### Vulnerability Overview

This vulnerability concerns the host authorization function, specifically its check that a token is valid. The fix adds that validation to the affected endpoints in order to strengthen system security and prevent unauthorized access and operations.

### Impact Scope

- **Affected Files**:
  - `controllers/hosts.go`
  - `controllers/node.go`
  - `logic/jwts.go`
  - `pro/controllers/auto_relay.go`
  - `pro/controllers/failover.go`
- **Affected Components**:
  - Host management functionality
  - Node management functionality
  - JWT token validation logic
  - Auto relay and failover functionality

### Fixes

1. **Host Authorization Function Fix**:
   - In `controllers/hosts.go`, calls to the `AuthorizeHost` function were added for multiple API endpoints so that each request undergoes token verification.
   - Specific changes include:

     ```go
     r.HandleFunc("/api/hosts/{hostid}", logic.SecurityCheck(true, http.HandlerFunc(updateHost))).Methods(http.MethodPut)
     r.HandleFunc("/api/hosts/{hostid}", AuthorizeHost(http.HandlerFunc(deleteHost))).Methods(http.MethodDelete)
     r.HandleFunc("/api/hosts/{hostid}/upgrade", logic.SecurityCheck(true, http.HandlerFunc(upgradeHost))).Methods(http.MethodPost)
     r.HandleFunc("/api/hosts/{hostid}/networks/{network}", logic.SecurityCheck(true, http.HandlerFunc(deleteHostFromNetwork))).Methods(http.MethodDelete)
     r.HandleFunc("/api/hosts/num/authenticate", authenticateHost).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/host", AuthorizeHost(http.HandlerFunc(poll))).Methods(http.MethodGet)
     r.HandleFunc("/api/v1/host/{hostid}/signalpeer", AuthorizeHost(http.HandlerFunc(signalPeer))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/host/{hostid}/signalpeer", AuthorizeHost(http.HandlerFunc(signalPeer))).Methods(http.MethodDelete)
     r.HandleFunc("/api/v1/fallback/host/{hostid}", AuthorizeHost(http.HandlerFunc(hostpostageFallback))).Methods(http.MethodPut)
     r.HandleFunc("/api/v1/fallback/host/{hostid}", AuthorizeHost(http.HandlerFunc(getHostPeerInfo))).Methods(http.MethodGet)
     r.HandleFunc("/api/v1/host/{hostid}/peer_info", AuthorizeHost(http.HandlerFunc(getHostPeerInfo))).Methods(http.MethodGet)
     ```

2. **Node Authorization Function Fix**:
   - In `controllers/node.go`, calls to the `AuthorizeHost` function were added for multiple API endpoints so that each request undergoes token verification.
   - Specific changes include:

     ```go
     r.HandleFunc("/api/nodes/{network}/{nodeid}", AuthorizeHost(http.HandlerFunc(getNode))).Methods(http.MethodGet)
     r.HandleFunc("/api/nodes/{network}/{nodeid}", AuthorizeHost(http.HandlerFunc(updateNode))).Methods(http.MethodPut)
     r.HandleFunc("/api/nodes/{network}/{nodeid}", AuthorizeHost(http.HandlerFunc(deleteNode))).Methods(http.MethodDelete)
     ```

3. **JWT Token Validation Logic Fix**:
   - In `logic/jwts.go`, checks for JWT token validity were added: a nil token and a token that failed validation are both rejected before any claim is read.
   - Specific changes include:

     ```go
     if token == nil {
         return "", "", "", errors.New("token is nil")
     }
     if token.Valid {
         return claims.Iss, claims.MacAddress, claims.Network, nil
     }
     return "", "", "", errors.New("token is invalid")
     ```

4. **Auto Relay and Failover Functionality Fix**:
   - In `pro/controllers/auto_relay.go` and `pro/controllers/failover.go`, calls to the `AuthorizeHost` function were added for multiple API endpoints so that each request undergoes token verification.
   - Specific changes include:

     ```go
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay", controller.AuthorizeHost(http.HandlerFunc(getAutoRelay))).Methods(http.MethodGet)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay", controller.AuthorizeHost(http.HandlerFunc(setAutoRelay))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay", controller.AuthorizeHost(http.HandlerFunc(unsetAutoRelay))).Methods(http.MethodDelete)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay/reset", controller.AuthorizeHost(http.HandlerFunc(resetAutoRelay))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay_me", controller.AuthorizeHost(http.HandlerFunc(autoRelayME))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay_me", controller.AuthorizeHost(http.HandlerFunc(autoRelayMEUpdate))).Methods(http.MethodPut)
     r.HandleFunc("/api/v1/node/{nodeid}/auto_relay_check", controller.AuthorizeHost(http.HandlerFunc(checkAutoRelayCts))).Methods(http.MethodGet)
     r.HandleFunc("/api/v1/node/{nodeid}/failover", controller.AuthorizeHost(http.HandlerFunc(getFailover))).Methods(http.MethodGet)
     r.HandleFunc("/api/v1/node/{nodeid}/failover", controller.AuthorizeHost(http.HandlerFunc(createFailover))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/failover", controller.AuthorizeHost(http.HandlerFunc(deleteFailover))).Methods(http.MethodDelete)
     r.HandleFunc("/api/v1/node/{nodeid}/failover/reset", controller.AuthorizeHost(http.HandlerFunc(resetFailover))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/failover_me", controller.AuthorizeHost(http.HandlerFunc(failoverME))).Methods(http.MethodPost)
     r.HandleFunc("/api/v1/node/{nodeid}/failover_me", controller.AuthorizeHost(http.HandlerFunc(failoverMEUpdat
     ```
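The two ideas the fixes above combine, a token validity check that refuses a nil or invalid token before reading any claim (item 3) and a middleware that wraps each route so the check runs before the handler (items 1, 2 and 4), are shown together in the following added example. This is illustrative code written for this page, not the project's own `AuthorizeHost` or `logic/jwts.go`: it uses a standard-library HS256 verifier in place of whatever JWT library the project uses, and the names `hostClaims`, `verifyHostToken`, `authorizeHost`, `signHostToken` and `statusFor`, the claim field names, the shared secret and the request paths are all assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// hostClaims mirrors the values the page's validator returns (issuer, MAC address,
// network) plus an expiry. Field and JSON names are assumptions for this example.
type hostClaims struct {
	Iss        string `json:"iss"`
	MacAddress string `json:"mac"`
	Network    string `json:"network"`
	Exp        int64  `json:"exp"`
}

var (
	errTokenNil     = errors.New("token is nil")
	errTokenInvalid = errors.New("token is invalid")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHostToken builds an HS256 JWT; it exists only to construct inputs for the example.
func signHostToken(c hostClaims, secret []byte) string {
	body, _ := json.Marshal(c)
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyHostToken is the validity check the fix describes: a missing token and a
// token whose algorithm, signature or expiry does not hold are rejected, and the
// claims are returned only after the token has been accepted.
func verifyHostToken(token string, secret []byte, now time.Time) (hostClaims, error) {
	var c hostClaims
	if token == "" {
		return c, errTokenNil
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errTokenInvalid
	}
	// Pin the algorithm: the header is attacker-controlled and must not choose it.
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	var h struct {
		Alg string `json:"alg"`
	}
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return c, errTokenInvalid
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errTokenInvalid
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return c, errTokenInvalid
	}
	if c.Exp != 0 && now.Unix() >= c.Exp {
		return c, errTokenInvalid
	}
	return c, nil
}

// authorizeHost is the wrapping pattern applied to each route in the fix: the bearer
// token is verified before the inner handler runs, and any failure answers 401.
func authorizeHost(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := verifyHostToken(raw, secret, time.Now()); err != nil {
			http.Error(w, "unauthorized: "+err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through the wrapped handler and returns the
// status code, so the behaviour can be checked without starting a server.
func statusFor(secret []byte, authHeader string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/host", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	rec := httptest.NewRecorder()
	authorizeHost(secret, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	secret := []byte("example-shared-secret") // constructed for the example, not a real key
	good := signHostToken(hostClaims{Iss: "host-1", MacAddress: "aa:bb:cc:dd:ee:ff", Network: "net1", Exp: time.Now().Add(time.Hour).Unix()}, secret)
	fmt.Println(statusFor(secret, "Bearer "+good), statusFor(secret, ""), statusFor(secret, "Bearer "+good+"x"))
}
```

The order inside `verifyHostToken` is the point: the nil check, the algorithm pin, the signature check and the expiry check all run before the claims are read, which is the same discipline the `token == nil` / `token.Valid` sequence in `logic/jwts.go` enforces; wrapping every route in `authorizeHost` makes it impossible to reach a handler without passing that sequence.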