fix: /client:elevate to /client/:id/elevate

Author: jmattheis

api/client.go

@@ -246,7 +246,7 @@ func (a *ClientAPI) DeleteClient(ctx *gin.Context) {
 	})
 }
 
-// swagger:operation POST /client:elevate client elevateClient
+// swagger:operation POST /client/{id}/elevate client elevateClient
 //
 // Elevate a client session.
 //
@@ -256,6 +256,12 @@ func (a *ClientAPI) DeleteClient(ctx *gin.Context) {
 //	consumes: [application/json]
 //	produces: [application/json]
 //	parameters:
+//	- name: id
+//	  in: path
+//	  description: the client id
+//	  required: true
+//	  type: integer
+//	  format: int64
 //	- name: body
 //	  in: body
 //	  description: the elevation request
@@ -279,28 +285,30 @@ func (a *ClientAPI) DeleteClient(ctx *gin.Context) {
 //	    schema:
 //	        $ref: "#/definitions/Error"
 func (a *ClientAPI) ElevateClient(ctx *gin.Context) {
-	var params model.ElevateRequest
-	if err := ctx.Bind(&params); err != nil {
-		return
-	}
+	withID(ctx, "id", func(id uint) {
+		var params model.ElevateRequest
+		if err := ctx.Bind(&params); err != nil {
+			return
+		}
 
-	client, err := a.DB.GetClientByID(params.ID)
-	if err != nil {
-		ctx.AbortWithError(500, err)
-		return
-	}
-	if client == nil || client.UserID != auth.GetUserID(ctx) {
-		ctx.AbortWithError(404, errors.New("client not found"))
-		return
-	}
+		client, err := a.DB.GetClientByID(id)
+		if err != nil {
+			ctx.AbortWithError(500, err)
+			return
+		}
+		if client == nil || client.UserID != auth.GetUserID(ctx) {
+			ctx.AbortWithError(404, errors.New("client not found"))
+			return
+		}
 
-	elevatedUntil := time.Now().Add(time.Duration(params.DurationSeconds) * time.Second)
-	if err := a.DB.UpdateClientElevatedUntil(client.ID, &elevatedUntil); err != nil {
-		ctx.AbortWithError(500, err)
-		return
-	}
+		elevatedUntil := time.Now().Add(time.Duration(params.DurationSeconds) * time.Second)
+		if err := a.DB.UpdateClientElevatedUntil(client.ID, &elevatedUntil); err != nil {
+			ctx.AbortWithError(500, err)
+			return
+		}
 
-	ctx.Status(204)
+		ctx.Status(204)
+	})
 }
 
 func (a *ClientAPI) clientExists(token string) bool {

api/client_test.go

@@ -1,6 +1,7 @@
 package api
 
 import (
+	"fmt"
 	"net/http/httptest"
 	"net/url"
 	"strings"
@@ -165,7 +166,7 @@ func (s *ClientSuite) Test_DeleteClient_expectNotFound() {
 
 	test.WithUser(s.ctx, 5)
 	s.ctx.Request = httptest.NewRequest("DELETE", "/token/"+firstClientToken, nil)
-	s.ctx.Params = gin.Params{{Key: "id", Value: "8"}}
+	s.ctx.AddParam("id", "8")
 
 	s.a.DeleteClient(s.ctx)
 
@@ -177,7 +178,7 @@ func (s *ClientSuite) Test_DeleteClient() {
 
 	test.WithUser(s.ctx, 5)
 	s.ctx.Request = httptest.NewRequest("DELETE", "/token/"+firstClientToken, nil)
-	s.ctx.Params = gin.Params{{Key: "id", Value: "8"}}
+	s.ctx.AddParam("id", "8")
 
 	assert.False(s.T(), s.notified)
 
@@ -228,7 +229,7 @@ func (s *ClientSuite) Test_ElevateClient_expectSuccess() {
 	s.db.User(5).Client(8)
 
 	test.WithUser(s.ctx, 5)
-	s.withJSONBody(`{"id":8,"durationSeconds":900}`)
+	s.withElevateRequest(8, 900)
 
 	before := time.Now()
 	s.a.ElevateClient(s.ctx)
@@ -245,7 +246,7 @@ func (s *ClientSuite) Test_ElevateClient_expectNotFoundOnMissingClient() {
 	s.db.User(5)
 
 	test.WithUser(s.ctx, 5)
-	s.withJSONBody(`{"id":8,"durationSeconds":900}`)
+	s.withElevateRequest(8, 900)
 
 	s.a.ElevateClient(s.ctx)
 
@@ -257,7 +258,7 @@ func (s *ClientSuite) Test_ElevateClient_expectNotFoundOnCurrentUserIsNotOwner()
 	s.db.User(2)
 
 	test.WithUser(s.ctx, 2)
-	s.withJSONBody(`{"id":8,"durationSeconds":900}`)
+	s.withElevateRequest(8, 900)
 
 	s.a.ElevateClient(s.ctx)
 
@@ -271,7 +272,7 @@ func (s *ClientSuite) Test_ElevateClient_expectBadRequestOnMissingID() {
 	s.db.User(5)
 
 	test.WithUser(s.ctx, 5)
-	s.withJSONBody(`{"durationSeconds":900}`)
+	s.withElevateBody(`{"durationSeconds":900}`)
 
 	s.a.ElevateClient(s.ctx)
 
@@ -282,7 +283,8 @@ func (s *ClientSuite) Test_ElevateClient_expectBadRequestOnMissingDuration() {
 	s.db.User(5).Client(8)
 
 	test.WithUser(s.ctx, 5)
-	s.withJSONBody(`{"id":8}`)
+	s.ctx.AddParam("id", "8")
+	s.withElevateBody(`{}`)
 
 	s.a.ElevateClient(s.ctx)
 
@@ -297,8 +299,13 @@ func (s *ClientSuite) withFormData(formData string) {
 	s.ctx.Request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 }
 
-func (s *ClientSuite) withJSONBody(body string) {
-	s.ctx.Request = httptest.NewRequest("POST", "/client:elevate", strings.NewReader(body))
+func (s *ClientSuite) withElevateRequest(id uint, durationSeconds int) {
+	s.ctx.AddParam("id", fmt.Sprintf("%d", id))
+	s.withElevateBody(fmt.Sprintf(`{"durationSeconds":%d}`, durationSeconds))
+}
+
+func (s *ClientSuite) withElevateBody(body string) {
+	s.ctx.Request = httptest.NewRequest("POST", "/client/ignored/elevate", strings.NewReader(body))
 	s.ctx.Request.Header.Set("Content-Type", "application/json")
 }
 

api/oidc.go

@@ -71,7 +71,12 @@ type pendingOIDCSession struct {
 	RedirectURI string
 	ClientName  string
 	CreatedAt   time.Time
-	Elevate     *model.ElevateRequest
+	Elevate     *pendingElevation
+}
+
+type pendingElevation struct {
+	ClientID        uint `form:"id" binding:"required"`
+	DurationSeconds int  `form:"durationSeconds" binding:"required"`
 }
 
 // OIDCAPI provides handlers for OIDC authentication.
@@ -153,7 +158,7 @@ func (a *OIDCAPI) LoginHandler() gin.HandlerFunc {
 //	    schema:
 //	        $ref: "#/definitions/Error"
 func (a *OIDCAPI) ElevateHandler(ctx *gin.Context) {
-	var elevate model.ElevateRequest
+	var elevate pendingElevation
 	if err := ctx.BindQuery(&elevate); err != nil {
 		return
 	}
@@ -227,8 +232,8 @@ func (a *OIDCAPI) CallbackHandler() gin.HandlerFunc {
 	return gin.WrapF(rp.CodeExchangeHandler(rp.UserinfoCallback(callback), a.Provider))
 }
 
-func (a *OIDCAPI) handleElevationCallback(w http.ResponseWriter, elevate *model.ElevateRequest, user *model.User) {
-	client, err := a.DB.GetClientByID(elevate.ID)
+func (a *OIDCAPI) handleElevationCallback(w http.ResponseWriter, elevate *pendingElevation, user *model.User) {
+	client, err := a.DB.GetClientByID(elevate.ClientID)
 	if err != nil {
 		http.Error(w, fmt.Sprintf("database error: %v", err), http.StatusInternalServerError)
 		return

docs/spec.json

@@ -1129,7 +1129,7 @@
         }
       }
     },
-    "/client:elevate": {
+    "/client/{id}/elevate": {
       "post": {
         "security": [
           {
@@ -1158,6 +1158,14 @@
         "summary": "Elevate a client session.",
         "operationId": "elevateClient",
         "parameters": [
+          {
+            "type": "integer",
+            "format": "int64",
+            "description": "the client id",
+            "name": "id",
+            "in": "path",
+            "required": true
+          },
           {
             "description": "the elevation request",
             "name": "body",
@@ -2684,7 +2692,6 @@
       "type": "object",
       "title": "ElevateRequest parameters for client elevation.",
       "required": [
-        "id",
         "durationSeconds"
       ],
       "properties": {
@@ -2694,13 +2701,6 @@
           "format": "int64",
           "x-go-name": "DurationSeconds",
           "example": 900
-        },
-        "id": {
-          "description": "The client ID to elevate.",
-          "type": "integer",
-          "format": "int64",
-          "x-go-name": "ID",
-          "example": 5
         }
       },
       "x-go-package": "github.com/gotify/server/v2/model"

model/elevate.go

@@ -6,11 +6,6 @@ import "time"
 //
 // swagger:model ElevateRequest
 type ElevateRequest struct {
-	// The client ID to elevate.
-	//
-	// required: true
-	// example: 5
-	ID uint `form:"id" query:"id" json:"id" binding:"required"`
 	// How long the elevation should last, in seconds.
 	//
 	// required: true

router/router.go

@@ -220,7 +220,7 @@ func Create(db *database.GormDatabase, vInfo *model.VersionInfo, conf *config.Co
 	clientElevated := g.Group("")
 	{
 		clientElevated.Use(authentication.RequireElevatedClient)
-		clientElevated.POST("/client:elevate", clientHandler.ElevateClient)
+		clientElevated.POST("/client/:id/elevate", clientHandler.ElevateClient)
 		clientElevated.DELETE("/application/:id", applicationHandler.DeleteApplication)
 		clientElevated.DELETE("/client/:id", clientHandler.DeleteClient)
 		clientElevated.POST("/current/user/password", userHandler.ChangePassword)

ui/src/ElevateStore.ts

@@ -33,9 +33,9 @@ export class ElevateStore {
 
     public localElevate = async (password: string, durationSeconds: number): Promise<void> => {
         await axios.create().request({
-            url: config.get('url') + 'client:elevate',
+            url: `${config.get('url')}client/${this.currentUser.user.clientId}/elevate`,
             method: 'POST',
-            data: {id: this.currentUser.user.clientId, durationSeconds},
+            data: {durationSeconds},
             headers: {
                 Authorization: 'Basic ' + btoa(this.currentUser.user.name + ':' + password),
             },

ui/src/client/ClientStore.ts

@@ -41,7 +41,7 @@ export class ClientStore extends BaseStore<IClient> {
 
     @action
     public elevate = async (id: number, durationSeconds: number): Promise<void> => {
-        await axios.post(`${config.get('url')}client:elevate`, {id, durationSeconds});
+        await axios.post(`${config.get('url')}client/${id}/elevate`, {durationSeconds});
         await this.refresh();
         if (durationSeconds < 0) {
             this.snack('Canceled client elevation');