Change password request
	//   required: true
	//   schema:
	//     "$ref": "#/definitions/ChangePasswordRequest"
	// security:
	// - BearerAuth: []
	// responses:
	//   '200':
	//     description: success
	//   '400':
	//     description: invalid request
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	vars := mux.Vars(r)
	userID := vars["userID"]

	requestBody, err := ioutil.ReadAll(r.Body)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	var requestData ChangePasswordRequest
	if err = json.Unmarshal(requestBody, &requestData); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	if err = requestData.IsValid(); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	auditRec := a.makeAuditRecord(r, "changePassword", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)

	if err = a.app.ChangePassword(userID, requestData.OldPassword, requestData.NewPassword); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	jsonStringResponse(w, http.StatusOK, "{}")
	auditRec.Success()
}

func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
	return a.attachSession(handler, true)
}

func (a *API) attachSession(handler func(w http.ResponseWriter, r *http.Request), required bool) func(w http.ResponseWriter, r *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		token, _ := auth.ParseAuthTokenFromRequest(r)

		a.logger.Debug(`attachSession`, mlog.Bool("single_user", len(a.singleUserToken) > 0))
		if len(a.singleUserToken) > 0 {
			if required && (token != a.singleUserToken) {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid single user token", nil)
				return
			}

			now := utils.GetMillis()
			session := &model.Session{
				ID:          model.SingleUser,
				Token:       token,
				UserID:      model.SingleUser,
				AuthService: a.authService,
				Props:       map[string]interface{}{},
				CreateAt:    now,
				UpdateAt:    now,
			}
			ctx := context.WithValue(r.Context(), sessionContextKey, session)
			handler(w, r.WithContext(ctx))
			return
		}

		if a.MattermostAuth && r.Header.Get("Mattermost-User-Id") != "" {
			userID := r.Header.Get("Mattermost-User-Id")
			now := utils.GetMillis()
			session := &model.Session{
				ID:          userID,
				Token:       userID,
				UserID:      userID,
				AuthService: a.authService,
				Props:       map[string]interface{}{},
				CreateAt:    now,
				UpdateAt:    now,
			}
			ctx := context.WithValue(r.Context(), sessionContextKey, session)
			handler(w, r.WithContext(ctx))
			return
		}

		session, err := a.app.GetSession(token)
		if err != nil {
			if required {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
				return
			}

			handler(w, r)
			return
		}

		authService := session.AuthService
		if authService != a.authService {
			a.logger.Error(`Session authService mismatch`,
				mlog.String("sessionID", session.ID),
				mlog.String("want", a.authService),
				mlog.String("got", authService),
			)
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
			return
		}

		ctx := context.WithValue(r.Context(), sessionContextKey, session)
		handler(w, r.WithContext(ctx))
	}
}

func (a *API) adminRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		// Currently, admin APIs require local unix connections
		conn := GetContextConn(r)
		if _, isUnix := conn.(*net.UnixConn); !isUnix {
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not a local unix connection", nil)
			return
		}

		handler(w, r)
	}
}
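
Added example (not part of auth.go or of the Focalboard project): `attachSession` compares the bearer token with `a.singleUserToken` using `!=`, and `handleRegister` does the same with `team.SignupToken`; the sketch below shows the same gate with a constant-time comparison instead. `tokenMatches`, `bearerToken`, `singleUserGate`, `statusFor`, the request path and all token values are hypothetical names and constructed data, and `bearerToken` is a simplified stand-in for `auth.ParseAuthTokenFromRequest`.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenMatches compares a presented secret with the configured one in
// constant time. Hashing both sides first gives equal-length inputs, so the
// comparison time does not depend on the token's length or on how many
// leading bytes match. An empty configured token never matches (assumption
// of this example).
func tokenMatches(presented, expected string) bool {
	if expected == "" {
		return false
	}
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

// bearerToken is a simplified, hypothetical stand-in for
// auth.ParseAuthTokenFromRequest: it reads only "Authorization: Bearer <t>".
func bearerToken(r *http.Request) string {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if len(h) > len(prefix) && strings.EqualFold(h[:len(prefix)], prefix) {
		return h[len(prefix):]
	}
	return ""
}

// singleUserGate follows the required single-user branch of attachSession,
// with the != comparison replaced by tokenMatches.
func singleUserGate(singleUserToken string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !tokenMatches(bearerToken(r), singleUserToken) {
			http.Error(w, "invalid single user token", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// statusFor sends one constructed request through the gate and returns the
// HTTP status the client would see.
func statusFor(configured, presented string) int {
	gate := singleUserGate(configured, func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/constructed/path", nil)
	if presented != "" {
		req.Header.Set("Authorization", "Bearer "+presented)
	}
	rec := httptest.NewRecorder()
	gate(rec, req)
	return rec.Code
}

func main() {
	const configured = "constructed-sample-token" // constructed, not a real secret
	fmt.Println("matching token:", statusFor(configured, configured))
	fmt.Println("wrong token:   ", statusFor(configured, "constructed-other-token"))
	fmt.Println("no token:      ", statusFor(configured, ""))
	// The same helper fits the sign-up token check in handleRegister.
	fmt.Println("signup token ok:", tokenMatches("constructed-signup", "constructed-signup"))
}
```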