From fcd000b8f41eca0ef58d292c6f5a8e09e04090a5 Mon Sep 17 00:00:00 2001
From: Maxb <bittmanmax@gmail.com>
Date: Tue, 28 Jan 2025 10:09:29 -0800
Subject: [PATCH] Fix case of empty agent registration shared key config

Previously if the agent registration shared key was left empty, we would
simply configure the agent registration endpoints with an empty auth
key. That could allow for arbitrary external actors to register new
gateways and bridges. This enforces that if the agent registration
shared key config is left empty, the associated endpoints will no longer
be served.
---
 pkg/api/api.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/pkg/api/api.go b/pkg/api/api.go
index 89e231f..ff21d17 100644
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -115,12 +115,14 @@ func InitServer(cfg *Config) *echo.Echo {
 		return c.HTML(http.StatusOK, help.HelpiOS)
 	})
 
-	agentEndpoints := e.Group("/api/5/agent")
-	agentEndpoints.Use(agentRegistrationMiddleware(cfg.AgentSharedKey))
-	// Limit agent registration requests to 10MB
-	agentEndpoints.Use(middleware.BodyLimit("10M"))
-	agentEndpoints.PUT("/bridge", r.RegisterBridge)
-	agentEndpoints.PUT("/gateway", r.RegisterGateway)
+	if cfg.AgentSharedKey != "" {
+		agentEndpoints := e.Group("/api/5/agent")
+		agentEndpoints.Use(agentRegistrationMiddleware(cfg.AgentSharedKey))
+		// Limit agent registration requests to 10MB
+		agentEndpoints.Use(middleware.BodyLimit("10M"))
+		agentEndpoints.PUT("/bridge", r.RegisterBridge)
+		agentEndpoints.PUT("/gateway", r.RegisterGateway)
+	}
 
 	e.HideBanner = true
 	return e
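Review bot: The new guard `if cfg.AgentSharedKey != ""` rejects only the exact empty string, so a whitespace-only value (for example from a misquoted environment variable) still registers both PUT routes behind a trivially guessable key. `if strings.TrimSpace(cfg.AgentSharedKey) != ""` would close that gap, ideally with a minimum key length enforced where the config is loaded. When the key is empty the routes are now dropped silently, so an `else` branch with `e.Logger.Warn("agent registration endpoints disabled: AgentSharedKey is empty")` would let operators see why agents can no longer register. agentRegistrationMiddleware is not visible here; if it compares the presented key with `==`, `subtle.ConstantTimeCompare` from crypto/subtle is the safer check. InitServer begins and continues outside this hunk, so the logger and import suggestions should be confirmed against the rest of the file.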
-- 
GitLab