From c1ed7ec0bca268cd35d96d6edaec93e8b91c6db8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20Men=C3=A9ndez?=
Date: Tue, 24 Oct 2023 17:31:27 +0200
Subject: [PATCH 1/2] limiting POST /tokens endpoint to admins, the admint auth token can be defined as flag or in the env file, if it is not defined, it is randomly generated and logged

---
 api/api.go | 3 +++
 api/tokens.go | 2 +-
 cmd/census3/main.go | 13 +++++++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/api/api.go b/api/api.go
index 2e7b56d3..eaaf62a0 100644
--- a/api/api.go
+++ b/api/api.go
@@ -17,6 +17,7 @@ type Census3APIConf struct {
 DataDir string
 GroupKey string
 Web3Providers map[uint64]string
+ AdminToken string
 }
 
 type census3API struct {
@@ -48,6 +49,8 @@ func Init(db *db.DB, conf Census3APIConf) error {
 if newAPI.endpoint, err = api.NewAPI(&r, "/api"); err != nil {
 return err
 }
+ // set the admin token
+ newAPI.endpoint.SetAdminToken(conf.AdminToken)
 // init the census DB
 if newAPI.censusDB, err = census.NewCensusDB(conf.DataDir, conf.GroupKey); err != nil {
 return err
diff --git a/api/tokens.go b/api/tokens.go
index a0ecf724..98d872cb 100644
--- a/api/tokens.go
+++ b/api/tokens.go
@@ -22,7 +22,7 @@ func (capi *census3API) initTokenHandlers() error {
 return err
 }
 if err := capi.endpoint.RegisterMethod("/tokens", "POST",
- api.MethodAccessTypePublic, capi.createToken); err != nil {
+ api.MethodAccessTypeAdmin, capi.createToken); err != nil {
 return err
 }
 if err := capi.endpoint.RegisterMethod("/tokens/{tokenID}", "GET",
diff --git a/cmd/census3/main.go b/cmd/census3/main.go
index f1280c1f..e452dbb0 100644
--- a/cmd/census3/main.go
+++ b/cmd/census3/main.go
@@ -15,12 +15,14 @@ import (
 "github.com/vocdoni/census3/service"
 "github.com/vocdoni/census3/state"
 "go.vocdoni.io/dvote/log"
+ "go.vocdoni.io/dvote/util"
 )
 
 type Census3Config struct {
 dataDir, logLevel, connectKey string
 listOfWeb3Providers []string
 port int
+ adminToken string
 }
 
 func main() {
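Review bot: The new exported field AdminToken on Census3APIConf carries no doc comment, so a caller of the public config type has to read api.Init to learn what it gates. Suggest `// AdminToken is the secret required by endpoints registered with api.MethodAccessTypeAdmin (currently POST /tokens).` above the field, and once the empty-value behaviour is decided, state it there as well.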
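Review bot: conf.AdminToken is handed to SetAdminToken without checking that it is non-empty, and what dvote's API does with an empty admin token (reject every admin request, or accept an empty header) is not visible from this hunk. main.go generates a value when none is configured, but Init is the library boundary and any other caller that leaves the field empty would silently ship an unprotected or unusable POST /tokens. Fail early at the boundary, before the SetAdminToken call: `if conf.AdminToken == "" { return errors.New("admin token must not be empty") }` (adding the errors import if api.go does not have it). Init's body continues outside the hunk.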
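Review bot: The switch of POST /tokens to api.MethodAccessTypeAdmin comes with no test, so nothing asserts that a request without the admin token is now rejected while the GET registration below it stays public. A small handler test that calls POST /tokens with no token and with a wrong token and expects a non-2xx response would pin the behaviour this commit exists for, and would catch a future registration reverting to MethodAccessTypePublic. initTokenHandlers continues outside the hunk.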
@@ -37,6 +39,7 @@ func main() {
 flag.StringVar(&config.logLevel, "logLevel", "info", "log level (debug, info, warn, error)")
 flag.IntVar(&config.port, "port", 7788, "HTTP port for the API")
 flag.StringVar(&config.connectKey, "connectKey", "", "connect group key for IPFS connect")
+ flag.StringVar(&config.adminToken, "adminToken", "", "the admin token for the API")
 var strWeb3Providers string
 flag.StringVar(&strWeb3Providers, "web3Providers", "", "the list of URL's of available web3 providers")
 flag.Parse()
@@ -68,6 +71,10 @@ func main() {
 panic(err)
 }
 config.connectKey = pviper.GetString("connectKey")
+ if err := pviper.BindPFlag("adminToken", flag.Lookup("adminToken")); err != nil {
+ panic(err)
+ }
+ config.adminToken = pviper.GetString("adminToken")
 if err := pviper.BindPFlag("web3Providers", flag.Lookup("web3Providers")); err != nil {
 panic(err)
 }
@@ -93,6 +100,11 @@ func main() {
 if err != nil {
 log.Fatal(err)
 }
+ // if the admin token is not defined, generate a random one
+ if config.adminToken == "" {
+ config.adminToken = util.RandomHex(20)
+ log.Infof("no admin token defined, using a random one: %s", config.adminToken)
+ }
 // start the API
 err = api.Init(database, api.Census3APIConf{
 Hostname: "0.0.0.0",
@@ -100,6 +112,7 @@ func main() {
 DataDir: config.dataDir,
 Web3Providers: w3p,
 GroupKey: config.connectKey,
+ AdminToken: config.adminToken,
 })
 if err != nil {
 log.Fatal(err)

From be13fa3dec2afa9b9cce3ae836fa5c9466e09948 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lucas=20Men=C3=A9ndez?=
Date: Thu, 26 Oct 2023 12:19:17 +0200
Subject: [PATCH 2/2] use UUID for admin token

---
 cmd/census3/main.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/cmd/census3/main.go b/cmd/census3/main.go
index e452dbb0..296225c5 100644
--- a/cmd/census3/main.go
+++ b/cmd/census3/main.go
@@ -8,6 +8,7 @@ import (
 "syscall"
 "time"
 
+ "github.com/google/uuid"
 flag "github.com/spf13/pflag"
 "github.com/spf13/viper"
 "github.com/vocdoni/census3/api"
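Review bot: The new adminToken flag puts a secret on the command line, where it is readable by other local users through process listings and ends up in shell history; the pviper binding in the following hunk already lets the value come from the config source, which is the safer path. The flag can stay for convenience, but its help text should steer operators there, e.g. `flag.StringVar(&config.adminToken, "adminToken", "", "the admin token for the API (prefer the config/env source over the command line)")`. main continues outside the hunk.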
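Review bot: `log.Infof("no admin token defined, using a random one: %s", config.adminToken)` writes the admin credential in plaintext to the application log, so wherever the logs are shipped or retained the token travels with them; the second patch keeps this line, so the same applies there. The value is also regenerated on every restart, which makes it suitable only for interactive, local use, and the message should say so and be emitted at warning level: `log.Warnf("no admin token defined, generated a random one (it changes on every restart; set adminToken for deployments): %s", config.adminToken)`. Operators who aggregate logs should configure the token explicitly, and a sentence in the README saying so would close the loop. main continues outside the hunk.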
@@ -15,7 +16,6 @@ import (
 "github.com/vocdoni/census3/service"
 "github.com/vocdoni/census3/state"
 "go.vocdoni.io/dvote/log"
- "go.vocdoni.io/dvote/util"
 )
 
 type Census3Config struct {
@@ -39,7 +39,7 @@ func main() {
 flag.StringVar(&config.logLevel, "logLevel", "info", "log level (debug, info, warn, error)")
 flag.IntVar(&config.port, "port", 7788, "HTTP port for the API")
 flag.StringVar(&config.connectKey, "connectKey", "", "connect group key for IPFS connect")
- flag.StringVar(&config.adminToken, "adminToken", "", "the admin token for the API")
+ flag.StringVar(&config.adminToken, "adminToken", "", "the admin UUID token for the API")
 var strWeb3Providers string
 flag.StringVar(&strWeb3Providers, "web3Providers", "", "the list of URL's of available web3 providers")
 flag.Parse()
@@ -101,8 +101,13 @@ func main() {
 log.Fatal(err)
 }
 // if the admin token is not defined, generate a random one
- if config.adminToken == "" {
- config.adminToken = util.RandomHex(20)
+
+ if config.adminToken != "" {
+ if _, err := uuid.Parse(config.adminToken); err != nil {
+ log.Fatal("bad admin token format, it must be a valid UUID")
+ }
+ } else {
+ config.adminToken = uuid.New().String()
 log.Infof("no admin token defined, using a random one: %s", config.adminToken)
 }
 // start the API
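Review bot: uuid.Parse accepts several encodings of the same UUID (canonical hyphenated, braces, a urn:uuid prefix, 32 hex digits without hyphens), but the validated string is kept in whatever form the operator typed, so if the endpoint compares the presented token against config.adminToken byte-for-byte — not visible here — a client sending the canonical form would not match a braced or unhyphenated configuration. Keep the parsed value instead: `id, err := uuid.Parse(config.adminToken)`, then after the existing `log.Fatal` on error, `config.adminToken = id.String()`. The added blank `+` line detaches `// if the admin token is not defined, generate a random one` from the code, and that comment no longer covers the new validation branch; drop the blank line and reword it to `// validate the configured admin token, or generate a random one if none is set`. main continues outside the hunk.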